
Microsoft Warns of Zero-Day Attacks

Posted by Soulskill
from the welcome-to-tuesday dept.
wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."

  • by suso (153703) * on Tuesday November 05, 2013 @10:30PM (#45342011) Homepage Journal

    Don't they already put that warning on the box?

    • It's not on the box... it's in the EULA!

      (On the box.. sheesh... Not enough room for the warnings on there...)

    • Re: (Score:3, Insightful)

      It is like Microsoft Windows doesn't even try to be secure. It isn't too incredibly hard for executables to be unable to hammer system files if a modicum of sandboxing was involved. An example would be if applications couldn't touch things outside their installed directory. There would be a specific protocol for communication between different installed apps. This should have been done back in the win98 era. Because applications are not secure, everyone is paranoid about downloading an untrusted .exe.
      • Re:Already there (Score:4, Interesting)

        by mstefanro (1965558) on Tuesday November 05, 2013 @10:58PM (#45342143)

        I have been saying this for ages. It is embarrassing that the concept of "antivirus" still exists.
        Its main purpose is to enforce a huge blacklist of .exe files that can harm you. Instead
        of keeping track of millions of apps that are evil, why not just apply some least privilege
        principles and sandboxing already so that we can run an application without granting it
        access to all our resources?

        It comes as no surprise that everything gets moved to the web nowadays. One can safely
        open a website without worrying that all his personal data can be accessed (such as Firefox
        stored passwords). On the other hand, opening an application requires complete trust in the author,
        which is simply too much to ask most of the time. Look how well "apps" have evolved in mobile
        platforms. It is quite natural to prefer apps to websites, because it can be easier to have something run on startup
        and be easily accessible whenever you want, as opposed to having to go through a browser. They
        generally have less overhead and are more powerful. If Windows had a decent package manager
        and proper privilege separation we would probably be living in a different world today.

        For anyone who claims stuff like "but Windows has UAC", obligatory xkcd: http://xkcd.com/1200/ [xkcd.com]

        • Re:Already there (Score:5, Informative)

          by recoiledsnake (879048) on Wednesday November 06, 2013 @12:56AM (#45342645)

          You just described Windows RT.

        • by smash (1351)

          It's called code-signing, and every time someone suggests it, the /. crowd are up in arms about how you're not free to run what you want on your own computer, conveniently disregarding the idea that you can sign code yourself.

          And yes, it's the only real solution.

          • by stooo (2202012)

            Code signing? This does not remove exploitable holes in that cleanly signed (but shitty) code.

            • by smash (1351)
              No, but it does stop exploitable code from being used to set up un-signed executables to run on boot, etc. Sure, the code can be exploited in memory, but if you try and modify any executable on disk, the signature will break and the code won't run by default. Makes it much harder for a virus to set itself up permanently on the machine, and much more difficult to spread via infecting executables.
            • Antiviruses are blacklisting, code signing is whitelisting. Both bad solutions in a world
              where we have so many apps that keeping track of all of them is very difficult.
              Besides, code signing does not solve the problem of too relaxed permissions. In the
              situation presented in the article, MS Office is a signed piece of software.

          • Code signing is far from a panacea. It only works well in a world where there is a clear divide between things that are programs and things that are data. It doesn't help if you sign your interpreter (for Python, VBA, JavaScript, whatever), if there's no requirement that you also sign all of the inputs.

            And code signing would do nothing to prevent vulnerabilities of this nature, where a bug in a library permits arbitrary code execution. This can be prevented with fine-grained sandboxing (if every TIFF im

            • It certainly *is* feasible. The problem is mostly embedded executable code. Not interpreted code, but machine code. Bad scripts are a minor irritation in comparison. A process is already *supposed* to be a sandbox. It would help tremendously if executable pages weren't mutable. There are alternatives for things like JIT. And yes, these things aren't free. But they're well understood and have been used for decades in security sensitive applications. These days that category should include desktop computing.
              • Even if a process were a complete sandbox, this kind of attack would barely be mitigated, because an exploit in a library allows running arbitrary code (you might want to look up return oriented programming, if you think avoiding code generation helps you). At this point, the person who has sent you an email with a .tiff attachment now has complete control of your mail client.
                • All these things have existing solutions. These exploits usually get triggered by buffer overruns. Don't put buffers on the stack. Stack smashing etc. require the ability to manipulate the stack. Having a separate call stack and local variable stack solves many of these exploits. Seriously, I'm sure the iSeries was never penetrated. Windows and other popular OSes could be much more robust.
            • by smash (1351)

              Nah, of course it's not a panacea, but it does provide reliable "whitelisting". If you were to combine it with application sandboxing, then at least any vulnerability in the app is contained within the sandbox, and you know the code hasn't changed since it was signed.

              Some of the more advanced malware inspection engines now (e.g., FireEye) do full VM execution of incoming content and post-mortem analysis before giving a pass or fail.

        • Anti-virus is mostly just for fixing "stupid".

          People demand that they have full control of their machines, Microsoft be damned.
          The same people click "OK" no matter what pops up, even if it says "Clicking OK will destroy your computer".
          Hence, anti-virus has become the politically correct way of saying anti-stupid program.

      • by ruir (2709173)
        Why should they, killing the lucrative AV industry?
      • by fuzzyf (1129635)
        The real problem is with the x86 architecture. As long as it's possible to hijack threads and inject code to running processes it doesn't matter what the filesystem allows or not.

        Creating a secure system would need a different architecture to begin with. The way the stack is handled in x86 is just asking for buffer overflow exploits.
        • And what's to stop someone writing code injection for x64/ARM/MIPS/PPC/68k/others? What's to prevent implementing the x86 stack behaviour on x64/ARM/MIPS/PPC/68k/others?
      • by mcgrew (92797) *

        It's funny, just yesterday I was having a slashdot conversation with someone who was talking about Microsoft's "superior QA", a day after the slashdot story about W8.1 breaking mice and other stuff.

        I clicked on the story expecting to see a Windows problem (I still have W7 on this notebook, too lazy to install kubuntu) and it turns out I'm safe; I don't use IE or MS Office (I'm using Oo to write my books).

      • This is why MS wants to move everyone to Metro and phase out win32.

    • by ArsonSmith (13997)

      Windows is fine if you don't read emails or browse the web.

    • Microsoft Warns of Zero-Day Attacks
      Use Linux.

      • Right, because libtiff (and libpng and libjpeg) have never had security issues on Linux that allow a maliciously crafted image to execute arbitrary code. (Hint for those that don't get sarcasm: search the CVE database for any of those and filter by arbitrary code execution vulnerability)
  • WOW (Score:4, Insightful)

    by noh8rz10 (2716597) on Tuesday November 05, 2013 @10:36PM (#45342037)

    So when the summary says "the attacker would have to convince the user..." what they really mean is that it would happen automatically with no user interaction. I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned. This sounds like it would be an XP thing, but since it applies to Office 2007 and 2010, presumably it applies to Windows 7 as well?

    I bet NSA is pissed, because one of their favorite pwnage tools is now public :(

    • by ljw1004 (764174)

      No, the advisory said that it affects Vista and Server2008.

      It explicitly says that Win7, Win8, Win8.1, WinRT, Server2008-R2 and Server2012 are unaffected.

      Caveat: although I work at Microsoft, I know nothing about this alert other than what I read in TFA.

      • by yuhong (1378501)

        Unless you are using Office or Lync, which have their own copy of GDI+. Office 2010 only uses its own copy when running under XP, though, unlike older versions, and 2013 doesn't support XP at all, so it doesn't have its own copy anymore.

      • by mjm1231 (751545)

        So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?

        • Re: (Score:2, Informative)

          by Anonymous Coward

          So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?

          You are not affected, you are not software. Your OS, Windows 7, is not affected, as explicitly stated. One of your programs, Office 2010, is affected, as explicitly stated.

    • I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned.

      And how many people do you know that still open emails from unrecognised strangers? Before you can get people to open a malicious email you have to get past their spam filters (or, at least the filters their mail server uses) and make the recipient think it's a valid email. (Yes, I know that there are people who just open everything that comes in, but I think you get my point.) However, from what
      • by khasim (1285)

        From the summary:

        To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content.

        So all that is really necessary is to set up a web server and post something enticing in forums like Slashdot.

        https://en.wikipedia.org/wiki/Pwn [wikipedia.org]

        Once that is accomplished then the cracker waits for web hits. Once you've been cracked he would search your computer for anything resembling an email address and attempt t

      • by noh8rz10 (2716597)

        But with most email programs, even when you select the message it automatically shows in the preview pane. So if I select it in order to delete it, it shows in the preview and BAM. Or if I delete the adjoining message, the focus shifts to that message, and BAM. It's not all about (l)users here.

      • by smash (1351)
        I would suggest that probably 99.9% of the non-nerd population open emails from unrecognised strangers. Especially when you include those with a spoofed return address or other obfuscation.
        • by smash (1351)
          Additionally, to delete a message within outlook you must click on it first. Which means if you have the preview window displayed, it will be parsed and displayed in the preview window.
      • by noh8rz10 (2716597)

        Maybe a good compromise is an email client feature that shows you text-only previews of messages. Then you can see what the message says without getting exposure to any of this junk. Thoughts?

    • Anyone who uses Outlook preview pane can be infected by any image or font based vulnerability without even opening the infected e-mail. The preview pane is a huge security hole and it should be removed as a feature, or at least disabled by policy.
      • by noh8rz10 (2716597)

        There's some merit to your argument, but the fact that Windows has images and fonts that can own your system is beyond absurd.

        A compromise solution is that the preview pane shows text-only previews. That keeps the majority of the productivity, and should close these holes we speak of. Thoughts?

        • but the fact that Windows has images and fonts that can own your system is beyond absurd.

          It is absurd, but let's not pick on Windows. Both OS X and *NIX systems have suffered from similar vulnerabilities in libtiff, libpng (lots!), libjpeg (almost as many) and FreeType (too many to count). The problem was that all of these were written with the assumption that you could trust the input data and that performance was the primary concern. Now, computers are so fast that no one would notice a 50% slowdown in most of these (although they would in an H.264 decoder, which is another popular vector)

        • by smash (1351)
          They've still had exploitable bugs in the HTML parser, which would need to run through the email to convert it into text if it was not a plaintext email.
  • I'm getting awfully tired of exploits from MicroSquishy that I can't do anything to block. If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines.

    Fortunately I don't *trust* Windows at all after the last time I got burned, so I do *all* my surfing with Linux/Debian. The *only* time I ever hit the internet from the Windows box is to download software updates or installs.

    • Re: (Score:3, Informative)

      I guess Linux has never and never will [arstechnica.com] have any security exploits possible against it. So yeah, good luck with that [google.ca]. And to anyone else who thinks using Linux online is the end all and be all for security. No system is safe.
      • by msobkow (48369)

        Had this been a Linux bug, the patches would have been out tonight.

        • Guess you didn't read the first link.
      • Considering that every time a Linux attack appears on Slashdot, it turns out that the user has to purposely install something with elevated privileges beforehand, I'm not too worried.

    • by couchslug (175151)

      " If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines. "

      Google "Digital River Windows 7 ISOs".

      • by msobkow (48369)

        Mod parent "Informative".

        Thanks. Downloading now. I've been half-panicked for almost a year that I don't have install media.

        • by Menkhaf (627996)

          If you liked that, you'll like to know that you can remove the ei.cfg file from the iso to convert it into a universal iso. There are multiple tools for it, but I've just used rm in the past (granted, the media I used was a USB stick). Here's one such tool: http://code.kliu.org/misc/winisoutils/ [kliu.org]

          Note that your license still has to match the type you select during installation. I have no idea why Microsoft insists on having so many different isos when they could just have one universal iso...

  • So... (Score:4, Insightful)

    by msobkow (48369) on Tuesday November 05, 2013 @10:49PM (#45342091) Homepage Journal

    They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?

    Kudos. That's the laziest response to a vulnerability I've ever heard of.

    • I'm much more concerned that to disable a codec, you have to create a new registry key for GDIPlus, then add "DisableTIFFCodec" specifically to disable Windows-wide the built-in TIFF rendering.

      There's not a whitelist so that you can search for what's enabled - there's a hidden key that is queried every time a Microsoft application *starts* so that if it is already running making the change has no effect.

      That it is called "DisableTIFFCodec" - I'm not even sure what the words are to properly object to that.
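
As an added illustration of the workaround the comment above objects to (example script, not code from the thread, the advisory, or Microsoft), the following PowerShell audits the GDI+ "DisableTIFFCodec" value and optionally applies it. It assumes the value lives under HKLM:\SOFTWARE\Microsoft\Gdiplus as a DWORD set to 1 and must be written from an elevated prompt; verify the path against the advisory's manual workaround before relying on it.

```powershell
# Added example, not from the thread or from Microsoft.
# Assumption: the workaround is HKLM:\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec (DWORD) = 1.
# Side effect (as the comment notes): TIFF rendering is disabled Windows-wide for GDI+ users;
# delete the value to roll back.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName  = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # 'Disabled' when the workaround is in place, 'Enabled' otherwise.
    # A missing key or value means the codec is still active (the default).
    $props = Get-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props -or $props.$ValueName -ne 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-TiffCodecDisabled {
    # Creates the key (it does not exist by default) and writes the DWORD.
    # Honors -WhatIf so the change can be previewed; needs an elevated session.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $GdiplusKey)) {
        New-Item -Path $GdiplusKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$GdiplusKey\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -Path $GdiplusKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-ProcessesWithGdiplus {
    # The value is read when an application starts (the comment above makes this point),
    # so processes that already have gdiplus.dll loaded keep rendering TIFFs until restarted.
    Get-Process | ForEach-Object {
        try {
            if ($_.Modules.ModuleName -contains 'gdiplus.dll') { $_.Name }
        } catch { }   # access denied on protected or cross-bitness processes is expected
    } | Sort-Object -Unique
}

$state = Get-TiffCodecState
Write-Output "DisableTIFFCodec workaround: $state"

if ($Apply -and $state -eq 'Enabled') {
    Set-TiffCodecDisabled
    Write-Output "DisableTIFFCodec workaround now: $(Get-TiffCodecState)"
    $running = Get-ProcessesWithGdiplus
    if ($running) {
        Write-Warning "Already running with GDI+ loaded, restart to pick up the change: $($running -join ', ')"
    }
}
```

Run without arguments to audit; add -Apply -WhatIf to see what would be written before committing the change.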

  • NSA agents have been busy last month sending Word documents to the critical staff of major foreign companies.
  • Microsoft and zero-day attacks go together like .... 2 things that go together really well.

  • With the shape of security in the IT industry right now, I expect the patch to address this will end up bricking 20% of the servers that apply it.

  • by Trailer Trash (60756) on Tuesday November 05, 2013 @11:22PM (#45342255) Homepage

    "To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content."

    Thankfully it's proven difficult over the years to get a Windows user to do any of those things....

  • Just today I was telling someone you would have to pay me to go back to Windows.

    Mint 15 and damn happy.
  • by Gravis Zero (934156) on Wednesday November 06, 2013 @12:40AM (#45342583)

    "Microsoft released an advisory today warning users about a new zero-day flaw that we'll fix when we damn well feel like it. The digital holy war is targeting the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Some Failed Skype Imitation. The problem exists in our poorly written TIFF reader. To exploit the vulnerability, an attacker will email you and when you open it, you are fucked. It will download and install malware and there is nothing you can do about it. The vulnerability affects those new versions of Office that we insisted you needed to upgrade to and Shoddy Server 2008 and Windows 7 - 1. Right now, opening a Microsoft Word document could ruin your week or your month."

  • Using EMET [microsoft.com] provides additional layers of protection against this kind of thing.
    • by drinkypoo (153816)

      Using EMET provides additional layers of protection against this kind of thing.

      So does not running Windows. If Microsoft has additional layers of security for Windows, perhaps they should make them part of Windows.

      • by nuckfuts (690967)

        Using EMET provides additional layers of protection against this kind of thing.

        So does not running Windows.

        Ah, the predictable refrain of a MAC/Linux fan...

        If Microsoft has additional layers of security for Windows, perhaps they should make them part of Windows.

        I think in the case of EMET, it is not part of Windows by default because it uses techniques that may not be compatible with every Windows application. It also requires a bit more technical knowledge to deploy than, say, antivirus software.

        • by drinkypoo (153816)

          Ah, the predictable refrain of a MAC/Linux fan...

          Any system which is working properly is predictable.

          I think in the case of EMET, it is not part of Windows by default because it uses techniques that may not be compatible with every Windows application. It also requires a bit more technical knowledge to deploy than, say, antivirus software.

          Windows is already not compatible with every Windows application. If it requires more technical knowledge to deploy than antivirus software, then Microsoft isn't working hard enough on it. Is this another product they bought from someone and ruined, like say wolfpack?

          • by nuckfuts (690967)

            Look, I'm just pointing out a lesser-known resource that's available for people who might be interested. I'm not interested in partaking in yet another tedious bout of Windows bashing on Slashdot. Others have already mentioned that Windows is not the only operating system to be exploited by maliciously crafted data files.


            • by drinkypoo (153816)

              Others have already mentioned that Windows is not the only operating system to be exploited by maliciously crafted data files.

              Right. Many of us object to any closed-source operating system for this among other reasons.
