Black Hat Talk Demonstrates New Document Exploits
darthcamaro writes "Remember the days of the viruses embedded in email attachments? They're coming back, according to a pair of researchers talking at Black Hat this week: '"If you have installed all Microsoft Office patches and there are no 0 day vulnerabilities, will it be safe to open a Word or Excel document?" TT asked the audience. "The answer is no."'"
Is this really news? (Score:3, Insightful)
Anybody worth their salt knows that any attachment can be dangerous. You can hide all sorts of things in them. Especially for files that allow arbitrary things to be embedded in them, like Word documents.
Well duh... (Score:4, Funny)
Of course it's not safe to open the document. It could be a "Starbuck should be a dude" rant.
Re: (Score:3, Funny)
"Starbuck should be a dude"
Sir, we're going to have to ask you to leave. Turn in your man card at the front office. You can pick it up on monday at the Men's Rules Enforcement Department off 7th street. You'll need to explain to them why you, as a heterosexual male, asked to replace a hot female actress with a pudgy male one. Depending on your answer, there may be a fine.
Thank You,
The Internetz
Re: (Score:2)
Dear Internetz,
I promise to make it up with lots of Kara/Lee fanfic.
Kisses,
OCL
Re: (Score:2)
Why he gotta be pudgy? Can't he be a hot Jack Harkness-style Starbuck?
Some of us long for the days when the only women in science fiction were the ones with three breasts on the cover of Del Ray paperbacks.
Three nicely-shaped breasts.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1, Funny)
Of course, even if Linux just had a Yes/No dialog, I could click "yes" until I'm blue in the face and my system would never get a sin
Re: (Score:1)
I must be doing it wrong.
Re: (Score:3)
the AC forgot to turn that into a ubuntu style tip...
sudo cat /dev/urandom > /dev/sda
That should do it for the Ubuntu people.
For the rest of everybody, clearly this needs to run as root.
Re: (Score:2)
sudo cat /dev/urandom > /dev/sda
I don't have an Ubuntu-box (or other "sudo"-using box) at hand, so can't test it myself, but doesn't the shell try to open /dev/sda before trying to execute sudo? In other words: Before you got root permission.
I.e. the same reason sort foo >foo gives you an empty file.
Maybe something like
cat /dev/urandom | sudo tee /dev/sda >/dev/null
would work. I think I used something like that last time I had to work around the shell opening std{in,out,err} before executing commands.
Re: (Score:1)
sudo sh -c "cat /dev/urandom > /dev/sda"
There you go.
That's also necessary in ubuntu 11.04 if you need to attach gdb to a running process...
sudo sh -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
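The point made in the comments above, that the calling shell opens a redirect target itself before sudo (or any command) starts, shown as an added example that is not part of the original thread. It works only on constructed temp files and needs no root; no_such_command_demo is a hypothetical name chosen because it does not exist, and touch stands in for the privileged command.

```shell
#!/bin/sh
# Constructed demo: temp files only, no root needed or used.

# Case 1: `sort foo > foo`. The shell truncates foo before sort reads it.
sort_onto_itself() {
    dir=$(mktemp -d) || return 1
    printf 'b\na\n' > "$dir/foo"
    ( cd "$dir" && sort foo > foo )
    wc -c < "$dir/foo" | tr -d ' '      # size of foo afterwards
    rm -rf "$dir"
}

# Case 2: the target is truncated even though no program ever runs.
# no_such_command_demo is a hypothetical name standing in for sudo.
redirect_before_exec() {
    dir=$(mktemp -d) || return 1
    printf 'old contents\n' > "$dir/target"
    ( no_such_command_demo > "$dir/target" ) 2>/dev/null || true
    wc -c < "$dir/target" | tr -d ' '
    rm -rf "$dir"
}

# Case 3: if the shell cannot open the target, the command is never started.
# An unprivileged `sudo cmd > FILE` on a root-only FILE fails the same way:
# the open is refused in the user's shell and sudo is not run at all.
redirect_failure_skips_command() {
    dir=$(mktemp -d) || return 1
    # touch stands in for the privileged command; "missing/" does not exist.
    { touch "$dir/ran" > "$dir/missing/out"; } 2>/dev/null || true
    if [ -e "$dir/ran" ]; then echo ran; else echo not-run; fi
    rm -rf "$dir"
}

# The forms suggested in the thread move the open into the privileged
# process: with `... | sudo tee FILE >/dev/null` tee opens FILE, and with
# `sudo sh -c '... > FILE'` the root shell opens FILE.

echo "sort foo > foo leaves $(sort_onto_itself) bytes"
echo "redirect with a missing command leaves $(redirect_before_exec) bytes"
echo "command after a failed redirect: $(redirect_failure_skips_command)"
```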
Re: (Score:1)
Point of all this silliness is that you can hose your 'puter no matter what the OS is just it is one heck of a lot easier to re-install a linux distro than to install Windows or Mac OS for that matter.
Lacking experience with Mac OS I do not speak for it. However regarding optimized installs (Silent installs using scripts to select all options beforehand and remove user interaction) Windows 7 will install on my home machine in about 20 minutes and Random Linux Distro in 15-20. If you really need that 5 minutes, you probably should have made images and restored from those instead of reinstalling in the first place. I'll concede that Windows played 2nd fiddle to other OSes with regard to install time for p
Re: (Score:2)
Now that is the definition of a self-defeating post.
Re: (Score:3)
I'm not connected to the internet. Workaround that!
If you did, then others can.
Re: (Score:1)
If you did, then others can.
Well yeah, but it's unlikely others will be able to match the level of stupidity displayed by making a statement on a website stating they don't have internet. I mean, certain customer service representatives, perhaps... like the kind that e-mail you your new password after you tell them you're locked out of your e-mail account. But it's unlikely they'd be able to find slashdot if you gave them the name and set google as their homepage, so YMMV.
Re: (Score:1)
I'm not connected to the internet. Workaround that!
USB stick? Do you install software? Play music from CD? Video from DVD? Send posts to /.?
At least you THINK you're safe! :-)
In other news... (Score:2, Insightful)
In other news, embedding executable code into data files still considered stupid. Researchers continue to emphasize that executable code should only exist in (wait for it) -- executable files!
Now, we all understand that Intel and Microsoft had drunken money sex one evening and out of that relationship DOS was born... a retarded child that couldn't tell the difference between its food (the data) and the plate (executable code), and regularly ate both.
I'm just wondering why we're still entertaining this 'prec
Re: (Score:3)
Re:In other news... (Score:4, Interesting)
Re:In other news... (Score:5, Interesting)
Re: (Score:3)
I'm calling BS on your claim it does anything more than this. If MP3s were exploitable outside of encouraging you to visit a questionable site, you'd see a whole lot more malware infected MP3s sent as email attachments. It's not unthinkable this could be exploited but I doubt it's any easier exploiting that
Re: (Score:2)
MP3 files are not the problem ones. It's WMA/WMV/ASF (all the same internally)
Re: (Score:1)
Nobody designing data file formats is actually putting in official ways to run executable code. The ability to do that comes entirely from implementation bugs. And no, embedded scripting languages don't count - they're not intended to be able to affect anything outside the document; when they can, it's again always the result of an implementation bug.
Re: (Score:2)
Embedded scripts certainly DO count! You can RUN them can't you? When you do, they do what the writer wanted, don't they?
Of course they're not INTENDED to be able to affect anything outside, but in over 10 years, nobody has yet been able to stop them. That's called a failure. Perhaps it's time to rip that 'feature' out.
Re: (Score:2)
Nobody? [wikipedia.org]
Re: (Score:2)
The line between code and data is rather fuzzy. In the end, both are big lumps of bytes that will be processed by some software, which will then cause your computer to take certain actions. The problem is that the software processing the bytes will often happily allow things to happen that would generally be considered undesirable (e.g. sending spam).
In my view, the problem of malware is so persistent, because the vast majority of software vendors have an insecure by default approach. Software is develope
Re: (Score:1)
Will some click ok and run the trojan? Most probably, but that is a different kind of problem for all platforms. If I open a Word document and suddenly IE9 pop ups with an access request to run something, the answer *should* be no thanks.
FTFY
Re: (Score:1)
I remember working in a developer support team for a software component company ... ... ...
So we were all programmers, and thus computer literate
Strange mails started popping up, so we knew something was wrong
Like someone in the non-technical departments was infected opening a mail from an infected friend lol
A guy from the IT help desk comes and says: do not click on the attachments!
Almost everyone answered something like: is it a virus? who got it? and so on
Except one guy, who asked with a feeble voice: we
Re: (Score:2)
That's why IE8 and 9 (in Vista and 7) have protected mode. It runs the browser in a sandbox that doesn't let the user get attacked in the way you mention (by the way, the phrase "user-mode rootkitting" is an oxymoron. A rootkit requires root access by definition.)
Re: (Score:2)
Flash? (Score:2, Insightful)
The reason why the answer is no is because of hybrid document attack techniques. TT explained that in the hybrid document exploit a Flash file is embedded in Excel or Word document.
Ok Microsoft... why the hell are you allowing Flash inside Word and Excel documents in the first place?!?
Re: (Score:2)
How else do you want Microsoft to support future printable YouTube videos that play right on the paper when you touch them with a pen?
Re: (Score:2)
Ok Microsoft... why the hell are you allowing Flash inside Word and Excel documents in the first place?!?
Because exploits, um, I mean macros via JavaScript & HTML5 [slashdot.org] won't be available until Office 15.
"and there are no 0 day vulnerabilities" (Score:2, Insightful)
Yes... THAT YOU KNOW ABOUT - of course, if you know about them, they're not zero-day vulnerabilities.
What a load of crap. YES there are, probably, vulnerabilities that you don't know about (i.e. zero-day vulnerabilities). NO you can't EVER say "there are no 0 day vulnerabilities", because if there are, you won't know about them until you find them! Who the fuck wrote that, anyway? A 0-day vulnerability is a vulnerability that you DON'T KNOW EXISTS.
Anyone who THINKS that there are no zero-day vulnerabilities