My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

How to block Microsoft Word vulnerability, recommended defenses.

Myantispyware team, May 23, 2006

Microsoft will release a patch against this problem in June, but even after that there are likely to be other attacks using other exploits. So let’s think a bit beyond the next couple of days on how to defend your network.

  • User education is of course key, but likely insufficient. Attacks like this will use very plausible messages. Create some examples to re-emphasize this fact: “What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document?” Teach users to double-check out of band: “Do not open the document before calling the customer.”
  • Do not trust antivirus alone. Defending against 0-day attacks is all about defense in depth. Antivirus is likely going to fail you for an exploit like this. Consider a system that quarantines attachments for at least 6-12 hours to allow antivirus signatures to catch up. This may not be acceptable for a lot of organizations, but right now in particular, with a known exploit, it may be a reasonable step.
  • Limit users’ privileges. The particular sample we received will not run as a non-administrator user. It will be MUCH easier to clean up after an exploit like that if the user had no administrator rights.
  • Monitor outbound traffic. Your IDS and your firewall are as valuable for catching corporate secrets leaving your network as they are for protecting it from malicious traffic entering. Consider deploying “honey tokens”: files with interesting names that contain a particular signature your IDS will detect.
  • Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate your clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
  • Limit data on desktops. Try to teach users to limit the data they store “in reach”. This is a difficult balance. But a file on a remote system that requires additional authentication will likely not be accessible to a bot like the one in this case. Locally encrypted files will work too (as long as they stay encrypted until used). Encrypted file systems will not help, as they will be accessible to the user opening the Word document.
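
The honey-token item above, as an added Python example (not code from the original post or from the Internet Storm Center): it creates a decoy file carrying a random marker, builds a Snort-style rule for it, and checks outbound payloads for the marker both raw and inside base64-encoded data. The marker format, the file name and the rule's sid are assumptions made for illustration.

```python
from __future__ import annotations
import base64
import secrets

HEAD_DROP = (0, 2, 3)  # base64 chars that mix in 0, 1 or 2 preceding bytes

def make_marker() -> bytes:
    """Random marker that should never occur in legitimate traffic."""
    return b"HT-" + secrets.token_hex(12).encode()

def decoy_file(marker: bytes) -> tuple[str, bytes]:
    """Attractive file name and a body carrying the marker (both constructed)."""
    body = b"CONFIDENTIAL salary review\nReference: " + marker + b"\n"
    return "salaries_FINAL.txt", body

def base64_fragments(marker: bytes) -> list[bytes]:
    """Base64 substrings present whenever the marker sits inside encoded data.
    Base64 encodes 3-byte groups, so the marker's encoding depends on its
    offset modulo 3; characters that also encode neighbouring bytes are cut.
    """
    frags = []
    for offset in range(3):
        padded = b"\x00" * offset + marker
        enc = base64.b64encode(padded).rstrip(b"=")
        if len(padded) % 3:  # final char would also encode the next byte
            enc = enc[:-1]
        frags.append(enc[HEAD_DROP[offset]:])
    return frags

def scan_outbound(payload: bytes, marker: bytes) -> str | None:
    """Return "raw" or "base64" if the marker is in the payload, else None."""
    if marker in payload:
        return "raw"
    unwrapped = b"".join(payload.split())  # undo MIME line wrapping
    if any(frag in unwrapped for frag in base64_fragments(marker)):
        return "base64"
    return None

def ids_rule(marker: bytes, sid: int = 1000001) -> str:
    """Snort-style rule for the raw marker; the sid is a local placeholder."""
    return ("alert tcp $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Honey token leaving network"; content:"{marker.decode()}"; '
            f"sid:{sid}; rev:1;)")

if __name__ == "__main__":
    marker = make_marker()
    name, body = decoy_file(marker)
    print(name, ids_rule(marker), sep="\n")
    print(scan_outbound(base64.encodebytes(b"To: x\n" + body), marker))
```

The generated rule matches only the unencoded marker on connections the sensor can read; the three base64 fragments can be deployed as additional content signatures for mail attachments and similar encoded transfers.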

Again, none of these techniques are perfect. Each one can be circumvented. But the more layers you can wrap your users in, the better. Think about what will work well in your organization. Personal firewalls on desktops? Traffic control with flowtools or ntop? What tools do you already have that can be used for this purpose?

There are also some rather more radical “solutions” possible if you absolutely need to be sure that you can continue working independently of this vulnerability (and the inevitable variants to follow soon):

  • consider additional filtering, for example using software which converts Word DOC format to something which cannot carry the virus, e.g. RTF. Consider using the free wvWare library. You will lose formatting but that might be an acceptable bargain for e-mail incoming from outside your organisation.
  • consider the possibility of disabling Word and replacing it with OpenOffice until Microsoft releases patches.

Another option might be to use the Microsoft Office viewer applications instead as your default, such as Word Viewer. You can get more information about and download the viewer programs from Microsoft. The Word Viewer application is not vulnerable to this specific exploit.

Thanks to Internet Storm Center

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
