Are we over-complicating plain text files, with disastrous results ?


24 replies to this topic

#1 palerider2

palerider2

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 13 June 2014 - 03:26 AM

Hey All, I wondered if anyone could help me understand why we have such a massive (and increasing) problem with infected documents or, more to the point, with specially-crafted documents.
 
First of all, it's becoming a larger problem, which means it was a smaller problem previously. And I would acknowledge upfront that that's probably a factor in why it hasn't had a more serious treatment.
 
But just to put this in perspective, let's compare a TXT file, an RTF file and one of the files that runs in WORD.
 
Can a notepad file be used as a vector for running arbitrary code ?
 
Can a wordpad file be used as a vector for running arbitrary code ?
 
Can a WORD file ... Yes, I know that one :)
 
And let me just say, I like the application WORD. I've used it a great deal. However I only ever use a small fraction of its capabilities and I think many other users are the same. Therefore this question also occurs to me:
 
What advantage accrues to the majority of WORD users to have all that functionality available to them, if it also exposes them to attack vectors ?
 
In a lot of cases a Rich Text document is perfectly adequate. For example, let's say that you want to send someone your CV or post it online. You could use Wordpad and produce a very nice-looking CV.
 
So I wonder if we've become complacent about how we process our (essentially) plain text documents..... leaving millions of users exposed to attack vectors, unnecessarily.

Edited by palerider2, 13 June 2014 - 04:41 AM.



#2 Kilroy

Kilroy

  • BC Advisor
  • 3,324 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:12:29 AM

Posted 13 June 2014 - 08:36 AM

Ease of use is the main reason to use an advanced word processor.  Sure you can create your CV in Wordpad, but it is much easier in Word.

 

From this video there is "technically" a remote code execution possible in Notepad, but the actual issue was with the Help function.  No one can say if there is a vulnerability for any specific piece of software, we can only say if there is a known vulnerability.  Look at OpenSSL, it had a vulnerability for over two years before the Heartbleed issue was found.

 

Basically complexity is the enemy of security.  The more complex something is, the more difficult it is to secure.  This is closely followed by Security is not convenient.  The more convenient something is, the more difficult, if not impossible it is to secure.



#3 wpgwpg

wpgwpg

  • Members
  • 1,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US of A
  • Local time:01:29 AM

Posted 13 June 2014 - 10:12 AM

 If you use Notepad or Wordpad, you don't get a spell checker for starters.  And there're a lot of other features in Word that're mighty handy and productive as Kilroy points out.  If you use a currently supported version of Office, and keep it up to date with MS updates, you can do pretty well security wise.  And I have to say of all the problems I see reported in the forums, I see very few reports of folks getting problems from .DOCX format files.  


Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#4 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 13 June 2014 - 03:42 PM

Ease of use is the main reason to use an advanced word processor.  Sure you can create your CV in Wordpad, but it is much easier in Word.

 

From this video there is "technically" a remote code execution possible in Notepad, but the actual issue was with the Help function.  No one can say if there is a vulnerability for any specific piece of software, we can only say if there is a known vulnerability.  Look at OpenSSL, it had a vulnerability for over two years before the Heartbleed issue was found.

 

Basically complexity is the enemy of security.  The more complex something is, the more difficult it is to secure.  This is closely followed by Security is not convenient.  The more convenient something is, the more difficult, if not impossible it is to secure.

 

But Notepad is such a simple program, so surely an editor can be written that doesn't have vulnerabilities. Maybe there's one somewhere in Freeware. This makes me wonder whether the vulnerabilities, in some cases, are due to the compiler, rather than code written by the software author.

 

I don't know if I have understood buffer overflow correctly. But is that where the application makes an empty buffer for the data file, loads from the file but the data file is larger than it said it was meant to be ? Then the application continues reading from the file, thus over-writing part of its own code with malware. Then executes from just after the end of the buffer.

 

I can see why complex programs are harder to secure and, especially so, if part of the issue is out of the hands of the author. I'm a bit unsure about the convenience issue though. Would you be able to say a bit more please Kilroy ? EDIT: Maybe you mean that convenience makes it easier for vulnerabilities to be exploited. If the vulnerabilities were dealt with the convenience issue would also go away.

 

 If you use Notepad or Wordpad, you don't get a spell checker for starters.  And there're a lot of other features in Word that're mighty handy and productive as Kilroy points out.  If you use a currently supported version of Office, and keep it up to date with MS updates, you can do pretty well security wise.  And I have to say of all the problems I see reported in the forums, I see very few reports of folks getting problems from .DOCX format files.  

 

That's true about spell-checker. It wouldn't be hard to change though, if there was a useful result coming out of it e.g. create a mini version of WORD, including spell-checker, that had no vulnerabilities.

 

Keeping up to date with the updates does not fix the problem, just ask a victim of cryptolocker.

 

The problem is that people click and open files that are of any document type, though it's possible that DOCX files are less susceptible. (Either that or they just haven't been targeted.)

 

Maybe someone can make a general comment on what's needed in order to eliminate the vulnerabilities. Certainly simpler seems to be a factor. Personally I'd happily accept something that's far less complex, if that was needed.

 

If I understood buffer overflow correctly, a solution would be to stop loading from file once the buffer was full and then throw an error. And hence no attack vector. But that doesn't happen in reality, so maybe there's more to it .....

 

Thanks for those replies.


Edited by palerider2, 13 June 2014 - 03:54 PM.
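The fix palerider2 sketches in the post above (stop loading from the file once the buffer is full, and report an error instead of carrying on) is exactly what a bounded loader does. The C below is an added example, written for this thread and not code from any poster or from any of the viewers mentioned; the buffer size, the status codes and the sample "documents" are constructed for the demonstration. The key point is that the loader never asks for more bytes than the buffer holds, whatever the file claims about its own size, and then probes for leftover data so an oversized file is refused rather than silently truncated.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer a hypothetical minimal viewer loads a document into.
   Deliberately small so the "file bigger than buffer" case is easy to hit. */
#define DOC_BUF_SIZE 64

/* Outcome of a load attempt (constructed status codes for this example). */
enum load_status { LOAD_OK = 0, LOAD_TOO_LARGE = 1, LOAD_IO_ERROR = 2 };

/* Bounded loader. It never requests more than DOC_BUF_SIZE - 1 bytes, no matter
   what the file says about its size, and if the stream still has data after
   that it returns an error instead of reading past the end of the buffer. */
enum load_status load_document(FILE *fp, char out[DOC_BUF_SIZE], size_t *out_len)
{
    size_t n = fread(out, 1, DOC_BUF_SIZE - 1, fp);
    if (ferror(fp)) {
        *out_len = 0;
        return LOAD_IO_ERROR;
    }
    if (fgetc(fp) != EOF) {            /* more bytes remain: the file does not fit */
        memset(out, 0, DOC_BUF_SIZE);  /* do not hand back a half-loaded document */
        *out_len = 0;
        return LOAD_TOO_LARGE;
    }
    out[n] = '\0';                     /* n <= DOC_BUF_SIZE - 1, so this is in bounds */
    *out_len = n;
    return LOAD_OK;
}

/* Convenience wrapper for demos and tests: write an in-memory byte string to a
   temporary file (ISO C tmpfile()) and load it back through load_document(). */
enum load_status load_from_bytes(const char *data, size_t len,
                                 char out[DOC_BUF_SIZE], size_t *out_len)
{
    FILE *fp = tmpfile();
    if (fp == NULL) {
        *out_len = 0;
        return LOAD_IO_ERROR;
    }
    if (fwrite(data, 1, len, fp) != len) {
        fclose(fp);
        *out_len = 0;
        return LOAD_IO_ERROR;
    }
    rewind(fp);
    enum load_status st = load_document(fp, out, out_len);
    fclose(fp);
    return st;
}

/* Stand-alone demo: a small constructed document and an oversized one. */
int main(void)
{
    char buf[DOC_BUF_SIZE];
    size_t n;

    enum load_status a = load_from_bytes("Curriculum vitae\n", 17, buf, &n);
    printf("small file: status %d, %zu bytes loaded\n", (int)a, n);

    char big[200];
    memset(big, 'A', sizeof big);      /* constructed: 200 bytes, larger than the buffer */
    enum load_status b = load_from_bytes(big, sizeof big, buf, &n);
    printf("oversized file: status %d, %zu bytes loaded\n", (int)b, n);
    return 0;
}
```

The probe with fgetc() is what turns "truncate silently" into "refuse the file": a viewer that only reads DOC_BUF_SIZE - 1 bytes is already safe from the overrun, but the user should be told the document was not fully loaded rather than being shown a fragment.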


#5 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 13 June 2014 - 04:39 PM

http://www.techsupportalert.com/best-free-text-editor.htm

 

Gizmo's list.

 

Some of these are small. Some support rich text. Some have spell-checker.

 

It doesn't solve the problem though if your default editor/WP has vulnerabilities.

 

EDIT: just as a guide to complexity, on my PC

 - notepad.exe     about 200 KB

 - wordpad.exe    about 4.0 MB


Edited by palerider2, 13 June 2014 - 04:53 PM.


#6 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 13 June 2014 - 07:01 PM

The ideal solution would perhaps be along these lines

- a small, totally secure DOC, DOCX, RTF viewer

- is the default app used when the above extensions are present

- doesn't support all the features of WORD

- warns the user if extended features are present in the source file

- but displays some or all of the plain text

 

The solution would also, ideally, be distributed by MS. But if there was a third-party source, IT managers would be on to it fairly quickly.

 

I'd welcome comments on any of the above but especially: 'small, totally secure'



#7 wpgwpg

wpgwpg

  • Members
  • 1,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US of A
  • Local time:01:29 AM

Posted 13 June 2014 - 07:46 PM

 I did a Google search for windows "word processor" and got over 10 million hits.  Let us know when you finish reading about them all.   :rolleyes:


Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#8 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:05:29 PM

Posted 13 June 2014 - 09:37 PM

Open Office (www.openoffice.org) is my choice. http://en.wikipedia.org/wiki/OpenOffice.org
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#9 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 13 June 2014 - 09:46 PM

 I did a Google search for windows "word processor" and got over 10 million hits.  Let us know when you finish reading about them all.   :rolleyes:

 

Haha. Won't be doing that. Don't want to stand on Gizmo's toes  :cowboy:

 

But you've got to think one of them either is or could be the answer with a little tweaking.

 

EDIT: What about this: http://www.syncdocs.com/2011/07/view-desktop-files-using-syncdocs/

"For one, you are protected from viruses and malware that can lurk in Microsoft Office and .pdf documents. The files are safely opened on the Google server, not on your PC."

 

 

Open Office (www.openoffice.org) is my choice. http://en.wikipedia.org/wiki/OpenOffice.org

 

It's very large as well though. Any comment on the reputation it has for security ? I haven't researched that yet.


Edited by palerider2, 13 June 2014 - 09:55 PM.


#10 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 13 June 2014 - 11:46 PM

The ideal solution would perhaps be along these lines

- a small, totally secure DOC, DOCX, RTF viewer

- is the default app used when the above extensions are present

- doesn't support all the features of WORD

- warns the user if extended features are present in the source file

- but displays some or all of the plain text

 

The solution would also, ideally, be distributed by MS. But if there was a third-party source, IT managers would be on to it fairly quickly.

 

I'd welcome comments on any of the above but especially: 'small, totally secure'

 

MS do have a document viewer application.

http://www.microsoft.com/en-us/download/details.aspx?id=4

 

So this meets some of the requirements. It's been provided for a different reason - it allows users to open, print and copy a large range of documents.

 

If MS were to cut down the functionality and reduce the application from 24 MB to something much smaller, then maybe they could make it bullet-proof.

 

A document viewer wouldn't need to have a spell-checker, for example.

 

EDIT: Here's a small DOCX viewer, size is less than 1.5 MB

http://www.docxreader.com/

and another which is 600 KB in size

http://www.epingsoft.com/docx/docxv.asp

 

This freeware opens a large range of document types and is 4 MB in size

http://officeviewers.com/

 

If some of the document types were excluded one presumes further size reductions would follow.

 

And here is AntiWord, with a size of 241KB (zipped)

I unpacked the zip file which generated 650 KB of data but the exe is 239 KB.

http://www-stud.rbi.informatik.uni-frankfurt.de/~markus/antiword/

The author's site : http://www.winfield.demon.nl/

"Antiword converts the binary files from Word 2, 6, 7, 97, 2000, 2002 and 2003 to plain text and to PostScript TM."

so it's not up to date, but it gives an idea of what can be achieved.

Whether it's immune to vulnerabilities who knows but you'd think something that small can be made pretty tough to break.

 

What do people think ?


Edited by palerider2, 14 June 2014 - 12:33 AM.


#11 Kilroy

Kilroy

  • BC Advisor
  • 3,324 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:12:29 AM

Posted 14 June 2014 - 01:26 PM

The problem is that software is written by humans and humans aren't perfect.

 

A buffer overflow is basically putting more information into the buffer than it was configured to hold.  This can result in overwriting code with your own code that can be executed later.  Steve Gibson explains it very well in Security Now! - Episode 39 - Buffer Overruns.

 

The most secure computer sits in a locked vault with no power, keyboard, mouse or monitor.  While it is secure, it isn't very useful.  Each step you make towards making the computer useful is a step that makes it less secure.  The same applies for software.  Every feature you add to a program is another opportunity to make a mistake that can be exploited.  As shown by the help feature being used to exploit Notepad.

 

Change and complexity are the enemies of security.  Changes made to fix a problem may introduce a new problem.  Every new feature has the opportunity to become a new flaw.



#12 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 14 June 2014 - 09:55 PM

The problem is that software is written by humans and humans aren't perfect.

 

A buffer overflow is basically putting more information into the buffer than it was configured to hold.  This can result in overwriting code with your own code that can be executed later.  Steve Gibson explains it very well in Security Now! - Episode 39 - Buffer Overruns.

 

The most secure computer sits in a locked vault with no power, keyboard, mouse or monitor.  While it is secure, it isn't very useful.  Each step you make towards making the computer useful is a step that makes it less secure.  The same applies for software.  Every feature you add to a program is another opportunity to make a mistake that can be exploited.  As shown by the help feature being used to exploit Notepad.

 

Change and complexity are the enemies of security.  Changes made to fix a problem may introduce a new problem.  Every new feature has the opportunity to become a new flaw.

 

Thanks very much for digging out that link to Buffer Overrun, Kilroy. I hadn't seen the full explanation, so now I see how the problem arises.

 

In the context of this thread what the developer would need to do is write this proposed safe document viewer from scratch or from a library of functions that contained none of the signed/unsigned INT mismatch errors. And you have to adhere to the API of any function that you call.

 

The discussion therefore moves to the next logical step. The question that arises :

 

Is it ever worth writing a bullet-proof application (with the manpower that's involved to avoid all buffer overruns) ?

 

If yes, is a safe document viewer for Windows of significant enough value to warrant doing that ?

 

How large would that application need to be ?

 

Without actually answering those questions (I seek opinions), I would call out these relevant points:

- maybe patches may have been released which neutralise the vulnerabilities that were used by CryptoLocker etc but other vulnerabilities will probably be found in WORD, so the whole cycle could restart at any time

- WORD is so prevalent on PCs that the number of possible victims remains huge

- lots of people use WORD for really simple everyday things

 

So there's still a huge potential problem around the corner. Maybe...

 

I must now confess that I haven't read all of the comments in the CryptoLocker etc threads and that's simply because they are really large. So I may have missed some useful fact e.g. another measure that's been put in place to mitigate the damage if anyone tried a stunt like CryptoLocker again.

 

Once again, thanks for bringing that Gibson archive to my attention. :)
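The "signed/unsigned INT mismatch" palerider2 mentions above is worth seeing in code, because it is how a length check that looks correct still lets an oversized copy through. The C below is an added example for this thread, not code from any poster, from Word or from any viewer named here; the container layout (a 4-byte little-endian "text length" field followed by the text), the buffer size and the sample files are all constructed for the demonstration. It places the flawed check beside the corrected one and shows the extraction step only ever running after the corrected check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed buffer the hypothetical viewer copies the document text into. */
#define TEXT_BUF_SIZE 256

/* Hypothetical container layout (constructed; not a real Word/RTF structure):
   a 4-byte little-endian "text length" field, then that many bytes of text. */
#define HDR_LEN 4

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed check: the signed/unsigned mismatch in miniature. The field is kept
   in a signed int, so a declared length of 0xFFFFFF00 becomes -256, the test
   "len > TEXT_BUF_SIZE - 1" is false, and a later copy of (size_t)len bytes
   (about 4 GB) would run straight past the buffer. The uint32_t -> int
   conversion is implementation-defined in C; mainstream compilers wrap it. */
bool naive_length_ok(const unsigned char *file)
{
    int len = (int)read_le32(file);
    if (len > TEXT_BUF_SIZE - 1)
        return false;
    return true;                    /* negative values slip through here */
}

/* Corrected check: keep the length unsigned, bound it by the buffer, and bound
   it by what the file actually contains, so the declared size can neither
   overrun the buffer nor read past the end of the input. */
bool checked_length_ok(const unsigned char *file, size_t file_len)
{
    if (file_len < HDR_LEN)
        return false;               /* no complete header */
    uint32_t len = read_le32(file);
    if (len > TEXT_BUF_SIZE - 1)
        return false;               /* would not fit, including the terminator */
    if (len > file_len - HDR_LEN)
        return false;               /* declares more text than the file holds */
    return true;
}

/* Copy the text into out. Returns its length, or -1 if the file is refused. */
int extract_text(const unsigned char *file, size_t file_len, char out[TEXT_BUF_SIZE])
{
    if (!checked_length_ok(file, file_len))
        return -1;
    uint32_t len = read_le32(file); /* already known to be <= TEXT_BUF_SIZE - 1 */
    memcpy(out, file + HDR_LEN, len);
    out[len] = '\0';
    return (int)len;
}

/* Stand-alone demo with two constructed files. */
int main(void)
{
    const unsigned char good[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    const unsigned char evil[] = { 0x00, 0xFF, 0xFF, 0xFF, 'x' };  /* length 0xFFFFFF00 */
    char out[TEXT_BUF_SIZE];

    printf("good: naive=%d checked=%d extracted=%d\n",
           naive_length_ok(good), checked_length_ok(good, sizeof good),
           extract_text(good, sizeof good, out));
    printf("evil: naive=%d checked=%d extracted=%d\n",
           naive_length_ok(evil), checked_length_ok(evil, sizeof evil),
           extract_text(evil, sizeof evil, out));
    return 0;
}
```

The second bound in checked_length_ok() is the one that is easy to forget: even a length that fits the buffer must not exceed the bytes actually present, or the copy reads past the end of the input instead of past the end of the output.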



#13 Kilroy

Kilroy

  • BC Advisor
  • 3,324 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:12:29 AM

Posted 15 June 2014 - 09:40 PM

The viruses that used to exist aren't what we have going on these days.  A virus had to be able to transfer from machine to machine, back in the day this was done by infecting the files and disks.  Then once networks became popular network vulnerabilities were used.  Starting with Windows XP SP2 the Windows Firewall was turned on by default making network attacks much less successful.  Now we are onto social engineering and making users open infected e-mail or going to infected web pages.  Most malware today uses social engineering or compromised websites to infect people.  Everyone used to think that porn sites were how people got infected, that is nowhere near the truth.  Sites that people trust: CNN, Yahoo, and many more.

 

I don't think you can write a bullet proof application, especially if it has to run on an operating system.  You can make your code as safe as possible, but maybe there is an issue with the API library you are using.  Our systems are too complex to make them 100% secure, we can only do a best effort.



#14 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 16 June 2014 - 02:25 AM

Now we are onto social engineering and making users open infected e-mail or going to infected web pages.  Most malware today uses social engineering or compromised websites to infect people.  Everyone used to think that porn sites were how people got infected, that is nowhere near the truth.  Sites that people trust: CNN, Yahoo, and many more.

Thanks for that, Kilroy. Yep, my problems started in 2009 with exactly the scenario you describe: social engineering and infected web pages. I was using IE at the time, unaware of any security issues. I wish I'd been following SecurityNow since 2006. What a lot of great information in those articles ! 

 

I don't think you can write a bullet proof application, especially if it has to run on an operating system.  You can make your code as safe as possible, but maybe there is an issue with the API library you are using.  Our systems are too complex to make them 100% secure, we can only do a best effort.

 

Surely, the size of the application is a factor though. And for a small application you might still have a vulnerability or two but you probably wouldn't have so many that you didn't bother fixing them until they were discovered. That seems to be the approach being taken with WORD. So maybe there is a case for a minimal DOC viewer which could be made secure over a relatively short period.

 

I noticed in the Gibson archive several interesting discussions. One of them discusses the TCP/IP stack which MS re-wrote before launching Vista.

 

As for being able to protect the PC, Chrome used to issue a warning if you elected to download a PDF. Now Chrome displays PDF files. One presumes Google is confident that this can be done safely. Probably because of the sandbox but I'm guessing.

 

I also stumbled across Data Execution Prevention in the Gibson archive. They reckon it would prevent all buffer overrun attacks if it was turned on.

 

I checked my 'surfing' PC and discovered that DEP was turned on for essential Windows programs and services only. I changed it to All programs and services. I presume that the default setting doesn't cover Office but it would be interesting to know. That seems a really useful prevention feature.

 

In MS bulletins where buffer overrun is being dealt with, why doesn't it say something like 'Users who run their PCs with DEP fully turned on would not be affected by this specific attack' ? 


Edited by palerider2, 16 June 2014 - 02:26 AM.


#15 Kilroy

Kilroy

  • BC Advisor
  • 3,324 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:12:29 AM

Posted 16 June 2014 - 08:54 AM

The problem with DEP is that it prevents poorly written programs from working.  When those programs are business critical you have no choice but to turn off DEP protection.

 

Sure, size is a factor.  The bigger something is, the more complex it is, and as stated previously complexity is an enemy of security.  My question to you is, how do you fix a vulnerability that hasn't been discovered?  You write the code, you debug the code, you test the code, and everything is working as intended as far as you are concerned.  Then along comes someone who does something that you hadn't even thought of doing, like entering two megabytes of information in the first name field.  The problem with finding problems with code is doing all of the unexpected things that may break it.

 

You might create a basic DOC file reader, but if it doesn't render the things that people want no one will use it, and so the feature creep begins.





