Word Bug Shows Trend In File Format Hacks - InformationWeek


02:57 PM

The vulnerability in Microsoft Word is only the latest in a spreading trend that's seeing hackers probe for foibles and failings in file formats, a security firm says.

The vulnerability in Microsoft Word is only the latest in a spreading trend that's seeing hackers probe for foibles and failings in file formats, a security analyst from the company which first uncovered the Word bug said Wednesday.

"We're starting to see a trend in vulnerability discovery where people are going after file format vulnerabilities," said Michael Sutton, the director of iDefense Labs, the research arm of Reston, Va.-based security intelligence firm iDefense.

"There have been numerous vulnerabilities found in image file formats and multimedia file formats," Sutton went on. "Actually, the vulnerabilities don't exist in the files themselves, but in the programs that read and interpret them."

That's the case with the Word vulnerability that Microsoft disclosed Tuesday. According to Microsoft's security bulletin and iDefense's own analysis, a specially crafted Word file (in .doc format) containing extra-long font data can cause Word 2000 and Word 2002 to fail, and give the attacker complete access to the machine.
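The defect Sutton describes is in the reader, not the file: a parser trusts a length field written in the document and copies that many bytes into a fixed-size buffer. The following is an added example, not code from the article, from Microsoft or from iDefense, and it uses a constructed toy record layout (one type byte, a two-byte little-endian length, then the font name) rather than the real Word binary format, which the article does not describe. It shows the check a hardened parser performs: the declared length is compared against both the bytes actually present and the destination buffer before any copy happens, so an over-long font name is rejected instead of overrunning memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy record layout (NOT the real Word .doc format):
 *   byte 0     : record type (0x01 = font table entry)
 *   bytes 1-2  : little-endian length of the font name that follows
 *   bytes 3..  : font name bytes
 */
#define FONT_NAME_MAX 32   /* fixed-size destination, like a stack buffer in a parser */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2, PARSE_BAD_TYPE = 3 };

struct font_entry {
    char name[FONT_NAME_MAX + 1];
    size_t name_len;
};

/* Hardened parser: the length read from the file is validated against the
 * bytes available AND the destination size before memcpy runs. */
enum parse_status parse_font_record(const uint8_t *buf, size_t buf_len, struct font_entry *out)
{
    if (buf_len < 3) return PARSE_TRUNCATED;
    if (buf[0] != 0x01) return PARSE_BAD_TYPE;
    size_t declared = (size_t)buf[1] | ((size_t)buf[2] << 8);
    if (declared > buf_len - 3) return PARSE_TRUNCATED;   /* header claims more than is present */
    if (declared > FONT_NAME_MAX) return PARSE_TOO_LONG;  /* would overrun out->name */
    memcpy(out->name, buf + 3, declared);
    out->name[declared] = '\0';
    out->name_len = declared;
    return PARSE_OK;
}

/* Serialize a record into dst; returns the record size, or 0 if it does not fit. */
size_t build_font_record(uint8_t *dst, size_t dst_len, const char *name, size_t name_len)
{
    if (name_len > 0xFFFF || dst_len < 3 + name_len) return 0;
    dst[0] = 0x01;
    dst[1] = (uint8_t)(name_len & 0xFF);
    dst[2] = (uint8_t)(name_len >> 8);
    memcpy(dst + 3, name, name_len);
    return 3 + name_len;
}

/* Self-checks on constructed inputs (not samples from any real document). */
enum parse_status check_well_formed(void)
{
    uint8_t rec[64];
    struct font_entry e;
    size_t n = build_font_record(rec, sizeof rec, "Times New Roman", 15);
    return n ? parse_font_record(rec, n, &e) : PARSE_TRUNCATED;
}

/* Header declares a 300-byte name and 300 bytes really follow: an unchecked
 * copy into a 32-byte buffer would overflow; the hardened parser refuses it. */
enum parse_status check_over_long(void)
{
    uint8_t rec[512];
    char name[300];
    struct font_entry e;
    memset(name, 'A', sizeof name);
    size_t n = build_font_record(rec, sizeof rec, name, sizeof name);
    return n ? parse_font_record(rec, n, &e) : PARSE_TRUNCATED;
}

/* Header declares 20 bytes but only 5 follow: the record lies about its size. */
enum parse_status check_truncated(void)
{
    uint8_t rec[64];
    struct font_entry e;
    size_t n = build_font_record(rec, sizeof rec, "Arial", 5);
    rec[1] = 20;   /* corrupt the declared length; rec[2] stays 0 */
    return parse_font_record(rec, n, &e);
}

int main(void)
{
    printf("well-formed : %d (expect %d)\n", check_well_formed(), PARSE_OK);
    printf("over-long   : %d (expect %d)\n", check_over_long(), PARSE_TOO_LONG);
    printf("truncated   : %d (expect %d)\n", check_truncated(), PARSE_TRUNCATED);
    return 0;
}
```

The two length checks are deliberately separate: the first catches a header that promises more bytes than the file contains (a read past the end of the input), the second catches a header that is internally consistent but larger than the parser's own buffer (a write past the end of the destination). Both are needed; the Word bug as the article describes it is of the second kind.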

"If everyone plays by the [file format] rules, everything works fine," said Sutton. "But what happens if I don't follow that format? Does it crash the machine? That's what hackers are asking."

The reason why attackers are increasingly looking for file format processing flaws, said Sutton, is that users are leery about accepting executable files, and most enterprises have blocked them from arriving as incoming e-mail attachments. But the file formats now under attack -- such as .doc, .jpg, and .png -- are widely trusted and traded, and generally not blocked.

Although an exploit for this vulnerability will probably be trickier than usual and require some sort of social engineering angle -- since users will have to be talked into opening a .doc file -- Sutton doesn't think either is a barrier to hackers.

"Most people are very comfortable with the .doc format, so a message saying something like 'review this file and get back to me' would probably get them to bite, especially if it was a targeted message and supposedly came from someone they knew," added Sutton.

Solutions to the file format problem won't be quick or easy, Sutton said, because they'd involve one of three things: application owners such as Microsoft paying closer attention to possible misuse and recoding their software; companies blocking ever more file formats from reaching users; or anti-virus vendors developing scanning technologies that examine document and image files for evidence of maliciousness.

Short term, said Sutton, users can expect even more such vulnerabilities as hackers shift from finding flaws through manual hit-or-miss techniques to tool-assisted searches that are partially automated.

For now, the best defense is the often-repeated advice to be wary when opening files, even from trusted sources. Anything more aggressive likely will do more damage than add to defenses.

"There's only so much you can do to block file formats like these," said Sutton. "Show me a company in the world that doesn't use Office. Blocking .doc would defeat the purpose of using e-mail for a lot of users."
