Exploit example: throw a Word doc through your Windows

By Nathan Larson
Published 23 Jan 2013

It should be common sense by now not to download and run an executable from an untrusted source. A Windows .exe file can do anything: delete files, erase hard drives, even exfiltrate data to an attacker. Even if it masquerades as the hot new timesucker (Tetris, Angry Birds, Fruit Ninja, etc.), while you're slashing virtual fruit with a virtual katana it could be acting like a dishonorable ninja and leaking real data in the background.

What is still not common sense is to be wary of other types of files. Documents and even images can allow an attacker to gain absolute access to your computer. It may be by inserting code into the file itself (e.g. VBScript), or by taking advantage of a vulnerability in an application with a malformed file, as you'll see below.
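As an added example (not code from the original article), here is a defender-side Python triage check of the kind a mail gateway or an HR workstation script could run before a document is opened: it flags an executable disguised with a document extension, and for a legacy .doc it verifies that the OLE compound file header is structurally sane. Field offsets follow the public MS-CFB header layout; the sample files are constructed inline and are not real documents.

```python
import struct

# OLE2 / Compound File Binary signature (legacy .doc), ZIP signature (.docx),
# and the MZ signature that every Windows executable starts with.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"


def triage_document(name: str, data: bytes) -> list:
    """Return a list of findings for a file that claims to be a Word document.

    An empty list means the container is not obviously lying about itself;
    it does not mean the file is safe to open.
    """
    findings = []
    ext = name.lower().rsplit(".", 1)[-1]
    if data.startswith(MZ_MAGIC):
        return ["executable (MZ) disguised with a document extension"]
    if ext == "docx":
        if not data.startswith(ZIP_MAGIC):
            findings.append(".docx is not a ZIP container")
        return findings
    if ext != "doc":
        return ["unexpected extension ." + ext]
    if not data.startswith(OLE_MAGIC):
        return [".doc lacks the OLE compound file signature"]
    if len(data) < 512:
        return ["file shorter than the 512-byte OLE header"]
    # MS-CFB header: byte order mark at 0x1C, sector shift at 0x1E,
    # mini sector shift at 0x20, all little-endian uint16.
    byte_order, sector_shift, mini_shift = struct.unpack_from("<HHH", data, 0x1C)
    if byte_order != 0xFFFE:
        findings.append("unexpected byte order mark 0x%04X" % byte_order)
    if sector_shift not in (9, 12):
        findings.append("sector shift %d is not 9 or 12" % sector_shift)
    elif (len(data) - 512) % (1 << sector_shift):
        findings.append("file size is not a whole number of sectors (truncated?)")
    if mini_shift != 6:
        findings.append("mini sector shift %d is not 6" % mini_shift)
    return findings


# Constructed samples: a minimal well-formed header plus one 512-byte sector,
# a header with a corrupted sector shift followed by junk, and an MZ stub.
GOOD_DOC = OLE_MAGIC + b"\x00" * 20 + struct.pack("<HHH", 0xFFFE, 9, 6)
GOOD_DOC += b"\x00" * (512 - len(GOOD_DOC)) + b"\x00" * 512
BAD_DOC = OLE_MAGIC + b"\x00" * 20 + struct.pack("<HHH", 0xFFFE, 3, 6) + b"A" * 700
FAKE_DOC = MZ_MAGIC + b"\x90" * 100
```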

Please note, this is not meant to pick on Microsoft or its Office suite. There are many vulnerabilities in open-source software such as Apache OpenOffice as well. This Word exploit is simply a convenient example.

Today you'll learn how easy it is to compromise Windows using a Word document. For many people, such as those in HR and employment recruiting, this should be cause to think twice before opening a resume someone sent you. (Although accepting resumes in PDF format is no better; Adobe Reader has its share of vulnerabilities as well.)

This attack takes very little work. First we'll look at what the target sees, then what the attacker did to make it happen.

The target's view

"Oh, what a lovely morning. Look, here's the resume I asked that promising software engineer who just graduated at the top of her class for. I'll save it to my Desktop so I don't lose it....

[Screenshot: Save file to desktop]

"Okay, now I'm ready to take a look at...

[Screenshot: Junk text in Word document]

"Oh no, there's just garbage in the document. I'll have to ask her to re-send it. I wonder if she's using an old version of Word; they never do make these things backward-compat--

[Screenshot: Fake attacker message]

"What's this?!? Word crashed and I've been infected!"

What could the target have done?

In order for this exploit to do its dirty work, a few things have to be true:

The attacker's view

Just how much work was done to get Word to execute an unauthorized application? The answer depends on whether the exploit has already been discovered. It takes a lot of work to figure out an exploit, involving some fuzzing and some reverse engineering. Once the hard work is done, the results are frequently uploaded to web sites such as Offensive Security's Exploit DB. It's a trivial matter for anyone to search for exploits for a target environment after that. The current example's exploit can be found here.

[Screenshot: Exploit database view]

A lazy attacker would search for an appropriate exploit, download the code, then run it per the instructions. In most cases, it's as easy as following a recipe. For this example, the exploit code is in Python, and simple to run:

[Screenshot: Running the exploit code]

Then the attacker sends the file to the target, and waits for the target to run the code. In a real-world attack, this might include making the target computer open a connection to the attacker's computer, allowing the attacker to gain control of the target to download sensitive files or gain a foothold to pivot deeper into the target's network.

This demonstration glosses over a number of details, which will be covered in subsequent articles. My purpose was to stress just how easy exploitation is, the importance of keeping your computer up to date, and safe computer use.