Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Word 0-day, recommended defenses. InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Word 0-day, recommended defenses.

Published: 2006-05-19
Last Updated: 2006-05-22 22:47:03 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
The diary about the targeted attacks using a zero-day exploit against Word triggered a lot of questions about how to defend against such an attack. We understand that many organizations can not do without Word documents, so here a few ideas on how to defend against these attacks.

Note that this is not a temporary situation that will blow over soon. Microsoft will release a patch against this problem in June, but even after that there are likely to be other attacks using other exploits. So let's think a bit beyond the next couple of days on how to defend your network.

  • User education is of course key, but likely insufficient. Attacks like that will use very plausible messages. Create some examples to re-emphasize this fact. "What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document". Teach users to double check out of band. "Do not open the document before calling the customer".
  • Do not trust Antivirus alone. Defending against 0-day is all about defense in depth. Antivirus is likely going to fail you for an exploit like that. Consider a system that quarantines attachments for at least 6-12 hours to allow anti virus signatures to catch up. This may not be acceptable for a lot of organizations, but in particular right now, with a known exploit, it may be a reasonable step.
  • Limit users' privileges. The particular sample we received will not run as a non-administrator user. It will be MUCH easier to clean up after an exploit like that if the user had no administrator rights.
  • Monitor outbound traffic. Your IDS and your firewall are as valuable to protect your network from malicious traffic entering as they are in protecting you against your corporate secrets leaving your network. Consider deploying "honey tokens", files with interesting names that contain a particular signature your IDS will detect.
  • Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate your clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
  • Limit data on desktops. Try to teach users to limit data they store "in reach". This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot as in this case. Locally encrypted files will work too (as long as they stay encrypted until used). Encrypted file systems will not help as they will be accessible to the user opening the word document.
Again. None of these techniques are perfect. Each one can be circumvented. But the more layers you can wrap your users in the better. Think what will work well in your organization. Personal firewalls on desktop? Traffic control with flowtools or ntop? What are the tools you already have that can be used for this purpose.

There are also some rather more radical "solutions" possible if you absolutely need to be sure that you can continue working independently of this 0-day (and the inevitable variants to follow soon):
  • consider additional filtering, for example using software which converts Word DOC format to something which cannot carry the virus, e.g. RTF.  Consider using the free wvWare library. You will lose formatting but that might be an acceptable bargain for e-mail incoming from outside your organisation.
  • consider the possibility of disabling Word and replacing it with OpenOffice until Microsoft releases patches.
Contributors: Johannes, Marc, Arrigo.


Another option might be to use the Microsoft Office viewer applications instead as your default, such as Word Viewer.  You can get more information about and download the viewer programs from Microsoft. The Word Viewer application is not vulnerable to this specific exploit.
0 comment(s)
Diary Archives