
Microsoft Security Bulletin for - get this - Wordpad

Flatline

Golden Member
Just helped out a coworker with his home machine, and the new update caught my eye...my first reaction was "how bad can it be...it's frigging Wordpad!" Turns out that the update is for a remote code execution vulnerability in Wordpad. WORDPAD!!

Oh, well. Install the update and move on, I guess.
 
What's next... Notepad???

Depends, probably not since it's a lot less intelligent. It's basically a big buffer with nothing fancy, Wordpad adds a bunch of text formatting options so there's more to get right.
 
Note that it doesn't say "remote code execution".

Basically, this is a pretty run-of-the-mill app data overflow. If you happen to be able to run Wordpad as Administrator (or LocalSystem), then you can attain administrative privileges on the box.

But in most cases, if local security is important, you'd never be running apps as Administrator anyway, so this exploit is not really all that significant.
 
Actually, it DOES say remote code execution (see the "impact of vulnerability" field)



Microsoft Security Bulletin MS04-041
Vulnerability in WordPad Could Allow Code Execution (885836)
Issued: December 14, 2004
Version: 1.0

Summary
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the update at the earliest opportunity.
Security Update Replacement: None
Caveats: None

http://forums.anandtech.com/me...threadid=1466275&f
 
Originally posted by: Flatline
Actually, it DOES say remote code execution (see the "impact of vulnerability" field)

If you read the Technet bulletin in detail, you'll see the following:

  • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.
  • An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
  • WordPad is vulnerable to this issue through .wri, .rtf, and .doc file name associations. By default, if any supported version of Microsoft Word is installed, through the .rtf and .doc file associations, these document types will open in Microsoft Word instead of WordPad. Microsoft Word does not contain this vulnerability. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.


A true "remote vulnerability" means that the box is vulnerable without a user sitting there doing things to enable the attack in realtime.

This is more like a spoofing attack or trojan horse: get the user to open a malicious .doc or .rtf using WordPad as an Administrator. Unless all of those conditions are met, it won't work.
 
A true "remote vulnerability" means that the box is vulnerable without a user sitting there doing things to enable the attack in realtime.

Not really, all it means is that it can be exploited remotely.

This is more like a spoofing attack or trojan horse: get the user to open a malicious .doc or .rtf using WordPad as an Administrator. Unless all of those conditions are met, it won't work.

Which is pretty easy considering you can just send people the malicious document in an email. Hell, people have been known to extract password protected zip files to run trojans.
 
Originally posted by: Nothinman
Not really, all it means is that it can be exploited remotely.
Hmmm... by that definition, then just about every virus and trojan fit the description. I don't know of any virus writer that had to sneak into a user's house to run the virus. It was all done using various means of injecting the virus code onto the host machine from a remote location. Whether that was through a floppy disk, or e-mail attachment, the remote code ended up running on the user's system. That seems to fit your description equally well.

In my mind, the distinction for remote exploits is that it takes NO local action for the system to be vulnerable: the exploit can be TOTALLY executed remotely. This is clearly not the case here. The user has to put the virus/trojan onto the computer in the first place for it to be exploitable. The machine, sitting by itself, is not vulnerable to this exploit.


This is more like a spoofing attack or trojan horse: get the user to open a malicious .doc or .rtf using WordPad as an Administrator. Unless all of those conditions are met, it won't work.
Which is pretty easy considering you can just send people the malicious document in an email. Hell, people have been known to extract password protected zip files to run trojans.

I shudder to think that users still 1) run as administrator, 2) open attachments in their email without looking to see who they're from, 3) use an e-mail client that does not support attachment virus scanning (the scanners are already updated to spot this type of attack), and 4) do all of this on an unpatched Windows box.

But you're probably right: users probably still do all of these things.

Well, at least if they have Sp2, they're safe unless they've specifically performed the steps necessary to enable the Word 6.0 Converters. (They're off by default now).
 
That seems to fit your description equally well.

Isn't the english language fun?

I shudder to think that users still 1) run as administrator,

MS doesn't give a lot of choice. Many games require it, generic administration tasks like bringing up/taking down a network interface don't work well with "Run As...", etc.

2) opening attachments in their email without looking to see who they're from,

That's getting better, probably largely due to MS blocking pretty much every file extension in outlook except for .dat.

3) using an E-mail client that does not support attachment virus scanning (which are already updated to spot this type of attack),

That's irrelevant, to run the attachment any email client will first save the attachment to a temporary directory so an on-access scanner will catch it.

4) on an unpatched Windows box.

But didn't you know that XP SP2 slows down games?
 
Originally posted by: kylef
  • WordPad is vulnerable to this issue through .wri, .rtf, and .doc file name associations. By default, if any supported version of Microsoft Word is installed, through the .rtf and .doc file associations, these document types will open in Microsoft Word instead of WordPad. Microsoft Word does not contain this vulnerability. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.
Wow, that's really funny. All this time, I thought that it was Word that was more-or-less vulnerable to these sorts of things, and that WordPad, due to its smaller size and feature-set, wasn't. It always did bother me though, in the back of my mind, downloading .doc files and reading them on my box. Hmm. 🙁

Guess I'll have to cross off a few more file extensions from my "presumed safe to open" list, thanks to MS. (There really aren't too many left, any more. What's next - infected .TXT files??!?!? Wait, don't answer that.)

Originally posted by: kylef
A true "remote vulnerability" means that the box is vulnerable without a user sitting there doing things to enable the attack in realtime.
No, that's a "remote network vulnerability".

Originally posted by: kylef
This is more like a spoofing attack or trojan horse: get the user to open a malicious .doc or .rtf using WordPad as an Administrator. Unless all of those conditions are met, it won't work.
And we all know how truly difficult it is to get a user to click on a potentially-malicious URL... and how totally unlikely it is for an end-user to be running with Admin privs, especially since MS makes it so easy to run without, especially on XP Home. 😛 I mean, most of these MS vulns. are totally not even an issue! I mean, people reporting them must simply just be hating on MS, jealous of all of BillG's bling-bling, ya know?
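The bulletin bullet quoted above (WordPad processes a document the same way regardless of its file name extension) and the "presumed safe to open" extension list in the previous post are the same point seen from two sides: when the handler sniffs content, an extension-based trust list tells you nothing about what parser a file will reach. The following is an added example, not code from the thread or from Microsoft. It identifies a document by its leading bytes (the standard `{\rtf` signature, the OLE2 compound-file header used by Word .doc files, and the Windows Write header word) and flags files whose extension disagrees with their content. The sample inputs are constructed; the choice to treat OLE/Word and Write formats as "converter-handled" is an assumption made for the demo, since the thread only notes that XP SP2 ships with the Word 6.0 converters off.

```python
"""
Content-based document identification versus extension-based trust.

Added example (not from the thread or from Microsoft). The signatures below
are public file-format magic values; the "converter" classification is an
assumption for illustration only.
"""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file (Word .doc)
RTF_MAGIC = b"{\\rtf"                             # RTF always starts with {\rtf
WRI_IDENTS = (0x31BE, 0x32BE)                     # Windows Write header word (LE)

# Extensions the bulletin names as WordPad-associated. WordPad will still
# open (and sniff) a file with any other name if the user points it there.
WORDPAD_EXTS = {".wri", ".rtf", ".doc"}

# Assumption for the demo: RTF is parsed natively; Write and Word binaries go
# through a converter module, which is the code path the thread is worried about.
CONVERTER_FORMATS = {"ole-doc", "wri"}


def sniff_document(data: bytes) -> str:
    """Return the format a content-sniffing handler would pick, or 'text'."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole-doc"
    if len(data) >= 2 and struct.unpack("<H", data[:2])[0] in WRI_IDENTS:
        return "wri"
    return "text"


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def assess(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are.

    ext_mismatch is True when a file carrying a real document format hides
    behind an extension that is not on the WordPad list (e.g. notes.txt that
    is really RTF). reaches_converter is True when the sniffed format would be
    handed to a converter rather than the native RTF/text path.
    """
    ext = extension_of(name)
    fmt = sniff_document(data)
    return {
        "name": name,
        "ext": ext,
        "format": fmt,
        "ext_mismatch": fmt != "text" and ext not in WORDPAD_EXTS,
        "reaches_converter": fmt in CONVERTER_FORMATS,
    }


# Constructed sample attachments (not real files from anywhere).
SAMPLES = {
    "notes.txt": b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Hello}",
    "report.doc": OLE_MAGIC + b"\x00" * 24,
    "letter.wri": struct.pack("<H", 0x31BE) + b"\x00" * 30,
    "readme.txt": b"Just a plain text file.\r\n",
}


def assess_all(samples=SAMPLES) -> list:
    """Run assess() over every sample and return the verdicts in order."""
    return [assess(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for verdict in assess_all():
        print(verdict)
```

The useful output is the `ext_mismatch` flag on `notes.txt`: a ".txt" on the trust list does not keep the RTF parser out of the picture, because the bytes, not the name, decide what runs. An attachment gateway that wants to approximate the on-access-scanner behaviour mentioned later in the thread would apply the same check before the file is ever written to the user's temp directory.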
