Oops! Missed One Fix — Windows Attacks Under Way
CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"
I don't understand (Score:5, Interesting)
Re:I don't understand (Score:5, Funny)
I wondered this as well, it couldn't very well be remote code execution or privilege escalation or anything like that, so I opened up the article. It appears that Wordp
Re: (Score:3, Informative)
Re: (Score:2, Funny)
Re:I don't understand (Score:5, Informative)
How can code in the wordpad text editor leave a machine vulnerable?
It can be used to execute a malicious program that makes the system vulnerable. Wordpad just works as a launcher for the malicious program.
Re:I don't understand (Score:5, Informative)
It's easier to get someone to open a .wri or .doc file than a .exe file.
Re:I don't understand (Score:4, Informative)
TextEdit can read and write word docs too. It supports rich text.
You know you are too much of a geek... (Score:2)
... when this:
Anyone stupid enough to get infected this way deserves everything Darwin can throw their way.
makes you ask "what does all this have to do with the OS kernel?"
Re: (Score:2)
Erm I have seen Notepad crash before. That puzzled me somewhat. :P
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Find/replace in Notepad on large files makes it look like I'm *really* busy on my computer at work. :-)
Re: (Score:3, Interesting)
Reminds me of my favorite notepad pseudo-easter egg. Type the words below in a new instance of Notepad, save it, close it, re-open it in Notepad and see what it does...
this app can break
Re:I don't understand (Score:4, Informative)
Re:I don't understand (Score:4, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
If anyone at this point doesn't get that you don't open anything, from anybody, no matter what, then you will probably learn that Darwin is harsh even to the innocent.
That's different from saying they deserve it. These people are victims of malicious intent. That's like saying anyone who helps a stranger on the street deserves to be robbed. It might happen and 'Darwin is harsh', like you said, but that doesn't make it deserved.
The logic of 'they deserve it' also lets the criminal off the hook. If someone gets what they deserve, it's hard to see why the person who perpetrated that is guilty of anything in a moral sense.
Since this sequence (embedding a virus and changing the name to .wri) pretty much requires malicious intent, then to be infected you'd be opening a .wri file from an unknown source.
You mean like a worm email that comes from a friend's
Re:I don't understand (Score:4, Insightful)
This attitude is why Microsoft products have such a poor record for stability and security.
Computers SHOULD be designed for people who have no knowledge of the intricacies of operating systems.
Computers SHOULD be designed to be safe for beginners to use.
Computers SHOULD be designed so an unintended error does not result in a compromised system.
Computers SHOULD be designed to be robust enough to use without fear.
Operating system progress has virtually halted for more than a decade because of the Windows monopoly. THAT is the problem here, not users trying to come to grips with a needlessly complicated and inconsistent tool.
I HATE the way Microsoft's evangelists have switched to this "blame the user" mentality to try to shift attention from their failures. It's hypocritical, dishonest, and most of all, it allows them to sit on their laurels and continue serving up variations of the same stale OS they've been facelifting for the past 15 years.
Re: (Score:3, Insightful)
Computers SHOULD be designed for people who have no knowledge of the intricacies of operating systems.
Depends on what they are going to do with them. See below.
Computers SHOULD be designed to be safe for beginners to use.
Yes, to use. But they will always need knowledgeable people to manage them, and any attempt to overcome this fundamental law of nature is doomed to cause lots of people to be infected by lots of malware.
Re:I don't understand (Score:5, Informative)
Re:I don't understand (Score:5, Funny)
This information is in the article, BTW.
In the what, now?
Re:I don't understand (Score:5, Informative)
The attacker sends you a .wri file in an email. By default this will be opened using WordPad. WordPad will attempt to decode the Word97 content of the .wri file and in doing so will trigger some sort of attack code (the article and security advisory are vague about this part).
Basically, don't open weird files that you find on the internet.
Re: (Score:3, Interesting)
Is it just me, or would this attack be impossible if Windows used MIME types correctly?
E.g. on Linux it generally doesn't matter what the file extension is; it always opens in the correct program, because the MIME type is used to determine the program and not the file extension.
Re:I don't understand (Score:5, Funny)
It's very simple, really; the attacker breaks into your home or office, knocks you unconscious with a blunt instrument, boots up your computer and opens Wordpad.
Re:I don't understand (Score:5, Funny)
Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.
Re: (Score:2, Insightful)
Wordpad is like Notepad, except it can actually parse UNIX line endings :) :)
Sigh, I tried to brighten up the situation. Yes, you're right, both are crappy and annoying as hell :)
Re: (Score:3, Informative)
Yeah, but it changes them to DOS format when you save, with no option to keep the UNIX line endings :(
Good thing vim has a windows version.
Re: (Score:3, Funny)
There, corrected that for you.
Re:I don't understand (Score:4, Informative)
Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.
Don't drop the files into the 'document area', drop them onto the 'menu bar' area and they'll open.
I f*cking hate wordpad, but it's the only thing that recognizes and saves unix line-endings and is installed on every windows box since the beginning of time.
Re: (Score:3, Insightful)
Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext
What do you expect? Wordpad is 13 years old now. Things can be very confusing at that age.
I would have expected a degree of maturity with age, rather than confusion. Like Linux and Solaris, both a little older than Wordpad and a damn sight more mature.
That's good thinking... (Score:5, Insightful)
Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.
Clever.
Re:That's good thinking... (Score:5, Informative)
Re:That's good thinking... (Score:5, Interesting)
Not at all. You see - exploits are only developed by analyzing patches. What you have here is a very advanced malware developer. For they had gazed on the patch and, instead of seeing the vulnerabilities being patched, they saw the one that was not. It's all very Zen.
Actually - it's not the first time [com.com] Microsoft's patch cycle has been gamed.
Re: (Score:2)
Is MS really serious about Patch Tuesday? E.g. if a hotfix for that issue is found, will they wait until Tuesday to release it? They fixed that server service issue before, outside the normal patching time, weeks ago.
no problem (Score:5, Funny)
::yawn:: nothing to see here, as usual. (Score:5, Informative)
From the article (I know, I know, Slashdot...), Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable. I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003 (which is quite popular), but for people at home, if your machine is up to date, you're fine.
So seriously, what's the big deal?
Re:::yawn:: nothing to see here, as usual. (Score:4, Insightful)
exploiting the weak link in the chain: your average user
Re:::yawn:: nothing to see here, as usual. (Score:5, Insightful)
I wouldn't really think long before opening a .wri file. I must admit. .wri doesn't have script etc. capability to start with.
I am sure most admins didn't set policies about .wri attachments like they did for .doc stuff either. It makes it a big threat since for most people, wri (or RTF) is basically styled text file, nothing else.
Re:::yawn:: nothing to see here, as usual. (Score:5, Informative)
Well, considering that like many businesses that rely on specialized pieces of software to function (mine in particular being a law firm), we have held off on deploying both XP SP3 and not even put thought into Vista because our document management software and change-tracking/metadata scrubbing software are incompatible with anything above XP SP2 for the moment.
We can't keep entirely up to date because it breaks the software my firm relies on, and replacing them isn't an option. From my experience at the law firms I've worked at, they move at one of two speeds: slowly or not at all.
Re: (Score:2)
Meh... just set your server to block all e-mails with .wri attachments and you should be ok as far as this particular exploit is concerned.
Re: (Score:2)
Re: (Score:2)
How many businesses do you estimate are still using this one particular format on their business-critical communications?
Re: (Score:2)
Quite a few. HP does, I know for a fact.
Re: (Score:3, Funny)
He did specify .wri attachments you know, but the axe thing is equally good in my books.
execution of arbitrary code via network .. (Score:2)
'Impact [securitytracker.com]: Execution of arbitrary code via network, User access via network'
"I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003", Shados
'"limited and targeted" attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter
Re: (Score:2)
Well I didn't miss it, people must not just think too much of us x64 folks, not only did I read the article but I had to read the security advisory to find out.
Affected Software - Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Re: (Score:2)
So it doesn't affect Windows 2000 (is there a 2k 64-bit? And if there is, does it have more than 3 drivers?). So basically, it affects non-updated 64-bit versions of XP, and Windows Server 2003...
So, a non-updated version of an OS that doesn't see much use because until recently, its driver support sucked (it's quite good now, but back then, ouch), and a version of Windows on which you shouldn't be spending time reading random documents (and it doesn't mention Windows Server 2003 R2... so it's possible that e
Re: (Score:2)
Re:::yawn:: nothing to see here, as usual. (Score:4, Informative)
If you have servers that old that you can't upgrade, that's fine (I mean, Win2k Server is still supported until 2010, I think? So that's fair).
Just be careful about what you do while you're logged in (as you always should on a server anyway). I agree it IS unacceptable for something like this to happen on a supported OS, but my original post merely pointed out that it's not like everyone will get hacked by doing nothing tomorrow. It only affects 2 versions of Windows if you're up to date, and only if you touch a malicious file. The people using these 2 versions still probably know what they're doing (I don't think grandma is using WinServer 2003).
Perhaps not, but... (Score:2, Funny)
I don't think grandma is using WinServer 2003
My grandmother still uses Windows ME. I have suggested she update, even offered to do it for her, but she resists, laboring under the delusion that the entire interface would change as drastically as the last time when she switched from an old Mac (and I mean old) to her current machine. I would insist, but at her current rate of adoption she won't actually connect it to the internet before the sun burns down to an ember... All that aside, my gran still uses an outdated version of Windows you insensitive cl
Re: (Score:2)
Details to come... (Score:5, Funny)
WordPad? (Score:2)
Are .rtf files now unsafe on Windows?
Re: (Score:2)
Re: (Score:3, Informative)
Actually it's .wri files, which haven't been savable in Windows since 3.1.
You can rename or Save As to whatever.wri in any version of Windows. To broaden the susceptible audience, .wri will likely be used in an attack because it is always associated to the
Inferring from the content of the advisory at http://www.microsoft.com/technet/security/advisory/960906.mspx [microsoft.com], the extension and format really doesn't matter, except to the extent you can get Wordpad to open the file. It would also work with a .doc extension, but only if you don't have Word installed (which is not vulnerable).
Re: (Score:2, Interesting)
Are .rtf files now unsafe on Windows?
Btw, the answer is yes, they are unsafe on Windows, if you want to keep them safe move your .rtf files to a Linux machine asap. But they are not vulnerable to this exploit.
Re: (Score:2)
Re: (Score:2)
Are .rtf files now unsafe on Windows?
Probably not. The article specifically mentions renaming Word documents to have a .wri extension. Sounds like the formats are the same, and it takes no stretch of the imagination to think that a Word document might house malicious code.
The formats are not the same. The flaw is in the code that converts the Word doc to a format that WordPad can understand. The exploit only requires getting the user to open the file in WordPad.
You don't "have" to give it a .wri extension. Giving it the .wri extension just makes it easier since the windows file associations will cause explorer to choose WordPad instead of relying on the user to do it.
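The mail-server rule suggested earlier in the thread (block all .wri attachments) and the point just made here (the extension doesn't matter, only whether WordPad ends up opening the file) together call for a check that looks at the attachment's bytes rather than its name. The following C program is an added example, not code from this thread or from Microsoft: it classifies an attachment by its leading bytes and quarantines both any .wri attachment and any Word 97 (OLE2 compound document) container that arrives under a name other than its expected extensions, which is exactly the renaming trick described above. The OLE2 signature D0 CF 11 E0 A1 B1 1A E1 is the well-known one; the Windows Write identifier 0xBE31/0xBE32, the allow-list of extensions and the sample attachments are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What the leading bytes say a file is, regardless of its name. */
enum doc_kind { DOC_UNKNOWN = 0, DOC_OLE2 = 1, DOC_WRITE = 2 };

/* OLE2 compound-document signature: the container used by Word 97 .doc files
 * (and by .xls/.ppt of the same era). */
static const unsigned char OLE2_MAGIC[8] = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};

/* Extensions under which an OLE2 container is expected (assumed allow-list). */
static const char *const OLE2_OK_EXT[] = {".doc", ".dot", ".xls", ".ppt"};

/* Constructed sample attachments for the demo and the checks. */
static const unsigned char SAMPLE_OLE2[16]  = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0, 0, 0, 0, 0, 0, 0, 0};
static const unsigned char SAMPLE_WRITE[16] = {0x31, 0xBE, 0x00, 0x00, 0xAB, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
static const unsigned char SAMPLE_TEXT[]    = "Hello, plain text";

enum doc_kind sniff_kind(const unsigned char *buf, size_t len)
{
    if (buf == NULL) return DOC_UNKNOWN;
    if (len >= sizeof OLE2_MAGIC && memcmp(buf, OLE2_MAGIC, sizeof OLE2_MAGIC) == 0)
        return DOC_OLE2;
    /* Windows Write files start with wIdent 0xBE31 (0xBE32 when OLE objects are
     * embedded), stored little-endian as 31 BE / 32 BE. Assumption used here. */
    if (len >= 2 && buf[1] == 0xBE && (buf[0] == 0x31 || buf[0] == 0x32))
        return DOC_WRITE;
    return DOC_UNKNOWN;
}

/* Case-insensitive "name ends with ext". */
static int has_ext(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (n < e) return 0;
    const char *tail = name + (n - e);
    for (size_t i = 0; i < e; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)ext[i])) return 0;
    return 1;
}

/* Gateway policy: 1 = quarantine, 0 = deliver.
 *  - any .wri attachment is held (the thread's server-side rule);
 *  - an OLE2 container under a name other than its expected extensions is
 *    held, since renaming is how such a file reaches WordPad. */
int should_quarantine(const char *name, const unsigned char *buf, size_t len)
{
    if (name == NULL) return 1;
    if (has_ext(name, ".wri")) return 1;
    if (sniff_kind(buf, len) == DOC_OLE2) {
        for (size_t i = 0; i < sizeof OLE2_OK_EXT / sizeof OLE2_OK_EXT[0]; i++)
            if (has_ext(name, OLE2_OK_EXT[i])) return 0;
        return 1;
    }
    return 0;
}

int main(void)
{
    struct { const char *name; const unsigned char *buf; size_t len; } att[] = {
        {"report.wri", SAMPLE_OLE2,  sizeof SAMPLE_OLE2},   /* Word 97 doc renamed to .wri */
        {"notes.wri",  SAMPLE_WRITE, sizeof SAMPLE_WRITE},  /* genuine Write file, held by the rule */
        {"memo.doc",   SAMPLE_OLE2,  sizeof SAMPLE_OLE2},   /* Word doc under its own name */
        {"memo.txt",   SAMPLE_OLE2,  sizeof SAMPLE_OLE2},   /* OLE2 container disguised as text */
        {"readme.txt", SAMPLE_TEXT,  sizeof SAMPLE_TEXT},   /* plain text */
    };
    for (size_t i = 0; i < sizeof att / sizeof att[0]; i++)
        printf("%-12s kind=%d quarantine=%d\n", att[i].name,
               (int)sniff_kind(att[i].buf, att[i].len),
               should_quarantine(att[i].name, att[i].buf, att[i].len));
    return 0;
}
```

Because .xls and .ppt of that era share the OLE2 container, the allow-list, not the signature alone, decides what is delivered; a real gateway would feed the attachment's decoded body into should_quarantine and would probably also hold OLE2 containers that a Word viewer could open from the web, as another comment in the thread notes.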
Corrupt Memory, and it works on server 2003 (Score:4, Informative)
The info page shows that it does indeed affect Server 2003, one of the more popular versions out there, as noted by another comment.
Re:Corrupt Memory, and it works on server 2003 (Score:5, Informative)
If you have an MSDN Subscription and are a developer, that's actually your best bet (well, now it's Windows Server 2008, which is superior in every way, but...)
Windows Server editions have been better desktops than their actual "home" or "professional" editions for a while. The only drawback is they are harder to set up initially (2003 and 2008 are fairly locked down by default), and that they have higher hardware requirements (but use the hardware better). Oh, and the price, of course (but if you use it for development purposes, you can use the MSDN version. Even without that, it's expensive, but it's not 10 grand either).
Add that some stuff only works on Windows Server (let's say, Sharepoint), and unless you feel like running Windows XP or Vista only to spend 99% of your time in a VM, Windows Server is a vastly superior option.
OMG! RLY? How will the human Race Survive?!?!?11 (Score:3, Informative)
Control Panel - Folder Options - File Types - WRI - Edit - Open - Change to Microsoft Word.
Problem solved.
Next!
Re:OMG! RLY? How will the human Race Survive?!?!?1 (Score:2)
Will you pay the MS Office price for people who don't have it installed?
Re: (Score:2)
In that case, I hear OO.org can open .wri files.
Re: (Score:3, Informative)
I'd recommend Abiword for "Wordpad" fans: http://www.abisource.com/download/ . It is not a "build from source" thing; it is tiny and comes with an installer. Of course, it is a full-featured word processor, not a crippled "Write".
MS figured people happily use Write for their everyday stuff and even offices, so they crippled it and shipped "Wordpad"; the naming itself is like "This is like Notepad, use real Word for writing things".
Just install all of the plugins package, it does open and even save them.
This is an exploit for IE (Score:2)
AFAI understood this is an IE exploit. So you expect ppl. that use IE to do that?
ALL versions of Windows? (Score:2)
Not according to the article. From the second paragraph:
In an advisory posted yesterday, Microsoft said that "limited and targeted" attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. The flawed converter handles Microsoft Word 97 files on Windows 2000 Service Pack 4 (SP4), XP SP2, Server 2003 SP1 and SP2. Newer versions of Windows -- XP SP3, Vista and Server 2008 -- are not vulnerable to the bug, however.
Re: (Score:2)
It would seem I've been beaten to the punch, but I really don't see how the submitter managed to misunderstand the article on such a basic level, with the editor(s) not catching it either.
Re: (Score:2)
but I really don't see how the submitter managed to misunderstand the article on such a basic level, with the editor(s) not catching it either.
Well, if you think the submitter and editors are halfway smart and cynical, then you would think they knew that the vast majority of Windows users are not even at risk but put up the story anyway because it fits their agenda.
On the other hand, if you think they truly are drooling idiots, then the submitter probably only read the headline of the article, and the editors only half-read the submission before posting it instead of articles that are likely much more interesting.
Lame excuse for not doing my homework ... (Score:2)
So tomorrow, instead of telling my teacher, "the dog ate my homework," I can tell her, "WordPad ate my homework, and had the rest of my computer for dessert!"
It didn't work with, "the cat ate my gym suit" either.
Like This Was a Shock. (Score:2)
Now the hackers really do have Microsoft on their side!
Here's the Exploit Code (Score:2, Interesting)
It's all about the timing (Score:3, Insightful)
Re:WordPad exploitable? (Score:4, Informative)
Send a specially crafted word document (i.e. code embedded) and trick the user into opening it with WordPad (i.e. using the .wri file extension).
Re:WordPad exploitable? (Score:5, Informative)
It's not remotely exploitable. From the article, a user has to open a maliciously crafted file. So it's just the fairly typical exploit where a document viewer poorly handles documents it can open.
It needs user interaction to work; someone has to open a file that they don't trust (I guess it MAY be possible to trick a user into opening the file from the web, since there is a Word viewer that potentially uses the same file converter that is responsible for the exploit).
Also, XP SP3, Vista and WinServer 2008 aren't vulnerable at all.
Re:WordPad exploitable? (Score:5, Insightful)
People know not to open executable files (.exe) and even for more obtuse executables (.scr, .cmd) most systems and mail clients are smart enough to warn that it's executable content.
For data files like .jpg or .wri, neither the user nor the system probably considers the file dangerous. So these types of exploits should be considered more dangerous than the completely idiotic "e-mail people virus executables".
Especially considering many of these viruses propagate through address books (i.e. trusted contacts).
But yes, at least it's not a completely automatic remote exploit.
Re: (Score:2)
People know not to open executable files (.exe) and even for more obtuse executables (.scr, .cmd) most systems and mail clients are smart enough to warn that it's executable content.
Which people are you referring to then? Surely not the average user.
Re:WordPad exploitable? Just click (Score:4, Funny)
You mean all someone has to do is click on an attachment called "biggest breasts ever.wri"? Oh, NOBODY would be that dumb!
Re: (Score:3, Informative)
No. Someone has to click an attachment called "biggest breasts ever.wri" while, at the SAME TIME, running a non-updated version of Windows, Windows 2000, or Windows Server 2003. You reduce your attack vector by a significant amount here.
Re: (Score:3, Funny)
... while, at the SAME TIME, running a non-updated version of Windows, Windows 2000, or Windows Server 2003.
Does it have to be with the same hand?
j/k
Re:WordPad exploitable? Just click (Score:5, Funny)
I'd put a notice at the top of the file. "This naughty image is only compatible with the following versions of Windows: ..."
I'm sure many victims would kindly downgrade as needed to make my exploit work.
Re: (Score:2)
Yeah...you DO have a point there...
Re:WordPad exploitable? (Score:4, Insightful)
IIRC Wordpad can handle some embedded objects in .rtf (and other??) files. I'm guessing the exploit takes advantage of a vulnerability with one of those embedded types or the handling of them.
Just a guess, and I'm posting before reading.
Re: (Score:2)
"do you send them a malformed .txt file?"
Yes.
Windows 2000 and I think some versions of XP had a way to get a BSOD using type and a malformed text file, so why not?
Actually I think you have to send a malformed DOC or RTF since it is in the file converter utility, but I am not sure.
Doesn't affect me since I have OO for docs and RTF and Notepad++ for .txt files.
Re: (Score:2)
Nothing happened...
Re: (Score:2)
It doesn't do anything. I was expecting something a little more fun than deleting a file.
Re: (Score:2)
In that case, run cmd and type the following:
debug
a
int 18
int 3
(blank line)
g
It's a little more fun than deleting a file, and I bet you've never seen that error before.
Re: (Score:2)
*blink*
I don't have a Windows box to test on so....
This generates a "Privileged Instruction" error, followed by triggering a hardware breakpoint?
Re: (Score:3, Informative)
This type of bug relies on "glitches" in the memory management (simplifying it a bit...) of the program, not on any high-level misses in the actual mechanisms of the code. Any program written in a programming language without automatic memory management can be exploited in this way, if the programmer "misses his step" somewhere. They can also be devilishly hard to find, because data can be structured and handled in memory in very complex and abstract ways.
Re:WordPad exploitable? (Score:5, Informative)
Word files are not binary executables. They are (pre OOXML) binary file formats. I don't know what the exact exploit is (probably some sort of buffer overflow) but the idea is to craft a Word document such that it contains executable code and exploits the flaw in wordpad that causes the executable code to execute.
Re:WordPad exploitable? (Score:5, Informative)
Wordpad does not have the capability to execute those macros, because it does not have an embedded VBA interpreter. The macros are binary gibberish without the VBA runtime, much like a Perl file is just text without the Perl interpreter.
Re: (Score:2)
FTFY
Re: (Score:2)
It's probably the buffer overflow condition that Java Pimp described.
Re: (Score:2, Insightful)
No, it must be a buffer overflow that results from reading the file. Applications can't be made to do things they were not designed to do, but they can be used as tangential attack vectors [wikipedia.org] by forcing them to interact with malicious data.
Don't open unrequested email attachments from strangers and stop running Windows under an admin account, and you'll effectively eliminate the chances of being hit by something like this. These "attacks" are mostly social engineering anyway.
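The remarks above about "glitches in the memory management" of a program written without automatic memory management, and about a buffer overflow that results from reading the file, describe a class of bug rather than a specific one, and the thread never learns the WordPad converter's actual record layout. The following C program is an added example, not code from this thread or from Microsoft: a hypothetical converter record with a 2-byte length prefix, parsed once with the length field trusted as the file supplies it and once with it validated against the bytes actually present and the destination buffer. The record format, the function names and the sample records are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 64  /* capacity of the converter's fixed output buffer */

/* Hypothetical record layout (constructed for this example, not WordPad's):
 *   bytes 0-1 : text length, little-endian
 *   bytes 2.. : text
 */

/* Unchecked converter: trusts the length field that came from the file.
 * If the file claims more bytes than `out` can hold, memcpy writes past the
 * buffer; if it claims more than the input actually contains, memcpy reads
 * past the input. This is the class of defect the thread is discussing. */
int convert_record_unchecked(const uint8_t *in, size_t in_len, char *out)
{
    (void)in_len;  /* the defect: the real input size is never consulted */
    uint16_t len = (uint16_t)(in[0] | (in[1] << 8));
    memcpy(out, in + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Hardened converter: every value read from the file is validated against
 * both what is actually present and the destination capacity before any copy.
 * Returns the text length, or -1 on a malformed record. */
int convert_record_checked(const uint8_t *in, size_t in_len, char *out, size_t out_cap)
{
    if (in == NULL || out == NULL || out_cap == 0) return -1;
    if (in_len < 2) return -1;                    /* header is incomplete */
    uint16_t len = (uint16_t)(in[0] | (in[1] << 8));
    if (len > in_len - 2) return -1;              /* claims text the file does not hold */
    if (len >= out_cap) return -1;                /* would not fit, terminator included */
    memcpy(out, in + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a record whose header may lie about its length (constructed test data).
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t make_record(uint8_t *buf, size_t cap, uint16_t claimed_len,
                   const uint8_t *text, size_t text_len)
{
    if (buf == NULL || cap < 2 + text_len) return 0;
    buf[0] = (uint8_t)(claimed_len & 0xFF);
    buf[1] = (uint8_t)(claimed_len >> 8);
    if (text_len > 0) memcpy(buf + 2, text, text_len);
    return 2 + text_len;
}

int main(void)
{
    uint8_t rec[256];
    char out[TEXT_MAX];

    /* Well-formed record: both converters agree. */
    size_t n = make_record(rec, sizeof rec, 5, (const uint8_t *)"hello", 5);
    printf("checked   : %d (%s)\n", convert_record_checked(rec, n, out, sizeof out), out);
    printf("unchecked : %d (%s)\n", convert_record_unchecked(rec, n, out), out);

    /* Header claims 65535 bytes but only 4 follow: the hardened parser refuses.
     * The unchecked converter is deliberately never called on this record. */
    n = make_record(rec, sizeof rec, 0xFFFF, (const uint8_t *)"AAAA", 4);
    printf("lying len : %d\n", convert_record_checked(rec, n, out, sizeof out));

    /* 100 bytes really present, but the 64-byte output cannot hold them. */
    uint8_t fill[100];
    memset(fill, 'A', sizeof fill);
    n = make_record(rec, sizeof rec, 100, fill, sizeof fill);
    printf("too long  : %d\n", convert_record_checked(rec, n, out, sizeof out));
    return 0;
}
```

The two rejections are different failures: the first is a read past the end of the input (the file lies about how much follows), the second a write past the end of the output (the file is honest but larger than the fixed buffer). A converter has to check both, and the check has to happen before the copy, which is the part that is easy to miss in the complex, deeply nested layouts the comment above describes.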
Re: (Score:2)
Properly implement sudo (kdesudo, etc.) in a version of Windows that doesn't suck and I might.
Fedora bug .. (Score:2)
You must be the only one, I googled on it and got only the one hit [linuxquestions.org]
"Fedora Core people, are you listening ?!"
Was it you that posted the question ?
Re: (Score:2)
I found the same link, and it helpfully tells you to edit xml in certain places. As root. It's not that I can't do it, it's just that it reminds me of how 2009 isn't going to be the year of Linux on the desktop (again).
Re:Fedora bug .. (Score:4, Informative)
That's a lot more user-friendly than Windows.
Linux: "There's a problem. If you're technically able, here is a fix."
Windows: "There is a problem. You're boned, sorry."
Re:Terrorist computer virus infects hospitals (Score:4, Informative)
They don't have such a chance to make it non-vulnerable unless they scrap backwards compatibility entirely.
A more mad solution would be the thing Apple did. Run the older OS in a virtual machine in its own thread (TruBlue, MacOS Classic support).
MS can't take such big decisions so, anything claimed for Windows 7 is a joke. If one can run Wordpad from XP in Windows 7, it is not secure.
Re: (Score:3, Funny)
You programmers better go back to school and start figuring out how to write code that doesn't fucking suck!
I'll get right on that chief. And I asked you to hold the pickles on this burger.
Re: (Score:3, Insightful)
To be fair, this comes from a legacy component of Windows, that was not only written long ago, but is also not vulnerable in the latest versions. So they DID learn, just too late.
It does remind me of the Twilight Princess exploit on the Wii though. With all the trouble game companies go to DRM their shit to hell and beyond, one of their programmers didn't check bounds while reading the save file (not checking bounds when reading a fucking FILE, WHAT THE FUCK), and it got pwned. So Nintendo defeated its own
Re: (Score:3, Funny)
It's 2009 where you live? What timezone is that?!