The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Word documents being used in new attacks


I have repeatedly pointed out (e.g., this post) to people that sending Word files as attachments is a bad idea. This has been used many, many times to circulate viruses, worms, and more. People continue to push back because (basically) it is convenient for them. How often have we heard that convenience trumps good security (and good sense)?

Now comes this story of yet another attack being spread with Word documents.

There are multiple reasons why I don’t accept Word documents in email. This is simply one of the better reasons.

If you want to establish a sound security posture at your organization, one of the things you should mandate is no circulation of executable formats—either out or in. “.doc” files are in this category. I am unsure if the new “.docx” format is fully immune to these kinds of things but it seems “.rtf” is.



Posted by Dr. InfoSec
on Wednesday, December 17, 2008 at 04:15 PM

Actually Gene, even RTFs are not safe. In the past week, Microsoft has warned of new attacks aimed at Wordpad and is said to be investigating.

See MS Bulleting MS08-072 and advisory 960906

Posted by Security the Monkey
on Wednesday, December 17, 2008 at 05:31 PM

Are you joking? No Word documents in or out?

Any security guy saying that at work would be a laughing stock.

How do you suggest we move documents around?

Security is there to support the needs of the business it is not an end in itself.

Posted by spaf
on Wednesday, December 17, 2008 at 09:11 PM

Actually, not joking at all.  Within the enterprise there are other ways to exchange documents, and many exchanges are unnecessary.

So long as we continue to believe that bad practice are necessary, we can’t progress on fixing them.

Posted by Andy Steingruebl
on Thursday, December 18, 2008 at 12:29 PM


What risk are you trying to counter? 

- People sharing executable content?
- People opening executable content from unsafe sources?
- The inherent risks of certain file formats?

Seems to me that banning all emailing of Word docs but then allowing something like a web portal for sharing Word docs still has the potential for passing around infections, right?

Switching to non-executable file formats sounds all well and good, and I’m sure people will adopt this as soon as these file formats work well enough to handle all of types of data sharing they want to do.

Sure we could all use a Wiki to share all of our data, but I’m not sure that would pass muster.

What threat are you trying to mitigate here?  It really isn’t clear what you’re proposing as a workable solution.

Leave a comment

Commenting is not available in this section entry.