Newsletter Archives

  • Microsoft’s latest Word security hole, KB 2953095, is part of an ongoing embarrassment

    Has everybody forgotten that RTF – the sticking point in the latest zero-day, and dozens of zero-days before it – was invented and controlled by Microsoft?

    InfoWorld Tech Watch.

  • Word buffer overflows found in the wild

    And you thought that Word-based exploits were so last-century…

    The Microsoft Malware Protection Center blog reports that the Softies have discovered several bogus RTF files, in the wild, that can take over your PC. Here’s how it works:

    You open a bogus RTF file. (RTF = Rich Text Format, an ancient file format that Word opens automatically.)

    The RTF file has been jiggered with infectious code at the end of the file. The file itself says it’s “X” bytes long, when in fact it’s longer. The infectious code starts at location “X + 1”.

    Word loads the file, then jumps to the location immediately after the end of the file, and starts running. Oops. It’s running the infectious code at location X+1.

    The infectious code does some fancy stuff but, in the end, downloads a Trojan and saves it on your computer as c:\windows\a.exe.

    As best I can tell, the Trojan just sits there until you randomly decide you want to run the program a.exe, at which point Windows puts up its usual warning about running unknown programs.

    I wouldn’t call that a major security exposure, but it’s certainly embarrassing: the RTF format has been around since the beginning of Word time, and nobody caught the problem until now.

    Anyway, the hole was plugged in November, with security bulletin MS10-087. If you’ve been following along, you’ve already applied that patch and have nothing to worry about. If you haven’t applied the patch, avoid randomly running programs called a.exe, OK?

    Nope, I still don’t feel comfortable about the December patches, so if you’re waiting, we’re still at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.