
Microsoft Warns of Zero-Day Attacks

Soulskill posted about 10 months ago | from the welcome-to-tuesday dept.

Security 165

wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."


165 comments


Already there (4, Funny)

suso (153703) | about 10 months ago | (#45342011)

Don't they already put that warning on the box?

Re:Already there (1)

the_skywise (189793) | about 10 months ago | (#45342033)

It's not on the box... it's in the EULA!

(On the box.. sheesh... Not enough room for the warnings on there...)

Re:Already there (2, Insightful)

GoodNewsJimDotCom (2244874) | about 10 months ago | (#45342065)

It is like Microsoft Windows doesn't even try to be secure. It isn't too incredibly hard for executables to be unable to hammer system files if a modicum of sandboxing was involved. An example would be if applications couldn't touch things outside their installed directory. There would be a specific protocol for communication between different installed apps. This should have been done back in the win98 era. Because applications are not secure, everyone is paranoid about downloading an untrusted .exe. If Windows was made for the Internet, you should be able to download any application and it be harmless.

Re:Already there (0)

Anonymous Coward | about 10 months ago | (#45342083)

You're the one still stuck in the Win 98 era. Since Windows 2000, if you're not logged in as admin, the attacker wouldn't be able to hammer system files.

quote: "An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user."

Re:Already there (0)

Anonymous Coward | about 10 months ago | (#45343537)

Haha, sure. Last time I checked, admin permissions were one consent-UI-click away, with no need to enter any password.

Re:Already there (3, Interesting)

mstefanro (1965558) | about 10 months ago | (#45342143)

I have been saying this for ages. It is embarrassing that the concept of "antivirus" still exists. Its main purpose is to enforce a huge blacklist of .exe files that can harm you. Instead of keeping track of millions of apps that are evil, why not just apply some least privilege principles and sandboxing already so that we can run an application without granting it access to all our resources?

It comes as no surprise that everything gets moved to the web nowadays. One can safely open a website without worrying that all his personal data can be accessed (such as Firefox stored passwords). On the other hand, opening an application requires complete trust in the author, which is simply too much to ask most of the time. Look how well "apps" have evolved in mobile platforms. It is quite natural to prefer apps to websites, because it can be easier to have something run on startup and be easily accessible whenever you want, as opposed to having to go through a browser. They generally have less overhead and are more powerful. If Windows had a decent package manager and proper privilege separation we would probably be living in a different world today.

For anyone who claims stuff like "but Windows has UAC", obligatory xkcd: http://xkcd.com/1200/ [xkcd.com]

Re:Already there (5, Informative)

recoiledsnake (879048) | about 10 months ago | (#45342645)

You just described Windows RT.

Re:Already there (2)

smash (1351) | about 10 months ago | (#45342805)

It's called code-signing, and every time someone suggests it, the /. crowd are up in arms about how you're not free to run what you want on your own computer, conveniently disregarding the idea that you can sign code yourself.

And yes, it's the only real solution.

Re:Already there (2)

stooo (2202012) | about 10 months ago | (#45343073)

Code signing ? This does not remove exploitable holes in that cleanly signed (but shitty) code.

Re:Already there (1)

smash (1351) | about 10 months ago | (#45343109)

No, but it does stop exploitable code from being used to set up un-signed executables to run on boot, etc. Sure, the code can be exploited in memory, but if you try and modify any executable on disk, the signature will break and the code won't run by default. Makes it much harder for a virus to set itself up permanently on the machine, and much more difficult to spread via infecting executables.

Re:Already there (2)

mstefanro (1965558) | about 10 months ago | (#45343375)

Antiviruses are blacklisting, code signing is whitelisting. Both bad solutions in a world where we have so many apps that keeping track of all of them is very difficult. Besides, code signing does not solve the problem of too relaxed permissions. In the situation presented in the article, MS Office is a signed piece of software.

Re:Already there (1)

fuzzyf (1129635) | about 10 months ago | (#45343221)

Actually, if I remember correctly, you can change a dll after it has been signed. At least for everything in .net.

As shown by Jon Mccoy here:
http://vimeo.com/43536532 [vimeo.com]

Re:Already there (1)

10101001 10101001 (732688) | about 10 months ago | (#45342811)

Instead of keeping track of million of apps that are evil, why not just apply some least privilege principles and sandboxing already so that we can run an application without granting it access to all our resources?

Probably because it won't help? As the xkcd comic demonstrates, once you've gained access to the sandbox, it makes little difference in most cases that you're unable to leave it. In the current Zero-Day Attack, the issue is an exploit in the TIFF library. Hence, any application that uses said library is potentially vulnerable.

If we lived in a sandboxed world, all those MS Office applications that are now vulnerable would still be vulnerable. "Ah," you say. "But MS Office wouldn't have internet access so it couldn't do any real damage." And I retort, "The exploit would propagate through infected MS Office files, slurping up as much financial information as it could along the way, until either (a) the malicious agent got a document from you and could extract out the data or (b) wait until the one MS Office machine that *does* have internet access enabled and push all the data out then."

Or, maybe we could try to sandbox out the TIFF library in some fashion. Great idea there, but how do you actually pull that off? The actual broker for what is a TIFF file has to be invulnerable to a bug before it can be passed off to the TIFF encoder/decoder. And then the displayer has to be invulnerable as well. And the file loader. And any of the transfer agents. In short, any step along the way could just as well be buggy as it is now, so splitting it up into parts just means it's a separate cog still with most, if not all, of the same access to said data and with said ability to manipulate the data (stuffing data into TIFF comments, for example) for some malicious end.

This, of course, isn't to say it's not worthwhile to try to have better sandboxing as appropriate. But, there's no real magic bullet to such problems when it all comes down to having program logic that's flawed. It reminds me of people scoffing at software designed to continue running properly on hardware that might, due to ever increasing die shrinking, be known to have defects. Well, sandboxing as you speak of it falls upon the same problem with software with known defects. In honesty, the best thing that can be done is code audits and fixing bugs and releasing fixes ASAP. Oh, and avoiding things like writing in Turing-complete languages into things since, again, even if contained in a sandbox programs can do bad things.

PS - The real problem with UAC is (a) too many programs ask for (or require) Admin access when they really shouldn't and (b) it's too much of an all-or-nothing approach to addressing the question of security without providing remotely enough information to the user to make an informed choice on the matter. I don't think more piecemeal approaches really help--Android apps are too guilty of (a)--and sandboxing doesn't help much either--programs that refuse to run and don't infect you also don't do their job either. There's no magic fix and trust is a very essential part of use of almost all programs.

Re:Already there (1)

mstefanro (1965558) | about 10 months ago | (#45343397)

As you said, it is the all-or-nothing that concerns me. I am not claiming that sandboxing would magically solve all problems and that successful exploits would never be able to do any harm. But being able to mount an attack such as "someone using MS Office somewhere might use it to open sensible data, which we can steal" is not the same as mounting an attack like "we can use MS Office to collect all stored passwords from all browsers and send them to us. And to spawn a keylogger". The MS Office should have no business accessing the sensible data of other applications or their memory space for that matter. I don't believe that the fact that Windows allows everything to stick its head where it does not belong is really an unsolvable problem.

Re:Already there (0)

Anonymous Coward | about 10 months ago | (#45343171)

The problem is that some software really does need more privileges, and every time people have tried a sandbox-and-let-apps-ask-for-privileges system, applications routinely ask for all the privileges they can get. (Look at the smartphone world for example.) And users are happy to oblige, if only for no other reason than that they (feel that) they have no choice.

Re:Already there (1)

mstefanro (1965558) | about 10 months ago | (#45343359)

Yes, this is a major issue, but I don't believe it to be one without a solution, should one really bother to come up with a good implementation.

On a mobile phone, you (as an application) can refuse to run if a user does not grant access to a resource (such as webcam), because you know for sure that every phone has a webcam. This blackmailing procedure may not be so successful on a PC, where if the owner refuses to grant access to his webcam to an app, the OS can make it such that it is impossible for the app to distinguish between "the PC has no webcam" and "the PC has a webcam but you do not have access to it". Doing this for most resources should make it a lot more difficult for apps to trick users into granting more permissions than they need.

Re:Already there (0)

Anonymous Coward | about 10 months ago | (#45342895)

Why only pick on Windows?
http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

Re:Already there (3, Informative)

TheP4st (1164315) | about 10 months ago | (#45343075)

Because we picked on apple for that one on August 29th [slashdot.org] and to those of us that are capable of thinking clearly it makes very little sense to pick on apple when the topic clearly is a windows vulnerability.

Re:Already there (1)

ruir (2709173) | about 10 months ago | (#45343015)

Why should they, killing the lucrative AV industry?

Re:Already there (2)

fuzzyf (1129635) | about 10 months ago | (#45343271)

The real problem is with the x86 architecture. As long as it's possible to hijack threads and inject code to running processes it doesn't matter what the filesystem allows or not.

Creating a secure system would need a different architecture to begin with. The way the stack is handled in x86 is just asking for buffer overflow exploits.

TIFF (0)

Anonymous Coward | about 10 months ago | (#45342353)

TIFF - Nuf sed.

Re:TIFF (2)

smash (1351) | about 10 months ago | (#45342843)

Problem is, most email to fax gateways use either TIFF or PDF, and most of them are TIFF. Though PDF isn't any better (in fact, historically it is much worse, security wise) given that most people seem to use adobe reader to open them.

Re:Already there (2)

ArsonSmith (13997) | about 10 months ago | (#45342671)

Windows is fine if you don't read emails or browse the web.

Re:Already there (0)

Anonymous Coward | about 10 months ago | (#45343087)

Windows is fine as long as it is not used as an operating system

Re:Already there (1)

MobSwatter (2884921) | about 10 months ago | (#45342839)

NSA: It's not a bug, it's a feature.

Use Linux. (2)

stooo (2202012) | about 10 months ago | (#45343013)

Microsoft Warns of Zero-Day Attacks
Use Linux.

New Attack? 0 Day? (0)

Anonymous Coward | about 10 months ago | (#45342031)

I love the terminology. But what the hell? How does processing an image lead to code execution? And it affects software from a decade ago. Makes you wonder about what vulnerabilities might be out there. Makes you wonder about who knows, and uses them.

Re:New Attack? 0 Day? (5, Informative)

Timothy Hartman (2905293) | about 10 months ago | (#45342067)

Microsoft, Apple, and even our dear Linux all have had issues with previewing malcrafted images. If seeing this in patch notes shocks you I'll assume you haven't read many patch notes. TIFF is surprising as that hasn't been a huge attack vector, but I've seen in the hundreds of notes I've read as an IT peon where formats have been an issue. More often it is PDF, EMF, WMF, but TIFF isn't out of the question.

It is a file format that is pretty low on the level of requiring correct formatting and is more or less abandoned by its owner, Adobe. I bet there is a grip of EPS exploits out there for Microsoft's viewer, but very few people would open those. Everyone knows EPS is "an Adobe" and forwards them on to the graphics department.

Re:New Attack? 0 Day? (0)

Anonymous Coward | about 10 months ago | (#45342613)

TIFF gets scary as some of the JPEG header and EXIF structure is heavily "borrowed" from the TIFF spec and layout. Most people dealing with TIFF files would be publishing professionals, not Joe Average.

Re:New Attack? 0 Day? (5, Interesting)

Anonymous Coward | about 10 months ago | (#45342657)

TIFF is a scary format in general because it's been extended in so many bizarre ways to support document management systems. For ex, there's actually a standard for embedding PDFs inside of a TIFF (rather than vice versa).

Re:New Attack? 0 Day? (0)

Anonymous Coward | about 10 months ago | (#45343249)

TIFF isn't a huge vector because, for the most part, it's a "write-only" format, whereas attackers rely on files being read. The purpose of TIFF is for interchange, so you can have many programs that write TIFF files, but only a few that can read them and convert them to whatever other format suits your purposes.

Re:New Attack? 0 Day? (1)

Anonymous Coward | about 10 months ago | (#45343279)

Or at least that's what would be the case if GDI+ didn't add TIFF reading for everything.

Re:New Attack? 0 Day? (0, Offtopic)

dc29A (636871) | about 10 months ago | (#45342081)

Technically it's not zero day because they collaborate with NSA and give them the exploit before they warn the public.

Re:New Attack? 0 Day? (0)

noh8rz10 (2716597) | about 10 months ago | (#45342317)

maybe it was a zero day, but no longer?

Re:New Attack? 0 Day? (1)

dltaylor (7510) | about 10 months ago | (#45342119)

It's "Yet Another Back Door", which they might get around to disclosing if enough non-MS and non-Gov't exploits are published. It's no different from the DX9 kernel modules looking for MP3s with executable streams.

The crackers don't have to compromise MS products, they just have to find the existing back doors and use them.

Re:New Attack? 0 Day? (1)

cavreader (1903280) | about 10 months ago | (#45342659)

Exactly how many engineered back doors have actually been found and exploited?

Re:New Attack? 0 Day? (1)

Salafrance Underhill (2947653) | about 10 months ago | (#45343035)

Exactly how do you tell the difference between an accidentally introduced vulnerability facilitating a back door and a back door engineered to look like the former?

There's a phrase you should google: 'plausible deniability'.

Re:New Attack? 0 Day? (1)

Gothmolly (148874) | about 10 months ago | (#45342129)

Because they do not separate code and data.

Re:New Attack? 0 Day? (4, Insightful)

Michalson (638911) | about 10 months ago | (#45342241)

Easy. You have something (like a header) that leads the image decoder to allocate a certain amount of memory on the stack (a buffer) for an expected piece of data. Then you have the decompressed data be larger than it was advertised or calculated, overflowing the buffer and so overwriting other items on the stack, like the return address. By changing the return address you can point it back at the buffer, which when the CPU tries to read those bytes as code instead of data it turns out they do bad things.

Vulnerabilities in media decoders are a prime vector for infection since they are usually processed automatically. The only reason you are seeing it in software from 'a decade ago' is that hackers face so much competition from white hat researchers when it comes to browsers, fighting for vulnerabilities from a usually shrinking pool. With fewer opportunities some are turning to media decoders found in applications like Office. It's a less effective vector since it requires several actions from the user, but the upside is that these applications are often not as aggressively patched as browsers have become which means a single vulnerability might work for months.

For a comparison it's been almost a year since the last arbitrary code vulnerability was reported in FireFox's GIF decoder, and 2 years since the JPEG decoder was last turned into an attack vector (to the best of my knowledge). IE, Chrome and Safari have experienced similar droughts, with all the major browsers only having 1 or 2 image based vulnerabilities reported annually for the last few years, and usually by researchers who allow it to be patched quickly rather than as a zero day being exploited. Of course other types of media exist. CSS/HTML5 has rapidly become a media format in and of itself and a little over a month ago FireFox was vulnerable to arbitrary code execution due to the way it decoded animations in CSS stylesheets (this was reported by Google and patched with the release of FF 24). TL;DR Researchers are hogging all the good browser vulnerabilities, so hackers are playing in the dusty old rooms nobody has visited in years.

So why everyone still uses C-style buffers? (1)

master_p (608214) | about 10 months ago | (#45343305)

I would have expected, in this day and age, where computers are supposed to be much more powerful than needed for the majority of users, that C-style management of buffers would have been a thing of the past, especially in major software like Office and browsers.

But, judging from your post, it seems that is not the case. People still use raw buffers without bounds checking.

The principle "performance first, safety second" has not done good. The majority of problems like this come from the programming language C which does not mandate bounds-checked array access.
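The decoder defect Michalson describes above (a header-advertised size that is trusted, then decompressed data that turns out longer than promised) and master_p's point about unchecked buffers, shown from the defender's side in an added C example that is not from this thread or from any TIFF library: a bounds-checked PackBits decoder (the RLE scheme TIFF uses) behind a header check for a constructed mini-format. The format layout, MAX_PIXELS, decode_image, packbits_decode and the sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mini-format (not real TIFF IFD encoding):
 *   bytes 0..1 : width  (little-endian uint16)
 *   bytes 2..3 : height (little-endian uint16)
 *   bytes 4..  : 8-bit grey pixels compressed with PackBits
 * Two sizes need checking: the one the header advertises (before it is trusted)
 * and the one the decompressed data actually has (while it is produced). */

#define MAX_PIXELS 4096u  /* hard cap on width*height; the pixel buffer is this big */

typedef enum {
    DEC_OK = 0,
    DEC_ERR_TRUNCATED,  /* header or compressed stream is shorter than it claims */
    DEC_ERR_BAD_SIZE,   /* header advertises zero pixels or more than MAX_PIXELS */
    DEC_ERR_OVERRUN     /* decompressed data would exceed the advertised size */
} dec_status;

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* PackBits decoder that never writes past dst_cap: every run is checked against
 * the remaining input and the remaining output before a byte is copied. */
dec_status packbits_decode(const uint8_t *src, size_t src_len,
                           uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    size_t in = 0, out = 0;
    while (in < src_len) {
        int8_t n = (int8_t)src[in++];
        size_t run;
        if (n == -128) continue;                 /* no-op marker byte */
        if (n >= 0) {                            /* literal run: copy next n+1 bytes */
            run = (size_t)n + 1;
            if (run > src_len - in) return DEC_ERR_TRUNCATED;
            if (run > dst_cap - out) return DEC_ERR_OVERRUN;
            memcpy(dst + out, src + in, run);
            in += run;
        } else {                                 /* repeat run: next byte, 1-n times */
            run = (size_t)(1 - (int)n);
            if (in >= src_len) return DEC_ERR_TRUNCATED;
            if (run > dst_cap - out) return DEC_ERR_OVERRUN;
            memset(dst + out, src[in++], run);
        }
        out += run;
    }
    *out_len = out;
    return DEC_OK;
}

/* Decodes one image into pixels[MAX_PIXELS]. The advertised width*height is
 * bounded first, then used as the cap for decompression, so a stream that
 * expands past it is rejected instead of being written past the buffer. */
dec_status decode_image(const uint8_t *file, size_t file_len,
                        uint8_t pixels[MAX_PIXELS], size_t *pixel_count)
{
    uint32_t w, h, expected;
    dec_status st;
    if (file_len < 4) return DEC_ERR_TRUNCATED;
    w = read_le16(file);
    h = read_le16(file + 2);
    expected = w * h;                            /* both <= 65535: no uint32 overflow */
    if (expected == 0 || expected > MAX_PIXELS) return DEC_ERR_BAD_SIZE;
    st = packbits_decode(file + 4, file_len - 4, pixels, expected, pixel_count);
    if (st != DEC_OK) return st;
    if (*pixel_count != expected) return DEC_ERR_TRUNCATED;  /* fewer pixels than promised */
    return DEC_OK;
}

/* Constructed sample files. SAMPLE_OK is 4x2: literal AA BB CC, then 0x11 five times.
 * SAMPLE_OVERRUN advertises 2x2 but its stream expands to 9 bytes.
 * SAMPLE_TOO_LARGE advertises 65535x65535.
 * SAMPLE_TRUNCATED promises a 3-byte literal run but carries only one byte. */
static const uint8_t SAMPLE_OK[]        = {0x04,0x00,0x02,0x00, 0x02,0xAA,0xBB,0xCC, 0xFC,0x11};
static const uint8_t SAMPLE_OVERRUN[]   = {0x02,0x00,0x02,0x00, 0xF8,0x00};
static const uint8_t SAMPLE_TOO_LARGE[] = {0xFF,0xFF,0xFF,0xFF, 0x00,0x00};
static const uint8_t SAMPLE_TRUNCATED[] = {0x04,0x00,0x02,0x00, 0x02,0xAA};

static uint8_t last_pixels[MAX_PIXELS];
static size_t  last_count;

/* Decodes a sample into the static buffer above and returns the status. */
dec_status decode_sample(const uint8_t *file, size_t len)
{
    last_count = 0;
    return decode_image(file, len, last_pixels, &last_count);
}

int main(void)
{
    static const char *names[] = {"ok", "truncated", "bad size", "overrun"};
    dec_status st = decode_sample(SAMPLE_OK, sizeof SAMPLE_OK);
    printf("SAMPLE_OK:        %s (%zu pixels)\n", names[st], last_count);
    printf("SAMPLE_OVERRUN:   %s\n", names[decode_sample(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN)]);
    printf("SAMPLE_TOO_LARGE: %s\n", names[decode_sample(SAMPLE_TOO_LARGE, sizeof SAMPLE_TOO_LARGE)]);
    printf("SAMPLE_TRUNCATED: %s\n", names[decode_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)]);
    return 0;
}
```

The overrun sample is the case from the comment above: a header the decoder sizes its buffer from, and a compressed stream that expands beyond it; with the cap enforced inside the decoder the result is an error code rather than an overwritten stack.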

Re:New Attack? 0 Day? (1)

smash (1351) | about 10 months ago | (#45342807)

Flaw in the image processing code.

Re:New Attack? 0 Day? (1)

TheP4st (1164315) | about 10 months ago | (#45343125)

It's not the first time it happens on Windows [microsoft.com] but similar issues have also affected Linux [eweek.com] and most likely OSX too.

WOW (3, Insightful)

noh8rz10 (2716597) | about 10 months ago | (#45342037)

so when the summary says "the attacker would have to convince the user..." what they really mean is that it would happen automatically with no user interaction. I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned. This sounds like it would be an XP thing, but since it applies to office 2007 and 2010, presumably it applies to windows 7 as well?

I bet NSA is pissed, because one of their favorite pwnage tools is now public :(

Re:WOW (2)

ljw1004 (764174) | about 10 months ago | (#45342281)

No, the advisory said that it affects Vista and Server2008.

It explicitly says that Win7, Win8, Win8.1, WinRT, Server2008-R2 and Server2012 are unaffected.

Caveat: although I work at Microsoft, I know nothing about this alert other than what I read in TFA.

Re:WOW (1)

yuhong (1378501) | about 10 months ago | (#45342381)

Unless you are using Office or Lync which have their own copy of GDI+. Office 2010 only uses their own copy when running under XP though unlike older versions and 2013 don't support XP at all so they don't have their own copy anymore.

Re:WOW (1)

mjm1231 (751545) | about 10 months ago | (#45342395)

So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?

Re:WOW (1)

techno-vampire (666512) | about 10 months ago | (#45342341)

I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned.

And how many people do you know that still open emails from unrecognised strangers? Before you can get people to open a malicious email you have to get past their spam filters (or, at least the filters their mail server uses) and make the recipient think it's a valid email. (Yes, I know that there are people who just open everything that comes in, but I think you get my point.) However, from what I can tell, if you're running Windows and you open it, you're toast. I'm not saying that Macs and Linux are safe because I don't know enough, but I'm fairly sure that this is not only Windows specific, it's aimed more at Outlook than anything else simply because of its market share.

Re:WOW (1)

khasim (1285) | about 10 months ago | (#45342471)

From the summary:

To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content.

So all that is really necessary is to set up a web server and post something enticing in forums like Slashdot.

https://en.wikipedia.org/wiki/Pwn [wikipedia.org]

Once that is accomplished then the cracker waits for web hits. Once you've been cracked he would search your computer for anything resembling an email address and attempt to send malicious emails to those addresses pretending to be from a different address that was found on your computer.

And that's not counting your FaceBook login and other social media sites.

Re:WOW (1)

noh8rz10 (2716597) | about 10 months ago | (#45342577)

but with most email programs, even when you select the message it automatically shows in the preview pane. So if I select it in order to delete it, it shows in the preview and BAM. Or if I delete the adjoining message, the focus shifts to that message, and BAM. It's not all about (l)users here.

Re:WOW (1)

smash (1351) | about 10 months ago | (#45342847)

I would suggest that probably 99.9% of the non-nerd population open emails from unrecognised strangers. Especially when you include those with a spoofed return address or other obfuscation.

Re:WOW (2)

smash (1351) | about 10 months ago | (#45342851)

Additionally, to delete a message within outlook you must click on it first. Which means if you have the preview window displayed, it will be parsed and displayed in the preview window.

Re:WOW (1)

noh8rz10 (2716597) | about 10 months ago | (#45342919)

maybe a good compromise is an email client feature that shows you text-only previews of messages. then you can see what the message says without getting exposure to any of this junk. thoughts?

Re:WOW (0)

Anonymous Coward | about 10 months ago | (#45343449)

Seems like a reasonable feature. All e-mail clients I use already ask before loading remote images (because they are used for tracking), but that doesn't stop the attack from just including the image as an attachment.

Preview pane is evil (2)

asifyoucare (302582) | about 10 months ago | (#45342783)

Anyone who uses Outlook preview pane can be infected by any image or font based vulnerability without even opening the infected e-mail. The preview pane is a huge security hole and it should be removed as a feature, or at least disabled by policy.

Re:Preview pane is evil (1)

noh8rz10 (2716597) | about 10 months ago | (#45342835)

there's some merit to your argument, but the fact that Windows has images and fonts that can own your system is beyond absurd.

A compromise solution is that the preview pane shows text-only previews. That keeps the majority of the productivity, and should close these holes we speak of. Thoughts?

Re:Preview pane is evil (1)

znrt (2424692) | about 10 months ago | (#45343119)

A compromise solution is that the preview pane shows text-only previews. That keeps the majority of the productivity, and should close these holes we speak of. Thoughts?

that has been a feature in every half-decent mail client for ages, now. surprisingly, a notable absence in thunderbird, but then thunderbird can at least be told never to open images directly in the preview or views and not to render any html. that people still accept/use html in email, after decades of exploits and scams, somehow shows to what extent safe communications are a lost battle.

here's another compromise solution, at least for business communications: instead of those absolutely irrelevant 10 lines of pompous and pointless disclaimer that every company likes to include at the end of each and every email, they could write one that explicitly disallows any malicious parsing of embedded images, voilà. that surely would scare the shit out of those nasty exploiters!

that reminds me of the famous "gallician" virus that circulated a while ago. it was a text-only virus, which informed you that by reading it you had just been pwned, appealing to your honor for duly destroying your windows registry after having manually resent the virus to your contacts.

Re:Preview pane is evil (1)

Anonymous Coward | about 10 months ago | (#45343253)

I've been using Thunderbird for years now. The default behavior is to not show images or any other potentially harmful material. I'm not sure what you've done wrong but maybe you should reset your settings to default.

I got burned by the font rendering bug last time (1)

msobkow (48369) | about 10 months ago | (#45342041)

I'm getting awfully tired of exploits from MicroSquishy that I can't do anything to block. If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines.

Fortunately I don't *trust* Windows at all after the last time I got burned, so I do *all* my surfing with Linux/Debian. The *only* time I ever hit the internet from the Windows box is to download software updates or installs.

Re:I got burned by the font rendering bug last tim (2, Informative)

theshowmecanuck (703852) | about 10 months ago | (#45342087)

I guess Linux has never and never will [arstechnica.com] have any security exploits possible against it. So yeah, good luck with that [google.ca] . And to anyone else who thinks using Linux online is the end all and be all for security. No system is safe.

Re:I got burned by the font rendering bug last tim (1)

msobkow (48369) | about 10 months ago | (#45342109)

Had this been a Linux bug, the patches would have been out tonight.

Re:I got burned by the font rendering bug last tim (1)

theshowmecanuck (703852) | about 10 months ago | (#45342169)

Guess you didn't read the first link.

Re:I got burned by the font rendering bug last tim (0)

Anonymous Coward | about 10 months ago | (#45343157)

Guess you didn't read the first link.

Why all the sensationalism and mock dismay? This Linux vuln is nothing like as severe as the Windows one.

In fact, the perf exploit was just a local privilege escalation vulnerability that was patched in the Linux kernel when it was identified (back in May). In addition, any admin who was concerned about it could load a kernel module patch immediately.

In any event, I tested the supposed exploit on several 64 bit machines with various kernel versions here and got kernel oops but no root.

Re:I got burned by the font rendering bug last tim (1)

theshowmecanuck (703852) | about 10 months ago | (#45343203)

It's in response to someone once again making like Linux is invulnerable. It isn't. I'm not a Microsoft nor Linux nor Mac fanboy. I have used all three (and OS/2) at work and at home. I don't make any assumptions that any of them are bullet proof like many others here seem to. I think anyone who does is a fool. Especially moderator fanboys who mod me down for pointing out that Linux has its moments too. And I still use all three OSs. My laptop runs Kubuntu by the way... which broke touchpad functionality on its latest upgrade. Just saying that it isn't bullet proof yet again. But I didn't delete it off the laptop, I plugged in a mouse. Stop hating on people who point out the truth of things ... even if you don't want to believe it.

Re:I got burned by the font rendering bug last tim (1)

drinkypoo (153816) | about 10 months ago | (#45343601)

The differences are that 1) Linux actually tries to be secure and 2) Linux isn't running unnecessary services you don't need and 3) The patch comes out much more rapidly for Linux, as stated, this is a proven fact. Don't pretend that Windows has parity with Linux, because it doesn't.

Re:I got burned by the font rendering bug last tim (-1)

Anonymous Coward | about 10 months ago | (#45342197)

http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.

Re:I got burned by the font rendering bug last tim (0)

Anonymous Coward | about 10 months ago | (#45342529)

Why is this modded down? People need to know what an NSA backdoor riddled piece of shit Linux really is!

Re:I got burned by the font rendering bug last tim (0)

Anonymous Coward | about 10 months ago | (#45342123)

Maybe so. The only thing I can tell you is that I have been heavily using Linux on the Internet since the late 90s, on several boxes connected to the Internet, and the number of times any of those boxes has been broken into is exactly 0. No system is safe, but some systems are a joke, when it comes to being exploited. Linux is not one of them.

Re:I got burned by the font rendering bug last tim (0)

Anonymous Coward | about 10 months ago | (#45342221)

Maybe so. The only thing I can tell you is that I have been heavily using Linux on the Internet since the late 90s, on several boxes connected to the Internet, and the number of times any of those boxes has been broken into is exactly 0. No system is safe, but some systems are a joke, when it comes to being exploited. Linux is not one of them.

That's because as far as normal users go there are virtually no Linux users to target, adoption of Linux as a desktop operating system is a joke but malware runs rampant on Android.

Re:I got burned by the font rendering bug last tim (1)

tibman (623933) | about 10 months ago | (#45342575)

That's because as far as normal users go there are virtually no Linux users to target

So it's the user and not the operating system then? Because Linux has a lot of installs.
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Summary [wikipedia.org]

Re:I got burned by the font rendering bug last tim (0)

Anonymous Coward | about 10 months ago | (#45342443)

If everyone used Linux, then malware would target Linux. And I find it hard to believe your Linux box has always worked perfectly. Never had to muck around in configs? Or found out your hardware isn't supported easily? Linux has its issues too. Not that Windows is perfect, but they each have their uses.

Re:I got burned by the font rendering bug last tim (0)

Anonymous Coward | about 10 months ago | (#45342527)

... and the number of times any of those boxes has been broken into is exactly 0.

That you know of.

Re:I got burned by the font rendering bug last tim (1)

couchslug (175151) | about 10 months ago | (#45342519)

" If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines. "

Google "Digital River Windows 7 ISOs".

Office 2000! (0)

Anonymous Coward | about 10 months ago | (#45342049)

Office 2000 bitches! I knew being too cheap to upgrade would pay off!

Re:Office 2000! (1)

noh8rz10 (2716597) | about 10 months ago | (#45342333)

+1 you must work in my IT department.

So... (3, Insightful)

msobkow (48369) | about 10 months ago | (#45342091)

They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?

Kudos. That's the laziest response to a vulnerability I've ever heard of.

Re:So... (0)

Anonymous Coward | about 10 months ago | (#45342171)

They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?

Kudos. That's the laziest response to a vulnerability I've ever heard of.

The NSA has a few more boxes to hose first, they have to wait.

Re:So... (0)

Anonymous Coward | about 10 months ago | (#45342273)

There is probably some large company who uses tiff via word to run their business. Arbitrarily changing this without extensive testing may cause that company to have more "issues". But you probably don't care about this issue.

Re:So... (2)

Bite The Pillow (3087109) | about 10 months ago | (#45342509)

I'm much more concerned that to disable a codec, you have to create a new registry key for GDIPlus, then add "DisableTIFFCodec" specifically to disable Windows-wide the built-in TIFF rendering.

There's not a whitelist so that you can search for what's enabled - there's a hidden key that is queried every time a Microsoft application *starts* so that if it is already running making the change has no effect.

That it is called "DisableTIFFCodec" - I'm not even sure what the words are to properly object to that. If someone wants to disable TIFF, they have to know what it's called. And a registry watcher is going to note the GDIPlus failure, and it won't even try to check the actual values so you will never know they exist unless you create a key for every failure and see what else is queried.

I'm sure this is a short circuit optimization to test fewer keys. I'm just as sure there is a better solution. With dynamic linking, couldn't I just remove a file and let the loader eat the error? System files which are properly protected sound like the obvious answer to these sorts of enable/disable toggles.

To actually have a workaround, I have two choices. One, let some binary from Microsoft run. They have never had problems with patches, right? Wrong. Or to view the details, I have to have JavaScript enabled because the page loads as display:hidden which sucks. Or of course view source which is always slightly painful.

It's obscure and arcane and just dirty.

And at this point, the attack surface is so huge and ingrained, they have an officially supported "Enhanced Mitigation Experience Toolkit " which, I assume, adds precautions that cause degraded performance or incompatibility in some applications. So you have to choose between things working and being insecure.

It's like a reverse Metasploit. But even that requires a commandline:
"C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\Office application filename.exe"

The decisions that were made were probably reasonable independently. In fact I can probably argue for each one without knowing specifics. But someone has to answer to the monstrosity this has become.

I'm not worried about the amount of time the patch will take, because I would rather it work, and testing the various combinations and ensuring it works right takes time. The amount of third party software that might rely on this is probably a huge impact - they can't break Adobe or Mozilla or Google products, and the huge amount of business-critical COTS software that does strange things has to be a headache. I saw a list years ago of all the titles that Windows specifically has hacks to support, and I'm sure it has only grown, even with throwing old titles off the list. But even without that, this should be disturbing.
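As an added illustration (not from the thread and not Microsoft's own tooling), here is a PowerShell script that audits the GDI+ TIFF kill switch the comment above describes and, with -Apply, sets it. The full registry path HKLM:\SOFTWARE\Microsoft\Gdiplus is an assumption taken from Microsoft's published workaround for this advisory and should be checked against the advisory text before use.

```powershell
# Added example: audit, and optionally apply, the Windows-wide TIFF codec kill switch.
# ASSUMPTION: the value lives at HKLM:\SOFTWARE\Microsoft\Gdiplus as DWORD
# DisableTIFFCodec = 1 (the location used by Microsoft's published workaround);
# verify against the advisory before relying on it.
param(
    [switch]$Apply
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'   # assumed path, see above
$ValueName = 'DisableTIFFCodec'                   # name quoted in the thread

function Get-TiffCodecState {
    # Returns 'Disabled', 'Enabled' or 'Unset'. GDI+ renders TIFF unless the value
    # is present and equal to 1, so 'Unset' and 'Enabled' are both the exposed state.
    $current = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $current) { return 'Unset' }
    if ($current.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

$before = Get-TiffCodecState
Write-Output "TIFF codec before: $before"

if ($Apply -and $before -ne 'Disabled') {
    # The key does not exist by default (the comment's complaint), so create it first,
    # then write the DWORD. Needs an elevated shell.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "TIFF codec after:  $(Get-TiffCodecState)"
}

# The value is read when a GDI+ consumer starts, so Office processes that are already
# running keep the old behaviour until restarted. List them so the operator knows.
Get-Process -Name WINWORD, OUTLOOK, EXCEL, POWERPNT -ErrorAction SilentlyContinue |
    Select-Object Name, Id |
    Format-Table -AutoSize
```

Run it once without -Apply to see the current state, and again with -Apply from an elevated prompt to set the value; the process list at the end tells you what still needs a restart.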

All the more reason... (1)

optical_phiber (587033) | about 10 months ago | (#45342105)

I am glad I am moving our businesses away from proprietary software! Feel free to welcome us back into the fold... Cheers, phiber

In related news (1)

gmuslera (3436) | about 10 months ago | (#45342111)

NSA agents have been busy last month sending Word documents to the critical staff of major foreign companies.

Also, water is wet and the sky is blue (1)

Gothmolly (148874) | about 10 months ago | (#45342117)

Microsoft and zero-day attacks go together like .... 2 things that go together really well.

Re:Also, water is wet and the sky is blue (1)

smash (1351) | about 10 months ago | (#45342859)

strcpy() and buffer overflows?

So better pay for an upgrade now then..... (0)

Anonymous Coward | about 10 months ago | (#45342149)

The current versions of Microsoft Windows and Office are not affected by the issue (as I read on the BBC website).

Nice way to get all those IT managers to pay out for an expensive upgrade in a panic if they want to keep their jobs I guess.

Re:So better pay for an upgrade now then..... (0)

optical_phiber (587033) | about 10 months ago | (#45342183)

Don't pay. Spend a nickel and get a real OS... Cheers, phiber

Re:So better pay for an upgrade now then..... (0)

Anonymous Coward | about 10 months ago | (#45342439)

They can just disable the tiff codec for now.

Re:So better pay for an upgrade now then..... (1)

smash (1351) | about 10 months ago | (#45342863)

Not really, given that I guarantee probably 70-80 percent of enterprises have at least one scanner or fax-to-email gateway that uses TIFF. And even if they switch that to PDF.... well, let's just say that if you compare the security history of PDF and TIFF, it's like a race in the special olympics, but TIFF would probably actually win.

The best is still to come (1)

asmkm22 (1902712) | about 10 months ago | (#45342185)

With the shape of security in the IT industry right now, I expect the patch to address this will end up bricking 20% of the servers that apply it.

Re:The best is still to come (1)

optical_phiber (587033) | about 10 months ago | (#45342195)

Mwahahahaha!!!!!!!!!!

Re: The best is still to come (0)

Anonymous Coward | about 10 months ago | (#45342553)

If the server is running windows, it might as well be a brick anyway!

No problem, then (2)

Trailer Trash (60756) | about 10 months ago | (#45342255)

"To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content."

Thankfully it's proven difficult over the years to get a Windows user to do any of those things....

Re:No problem, then (1)

smash (1351) | about 10 months ago | (#45342871)

Preview turned on. Click message to delete it. Outlook parses it and displays in the preview window.

Just today.. (1)

SuperCharlie (1068072) | about 10 months ago | (#45342347)

Just today I was telling someone you would have to pay me to go back to Windows.

Mint 15 and damn happy.

this tiff attack, does it effect osx at all? (0)

Anonymous Coward | about 10 months ago | (#45342507)

this morning i was browsing some porn during the morning fap and my mouse went fucking berserk. even rebooting didn't fix it, switching mice didn't fix it, i was like WTF is happening, this made no sense. i got mad and slammed the keyboard and it fixed it. i have no idea what the fuck happened but it was sketchy as fuck.

Translated summary (4, Funny)

Gravis Zero (934156) | about 10 months ago | (#45342583)

"Microsoft released an advisory today warning users about a new zero-day flaw that we'll fix when we damn well feel like it. The digital holy war is targeting the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Some Failed Skype Imitation. The problem exists in our poorly written TIFF reader. To exploit the vulnerability, an attacker will email you and when you open it, you are fucked. It will download and install malware and there is nothing you can do about it. The vulnerability affects those new versions of Office that we insisted you needed to upgrade to and Shoddy Server 2008 and Windows 7 - 1. Right now, opening a Microsoft Word document could ruin your week or your month."

So bad development quality (0)

lapm (750202) | about 10 months ago | (#45342685)

I'm wondering, considering the massive amounts of money Microsoft has, the army of developers they have, just the sheer size of the corporation, how the heck they can't write a single piece of software that does not have some exploitable vulnerability in it. With that massive amount of resources at its disposal they still write crappy software... Almost like hey, let's hide all these deliberate backdoors in all this software we ship...

ASLR and NX not working? (0)

Anonymous Coward | about 10 months ago | (#45342795)

It sounds like a typical stack buffer overflow bug. Why couldn't ASLR and NX nullify it?

I am a user (1)

greggster (1712144) | about 10 months ago | (#45342955)

and I was not warned.. (But I use Unix all day)

Enhanced Mitigation Experience Toolkit (1)

nuckfuts (690967) | about 10 months ago | (#45342987)

Using EMET [microsoft.com] provides additional layers of protection against this kind of thing.

Re:Enhanced Mitigation Experience Toolkit (1)

drinkypoo (153816) | about 10 months ago | (#45343605)

Using EMET provides additional layers of protection against this kind of thing.

So does not running Windows. If Microsoft has additional layers of security for Windows, perhaps they should make them part of Windows.

Zero-Day (0)

Anonymous Coward | about 10 months ago | (#45343049)

Sure this is one? With the time MS normally takes to patch these things, a hundred-day attack would probably have been equally effective.
