It's 2014 and you can pwn a PC by opening a .RTF in Word, Outlook

Microsoft has warned its Word software is vulnerable to a newly discovered dangerous bug – which is being exploited right now in "limited, targeted attacks" in the wild. There is no patch available at this time. The flaw is triggered by opening a maliciously crafted RTF document in the Microsoft Office word processor, or opening …

COMMENTS

This topic is closed for new posts.

Silver badge
Facepalm

Microsoft Word 2003, 2007, 2010, 2013

See Icon ->

41
1
Silver badge
Trollface

Re: Microsoft Word 2003, 2007, 2010, 2013

Well isn't it good that I'm still using Word 97...

18
1
Silver badge

Re: Microsoft Word 2003, 2007, 2010, 2013

Fortunately I stuck with WindowsXP and OfficeXP so I'm safe

14
2
Silver badge
Pint

Re: Microsoft Word 2003, 2007, 2010, 2013

Well the good news is that OpenOffice is safe if fed a maliciously crafted .doc file.

16
1
Bronze badge

Re: Microsoft Word 2003, 2007, 2010, 2013

@Office97 user

NO, no, no, no .... RTF is pretty old ... since Office 97 and 2002 are no longer supported, I guess they have the issue, however, it will simply not be patched.

7
0
IT Angle

ElReg writes:

Microsoft Word 2003, 2007, 2010, 2013, and Office for Mac 2011 are vulnerable, according to Redmond. Microsoft Office Web Apps, Automation Services on SharePoint Server 2010 and 2013, and Outlook 2007, 2010 and 2013 when using Word as the email viewer, are also affected.

Legacy code or what!

Their latest Web Apps replicate a bug of Word 2003???

Code review anyone?

30
0
Silver badge
Big Brother

Legacy code or what!

Well, they DO have to keep the backdoors open for the spooks....

30
2
Anonymous Coward

@forget it

They were too busy with the ribbon to actually worry about what's under the bonnet.

70
3
Silver badge
Windows

I bet if you fired up a VM with Windows 3.1 and ran WFW 2.0 the same bug would still be there...

(But at least the UI would be better than Word 2013.)

33
0

This post has been deleted by its author

Anonymous Coward

But at least the UI would be better than Word 2013.

Lordy no! All those little buttons with tiny black and white icons of printers, floppy disks, etc?! And so buggy it crashed at least once a day (ok maybe that was Win3.1 as well)?

Ah those GPFs...

2
1
Bronze badge

Given the age of the vulnerability, I wonder whether anyone has bothered to check how non-MS products handle this maliciously crafted RTF document.

1
1
Anonymous Coward

FFS!

What else is there...?

10
1
Bronze badge
Childcatcher

Re: FFS!

I imagine anything that can open Legacy Documents but we all know about them.

Just need to start worrying when exploits on plain text files start to appear.

3
1
Bronze badge

Re: FFS!

They have been around for years. A text file with something about typing the "Format" of the "C:" drive to speed up your computer.

4
0
Silver badge

Re: FFS!

You don't want to know.

0
0
Anonymous Coward

Having a ridiculous bug like that, spread over a decade of versions is one thing..

But it's been known by Microsoft since the end of January. It's now almost the end of March, and there's still no patch for a remote code execution vulnerability, that's potentially in the wild??

If you ever wanted a reason to use open-source then this is it!

50
3
FAIL

er hemm, January?

January what year?

http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=880

8
0
Silver badge

re: known by Microsoft since the end of January.

I'll accept it might be difficult to patch the bug, regression test it, and still get it packaged for the March patch release. BFFS, why didn't you announce the mitigation options earlier?

2
0
Bronze badge
Thumb Down

Since 2003?

Just goes to show that all new versions have been mostly cosmetic changes.

32
1
Anonymous Coward

"Just goes to show that all new versions have been mostly cosmetic changes."

And not for the better !

45
1

Yes, that's what I think too. However the little woman disagrees and applies more and more mascara and potions to hide the wrinkles.

Think I'll go out looking for some new hussy (free and open and obviously without viruses, etc.)

7
3

"all new versions have been mostly cosmetic changes"

That is a bit of a stretch. RTF was never the main document format for MSWord. http://en.wikipedia.org/wiki/Rich_Text_Format shows some changes to the RTF format over the years, but I don't necessarily see why you feel they should rewrite all of their code with every release. (Wouldn't that make it harder to ensure compatibility with previous versions -- something MSOffice users do have an interest in keeping?)

4
6
Silver badge
Windows

"... compatibility with previous versions..."

MS Office- Crap yesterday, crap tomorrow. You can rely on it.

11
5
Anonymous Coward

downvote for the misogynistic comments.

1
18

Arse to their Microsoft Word document

Problem is... people don't know their arse to their Microsoft Word document most of the time in the home or office-scape. Especially when Word (AFAIK) conceals each document under the same icon. You'd need to understand what a file extension is to avoid opening a malicious document.

Even worse, someone could easily send a mass *.doc/*.docx and disguise an RTF underneath as the later versions will auto detect the format?

Oh oh.

2
0
Anonymous Coward

"downvote for the misogynistic comments."

To be fair there's no suggestion that any free open and virus-free hussy would be interested in having him!

2
0
Silver badge

@9Rune5

I wouldn't except

The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1. Which to me implies checking the code with all your security tools at each release. As an earlier poster noted, the absence of Word 97 or earlier versions doesn't mean the bug doesn't exist in them, only that MS haven't arsed themselves to test them. So it could be a 20+ year old bug, but it is confirmed to be at least a 13 year old bug.

2
0
Bronze badge
Linux

@Tom 13 Re: @9Rune5

"The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1."

MAKE HIM STOP!!!

I ABOUT PISSED MYSELF LAUGHING....

Oh, better now.

People are still using Microsoft products?

1
2
Bronze badge

Support ends...

"Mainstream" support for Office 2003 ended back in 2009 - and "extended" support for it ends early next month. I wonder how many installations of this won't get patched, particularly if this issue doesn't get patched by next month's cut-off? 2007 is out of "mainstream" support too, and I'm sure it's far from extinct out there - and probably far from currently patched...

6
1
Bronze badge

Re: Support ends...

Ha

We only "upgraded" to 2007 just before Xmas. It was installed "vanilla" (no SP). Our I.T. team don't like updates. At all. I mean ANY updates for ANY software. Now whenever I have a meeting with our road warriors I make them fire up Windows Update before we get started.

2
1
Bronze badge
Facepalm

Incorrect MIME type

How long (oh Lord) have we been telling Microsoft *not* to couple Word with Outlook? I know I told them, circa 1998, that it was a bad idea.

It still is.

40
2
Bronze badge

Re: Incorrect MIME type

Don't know about coupling Word with Outlook, but the insecurity of the Outlook preview mode has been known about since Outlook 97/98...

6
0

Phew!

Office 2004 for Mac no longer runs under 10.7 after the upgrade from 10.6. Libre Office is now useable even if it does still take far too long to load, so no point in paying for the upgrade.

I have warned the rest of the family: wife uses PCs and kids might well run various versions at home and at work.

Oh and I'm reminded why I never liked Outlook so never more than glanced at it, let alone set it up. Thunderbird does just fine and dandy.

7
0
Silver badge
Facepalm

Recycled plastic - good

Recycled code - bad

3
7
Anonymous Coward

Recycled code - bad ?

Recycled trustworthy code - doubleplus good

18
1
Silver badge

"Recycled code - bad"

Code re-use is pretty standard practice, actually. No-one is going to re-write every part of a very large software project each time an iterative version is released, especially the legacy parts. If you did that you'd (a) never release a new version and (b) introduce more bugs with each version than you would otherwise.

10
1
Bronze badge

But 10+ year old code is dragging it out a bit. At least review it, especially since it loads external data.

I suspect the original coder is long gone, and it's spaghetti code that no one dares touch.

5
3
Silver badge

This actually comes closer to what I was thinking. Also I have known occasions where re-use of 'good' code has been a disaster because the new dev didn't properly understand it and tried to use it as-is.

I know this to be true cos it wos me!

9
0
Silver badge

>>"But 10+ year old code is dragging it out a bit. At least review it, especially since it loads external data."

By that logic parts of the PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux. It loads external data and it's over ten years old. Point is that the OP I replied to said re-using code was bad. That's crap and every experienced software engineer on a medium large project knows how unfeasible and counter-productive it would be to re-write everything especially legacy parts, just because a new version was coming out.

OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP.

12
3
Bronze badge

Good code is good code, no matter how old it is. The term "bit rot" was debunked a long time ago. The trouble is that good code isn't that easy to come by.

Or if you prefer, there's the old adage that I recall from my programming days - there's no such thing as a finished product; just one that's in a high state of debug. :)

6
1
Silver badge

"Bit rot"

"The term "bit rot" was debunked a long time ago".

I think you'll find that "bit rot" was humorous shorthand for the well-known problems that arise when an originally crisp, efficient system is gradually patched and "enhanced" year after year. It's the programmer's version of what Verity Stob calls "cruft" from the end-user POV.

4
1
Silver badge

@Will Godfrey

I know this to be true cos it wos me!

And there's the difference between you and MS. MS would never admit that in public.

4
1
Anonymous Coward

"That's crap and every experienced software engineer on a medium large project knows how unfeasible and counter-productive it would be to re-write everything especially legacy parts, just because a new version was coming out."

I don't think it's been suggested to re-write all code for every iteration. (Why do you people bicker back with edge cases and extreme counter-arguments?)

I have written code, and it's been running for years. It doesn't get touched, it does what it's supposed to do. I've also written shitty code where I feel sorry for the next person to maintain. I've also been on the receiving end of shit code.

But don't you do code reviews, especially on code that already had similar issues? Or are you the type to leave code well alone once it's proven to work?

When you have code in high-risk areas, running on the vast majority of desktops over the world, and you're getting an obscene amount of money for it - it's more of a case of responsibility.

I'd love to know if a code analysis tool would have picked this bug up, or if a second glance at the function would spot something... but I guess we'll never know.

3
0
Anonymous Coward

>> PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux

A pathetic example! That code (and any updates to it) can be reviewed by anyone, and it's not dealing with data directly from the Internet - ie, in emails.

Old code should be reviewed, every so often. The security landscape has changed a lot in the past decade.

5
0
Bronze badge

"OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP."

Sorry, I was just trying to add something to the discussion regarding reviewing old code... I'm not here to gain credibility, or score points.

2
1
Silver badge

>>"I don't think it's been suggested to re-write all code for every iteration. "

OP wrote "Code re-cycling is bad". Other than an accompanying sentence saying that "plastic recycling is good", that was the sum total of their post. I responded pointing out that code re-use is standard practice and attempting to re-write everything would introduce more bugs.

Then you argued with me.

0
0
Bronze badge
Linux

@h4rm0ny "Recycled code - bad"

If they are just going to put a new polish on the same old turd, then why FFS do people go out and get the "newest" one?

Everyone needs to stop buying the "new" crap to make a point.

I know, I know... Good luck with that.

I've done my part... See icon -->

0
1
Bronze badge
Pirate

@Chika Bit Rot

Bit Rot is still valid, but not for code. It is however prevalent at the hardware level in lots of cheaply made ROMs and CDs. I have an Atari 5200 that has suffered from it.

0
0
Bronze badge
Paris Hilton

Oversight?

I don't think it is a bug - more of an oversight.

The root of the issue seems to be the time when MS thought that t'internet would be a great way to do systems management on Windows PCs remotely and all that IE6 development stuff that so many organisations and (ActiveX?) are still snagged into?

2
0
