
What’s old is old again – vulnerabilities in Office 2007

Old Microsoft is old again and Britney with a shaved head is more interesting

After a year of listening to Microsoft tout its new security features and explain its rigorous life cycle testing of Vista and its new Office 2007 suite, we appear to be right back on the same path. Last week eEye hinted at an advisory in Publisher 2007. A day later we learned they had in fact disclosed the vulnerability to Microsoft with respect to the Publisher 2007 file format. Didn’t we do this already in Office 2003? Oh yes, we did, a few times. Yesterday we learned that Symantec reported a pair of vulnerabilities in Word 2003 and Excel 2003. Apparently, a Russian researcher found a new exploit in, you guessed it, the WMF file format.

The new, yet to be disclosed, vulnerability in Publisher 2007 probably won’t affect many enterprise shops. Publisher isn’t an enterprise application and historically has been targeted to the SMB market. As I recall, the last time I installed Office from CD, wasn’t Publisher on an entirely separate CD? In recent years, though, it has taken a slight step forward with its integration with SharePoint, Microsoft’s enterprise content management and intranet platform. Nonetheless, if Publisher was subjected to the same rigorous security testing as the rest of the Office 2007 suite, we can probably assume that similar bugs will eventually end up affecting Word and Excel. The real question today is “just how good was Microsoft’s stepped up security testing of its new products for a vulnerability to have been found so quickly?”

The fight is getting old and taxing. The insecurity of Microsoft apps probably keeps 20% of security operations employed. How many times do I need to deploy new GPOs to issue a kill bit on some ActiveX bug? Just how many file formats can we exclude from our perimeter email gateways? We worry about the loss of intellectual property. Seriously, it may get so bad that unless you convert all your Word docs to text only, you will be unable to find any buyers for your stolen IP. I can imagine a new SOA market – conversion of Office docs to their equivalent text-only formats for the purpose of black-market dealings. Vulnerabilities aren’t going to go away, but let’s get something new. How about a new multidimensional attack worm? How about something funny like the Solaris telnet vulnerability? I’ve got to imagine that security teams, press and consumers are probably pretty bored as well. That probably explains why we all flock to our computers to see pictures of Britney shaving her head.


Comments (2)

please see:

http://security-protocols.com/sp-x44-advisory.php

not a huge deal, but something like this would have been found if the proper testing was conducted.

-- tom

Refried:

People have been fuzzing the hell out of Office apps for about a year now. We've seen an awful lot of 0day since then (perhaps in part because of Halvar's rotting fish theory), and Office vuln fixes have been in almost every recent patch Tuesday.

What I want to know is why these same people aren't turning their toolsets against OpenOffice? I tend to think that the fault lies primarily with the designers of the Office file formats, and less with the developers who have the unenviable job of implementing the bloody things. Have you read those specs? There's no way anyone could write a complete parser and cover every possible vuln they engender. The move to XML formats will help, but only when we get to the point where they can break compatibility and drop support for the older formats.


Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. He is a Certified Information Systems Security Professional (CISSP).

About

This page contains a single entry from the blog posted on February 27, 2007 9:13 AM.
