
Oops! Missed One Fix — Windows Attacks Under Way 292

Posted by timothy
from the don't-blame-microsoft-alone dept.
CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009."

Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"
  • I don't understand (Score:5, Interesting)

    by veganboyjosh (896761) on Wednesday December 10, 2008 @03:36PM (#26065399)
    How can code in the wordpad text editor leave a machine vulnerable? Can someone explain this in a way that's not super technical? Faulty code in a browser, or similar, I can understand.
    • by Anonymous Coward on Wednesday December 10, 2008 @03:40PM (#26065463)

      I wondered this as well, it couldn't very well be remote code execution or privilege escalation or anything like that, so I opened up the article. It appears that Wordp

      • Re: (Score:3, Informative)

        Surely not a remote exploit, must be some sort of password retrieval (siw.exe) or something used to compromise a network or else it would not be so "critical". Now would be a good time to peek at the leaked Windows NT code from 2004...
    • by V!NCENT (1105021) on Wednesday December 10, 2008 @03:41PM (#26065481)

      How can code in the wordpad text editor leave a machine vulnerable?

      It can be used to execute a malicious program that makes the system vulnerable. Wordpad just works as a launcher for the malicious program.

    • by show me altoids (1183399) on Wednesday December 10, 2008 @03:45PM (#26065547)
      It has to trick the user into opening a Word 97 file with Wordpad, which can be done by changing the extension of the file to .wri. So as long as you don't open any attachments to bogus email, you'll be OK. This information is in the article, BTW.
    • by Anonymous Coward on Wednesday December 10, 2008 @03:46PM (#26065583)

      The attacker sends you a .wri file in an email. By default this will be opened using WordPad. WordPad will attempt to decode the Word97 content of the .wri file and in doing so will trigger some sort of attack code (the article and security advisory are vague about this part).

      Basically, don't open weird files that you find on the internet.

      • Re: (Score:3, Interesting)

        by cheater512 (783349)

        Is it just me or would this attack be impossible if Windows used mime types correctly.

        E.g. On Linux it generally doesn't matter what the file extension is, it always opens in the correct program due to the mime type being used to determine the program and not the file extension.

    • by Anonymous Coward on Wednesday December 10, 2008 @04:14PM (#26065979)

      It's very simple, really; the attacker breaks into your home or office, knocks you unconscious with a blunt instrument, boots up your computer and opens Wordpad.

  • by Loibisch (964797) on Wednesday December 10, 2008 @03:36PM (#26065401)

    Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.

    Clever.

    • by moderatorrater (1095745) on Wednesday December 10, 2008 @04:38PM (#26066347)
      They've been doing this for over a year now at least. It's the greatest weakness in Patch Tuesday and shows how monopolies are often caught between a rock and a hard place. Corporations demand a set cycle for patches, but if you do that then the attackers can optimize their attacks so that they arrive one month from when the next patches come out. It's a lose-lose situation for them.
    • by _Sprocket_ (42527) on Wednesday December 10, 2008 @04:47PM (#26066467)

      Not at all. You see - exploits are only developed by analyzing patches. What you have here is a very advanced malware developer. For they had gazed on the patch and, instead of seeing the vulnerabilities being patched, they saw the one that was not. It's all very Zen.

      Actually - it's not the first time [com.com] Microsoft's patch cycle has been gamed.

    • by Ilgaz (86384)

      MS is really serious about Patch Tuesday? E.g. if a hotfix to that issue is found, will they wait until Tuesday to release it? They fixed that server service issue before, outside normal patching time, about weeks ago.

  • no problem (Score:5, Funny)

    by gEvil (beta) (945888) on Wednesday December 10, 2008 @03:37PM (#26065419)
    Pffff. What could possibly happen in only a month?
  • by Shados (741919) on Wednesday December 10, 2008 @03:39PM (#26065451)

    From the article (i know I know, slashdot...), Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable. I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003 (which is quite popular), but for people at home, if your machine is up to date, you're fine.

    So seriously, what's the big deal?

    • by ed.mps (1015669) on Wednesday December 10, 2008 @03:49PM (#26065627) Homepage

      Microsoft said that the WordPad converter bug requires some help from the user, who must be tricked into actually opening a malicious file -- most likely delivered as an e-mail attachment.

      exploiting the weak link in the chain: your average user

    • by AGSHender (696890) on Wednesday December 10, 2008 @03:50PM (#26065629) Homepage

      Well, considering that like many businesses that rely on specialized pieces of software to function (mine in particular being a law firm), we have held off on deploying both XP SP3 and not even put thought into Vista because our document management software and change-tracking/metadata scrubbing software are incompatible with anything above XP SP2 for the moment.

      We can't keep entirely up to date because it breaks the software my firm relies on, and replacing them isn't an option. From my experience at the law firms I've worked at, they move at one of two speeds: slowly or not at all.

      • Meh... just set your server to block all e-mails with .wri attachments and you should be ok as far as this particular exploit is concerned.

        • by Detritus (11846)
          Why not just take an axe to the office router? Not accepting mail with attachments would have the same effect in many businesses.
          • ... to block all e-mails with .wri attachments ...

            How many businesses do you estimate are still using this one particular format on their business-critical communications?

          • Re: (Score:3, Funny)

            by jaxtherat (1165473)

            He did specify .wri attachments you know, but the axe thing is equally good in my books.

    • "Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable", Shados

      That's two out of four not affected ..

      'Impact [securitytracker.com]: Execution of arbitrary code via network, User access via network'

      "I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003", Shados

      '"limited and targeted" attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter .. If exploited, a hacker could gain the same rights on a PC as
    • by Mashiki (184564)

      Well I didn't miss it, people must not just think too much of us x64 folks, not only did I read the article but I had to read the security advisory to find out.

      Affected Software - Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

      • by Shados (741919)

        So it doesn't affect Windows 2000 (is there a 2k 64 bit? and if there is, does it have more than 3 drivers?). So basically, it affects non-updated 64 bit versions of XP, and Windows Server 2003...

        So, a non-updated version of an OS that doesn't see much use because until recently, its driver support sucked (it's quite good now, but back then, ouch), and a version of Windows on which you shouldn't be spending time reading random documents (and it doesn't mention Windows Server 2003 R2...so it's possible that e

  • by Anonymous Coward on Wednesday December 10, 2008 @03:40PM (#26065467)
    I will shortly be posting more details on this exploit in Wordpad format. Stay tuned!
  • Are .rtf files now unsafe on Windows?

    • Actually it's .wri files, which haven't been savable in Windows since 3.1.
      • Re: (Score:3, Informative)

        by Madball (1319269)

        Actually it's .wri files, which haven't been savable in Windows since 3.1.

        You can rename or Save As to whatever.wri in any version of Windows.
        Inferring from the content of the advisory at http://www.microsoft.com/technet/security/advisory/960906.mspx [microsoft.com] , the extension and format really doesn't matter, except to the extent you can get Wordpad to open the file. It would also work with a .doc extension, but only if you don't have Word installed (which is not vulnerable). To broaden the susceptible audience, .wri will likely be used an attack because it is always associated to the

    • Re: (Score:2, Interesting)

      by MiniMike (234881)

      Are .rtf files now unsafe on Windows?

      .rtf? RTFA!

      Btw, the answer is yes, they are unsafe on Windows, if you want to keep them safe move your .rtf files to a Linux machine asap. But they are not vulnerable to this exploit.

  • by nathan.fulton (1160807) on Wednesday December 10, 2008 @03:57PM (#26065735) Journal
    When you're running everything as root, everything can be exploitable. And it looks like this is a character set or file format converter, which is considerably more than simple typing and copy/paste (the extend.) From the Security Focus [securityfocus.com] page (discussion tab), it looks like it could be a buffer overflow ("prone to a remote code-execution vulnerability because of...corrupted memory.")

    The info page shows that it does indeed affect Server 2003, one of the more popular versions out there, as noted by another comment
  • by Real1tyCzech (997498) on Wednesday December 10, 2008 @04:14PM (#26065989)

    Control Panel - Folder Options - File Types - WRI - Edit - Open - Change to Microsoft Word.

    Problem solved.

    Next!

    • Will you pay MS Office price to people who don't have it installed?

      • In that case, I hear OO.org can open .wri files.

        • Re: (Score:3, Informative)

          by Ilgaz (86384)

          I'd recommend Abiword for "Wordpad" fans. http://www.abisource.com/download/ , it is not a "build from source" thing, it is tiny and comes with an installer. Of course, it is a full feature Word processor, not a crippled "Write".

          MS figured people happily use Write for their everyday stuff and even offices so they crippled it and shipped "Wordpad", the naming itself is like "This is like Notepad, use real Word for writing things".

          Just install all of the plugins package, it does open and even save them.

    • AFAI understood this is an IE exploit. So you expect ppl. that use IE to do that?

  • Not according to the article. From the second paragraph:

    In an advisory posted yesterday, Microsoft said that "limited and targeted" attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. The flawed converter handles Microsoft Word 97 files on Windows 2000 Service Pack 4 (SP4), XP SP2, Server 2003 SP1 and SP2. Newer versions of Windows -- XP SP3, Vista and Server 2008 -- are not vulnerable to the bug, however.

    • It would seem I've been beat to the punch, but I really don't see how the submitter managed to misunderstand the article on such a basic level, with the editor(s) not catching it either.

      • but I really don't see how the submitter managed to misunderstand the article on such a basic level, with the editor(s) not catching it either.

        Well, if you think the submitter and editors are halfway smart and cynical, then you would think they knew that the vast majority of Windows users are not even at risk but put up the story anyway because it fits their agenda.
        On the other hand, if you think they truly are drooling idiots, then the submitter probably only read the headline of the article, and the editors only half-read the submission before posting it instead of articles that are likely much more interesting.

  • So tomorrow, instead of telling my teacher, "the dog ate my homework," I can tell her, "WordPad ate my homework, and had the rest of my computer for dessert!"

    It didn't work with, "the cat ate my gym suit" either.

  • So many people saw this coming when Microsoft announced monthly updates. Hackers were obviously going to wait until patch Wednesday to start using new exploits because they now know that they're going to have a full month to use it before MS patches --- and to make things even worse, Microsoft is going to soft-pedal the severity of the attacks so that users don't get too worried.

    Now the hackers really do have Microsoft on their side!

  • by Radhruin (875377)
    Here's the exploit code referenced in the article update... The second one apparently works on Vista, too. http://www.milw0rm.com/exploits/7403 [milw0rm.com] http://www.milw0rm.com/exploits/7410 [milw0rm.com]
  • by rderr (539778) <robjderr.yahoo@com> on Wednesday December 10, 2008 @10:27PM (#26070071)
    Patch Tuesday, exploit Wednesday. -Rob
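
Several comments above describe the delivery path as a Word 97 document renamed to .wri so that WordPad opens it, and one suggests blocking .wri attachments at the mail server. The following is an added example, not part of the original discussion, of a mail-gateway check that applies both ideas: it quarantines .wri attachments and any attachment whose content starts with the OLE2 compound-file header (the container Word 97 uses) under a non-Office extension. The function names, the extension lists and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# OLE2 compound-file signature; Word 97 .doc files start with these bytes.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Extensions where OLE2 content is expected (assumed list, adjust per site).
OLE2_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt", ".msg", ".msi"}
# Policy choice taken from the thread: refuse .wri outright.
BLOCKED_EXTENSIONS = {".wri"}


def inspect_attachments(raw_message: bytes):
    """Return (filename, reason) for every attachment to quarantine."""
    findings = []
    msg = message_from_bytes(raw_message)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension"))
        elif payload.startswith(OLE2_MAGIC) and ext not in OLE2_EXTENSIONS:
            # Content type and name disagree: a renamed Office document.
            findings.append((name, "OLE2 content under a non-Office extension"))
    return findings


def build_sample() -> bytes:
    """Constructed message: attachments hold only the header plus zero padding."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("constructed sample")
    ole2 = OLE2_MAGIC + b"\x00" * 24
    for filename, data in [("report.doc", ole2), ("notes.WRI", ole2),
                           ("readme.txt", ole2), ("todo.txt", b"plain text")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in inspect_attachments(build_sample()):
        print(f"quarantine {name}: {reason}")
```

As one comment points out, the same file under a .doc name still reaches WordPad on machines without Word installed, so a filter like this narrows the delivery path but does not replace the patch.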
