Database Engine Flaw Makes Word Attachments Dangerous

Don’t open that Word file attached to your e-mail; it might contain malware.

And don’t click on that e-mail or Web site links from strangers. Heck, don’t even open Word e-mail attachments from trusted sources unless you’re expecting them.

Attackers are embedding malware in Word documents that causes a buffer overflow in their victims’ computers, letting them take over the computers.

Data is stored in fixed-length buffers, and a buffer overflow causes applications to try to store data beyond the boundaries of those buffers.

This could create a system crash or, as in this case, software vulnerabilities that let an attacker take over your computer.

Where You’re Safe — and Unsafe

Computers running Windows Server 2003 Service Pack (SP) 2, Windows Vista, and Windows Vista SP 1 are not vulnerable to the buffer overrun, Microsoft told TechNewsWorld.

However, those running Microsoft Word 2000 SP 3, Microsoft Word 2002 SP 3, Microsoft Word 2003 SP 2, Microsoft Word 2003 SP 3, Microsoft Word 2007, and Microsoft Word 2007 SP 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 SP 1 are open to attack.

The vulnerable software uses an older version of Microsoft’s Jet Database Engine — which shares data between Microsoft Office products and other applications — that is open to this sort of attack. Ironically, the much-maligned Windows Vista is not vulnerable to the attack because it uses an updated version of the Jet Database Engine.

Just Another Microsoft Flaw

This particular flaw was first reported in November of 2007 on Bugtraq by Frank Ruder.

At that time, he said Access 2003 SP 3 on the Chinese-language version of Windows XP SP 2 was affected, but warned other versions of Windows could also be affected.

He quoted Microsoft as saying that Microsoft considers the MDB file type unsafe and that Internet Explorer and Outlook will automatically block these files.

In December 2007, the US-CERT Computer Emergency Readiness Team warned about the same problem. Don’t open attachments from unsolicited e-mail messages; and block high-risk file attachments at e-mail gateways, it said.

If Microsoft itself considers the MDB file format unsafe, why doesn’t it re-engineer the silly thing?

Because it’s not all that simple. “Changing the file format would entail many other changes,” Dr. Chenxi Wang, principal analyst of security and risk management at Forrester Research, told TechNewsWorld. “There are applications written using this, there are driver files written using this, so it’s not so easy a change as the click of a button.”

Precautions to Take

“Enable a firewall, apply all software updates and install anti-virus and anti-spyware software,” Microsoft said.

You can find additional information here.

Microsoft believes the risk from these attacks to be limited “because customers have to take several steps in order for the attacks to be successful.”

For example, one attack uses a safe Word file and a malicious Access file sent together as e-mail attachments. The victim must save both files in one folder and open the Word file first; this contains code that will look for the malicious Access file and open it.

Few people will actually be impacted by these attacks. For one thing, “there are some very specific conditions” that must be met for this type of attack to succeed,” Wang said.

And it’s not really Microsoft’s fault, either. “Writing these database engines is incredibly complex, and when an error combination arises where a very specific set of conditions has to be met, it’s easy to miss because there are so many possible scenarios,” Wang said.

Having studied Microsoft’s internal software security practices in depth, “there isn’t another company that has such comprehensive and in-depth software security practices,” Wang added.

Your best bet is to never open e-mail attachments, especially if you don’t know the sender.

Remember what Mom said about not taking candy from strangers?

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels