• Word buffer overflows found in the wild

    Posted on December 31, 2010 at 08:39 CST by Comment in the Forums

    And you thought that Word-based exploits were so last-century…

    Microsoft Malware Protection Center blog reports that the Softies have discovered several bogus RTF files, in the wild, that can take over your PC. Here’s how it works:

    You open a bogus RTF file. (RTF = Rich Text Format, an ancient file format that Word opens automatically.)

    The RTF file has been jiggered with infectious code at the end of the file. The file itself says it’s “X” bytes long, when in fact it’s longer. The infectious code starts at location “X + 1”.

    Word loads the file, then jumps to the location immediately after the end of the file, and starts running. Ooops. It’s running the infectious code at location X+1.

    The infectious code does some fancy stuff but, in the end, downloads a Trojan and saves it on your computer as c:\windows\a.exe .

    As best I can tell, the Trojan just sits there until you randomly decide you want to run the program a.exe, at which point Windows puts up its usual warning about running unknown programs.

    I wouldn’t call that a major security exposure, but it’s certainly embarrassing: the RTF format has been around since the beginning of Word time, and nobody caught the problem until now.

    Anyway, the hole was plugged in November, with security bulletin MS10-087. If you’ve been following along, you’ve already applied that patch and have nothing to worry about. If you haven’t applied the patch, avoid randomly running programs called a.exe, OK?

    Nope, I still don’t feel comfortable about the December patches, so if you’re waiting, we’re still at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Office Patches/Security ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • How to use the Forums
  • All Forums

    • Recent Topics

    May 2023
    S M T W T F S
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.