Microsoft Word 0-day flaw = Bad news
Several watchdog groups have reported that a flaw has been found in Microsoft Word (XP and 2003) and that it is being actively exploited "in the wild." This doesn’t appear to affect the Mac versions of Office. Microsoft’s bulletin on the flaw is here. The fix is planned for the upcoming June 13th release of monthly fixes, but it might be issued sooner if larger-scale (more widespread) exploits arise.

This is a nasty flaw since it is related to email attachments and people generally trust Word docs. Don’t open any Word attachments until you have applied the forthcoming fix (unless you are expecting it from a known sender)! If a bad guy decides to couple this attack with collected, related address book email addresses, one could easily receive a message from a known sender that contains an exploited Word doc attachment, so be careful in all cases.

The trouble with patching this flaw is that Office XP users will probably need to have their installation media available to install the patch. This isn’t such a big deal in a home environment, but in an enterprise it presents the challenge of deploying patches to users who do not have Administrative rights to their PCs. Office 2003 does not seem to have this trouble.

Microsoft has issued a workaround procedure to help users protect themselves from this flaw in the interim. The good news is that they have instructions for both home users and enterprise-focused administrators. Expand the "Workarounds…" section in the above listed link (there are several levels to expand using the plus "+" signs). In there you will find the workaround directions that best suit your situation.

Domain administrators have been given a method for Group Policy (GPO) deployment of the "safe mode" portion of the workaround. This is nice, but disabling the Outlook feature of using Word as an email editor is still a manual workaround according to Microsoft. However, you should be able to enforce the Microsoft Word editor option using the Office Resource Kit’s Group Policy object to modify the Mail Editor settings accordingly (based on your environment).
All you Admins out there: I haven’t experimented with this option myself, but it should do the trick… if concerned, try it out on a limited OU of test machines/users and let me know if you feel altruistic. Here is where the setting should be:
But I digress – If you choose not to open any Word attachments, you can safely "wait it out" for the patch to be released in the 2nd week of June.
_____________________________________________________________
KevFrey
kevfrey@gmail.com