Microsoft Warns of Zero-Day Attacks
wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."
Already there (Score:5, Funny)
Don't they already put that warning on the box?
Re: (Score:2)
It's not on the box... it's in the EULA!
(On the box.. sheesh... Not enough room for the warnings on there...)
Re:Already there (Score:4, Interesting)
I have been saying this for ages. It is embarrassing that the concept of "antivirus" still exists. Its main purpose is to enforce a huge blacklist of .exe files that can harm you. Instead of keeping track of millions of apps that are evil, why not just apply some least privilege principles and sandboxing already so that we can run an application without granting it access to all our resources?
It comes as no surprise that everything gets moved to the web nowadays. One can safely open a website without worrying that all his personal data can be accessed (such as Firefox stored passwords). On the other hand, opening an application requires complete trust in the author, which is simply too much to ask most of the time. Look how well "apps" have evolved on mobile platforms. It is quite natural to prefer apps to websites, because it can be easier to have something run on startup and be easily accessible whenever you want, as opposed to having to go through a browser. They generally have less overhead and are more powerful. If Windows had a decent package manager and proper privilege separation we would probably be living in a different world today.
For anyone who claims stuff like "but Windows has UAC", obligatory xkcd: http://xkcd.com/1200/ [xkcd.com]
Re:Already there (Score:5, Informative)
You just described Windows RT.
Re: (Score:3)
It's called code-signing, and every time someone suggests it, the /. crowd are up in arms about how you're not free to run what you want on your own computer, conveniently disregarding the idea that you can sign code yourself.
And yes, it's the only real solution.
Re: (Score:2)
Code signing ? This does not remove exploitable holes in that cleanly signed (but shitty) code.
Re: (Score:3)
Antiviruses are blacklisting, code signing is whitelisting. Both are bad solutions in a world where we have so many apps that keeping track of all of them is very difficult.
Besides, code signing does not solve the problem of too relaxed permissions. In the situation presented in the article, MS Office is a signed piece of software.
Re: (Score:2)
Code signing is far from a panacea. It only works well in a world where there is a clear divide between things that are programs and things that are data. It doesn't help if you sign your interpreter (for Python, VBA, JavaScript, whatever), if there's no requirement that you also sign all of the inputs.
And code signing would do nothing to prevent vulnerabilities of this nature, where a bug in a library permits arbitrary code execution. This can be prevented with fine-grained sandboxing (if every TIFF im
Re: (Score:2)
Nah, of course it's not a panacea, but it does provide reliable "whitelisting". If you were to combine it with application sandboxing, then at least any vulnerability in the app is contained within the sandbox, and you know the code hasn't changed since it was signed.
Some of the more advanced malware inspection engines now (e.g., FireEye) do full VM execution of incoming content and post-mortem analysis before giving a pass or fail.
Re: (Score:2)
Anti-virus is mostly just for fixing "stupid".
People demand that they have full control of their machines, Microsoft be damned.
The same people click "OK" no matter what pops up, even if it says "Clicking OK will destroy your computer".
Hence, anti-virus has become the politically correct way of saying anti-stupid program.
Re: (Score:2)
Yes, this is a major issue, but I don't believe it to be one without a solution, should one really bother to come up with a good implementation.
On a mobile phone, you (as an application) can refuse to run if a user does not grant access to a resource (such as the webcam), because you know for sure that every phone has a webcam.
This blackmailing procedure may not be so successful on a PC, where if the owner refuses to grant access to his webcam to an app, the OS can make it such that it is impossible for the app t
Re: (Score:2)
As you said, it is the all-or-nothing that concerns me. I am not claiming that sandboxing would magically solve all problems and that successful exploits would never be able to do any harm. But being able to mount an attack such as "someone using MS Office somewhere might use it to open sensible data, which we can steal" is not the same as mounting an attack like "we can use MS Office to collect all stored passwords from all browsers and send them to us. And to spawn a keylogger". The MS Office should have no bu
Re: (Score:2)
Creating a secure system would need a different architecture to begin with. The way the stack is handled in x86 is just asking for buffer overflow exploits.
Re: (Score:3)
It's funny, just yesterday I was having a slashdot conversation with someone who was talking about Microsoft's "superior QA", a day after the slashdot story about W8.1 breaking mice and other stuff.
I clicked on the story expecting to see a Windows problem (I still have W7 on this notebook, too lazy to install kubuntu) and it turns out I'm safe; I don't use IE or MS Office (I'm using Oo to write my books).
Re: (Score:2)
This is why MS wants to move everyone to Metro and phase out win32.
Re:Already there (Score:4, Informative)
Why only pick on Windows? http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/ [arstechnica.com]
Because we picked on Apple for that one on August 29th [slashdot.org], and to those of us who are capable of thinking clearly it makes very little sense to pick on Apple when the topic clearly is a Windows vulnerability.
Re: (Score:2)
Yes, MS could have had better security from day 1. But it's also true that most of the blame lies with lazy developers who did the quick-and-dirty, instead of actually understanding the system they were developing for. Which of course MS has to support in later versions of Windows, in order to keep their customer base.
Re: (Score:2)
Lots of applications require to run as administrator? Really? Name "lots", please.
Re: (Score:3)
Windows is fine if you don't read emails or browse the web.
Use Linux. (Score:2)
Use Linux.
Re: (Score:2)
Considering an image in a .pdf is typically a tiff with all the .pdf "goodness" wrapping around it, it shouldn't be surprising.
WOW (Score:4, Insightful)
so when the summary says "the attacker would have to convince the user..." what they really mean is that it would happen automatically with no user interaction. I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned. This sounds like it would be an XP thing, but since it applies to office 2007 and 2010, presumably it applies to windows 7 as well?
I bet NSA is pissed, because one of their favorite pwnage tools is now public :(
Re: (Score:3)
No, the advisory said that it affects Vista and Server2008.
It explicitly says that Win7, Win8, Win8.1, WinRT, Server2008-R2 and Server2012 are unaffected.
Caveat: although I work at Microsoft, I know nothing about this alert other than what I read in TFA.
Re: (Score:2)
Unless you are using Office or Lync which have their own copy of GDI+. Office 2010 only uses their own copy when running under XP though unlike older versions and 2013 don't support XP at all so they don't have their own copy anymore.
Re: (Score:2)
So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?
Re: (Score:2, Informative)
So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?
You are not affected, you are not software. Your OS, Windows 7, is not affected, as explicitly stated. One of your programs, Office 2010, is affected, as explicitly stated.
Re: (Score:2)
And how many people do you know that still open emails from unrecognised strangers? Before you can get people to open a malicious email you have to get past their spam filters (or, at least the filters their mail server uses) and make the recipient think it's a valid email. (Yes, I know that there are people who just open everything that comes in, but I think you get my point.) However, from what
Re: (Score:2)
From the summary:
So all that is really necessary is to setup a web server and post something enticing in forums like Slashdot.
https://en.wikipedia.org/wiki/Pwn [wikipedia.org]
Once that is accomplished then the cracker waits for web hits. Once you've been cracked he would search your computer for anything resembling an email address and attempt t
Re: (Score:2)
but with most email programs, even when you select the message it automatically shows in the preview pane. So if I select it in order to delete it, it shows in the preview and BAM. Or if I delete the adjoining message, the focus shifts to that message, and BAM. It's not all about (l)users here.
Re: (Score:2)
maybe a good compromise is an email client feature that shows you text-only previews of messages. then you can see what the message says without getting exposure to any of this junk. thoughts?
Re: (Score:2)
there's some merit to your argument, but the fact that Windows has images and fonts that can own your system is beyond absurd.
A compromise solution is that the preview pane shows text-only previews. That keeps the majority of the productivity, and should close these holes we speak of. Thoughts?
Re: (Score:2)
but the fact that Windows has images and fonts that can own your system is beyond absurd.
It is absurd, but let's not pick on Windows. Both OS X and *NIX systems have suffered from similar vulnerabilities in libtiff, libpng (lots!), libjpeg (almost as many) and FreeType (too many to count). The problem was that all of these were written with the assumption that you could trust the input data and that performance was the primary concern. Now, computers are so fast that no one would notice a 50% slowdown in most of these (although they would in an H.264 decoder, which is another popular vector)
I got burned by the font rendering bug last time (Score:2)
I'm getting awfully tired of exploits from MicroSquishy that I can't do anything to block. If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines.
Fortunately I don't *trust* Windows at all after the last time I got burned, so I do *all* my surfing with Linux/Debian. The *only* time I ever hit the internet from the Windows box is to download software updates or installs.
Re: (Score:2)
Had this been a Linux bug, the patches would have been out tonight.
Re: (Score:2)
The differences are that 1) Linux actually tries to be secure and 2) Linux isn't running unnecessary services you don't need and 3) The patch comes out much more rapidly for Linux, as stated, this is a proven fact. Don't pretend that Windows has parity with Linux, because it doesn't.
Re: (Score:2)
I'm not saying Linux is invulnerable to exploits. But it *is* more secure by design.
Were there a font rendering bug that could be picked up by my browser, the worst it could do is damage my user data and cause the browser or maybe even the desktop to crash (presuming the attack knew which desktop API to target.)
Font and image rendering does not occur in kernel space under Linux.
My bigger point, though, is that Linux vulnerabilities get patched and shipped a *lot* faster than they do for Windows or O
Re: (Score:2)
Considering that every time a Linux attack appears on Slashdot, it turns out that the user has to purposely install something with elevated privileges beforehand, I'm not too worried.
Re: (Score:2)
That's because as far as normal users go there are virtually no Linux users to target
So it's the user and not the operating system then? Because Linux has a lot of installs.
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Summary [wikipedia.org]
Re: (Score:2)
"If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines."
Google "Digital River Windows 7 ISOs".
Re: (Score:2)
Mod parent "Informative".
Thanks. Downloading now. I've been half-panicked for almost a year that I don't have install media.
Re: (Score:2)
If you liked that, you'll like to know that you can remove the ei.cfg file from the iso to convert it into a universal iso. There are multiple tools for it, but I've just used rm in the past (granted, the media I used was a USB stick). Here's one such tool: http://code.kliu.org/misc/winisoutils/ [kliu.org]
Note that your license still has to match the type you select during installation. I have no idea why Microsoft insists on having so many different isos when they could just have one universal iso...
So... (Score:4, Insightful)
They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?
Kudos. That's the laziest response to a vulnerability I've ever heard of.
Re: (Score:3)
I'm much more concerned that to disable a codec, you have to create a new registry key for GDIPlus, then add "DisableTIFFCodec" specifically to disable Windows-wide the built-in TIFF rendering.
There's not a whitelist so that you can search for what's enabled - there's a hidden key that is queried every time a Microsoft application *starts* so that if it is already running making the change has no effect.
That it is called "DisableTIFFCodec" - I'm not even sure what the words are to properly object to that.
In related news (Score:2)
Also, water is wet and the sky is blue (Score:2)
Microsoft and zero-day attacks go together like .... 2 things that go together really well.
The best is still to come (Score:2)
With the shape of security in the IT industry right now, I expect the patch to address this will end up bricking 20% of the servers that apply it.
No problem, then (Score:3)
"To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content."
Thankfully it's proven difficult over the years to get a Windows user to do any of those things....
Re: (Score:2)
I guess you heard a loud whoosh and didn't know what it was.
Just today.. (Score:2)
Mint 15 and damn happy.
Translated summary (Score:5, Funny)
"Microsoft released an advisory today warning users about a new zero-day flaw that we'll fix when we damn well feel like it. The digital holy war is targeting the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Some Failed Skype Imitation. The problem exists in our poorly written TIFF reader. To exploit the vulnerability, an attacker will email you and when you open it, you are fucked. It will download and install malware and there is nothing you can do about it. The vulnerability affects those new versions of Office that we insisted you needed to upgrade to and Shoddy Server 2008 and Windows 7 - 1. Right now, opening a Microsoft Word document could ruin your week or your month."
Enhanced Mitigation Experience Toolkit (Score:2)
Re: (Score:2)
Using EMET provides additional layers of protection against this kind of thing.
So does not running Windows. If Microsoft has additional layers of security for Windows, perhaps they should make them part of Windows.
Re: (Score:2)
Using EMET provides additional layers of protection against this kind of thing.
So does not running Windows.
Ah, the predictable refrain of a MAC/Linux fan...
If Microsoft has additional layers of security for Windows, perhaps they should make them part of Windows.
I think in the case of EMET, it is not part of Windows by default because it uses techniques that may not be compatible with every Windows application. It also requires a bit more technical knowledge to deploy than, say, antivirus software.
Re: (Score:2)
Ah, the predictable refrain of a MAC/Linux fan...
Any system which is working properly is predictable.
I think in the case of EMET, it is not part of Windows by default because it uses techniques that may not be compatible with every Windows application. It also requires a bit more technical knowledge to deploy than, say, antivirus software.
Windows is already not compatible with every Windows application. If it requires more technical knowledge to deploy than antivirus software, then Microsoft isn't working hard enough on it. Is this another product they bought from someone and ruined, like say wolfpack?
Re: (Score:2)
Look, I'm just pointing out a lesser-known resource that's available for people who might be interested. I'm not interested in partaking in yet another tedious bout of Windows bashing on Slashdot. Others have already mentioned that Windows is not the only operating system to be exploited by maliciously crafted data files.
Re: (Score:2)
Others have already mentioned that Windows is not the only operating system to be exploited by maliciously crafted data files.
Right. Many of us object to any closed-source operating system for this among other reasons.
Re:New Attack? 0 Day? (Score:5, Informative)
It is a file format that is pretty low on the level of requiring correct formatting and is more or less abandoned by its owner, Adobe. I bet there is a grip of EPS exploits out there for Microsoft's viewer, but very few people would open those. Everyone knows EPS is "an Adobe" and forwards them on to the graphics department.
Re:New Attack? 0 Day? (Score:5, Interesting)
TIFF is a scary format in general because it's been extended in so many bizarre ways to support document management systems. For example, there's actually a standard for embedding PDFs inside of a TIFF (rather than vice versa).
Re: (Score:2)
It's "Yet Another Back Door", which they might get around to disclosing if enough non-MS and non-Gov't exploits are published. It's no different from the DX9 kernel modules looking for MP3s with executable streams.
The crackers don't have to compromise MS products, they just have to find the existing back doors and use them.
Re: (Score:2)
Exactly how many engineered back doors have actually been found and exploited?
Re: (Score:2)
Because they do not separate code and data.
Re:New Attack? 0 Day? (Score:5, Insightful)
Vulnerabilities in media decoders are a prime vector for infection since they are usually processed automatically. The only reason you are seeing it in software from 'a decade ago' is that hackers face so much competition from white hat researchers when it comes to browsers, fighting for vulnerabilities from a usually shrinking pool. With fewer opportunities some are turning to media decoders found in applications like Office. It's a less effective vector since it requires several actions from the user, but the upside is that these applications are often not as aggressively patched as browsers have become which means a single vulnerability might work for months.
For a comparison it's been almost a year since the last arbitrary code vulnerability was reported in FireFox's GIF decoder, and 2 years since the JPEG decoder was last turned into an attack vector (to the best of my knowledge). IE, Chrome and Safari have experienced similar droughts, with all the major browsers only having 1 or 2 image based vulnerabilities reported annually for the last few years, and usually by researchers who allow it to be patched quickly rather than as a zero day being exploited. Of course other types of media exist. CSS/HTML5 has rapidly become a media format in and of itself and a little over a month ago FireFox was vulnerable to arbitrary code execution due to the way it decoded animations in CSS stylesheets (this was reported by Google and patched with the release of FF 24). TL;DR Researchers are hogging all the good browser vulnerabilities, so hackers are playing in the dusty old rooms nobody has visited in years.
So why everyone still uses C-style buffers? (Score:2)
I would have expected, in this day and age, where computers are supposed to be much more powerful than needed for the majority of users, that C-style management of buffers would have been a thing of the past, especially in major software like Office and browsers.
But, judging from your post, it seems that is not the case. People still use raw buffers without bounds checking.
The principle "performance first, safety second" has not done any good. The majority of problems like this come from the programming language
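This concern, together with the earlier point that libtiff, libpng and friends were written assuming trusted input, is easiest to see in code. The following is an added example, not code from the thread or from any of those libraries: a C walker for the first TIFF IFD that treats the IFD offset and every entry's count and value offset as untrusted, run over three constructed inputs (well-formed, IFD offset past the end of the data, and a count whose byte size wraps in 32-bit arithmetic).

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked little/big-endian reads; the subtraction form cannot overflow off + 2. */
static int rd16(const uint8_t *b, size_t len, size_t off, int le, uint32_t *v) {
    if (off > len || len - off < 2) return 0;
    *v = le ? (uint32_t)b[off] | (uint32_t)b[off + 1] << 8
            : (uint32_t)b[off] << 8 | (uint32_t)b[off + 1];
    return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, int le, uint32_t *v) {
    uint32_t lo, hi;
    if (!rd16(b, len, off, le, &lo) || !rd16(b, len, off + 2, le, &hi)) return 0;
    *v = le ? (hi << 16 | lo) : (lo << 16 | hi);
    return 1;
}
/* Walks the first IFD. Returns the entry count, or -1 if the header, the IFD offset,
 * any entry's type, or any out-of-line value (count * type size) lies outside the buffer. */
int tiff_count_entries(const uint8_t *buf, size_t len) {
    static const uint32_t type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
    uint32_t magic, ifd_off, n;
    int le;
    if (len < 8) return -1;
    if (!memcmp(buf, "II", 2)) le = 1;
    else if (!memcmp(buf, "MM", 2)) le = 0;
    else return -1;
    if (!rd16(buf, len, 2, le, &magic) || magic != 42) return -1;
    if (!rd32(buf, len, 4, le, &ifd_off)) return -1;
    if (!rd16(buf, len, ifd_off, le, &n)) return -1;      /* IFD offset is attacker-controlled */
    if (n == 0 || n > (len - ifd_off - 2) / 12) return -1; /* all 12-byte entries must fit */
    for (uint32_t i = 0; i < n; i++) {
        size_t e = ifd_off + 2 + (size_t)i * 12;
        uint32_t type, count, valoff;
        if (!rd16(buf, len, e + 2, le, &type) || !rd32(buf, len, e + 4, le, &count) ||
            !rd32(buf, len, e + 8, le, &valoff)) return -1;
        if (type == 0 || type > 12) return -1;
        /* count * size can wrap in 32 bits; widen before comparing against the buffer */
        uint64_t bytes = (uint64_t)count * type_size[type];
        if (bytes > 4 && (valoff > len || bytes > len - valoff)) return -1;
    }
    return (int)n;
}
/* Constructed samples. Well-formed: "II", 42, IFD at 8 with two inline SHORT entries. */
static const uint8_t good_tiff[] = {
    'I', 'I', 42, 0, 8, 0, 0, 0, 2, 0,
    0, 1, 3, 0, 1, 0, 0, 0, 4, 0, 0, 0,   /* ImageWidth = 4 */
    1, 1, 3, 0, 1, 0, 0, 0, 4, 0, 0, 0,   /* ImageLength = 4 */
    0, 0, 0, 0 };
/* IFD offset 0x1000 points far past the 8 bytes actually present. */
static const uint8_t bad_ifd[] = { 'I', 'I', 42, 0, 0, 16, 0, 0 };
/* One LONG entry with count 0x40000002: count * 4 wraps to 8 in 32 bits, which a naive
 * "offset + size <= len" check would accept even though the data is not there. */
static const uint8_t bad_count[] = {
    'I', 'I', 42, 0, 8, 0, 0, 0, 1, 0,
    0x11, 1, 4, 0, 2, 0, 0, 0x40, 8, 0, 0, 0,
    0, 0, 0, 0 };

int main(void) {
    printf("good=%d bad_ifd=%d bad_count=%d\n",
           tiff_count_entries(good_tiff, sizeof good_tiff),
           tiff_count_entries(bad_ifd, sizeof bad_ifd),
           tiff_count_entries(bad_count, sizeof bad_count));
    return 0;
}
```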
Re: (Score:2)
+1 you must work in my IT department.