Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Duqu Installer Exploits Windows Kernel Zero Day

Unknown Lamer posted more than 2 years ago | from the windows-industrial-control-edition dept.

Microsoft 164

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."

Sorry! There are no comments related to the filter you selected.

First post (3, Funny)

GameboyRMH (1153867) | more than 2 years ago | (#37920416)

Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER

How would a Windows virus infect a Nintendo game? (1)

tepples (727027) | more than 2 years ago | (#37920524)

With a name like "game boy" and a comment about "SMB shares", I think for half a second about this kind of SMB share [google.com] .

Re:How would a Windows virus infect a Nintendo gam (1)

gl4ss (559668) | more than 2 years ago | (#37921470)

if it infected ds roms, that would be friggin brilliant.

Re:First post (1)

LordLimecat (1103839) | more than 2 years ago | (#37922274)

Well, its a good thing the network protocol sanitizes the files you share with it. Its very reassuring that the virus cant simply place that infected document onto NFS and spread that way.

Seriously, do you really think that has any relevance to the issue?

Word document for a remote exploit? (2, Interesting)

kervin (64171) | more than 2 years ago | (#37920434)

I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?

Re:Word document for a remote exploit? (0)

denis-The-menace (471988) | more than 2 years ago | (#37920462)

to access undocumented APIs.

MS has been known to used them.

Re:Word document for a remote exploit? (2)

0100010001010011 (652467) | more than 2 years ago | (#37920464)

1) Word document exploits hole.
2) Exploited hole now allows remote code execution.
[3) Pictures of exploited hole now show up constantly on new website "Slashdot"]

Reverse the exploited hole (1, Funny)

tepples (727027) | more than 2 years ago | (#37920586)

But how do you reverse such a hole? Like this [cheezburger.com] .

Re:Reverse the exploited hole (0)

hedwards (940851) | more than 2 years ago | (#37920666)

lol reverse goatse.

Re:Word document for a remote exploit? (0)

Anonymous Coward | more than 2 years ago | (#37920662)

That's OK, Slashdot won't become a vector for the exploit, because Slashdotters instinctively avoid pictures of exploited holes.

Yeah. You know exactly what picture I mean.

Re:Word document for a remote exploit? (0)

Anonymous Coward | more than 2 years ago | (#37920988)

Been coming here since 5digit users, and have yet to see said hole. I plan to keep it that way too!

Re:Word document for a remote exploit? (1)

hesaigo999ca (786966) | more than 2 years ago | (#37921730)

Depends what type of hole you are talking about, I have been here since you have, and seen plenty of Aholes!

Re:Word document for a remote exploit? (4, Informative)

The MAZZTer (911996) | more than 2 years ago | (#37920530)

It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.

Re:Word document for a remote exploit? (4, Funny)

ArhcAngel (247594) | more than 2 years ago | (#37920818)

How long until this is used to create a script to jailbreak windows so we can install what we want on it?

Re:Word document for a remote exploit? (0)

Anonymous Coward | more than 2 years ago | (#37921762)

I need to sign up for this /. thing so I can upvote your answer.

Re:Word document for a remote exploit? (0)

Anonymous Coward | more than 2 years ago | (#37921804)

Re:Word document for a remote exploit? (0)

Anonymous Coward | more than 2 years ago | (#37920864)

That would be the most stupid definition of "remote code execution" ever.

Re:Word document for a remote exploit? (1)

rb12345 (1170423) | more than 2 years ago | (#37922046)

It could be another WMF-style exploit, too.

Re:Word document for a remote exploit? (1, Flamebait)

billcopc (196330) | more than 2 years ago | (#37920590)

What, you don't open ports to your passwordless MS terminal server ?

It's a Word document, which means it exploits a weakness in MS word to deliver the payload.

But seriously, what is this, Digg ? Who is this "Unknown Lamer" and why doesn't he go fuck himself ? We used to have standards around here...

Article is FUD. Requires user running as root. (0, Informative)

Anonymous Coward | more than 2 years ago | (#37921070)

"Duqu consists of a driver file, a DLL (that contains many embedded files), and a
configuration file. These files must be installed by another executable—the installer. The installer registers the
driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe.
From here, the main DLL begins extracting other components and these components are injected into other pro-
cesses. This process injection hides Duqu’s activities and may allow certain behaviors to bypass some security
products."

Boot to Recovery Console, use DISABLE (-1)

Anonymous Coward | more than 2 years ago | (#37921376)

Command there, on the driver9s) it uses cmi4432.sys, jminet7.sys, nfrd965.sys, & adpu321.sys. This will stop their operations upon next reboot (assuming they do NOT protect the registry init. area that is - I haven't read if they do, or don't: Someone provide proof of that please one way or the other, & thanks).

As to the injected DLL(s), if it is OLE type, unregister it!

Otherwise, delete it (& if held open by another process? Simply use ProcessExplorer.exe to freeze/halt the parent calling process, & then destroy the dll on disk - you will need to have the DLL pane view active, & highlite exe's running to see what dll's they using (or other libs) & "paralyze away" as noted above...).

* Should take care of that end of it, "lickety-split, no shit" - DONE!

(Be aware of the tools you have as Windows users already, from your installation media, as they can do a hell of a job on rootkits too!)

APK

P.S.=> If anyone has any other ideas, or weaknesses in this plan? Let me know, we'll discuss it, & figure out more "work-arounds" (if need be)...

... apk

Re:Article is FUD. Requires user running as root. (1)

rabbit994 (686936) | more than 2 years ago | (#37921668)

By root you mean Administrator privileges and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

I wonder if this bug is XP only or XP/Vista/7. If it Vista/7, will UAC stop it?

This article is light on details and doesn't give Admins alot to work with. Microsoft generally will release KB articles describing the exploit and workaround/prevention methods to prevent it.

Re:Article is FUD. Requires user running as root. (3, Insightful)

LordLimecat (1103839) | more than 2 years ago | (#37921872)

and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

Someone wasnt paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.

On XP, you are right, but I believe the XP marketshare is getting smaller every day.

Re:Article is FUD. Requires user running as root. (1)

hairyfeet (841228) | more than 2 years ago | (#37922034)

Well if it needs root that pretty much leaves out Vista and 7, unless you have a user that is dumb enough to click yes on "Hey you didn't try to install anything but this (insert huge random number) wants to have admin rights, yes or no" which if they click yes you have worse problems. I'm also gonna assume that Office 2K10 does like 2K7 and by default disables scripting and running code unless you specifically enable it (since TFA is seriously light on any details more than "ZOMG weesa gonna die!") so that removes Office 2K7 and 2K10.

So you are looking at XP users, running as root, accepting Word docs and having Word 2k or 2K3. Not a small number but most businesses shouldn't be letting users run as root and should have all incoming docs scanned for malware so that should seriously cut down the numbers. I wouldn't be surprised if a lot of their infections can't be traced down to luring the suckers, using age old tricks like "Free porn passwords.doc" or "Free WoW keys.doc" or some other classic social engineering trick. Most of the infection I see nowadays can be traced straight to PEBKAC, either wanting something for nothing, ala "New_Hit_Pop_Song.mp3.exe" or trying to see teh boobies ala "Free porn passwords.doc". In the end there is only so much you can do about stupid and still let them have control over their machines.

Is it really? (1)

DeadCatX2 (950953) | more than 2 years ago | (#37922290)

The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions. If this was some undocumented API call in Word, then the exploited function might not validate inputs very well.

Word document?! (0)

masternerdguy (2468142) | more than 2 years ago | (#37920444)

Once again, don't open email attachments from unknown senders.

Re:Word document?! (5, Insightful)

Anonymous Coward | more than 2 years ago | (#37920736)

This kind of advice is classic. Its also pointless.
This kind of attack 'comes' from people or sources you know (Most users are not going to check full headers) - and its spear fishing in nature - so its documents that look viable and realistic.

This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but thats nothing unusual today in infrastructure that is too lose/insecure).

The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.

And thats before you really face up to stux and its game change nature. Now its not just PCs/windows that you have to watch. And thats a whole new ballgame.

Re:Word document?! (-1, Flamebait)

Synerg1y (2169962) | more than 2 years ago | (#37920888)

Worse things exist in opening attachments from remote senders than malware, http://www.pcworld.com/article/103992/the_worlds_worst_viruses.html [pcworld.com]

On that note, people need to stop telling others to not open attachments from unknown senders, let natural selection separate the users who know how to use computers (aka maintain their machine in a working state) and those who do not, it's just not fair to have to fix some dumbshit's machine cause s/he is too dumb to apply common sense.

Re:Word document?! (1)

Darkinspiration (901976) | more than 2 years ago | (#37921084)

Right, So evolution will decide if my servers are going to get hacked or not ? No thanks. I'm so glad i'm running Novell OES right now.

Re:Word document?! (1)

bmo (77928) | more than 2 years ago | (#37921268)

Someone should mod you into oblivion for posting a PCWorld ad for Symantec, because that's all that article is. It even tells people to not only just install anti-malware, but to install Norton, and does not mention any other security companies at all.

--
BMO

Re:Word document?! (-1)

Anonymous Coward | more than 2 years ago | (#37921178)

that is too lose/insecure

Lose vs. Loose. You dumb motherfuckers just can't get this right, can you? Oh no, they look a little similar so now you have to constantly confuse them.

At least this was one where "loose" finally would have been the correct word. Normally you functionally illiterate types write "loose" where you should have written "lose" but not you!

Re:Word document?! (5, Insightful)

bmo (77928) | more than 2 years ago | (#37920850)

>Once again, don't open email attachments from unknown senders.

>unknown senders

If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

The "From:" header can be anything, Anon, and it can be trivially set.

Go ahead, blame the victim. It doesn't make you any less of a douche.

--
BMO

Ooh! I have a solution for this one! (1)

DeadCatX2 (950953) | more than 2 years ago | (#37921198)

Instead of using email attachments, make it company policy to drop the attachments on a network drive, and instead share intranet links.

Anyone who spear phishes with attachments will fail. Now they will need intranet access, which can be significantly harder to acquire.

Re:Word document?! (1)

sootman (158191) | more than 2 years ago | (#37921276)

Plus, God knows, news from higher-ups never comes in an email itself. Instead, we get emails from the CEO's secretary that say "Please read the attached message from the CEO." I've gotten plenty, so yeah, if I got one, I'd open it. I might know it's a fake if there were grammatical errors or if the secretary's name (which I happen to know) wasn't on there, but otherwise, yeah, it wouldn't be unusual at all.

Re:Word document?! (1)

mikechant (729173) | more than 2 years ago | (#37922302)

I might know it's a fake if there were grammatical errors

In most companies, you'd know it was bogus if it came from the CEO and *didn't* contain grammatical errors...

Re:Word document?! (1)

Anonymous Coward | more than 2 years ago | (#37921372)

>Once again, don't open email attachments from unknown senders.

>unknown senders

If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

The "From:" header can be anything, Anon, and it can be trivially set.

Go ahead, blame the victim. It doesn't make you any less of a douche.

-- BMO

The "victim" who runs an insecure and widely-targeted system and then won't learn the most basic things about how to secure it?

Yeah. Totally absurd to think anyone would mess with them. Hey I know. Let's tell them they are total victims. Let's tell them the decisions they make have absolutely no bearing on what they experience. They are merely giant leaves carried by the wind with zero control over their lives. Let's embrace total fatalism just because there are bad people! Nope, no free will here, we rejected that because it might mean telling somebody to wise up and quit being such a wide-open target in the face of well-known threats.

Let's do it in an irritable emotional way that can't resist doing some name-calling, you douche, because disagreement with me is the definition of being a douche. People who approach it that way are always the ones with the truth, dontcha know that from their impeccable logic?

Article is FUD. Requires user running as root. (0)

Anonymous Coward | more than 2 years ago | (#37921086)

"Duqu consists of a driver file, a DLL (that contains many embedded files), and a
configuration file. These files must be installed by another executableâ"the installer. The installer registers the
driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe.
From here, the main DLL begins extracting other components and these components are injected into other pro-
cesses. This process injection hides Duquâ(TM)s activities and may allow certain behaviors to bypass some security
products."

Re:Word document?! (1)

Vicarius (1093097) | more than 2 years ago | (#37921318)

Once again, don't open email attachments from unknown senders.

Since many web browsers are so helpful nowadays, you don't need to run any executables or open any attachments anymore. Browsers will usually help you by opening malware-ridden PDFs, Flash objects, as well as DOC files. You will not even know they were opened, since malware does not want to be loaded in the open and gets executed in a hidden windows or javascript objects.

Why / How? (0)

Anonymous Coward | more than 2 years ago | (#37920526)

Why / How can a *Word Document* exploit a kernel vulnerability?

I mean really.

Re:Why / How? (1, Insightful)

Megane (129182) | more than 2 years ago | (#37920592)

It's Windows. Why should you be surprised?

Re:Why / How? (1)

RightSaidFred99 (874576) | more than 2 years ago | (#37920802)

You guys don't know much about computers, do you? You laughably seem to think only privileged processes have access to kernel calls and can exploit bugs in them.

Re:Why / How? (1)

X0563511 (793323) | more than 2 years ago | (#37920922)

I hope that was sarcasm.

Re:Why / How? (1)

RightSaidFred99 (874576) | more than 2 years ago | (#37921170)

It wasn't. Go take an OS course, please.

Re:Why / How? (1)

h4rr4r (612664) | more than 2 years ago | (#37921050)

I think the better question is why does it have to be word, as opposed to any other user space unprivileged process. My guess would be because of all the macros/scripting and other bad ideas in word.

Re:Why / How? (1)

RightSaidFred99 (874576) | more than 2 years ago | (#37921156)

Probably because it's easier to get someone to open a Word document than e.g. an executable, and yes because Word has limited code execution capabilities.

Re:Why / How? (1)

bsDaemon (87307) | more than 2 years ago | (#37920834)

Because of binary file formats, binary fonts, etc. All data is just data, including code. A is the same as \x41 which is the op code for INC EAX, for example. That's effectively a NOP as far as shell code is concerned, though. Others do other things, of course. It's the same reason you can do exploits in PDF or other file format attacks.

Re:Why / How? (0)

Anonymous Coward | more than 2 years ago | (#37920904)

If you don't know, just say so.

Re:Why / How? (1)

masternerdguy (2468142) | more than 2 years ago | (#37921058)

If you don't know, just say so.

The anonymous coward computer security experts are coming out of the woodwork for this one.

Re:Why / How? (1)

228e2 (934443) | more than 2 years ago | (#37921090)

^what he said . . . . geez . . . .

Re:Why / How? (1, Insightful)

ConceptJunkie (24823) | more than 2 years ago | (#37922232)

This is old news. Microsoft Office was probably the largest vector for computer virus infections in the mid 90s. VBA means that opening your document can pretty much do anything since it can hook into Win32 and 99% of users ran as administrators.

Nowadays, Windows users aren't admins by default, and there are some protections to prevent macros from being run without your permission, but all that stuff is still in there. Office has always been a de facto part of the OS because the only way Microsoft could ever compete was to build secret doors into Windows that would allow their apps to do things their competitors couldn't.

Although MS has gotten better about these sorts of criminally incompetent things, they were all built in from the ground floor, so they'll never be completely eliminated until we get Windows "NTNT".

Must say... (1)

ackthpt (218170) | more than 2 years ago | (#37920528)

I'm impressed Microsoft even acknowledged it. Years ago they would have buried this news, claiming anyone reporting on it was aiding terrorists. I'm looking forward to the fix, when they roll it out in a couple of months.

Re:Must say... (1)

hedwards (940851) | more than 2 years ago | (#37920692)

Well, that can mean anything except one thing. Today isn't opposite day.

Re:Must say... (4, Insightful)

johnthorensen (539527) | more than 2 years ago | (#37921068)

I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.

Re:Must say... (1)

Riceballsan (816702) | more than 2 years ago | (#37921954)

More like they actually have competition making them sweat a bit (no I'm not talking about the hypothetical year of the linux desktop, I'm talking about the actually approaching significant decline in use of the home PC). I still have to say I'm a bit nervous on them going after botnets directly, not because I don't want those scumbags shut down and/or put behind bars, but because corporations playing vigilantes in general is a bit nerve-wracking. What we approve for one company in one circumstance, is approved for all companies in all circumstances. It is hypocritical to cheer microsoft for shutting down a botnet, and then boo apple for raiding gizmodo, or the RIAA for raiding a teenagers house.

And? (0, Troll)

ledow (319597) | more than 2 years ago | (#37920540)

I'm sorry, but anyone that lets their Windows / internal servers be contacted by arbitrary packets from the Internet, or their systems allow execution by ordinary users of (at the very minimum, unscanned) email attachments, deserves everything they get.

This isn't news now and wasn't back 20 years ago. If you have to do more than just in a "just-in-case" firewall rule into your network equipment that automatically blocks this particular attack from local users (and which should be impossible to execute directly against the server remotely anyway), then you weren't really doing your job in the first place.

Next you'll be telling me that I shouldn't let filesharing ports open to the world.

Re:And? (0)

Anonymous Coward | more than 2 years ago | (#37920764)

You go girl, if the traffic isn't scrutinized from, at least, layer 3 on then you're a zombie waiting to happen.

Re:And? (0)

Anonymous Coward | more than 2 years ago | (#37921550)

i have only ever seen one zombie, and it happened after a 136 days of uptime on my firewall/server at the time. i rebooted, the machine kept on plugging until i tried to give it a new hdd. which 6 months later was the kiss of death for that server. my point? don't have 15 amps worth of computers just to chat, game, and read news.

Re:And? (0)

Anonymous Coward | more than 2 years ago | (#37920824)

You had windows computers on the internet in 1991? Very cool. I couldnt manage that feat until about 1993 and even then in a very round about way.

The internet of 1991 is *VERY* different from 2011. People believe it or not want people to use their file shares... They even wrote indexers to help you find their files.

Firewalls didnt become vogue until about 1997. *Most* people would plug raw right into the internet. But guess what. There wasnt that many worms out there... Most of those were actual flaws in the TCP stacks (more important to fix right away). It wasnt until some bright spark started putting the drop by default into the minds of most users.

Would I plug my computer today into the 'raw' internet. No thank you. Back then? Didnt think twice about it.

Re:And? (1)

Anonymous Coward | more than 2 years ago | (#37920924)

If you *need* a firewall for security on your border you are doing it wrong.

Re:And? (1)

DarkOx (621550) | more than 2 years ago | (#37921940)

If you don't think you need a firewall on your boarder and you don't have one any way you are doing it wrong. Defense in depth is the only thing that works, think about security at every layer.

Re:And? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#37920838)

You did read the story correctly - right?
You realise its an 0-day unknown exploit. (The user level is right, absolutly - users should be user class, not admins - but its a kernel vuln, thats the point sometimes.)
You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - depsite masses of evidence you need to rethink how you see this.
When the word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.

STOP thinking you have this all covered. You don't. The game has changed, and its tick - tock in the security area.

MOD PARENT UP (-1)

Anonymous Coward | more than 2 years ago | (#37920902)

That is all

Re:And? (1)

Gilmoure (18428) | more than 2 years ago | (#37922288)

* golf clap *

Re:And? (3, Informative)

X0563511 (793323) | more than 2 years ago | (#37920948)

You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!

Re:And? (0)

Anonymous Coward | more than 2 years ago | (#37921414)

I'm pretty sure his main point is about firewall rules, not scanning attachments. If the firewall doesn't allow a network connection, the remote exploit is more or less useless.

Re:And? (1)

X0563511 (793323) | more than 2 years ago | (#37922110)

Yea, and firewalling SMTP is a good way to stop you getting any mail.

Re:And? (2)

couchslug (175151) | more than 2 years ago | (#37920976)

"Next you'll be telling me that I shouldn't let filesharing ports open to the world."

You shouldn't let filesharing ports open to the world.

HTH!

Re:And? (1)

doctorcisco (815096) | more than 2 years ago | (#37921106)

Clearly, you didn't read the article. The document attachment won't trigger your scanner, because it exploits an unpublicized kernel vulnerability. Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you. So unless you forbid people to get any and all .doc/.docx files from any source, you are vulnerable to something like this.

So ... you do block all possible access to .docx files, right? Or maybe you need to realize that your 20 year old security rules that aren't 20 years old are also already out of date. The game has changed.

doc

Re:And? (1)

adonoman (624929) | more than 2 years ago | (#37921450)

Does this apply to docx files, or just doc/docm files? The newer word version have removed macro functionality from the docx files, and require you to use docm files for any of that. 2007/2010 also refuse to run macros on any kind of files from non-trusted locations. Or is this an old-fashioned exploit that relies on a buffer overflow or such in a non-macro document?

Re:And? (0)

Anonymous Coward | more than 2 years ago | (#37921598)

Irrelevant to his point. If you don't have ACL's and firewalls setup to block any kinds of connections (ie. remote exploits) you don't want, you aren't really doing your job.

Re:And? (1)

LordLimecat (1103839) | more than 2 years ago | (#37921946)

Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you.

Im not seeing why it follows that kernel vulns do not require root to do their worst. The kernel interacts with userland as much as anything else, right?

Is it really about market share? (-1, Troll)

Anonymous Coward | more than 2 years ago | (#37920566)

There are those who say that the reason OS X has so much less malware is simply because it has a smaller market share.

I'm sorry, that's not the reason at all. The reason is because of crap like this where a word processor document can exploit a kernel vulnerability. The reason is because of crap like Outlook, which is not only happy to execute code for any data type it sees, but does it in the preview pane. (And IE and Excel doing the same thing.) The reason is because it will happily embed crap like Flash into documents, opening up a whole new world of vulnerabilities. The reason is because of crap like ActiveX, where random native code on the internet can be executed on the main CPU, with full access to the API. The reason is because of crap that listens to undocumented TCP/IP ports, onto which an single UDP packet can take over and start spewing itself all over the internet.

Etc.

Re:Is it really about market share? (2)

Amouth (879122) | more than 2 years ago | (#37920800)

so explain to me how Apple doesn't do any of these things? you realize that for a long time now the main method of Jailbreaking their phones has been a PDF exploit that allows you to root the device.. not only is it documented and in actvice use, but it has been there for years now, and they still have not fixed it.

Re:Is it really about market share? (0)

Anonymous Coward | more than 2 years ago | (#37921164)

Apple has fixed the PDF exploits, over and over again. People just keep finding new ones.

And if Appletards believe these exploits are only used for good (jailbreaking) and not evil (spearfishing attacks), they are kidding themselves.

Re:Is it really about market share? (0)

Anonymous Coward | more than 2 years ago | (#37921910)

There are those who say that the reason OS X has so much less malware is simply because it has a smaller market share. I'm sorry, that's not the reason at all. The reason is because of crap like this where a word processor document can exploit a kernel vulnerability.

so explain to me how Apple doesn't do any of these things?

The previous poster overstates it a bit, but does have a point. When your OS vendor is also your word processor vendor and when the two are coupled tightly using undocumented APIs without regard for security concerns... you have a big problem. Apple also makes a word processor, but does not use undocumented APIs and does not have the same level of exposure area to an exploit (although Apple's application security practices are hit and miss based on the project).

...you realize that for a long time now the main method of Jailbreaking their phones has been a PDF exploit that allows you to root the device..

This is interesting, but sort of proves the point. On the iPhone Apple makes both the PDF rendering libraries, the reader, and the OS and they are tightly coupled (since PDF is used for all the UI elements of the OS as well).

Re:Is it really about market share? (1)

RightSaidFred99 (874576) | more than 2 years ago | (#37920830)

Get a clue. You don't know what a "kernel vulnerability" is, judging by your rhetoric you seem to think only silly OS's like Windows have them and allow user-land processes to exploit them. Not true. [pcworld.com]

Re:Is it really about market share? (2)

masternerdguy (2468142) | more than 2 years ago | (#37920928)

There are already OSX Trojans that are effective because Mac users feel invincible because they aren't running Windows. The fact that those exist is a warning to Apple that their market share is getting large enough to be targeted, but nobody seems to care about educating their users.

Re:Is it really about market share? (0)

Anonymous Coward | more than 2 years ago | (#37921646)

The most secure operating system in the world is no match for a user with the root password.

You can't protect an operating system 100% against trojans because you can't fix stupid*.

* and you can't fix lack of knowledge because joe public doesn't care as long as his computer keeps doing what he needs.

Re:Is it really about market share? (1)

LordLimecat (1103839) | more than 2 years ago | (#37922136)

Wait, what does the OS have to do with the mail client, or with what you can embed into what documents? I mean, if you want to discuss awful clients, we could talk about Mac Mail, or I could simply remind you that Outlook and Word are both available for OSX too and hardly count as MS OS features.

As for "random native code on the internet", Im pretty sure Safari et al support NPAPI plugins, which are essentially the same thing, and perhaps a little easier to install than an ActiveX program in IE9.

The reason is because of crap that listens to undocumented TCP/IP ports, onto which an single UDP packet can take over and start spewing itself all over the internet.

If you want to deserve an informative mod, you might want to cite a source on that. Pics, or it didnt happen.

Also, if OSX is so much better, how come at Pwn2Own Every [wikipedia.org] Single [wikipedia.org] Year [wikipedia.org] , OSX / Safari [wikipedia.org] falls first [wikipedia.org] ?
(2010 MIGHT have been a tie, or someone else first, but OSX was done on day 1 regardless-- couldnt find the exact order). You will also note that this is DESPITE Apple's attempt to slip in last-minute fixes prior to the contest.

Listen, if you want to rely on your OS to provide "Security" and "Hacker Prevention", go right ahead. The more folks you convince to use your platform, the more quickly the playing field is leveled, and the quicker we see the reality of the situation with regard to OS security. Hope you have your bootkit removal tools ready.

Borg Bill is gone! (1, Interesting)

Anonymous Coward | more than 2 years ago | (#37920832)

Hey! Where is Borg Bill? Put it back right now!

Re:Borg Bill is gone! (1)

Jeng (926980) | more than 2 years ago | (#37921220)

No, Borg Bill should have been retired long long ago, but I disagree with what has replaced it.

Instead what I would like to see is a dancing monkey throwing chairs.

remote code execution? (1)

SirDice (1548907) | more than 2 years ago | (#37920974)

"A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution." It's an exploit embedded inside a Word document. You can't get more local then that.

HOW the HELL (2, Interesting)

v1 (525388) | more than 2 years ago | (#37920998)

do you have a kernel security bug in a word processor?

Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.

Re:HOW the HELL (1)

Anonymous Coward | more than 2 years ago | (#37921394)

The same way iPhones keep getting jailbroken through PDF viewer vulnerabilities.

The article is short on details, but likely, the exploit is limited to older versions of word that would still actually run macro code on internet-sourced documents. Either that, or someone's given the malware authors a code-signing certificate, which I suppose is possible, but makes the fix as easy as revoking the certificate.

Once you are running a Word macro, it's not that hard to find some exploit that will let you run arbitrary code. Once you're running arbitrary code, any old kernel-privilege escalation exploit will work as a vector for root-kitting an OS.

The article also doesn't comment on whether this applies to Windows 7 / Vista with ASLR and DEP, or whether it requires running as admin.

Re:HOW the HELL (2, Funny)

Anonymous Coward | more than 2 years ago | (#37921466)

do you have a kernel security bug in a word processor?

It's called "innovation". Microsoft has it, other companies and groups don't. While Microsoft has been busily advancing the security flaw sciences over the life of the company, the Linux and *BSD teams still consider it a major breakthrough worth front-page news whenever they develop a rare, very-special-case privilege escalation bug under certain kernel options (and only if you made stupid decisions in your other programs). And while Apple is still struggling to come up with ways to relinquish root on their systems to catch up with the state-of-the-art from ten years ago, Microsoft is blazing forward, creating new and innovative violations such as drive-by downloads in IE, invisible trojans from downloads, and now even their lowly word processor can cause a complete rooting at the kernel level.

Microsoft. They still lead innovation.

Re:HOW the HELL (5, Informative)

Dr_Barnowl (709838) | more than 2 years ago | (#37921494)

Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

The selection of Word as an attack vector was probably influenced by a combination of...

  • Word is probably the number 1 application that most professionals open after the browser.
  • Word has the extra advantage that it's not received as much hardening as the browser.
  • Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.
  • The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.

Re:HOW the HELL (2, Informative)

BitZtream (692029) | more than 2 years ago | (#37921514)

You simply do not have any idea how software works, which is ironic considering you're calling them stupid. Please realize that ALL IO, be it console, gui or file goes through the kernel right?

Your super leet little Linux box works the same way.

All apps access the kernel API in order to function. Just starting a process is an API call. To actually do anything useful on a computer, you're talking to the kernel, its what arbitrates between all of your apps. Yes, you may have a window manager doing the lifting, but in the end, the video drivers are in the kernel space, and to make any changes to the display, you gotta talk to the kernel.

The kernel delivers your keystrokes to the application.

The kernel plays sound that the application asks it too.

The kernel displays whats on your monitor.

The kernel is the only things that talks to ANY hardware on your machine directly, everything else in useland talks to it via the kernel.

All most all 'kernel exploits' are done via user land code. There are extremely rare exceptions like exploiting kernel netcode and such like the old winnuke, teardrop and all those did. Those directly exploit bugs in the kernel because the kernel is the first thing that handles all network activity in and out of the machine. Otherwise, your two options for exploiting the kernel are userland applications and kernel loadable modules. Well, if you can load a klm, you own the machine anyway, thats a feature, not an exploit.

So basically the only way any exploit happens (or the vast majority of them really) is by using a userland application to make a kernel API call that can be exploited due to a bug. The kernels job is to play police officer and make sure nothing like this happens, but, its not perfect, regardless of what OS you're running, and those bugs get found, someone crafts an exploit and figures out a good vector for delivery. That may be through a network connection via Apache or IIS (these are both userland applications) or in this case, I get you to open a word doc that materializes the exploit. It doesn't even have to be a word problem, could be an image with bad data that gets loaded by the default libraries and something weird happens there, Word is just a way to start the process.

Re:HOW the HELL (1)

tlhIngan (30335) | more than 2 years ago | (#37921806)

In Linux, a kernel exploit from an application is also known as a "priviledge escalation" bug. Basically, a non-root user exploits the kernel in some way and gets root priviledges.

And yes, there have been many of those - usually some combination of oddball flags and little used options leading to an overflow.

And no, forcing the user to do the escalation for you don't count.

Re:HOW the HELL (1)

LordLimecat (1103839) | more than 2 years ago | (#37922208)

So those WinNuke etc network-based attacks are known as "privilege escalation"? In school we were taught that those were categorized as DoS, not escalation.

Re:HOW the HELL (1)

ticktickboom (1054594) | more than 2 years ago | (#37921532)

at least they stopped bundling their browser with the os....back with windows 98 you could get web bugs and never turn IE on...oh, wait, they started that again n/m this post

Re:HOW the HELL (0)

Anonymous Coward | more than 2 years ago | (#37921936)

Sigh, do you really think that they run word in ring0?
The kernel bug can probably be triggered any usermode application where the attacker controls the respective syscall parameter(s).

You don't (1)

samjam (256347) | more than 2 years ago | (#37922174)

You don't have a kernel security bug in the word processor, you have it in the kernel.

The word processor makes kernel calls all the time; usually wrapped in crt.dll and cpp.dll calls but it's kernel calls in the end.

Opening a file and locking a file requires a kernel call.

There is already a fix out: (1)

chomsky68 (1719996) | more than 2 years ago | (#37921076)

wipe your disk and reinstall Windows.

Re:There is already a fix out: (4, Informative)

SadButTrue (848439) | more than 2 years ago | (#37921288)

wipe your disk and reinstall anything but Windows.

FTFY

Re:There is already a fix out: (1)

masternerdguy (2468142) | more than 2 years ago | (#37921314)

ReactOS?

Re:There is already a fix out: (1)

LordLimecat (1103839) | more than 2 years ago | (#37922234)

This just in-- OSX and Linux have no kernel bugs.

Except for the ones used to pwn them every year at pwn2own, of course.

Re:There is already a fix out: (1)

Anonymous Coward | more than 2 years ago | (#37921322)

wipe your disk and [b]don't[/b] reinstall Windows.

There fixed it for you.

Customers' Fault (0)

Anonymous Coward | more than 2 years ago | (#37922224)

If all you people would stop demanding that word processing files have any networking capabilities, this would stop happening.

Microsoft just provided a way to work easier.

Ok, maybe not, but I'm hard pressed to blame MS for many of these features. They just gave us what we demanded as customers.

I guess the old adage to **never** trust anything that a user can enter wasn't part of this code in MS-Office.

Legally Responsible Entity? (1)

BoRegardless (721219) | more than 2 years ago | (#37922334)

So your company lost all its marketing, production & engineering documents for your trade secret widgets & it was due to a Microsoft bug.

Is Microsoft responsible for allowing a Word condition allowing executables in or the Windows OS for having holes?

Or is your company responsible for the total loss of its trade secret intellectual property?

Now who do the aggrieved shareholders sue?

WWOT fp (-1)

Anonymous Coward | more than 2 years ago | (#37922336)

Has ground to a distributions Of a solid dose they 4re Come parts. The current FUTURE AT ALL against vigorous Most people into a
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?