So this week we released another security advisory in response to targeted attacks making use of a malicious office document as the attack vector . . . and in it we make the following statement which seems to have caused a stir in some circles:
"Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."
Read that very closely - we are saying that if you get an e-mail with an attached Word document 'unexpectedly' from a trusted source - you should proceed with caution. What does unexpectedly mean? Why should I exercise caution with emails from 'trusted' sources (i.e. people I know?). What's going on here?
Soooooo . . . maybe my friend sends me a Word document out of the blue that I'm not expecting and the subject simply says 'Hey dude - check this out' and there's nothing in the e-mail to describe what the Word document is or why I should check it out. What should I do? What would YOU do?
Here are some questions to ask:1. Are you sure your friend really is the one who sent that email? What sort of proof or assurance do you have with standard e-mail systems that the email was actually sent by him/her? Was the e-mail S/MIME or PGP signed/encrypted using their private key? Probably not. The vast majority of e-mail is sent very insecurely plain text or HTML with no assurance its from who it claims to be from. The e-mail could in fact have been spoofed to appear as if it was from your friend but sent by an unknown attacker. The only way you would be able to tell (maybe) is if you peered into the e-mail headers and looked at the trail of mail servers it was sent through and you discover that the mail originated in another country or from an ISP / IP address your friend is not known to use for sending e-mail. But how many people go peering into the depths of the e-mail headers for every e-mail they receive from their friends to verify that the header information displayed in the mail client wasn't in fact spoofed and that the e-mail in fact did originate from an ISP / IP address used by their friend? What if your friends personal / work machine was compromised and it was used to send the e-mail . . . so the e-mail wasn't even spoofed - it actually did come from your 'friend' (under the control of someone else via the backdoor they've installed on your friends machine). You think that's air your breathing?
2. What's the worst that could happen if I open this Office document to 'check it out'?Knowing that you are probably logged in as an Administrator on some flavor of Windows and that opening an Office Document these days could potentially allow for code execution - what you are really doing when you open an Office document is effectively running an EXE. NO ONE these days would dream of running an EXE mailed to them from someone they don't know - but for some reason people are all too happy to open random Office documents from random people that get spread around. I can think of many instances of viral (no pun intended) PPT files I've received with cutesy slide shows of kittens or funny pictures of drunk college students making assess of themselves that spread quickly through social networks due to their cute or comedic value. I'm sure you've gotten them to. Who authored that document?
What we are saying is that in the post 9/11 Web 1.0 world in which we now live, things are different. Gone are the days of fun, frivolity and blissful ignorance of the threats and the attackers that are out there. This is Web 2.0. It's extremely hostile because there is money to be made buying and selling information/data and 'information' is ubiquitous now. They really are out there and they really are out to get you (well, your information/data) - especially if you are an individual or an organization with information of value that 'they' want. And guess what? They're getting bolder about how they go about getting it.
So getting back to the question I posed above - what would YOU do? What should you do? (NOTE These are not always the same answer. :)What you should do is consider talking to your friend before opening the document to find out what it's about. Is your friend available on IM? Go ahead and shoot him an instant message . . . . or give him a call or maybe e-mail him about it (but I'd rather have you contact him 'out of band' for obvious reasons).
Now is the answer to what you should do the same for everyone? Of course not if you are say an employee at some government / military / research / corporate facility that houses sensitive data that bad guys would want access to and you are exchanging Office documents via plain text un-signed / un-encrypted e-mails internally or with external partners - perhaps its time for a new organizational policy no? Maybe your management chain needs to be made aware of this threat / attack vector (its entirely possible there are still CxO's that do not know about this type of attack) and implement policies and procedures to address it in a top down fashion to reduce the risk / exposure of your organization to these types of attacks? Maybe that policy mandates that all e-mail communications will be signed (S/MIME / PGP - whatever just do it) or even better yet *encrypted* and signed. Maybe that policy mandates that you no longer share Office documents via e-mail - maybe you use some internal portal site like a SharePoint site or a file share where Office documents are kept and you e-mail links to the documents as opposed to the documents themselves? Maybe the policy even goes so far as to state that employees caught opening random file attachments out of email will be dismissed on the spot if caught doing it.
In my opinion, if there is anything 2006 will be known for when we look back and reflect on the events of this year - I think overall 2006 will be known by many as the year of the targeted attack making use of the 0-day exploit. This year we saw an unprecedented number of very targeted attacks making use of 0-day vulnerabilities in our products and this is just the latest instance of such an attack. Scarier still is the unprecedented number of 0-day vulnerabilities that were reported or publicly disclosed that (to my knowledge) haven't been used in attacks (yet).
In closing lot of information can be gleaned or inferred about the targeted attack from this sentence:"Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."
We know that the person or organization who was attacked probably received an e-mail from a *trusted* source - someone they knew or interacted with on a daily basis. We know that the person probably received a Word document attached to that e-mail from the *trusted* source and we know that the Word document exploited a previously unknown (to us) vulnerability in Word that allowed the attacker to gain control of execution inside the WINWORD.EXE process running in the context of the logged on victim (i.e. probably logged on with 'administrator' level credentials) causing it to run the shellcode of the attackers choice. This shellcode could be of the HTTP download & execute variety to install a backdoor / rootkit on the machine so that the attacks could continue within this organization.
One final thing that I would like to point out is that this is NOT a *Microsoft* problem. You can take that sentence in italics above and replace 'Word files' with just about any other sufficiently complex file format. Any sufficiently complex file format - that has to be parsed by a sufficiently complex program - is capable of sending you down the same 'code execution' path my friends - this is NOT a situation confined to Office. This could have just as easily been a security advisory from Adobe about PDF files e-mailed to someone. This could have just as easily been a security advisory from Apple warning people about malformed QuickTime movies e-mailed as attachments. You can even exploit file formats as simple as image formats (BMP / GIF / JPG / PNG etc.) which is why I read all incoming e-mail as plain-text and don't render images / HTML by default. Think about it.
Yes this is truly scary stuff but what makes it scary is that this is not mere speculation or warnings over what could happen - this is warnings about what has happened . . . unfortunately this is the Internet in which we now live. Welcome to Web 2.0. It's probably going to get worse with other vendors falling victim to similar targeted 0-day attacks before it gets better.