
Word Bug Shows Trend In File Format Hacks

The vulnerability in Microsoft Word is only the latest in a spreading trend that's seeing hackers probe for foibles and failings in file formats, a security firm says.
The vulnerability in Microsoft Word is only the latest in a spreading trend that's seeing hackers probe for foibles and failings in file formats, a security analyst from the company that first uncovered the Word bug said Wednesday.

"We're starting to see a trend in vulnerability discovery where people are going after file format vulnerabilities," said Michael Sutton, the director of iDefense Labs, the research arm of Reston, Va.-based security intelligence firm iDefense.

"There have been numerous vulnerabilities found in image file formats and multimedia file formats," Sutton went on. "Actually, the vulnerabilities don't exist in the files themselves, but in the programs that read and interpret them."

That's the case with the Word vulnerability that Microsoft disclosed Tuesday. According to Microsoft's security bulletin and iDefense's own analysis, a specially-crafted Word file (in .doc format) containing extra-long font data can cause Word 2000 and Word 2002 to fail, and give the attacker complete access to the machine.
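
As an added illustration (not code from Microsoft, iDefense or the original article), this is how a file reader can refuse an over-long font-name field instead of trusting it. The two-byte length prefix, the 32-byte limit and every name below are assumptions made for the example and do not describe the real .doc format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FONT_NAME_MAX 32   /* constructed limit for this example */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct font_record {
    char name[FONT_NAME_MAX + 1];   /* NUL-terminated on success */
    size_t name_len;
};

/*
 * Constructed record layout (NOT the real .doc format):
 *   bytes 0-1  name length, little-endian uint16, read from the file
 *   bytes 2..  name bytes, not NUL-terminated
 * The length field comes from the file, so it is checked against the bytes
 * actually present and against the destination buffer before any copy.
 */
int parse_font_record(const uint8_t *buf, size_t buf_len, struct font_record *out)
{
    if (buf == NULL || out == NULL || buf_len < 2)
        return PARSE_TRUNCATED;

    size_t claimed = (size_t)buf[0] | ((size_t)buf[1] << 8);
    /* The file claims more data than it actually contains. */
    if (claimed > buf_len - 2)
        return PARSE_TRUNCATED;

    /* The data is present but exceeds what the reader has room for. */
    if (claimed > FONT_NAME_MAX)
        return PARSE_TOO_LONG;

    memcpy(out->name, buf + 2, claimed);
    out->name[claimed] = '\0';
    out->name_len = claimed;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: the length field claims 200 bytes of font name. */
    uint8_t sample[2 + 200] = { 200, 0 };
    struct font_record rec;
    int rc = parse_font_record(sample, sizeof sample, &rec);
    printf("over-long record -> %d\n", rc);
    return rc == PARSE_TOO_LONG ? 0 : 1;
}
```

A reader that skips the second check and copies `claimed` bytes into the fixed-size `name` buffer is the kind of program-side flaw Sutton describes: the file is only data, and the damage happens in the code that interprets it.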

"If everyone plays by the [file format] rules, everything works fine," said Sutton. "But what happens if I don't follow that format? Does it crash the machine? That's what hackers are asking."

The reason why attackers are increasingly looking for file format processing flaws, said Sutton, is that users are leery about accepting executable files, and most enterprises have blocked them from arriving as incoming e-mail attachments. But the file formats now under attack -- such as .doc, .jpg, and .png -- are widely trusted and traded, and generally not blocked.

Although an exploit for this vulnerability will probably be trickier than usual and require some sort of social engineering angle -- since users will have to be talked into opening a .doc file -- Sutton doesn't think either is a barrier to hackers.

"Most people are very comfortable with the .doc format, so a message saying something like 'review this file and get back to me' would probably get them to bite, especially if it was a targeted message and supposedly came from someone they knew," added Sutton.

Solutions to the file format problem won't be quick or easy, Sutton said, because they'd involve the application owners, such as Microsoft, paying closer attention to possible misuse and recoding their software, or companies blocking ever more file formats from reaching users, or anti-virus vendors developing scanning technologies that examine document and image files for evidence of maliciousness.

Short term, said Sutton, users can expect even more such vulnerabilities as hackers shift from finding flaws through manual hit-or-miss techniques to tool-assisted searches that are partially automated.

For now, the best defense is the often-repeated advice to be wary when opening files, even from trusted sources. Anything more aggressive likely will do more damage than add to defenses.

"There's only so much you can do to block file formats like these," said Sutton. "Show me a company in the world that doesn't use Office. Blocking .doc would defeat the purpose of using e-mail for a lot of users."