[tags]vulnerabilities,microsoft word, email attachments[/tags]
So far this year, a number of vulnerabilities in Microsoft’s Word have been discovered.  Three critical (“zero day”) vulnerabilities have been discovered—and as yet, unpatched—this month.  (Vulnerability 1, Vulnerability 2, and Vulnerability 3.)  These are hardly the first vulnerabilities reported for Word.  There has actually been quite a history of problems associated with Word documents containing malformed (or maliciously formed) content.

For years now, I have had my mailer configured to reject Word documents when they are sent to me in email and also send back an explanatory “bounce” message.  In part, this is because I have not had Word installed on my system, nor do I normally use it.  As such, Word documents sent to me in email have largely been so much binary noise.  Yes, I could install some converters that do a halfway reasonable job of converting Word documents, or I could install something like OpenOffice to read Word files without installing Word itself, but that would continue to (tacitly) encourage dangerous behavior by my correspondents.

People who send me Word documents tend to get a bounce message that points out that Word:

1. Is not a document interchange format—it is not designed for document transport
2. Is not installed on everyone’s machine, nor available for everyone’s machine
3. Not all versions of Word are compatible with each other
4. Results in huge, bloated, files for tiny content (such as memos)
5. And of course, Word is commonly a vector of viruses and malicious hacks.

If you want more details on this, including links to other essays, see my explanatory bounce text, as cited above.

The US-CERT has warned that people shouldn’t open unexpected Word documents in email.  As general policy, they actually warn not to open email with attachments such as Word documents appearing to be from people you know.  This is because malicious software may have infected an acquaintance’s machine and is sending you something infected, or the return address is faked—it may not be from the user you think!

If there was a mad bomber sending out explosives in packages, and you got a box with your Aunt Sally’s name on it, would you possibly pause before opening it?  Most people would, but inexplicably, those same people exhibit no hesitation in opening Word documents (and other executable content), thereby endangering their own machines—and often everyone in the same enterprise.

There is almost no reason to email Word documents!!  They certainly should be used in email FAR LESS than they currently are.

If you need to send a simple memo or note in email, use plain text (or RichText or even HTML).  It is more likely to be readable on most kinds of platform, is compact, and is not capable of carrying a malicious payload.

If you need to send something out that has special formatting or images, consider PDF.  It may not be 100% safe (although I know of no current vulnerabilities), but it is historically far safer than Word is or has been.  Putting it as an image or PDF on a local WWW site and mailing the URL is also reasonable.

If you must send Word documents back and forth (and there are other word processing systems than Word, btw), then consider sending plain RTF.  Or arrange a protocol so all parties know what is being sent and received, and be sure to use an up-to-date antivirus scanner!  (See the CERT recommendations.)

The new version of Word 2007 uses XML for encoding, and this promises to be safer than the current format.  That remains to be seen, of course.  And it may be quite some time before it is installed and commonplace on enough machines to make a difference.

You can help make the community safer—stop sending Word messages in email, and consider bouncing back any email sent to you in Word!  If enough of us do it, we might actually be able to make the Internet a little bit safer.

An additional note

So, what do I use for word processing?  For years, I have used TeX/LaTeX for papers.  Before that I also used troff on Unix.  I have used FrameMaker on both Mac and Unix, and wrote several books (including all three editions of Practical Unix Security et al.) with it.  I used ClarisWorks on the Mac for some years, and now use Apple’s Pages for many of my papers and documents.

I have installed and used Word under two extraordinary circumstances.  Once was for a large project proposal I was leading across 5 universities where there was no other good common alternative that we could all use—or that everyone was willing to use.  The second case was when I was on the PITAC and was heavily involved in producing the Cyber Security report.

However, I am back to using Pages on the Mac (which can import RTF and, I am told, Word), and LaTeX.  I’ve written over 100 professional articles, 5 books, and I don’t know how many memos and letters, and I have avoided Word.  It can be done.

Note that I have nothing against Microsoft, per se.  However, I am against getting locked into any single solution, and I am especially troubled at the long history of vulnerabilities in Word…which are continuing to occur after years and years of problems.  That is not a good record for the future.

[posted with ecto]