Secunia Defends its Word Worm Rating
The chief technology officer of security firm Secunia, which issued an "extremely critical" rating for a worm exploiting a previously undiscovered Word 2000 vulnerability, is defending his company's policies in the face of competitors who have rated the severity of the worm as "very low." He told BetaNews the warning was indicative of how severe the worm could be if it infected a user's system.
Secunia's Thomas Kristensen said the risk rating of a worm should not be confused with the critical rating of its vulnerability. Since a worm is not a virus, by design, it cannot propagate itself widely. As a result, he said, when one examines the world's networking environments as a whole, damage assessments from any worm become more limited, "in turn causing anti-virus companies to give it a fairly low rating."
"However, looking at the vulnerability itself," Kristensen continued, "the risk for the person or company with a vulnerable setup (Word 2000) is high, as it only requires a very limited amount of social engineering to encourage the average user to open a Word or Office document - the file can be disguised as other Office documents and still exploit the vulnerability. Furthermore, the exploit is available and is very easy to alter to serve a particular malicious purpose."
Viewed in that light, he said, such a vulnerability should not be treated as "alleged" or "possible." "There is a very good reason why other sources don't want to draw any conclusions," Kristensen stated. "They simply haven't tested the issue and analyzed the exploit."
A Microsoft spokesperson told BetaNews yesterday the company is currently studying the severity of the exploit, and advises users to follow its ongoing guidance plan, called "Protect Your PC." But Kristensen takes issue with Microsoft's oft-repeated contention that it should be difficult for users to be persuaded to open any Microsoft Office document they haven't seen before, or whose source cannot be verified.
These users have learned not to open executable files, he said, the filename extensions for which are many. Meanwhile, a malicious Office file cannot be recognized by its filename extension, so it becomes up to security policy to determine whether certain documents can or cannot be opened, which for both technical and social reasons is difficult for businesses to implement and enforce.
"In other words, anyone with this exploit could convince nine out of ten [users] to open a malicious Office document," said Kristensen, "and thereby compromise the client system, and bypass the corporate perimeter defense systems. Hence the rating of 'extremely critical.'"
Yesterday, a reader of the popular independent Internet Storm Center blog posted an update on the Trojan.MDropper.Q worm. The posting prompted the blog's author to write, "Generally my advice to users is not to open files that they are not expecting even if they know the person that sent the file, but this one has made me curious, what do other system admins recommend to their users? Do you have a policy on e-mail attachments? Is this policy automatically enforced?"