
Microsoft Confirms Excel Zero-Day Attack

Zonk posted about 8 years ago | from the 0day-warez-is-fun-to-say-though dept.


Guglio writes "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business. The latest zero-day attack comes just two days after Patch Tuesday (coincidence?) and less than a month after a very similar, 'super, super targeted attack' against business interests overseas. The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."


199 comments

First Post? No way! (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15549196)

could it be?

Solution? (0, Interesting)

Anonymous Coward | about 8 years ago | (#15549199)

If criminal orgs are purchasing exploits, why doesn't Microsoft? (It's not like they don't have the money!)

It's part of Microsoft's plan (4, Insightful)

brian0918 (638904) | about 8 years ago | (#15549247)

"If criminal orgs are purchasing exploits, why doesn't Microsoft? (It's not like they don't have the money!)"

Microsoft lets these exploits run free to keep the cattle in line. They need to keep people upgrading and buying the latest versions of their products to keep the cash flowing. If they released a well-written, stable, secure piece of software, what reason would people have to upgrade?

Re:It's part of Microsoft's plan (4, Funny)

DragonWriter (970822) | about 8 years ago | (#15549318)

If Criminal orgs are purchasing exploits, why doesn't Microsoft?
<tinfoil>

Because, through various cutouts to avoid it being traced back to them, it is Microsoft selling the exploits.

I mean, come on, you ever know Microsoft to pass up such an obvious opportunity to leverage a monopoly in one field (say, Office suites) into a dominant market position in another field (say, exploits for Office suites.)
</tinfoil>

Re:It's part of Microsoft's plan (2, Interesting)

WindBourne (631190) | about 8 years ago | (#15549330)

Funny thing is that in Windows the most secure stuff is what has been around for a good long time with all patches applied (while true of all software, this seems to be most true of MS). With every single new release MS says that this is the most secure item, when in reality it is not. All it really is is a new version with new features that will always contain LOADS of major bugs across all the LOC.

Re:It's part of Microsoft's plan (0)

Anonymous Coward | about 8 years ago | (#15549806)

Just like in the first part of Tomorrow Never Dies.
"The software is full of holes as requested sir the customers will be upgrading for years to come"

Re:It's part of Microsoft's plan - MOD PARENT UP! (2, Informative)

iamcf13 (736250) | about 8 years ago | (#15549841)

I heartily agree!

But 'backwards compatibility' made Windows the (in)famous clusterfsck it is.

Imagine how stable and secure Windows would be if Microsoft rewrote and streamlined it (goodbye .dll hell!) and the apps that they put out that use it from the ground up to avoid all the exploits and what not, like this programmer (.chm) [slproweb.com] does... (His Win32 OpenSSL 'repack' [slproweb.com] was very useful to me on a past project. Here is his 'about me' [slproweb.com] page. Just on the strength of the blockquote below, I know this guy knows what he is doing and deserves any work/support you can send his way....)

There is more to life than 'just making a buck', but when this is done at the corporate level, it transforms everybody it touches into seen-it-all, done-it-all cynics who keep their funds close to them, part with them only when necessary (food/clothing/shelter/heat/lights/vehicle fuel and maintenance/public transport fares/occasional recreational spending) and do anything they can to escape its clutches (i.e. use adblock when online, and A/V devices capable of 'adskipping').

(I 'posted' the text below in an earlier comment here but I can't find the link to it right away. Note, I'm not a shill for this guy, just an admirer of simple, elegant, secure C program code that I can learn from and use in future projects.... It would be nice if the following, complete text was on a standard webpage instead of being embedded in a compiled HTML file (.chm) =/ )


Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?

[snip]

Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in:

// Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // declares strcpy (missing in the original listing)
 
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{
// Tells the computer to create 256 places in memory _on the stack_ for storage.
  char str[256];
 
// This just tells the user how to use the program.
// Not really important, but useful.
  if (argc < 2)
  {
    printf("Syntax: BadProgram TypeInAReallyLongString");
    exit(1);
  }
 
// This copies the data the _user_ specified into str.
  strcpy(str, argv[1]);
 
// This prints the contents of str.
  printf("%s\n", str);
 
  return 0;
}

(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).

The example above is extremely dangerous. Why? It is because there is only room reserved for 256 places in the computer's memory. What happens if the user enters data for 1000 places? This is where the danger comes in. The stack is where function calls like "main" are stored. When 1000 memory locations are copied from the user to str, the stack beyond the 256 is overwritten with whatever the user has entered. Typically, this will result in a crash when the function "main" "return"s...however, if those 1000 places in memory are carefully crafted, they can execute arbitrary code when "main" "return"s. This could be anything from a virus to a complete system takeover.

So, what is the solution to this? It should be obvious: Don't put anything the user enters, even remotely related, onto the stack...ever:

// Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // declares strcpy (missing in the original listing)
 
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{
// Tells the computer to create a place _on the stack_ for
// storage of a pointer to memory _on the heap_.
  char *str;
 
// This just tells the user how to use the program.
// Not really important, but useful.
  if (argc < 2)
  {
    printf("Syntax: BetterProgram TypeInAReallyLongString");
    exit(1);
  }
 
// Allocate space for 256 places of memory _on the heap_.
  str = (char *)malloc(256);
 
// This copies the data the _user_ specified into the area
// of memory _on the heap_ pointed to by str.
  strcpy(str, argv[1]);
 
// This prints the contents of str.
  printf("%s\n", str);
 
// Delete the memory used on the heap.
  free(str);
 
  return 0;
}

Note that this program will still have the problem of crashing, but the user has been effectively cut off from overwriting sections of the stack. (Pointers on the stack are perfectly fine...the user doesn't have access to those). To make this work properly requires determining the size of the user data, allocating it, doing stuff with the allocated memory, and then freeing the memory on the heap when finished:

// Include necessary headers to compile
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // declares strlen and strcpy (missing in the original listing)
 
// Start of the "main" function - used to tell the OS where
// to start processing source code.
int main(int argc, char **argv)
{
// Tells the computer to create a place _on the stack_ for
// storage of a pointer to memory _on the heap_.
  char *str;
 
// This just tells the user how to use the program.
// Not really important, but useful.
  if (argc < 2)
  {
    printf("Syntax: BadProgram TypeInAReallyLongString");
    exit(1);
  }
 
// Allocate space for the exact number of places of memory needed _on the heap_.
  str = (char *)malloc(strlen(argv[1]) + 1);
// Check to see if the memory was actually allocated properly.
  if (str == NULL)
  {
    printf("Error: Unable to allocate required amount of space. Out of memory.");
    exit(1);
  }
 
// This copies the data the _user_ specified into str.
  strcpy(str, argv[1]);
 
// This prints the contents of str.
  printf("%s\n", str);
 
// Delete the memory used on the heap.
  free(str);
 
  return 0;
}

This code won't technically ever crash from an application perspective and the stack is perfectly isolated from the user. If the OS or the compiler is faulty, then, unless the source is available, it will be difficult to fix the problem. For this reason, ProtoNova is only guaranteed that it is free from Buffer Overflow attacks on the stack at the application level.

BTW, I am a very defensive programmer. I have been programming in the style of the third demonstration for over four years now. This should tell you that I know exactly what I'm doing and the people over at Microsoft apparently don't.

In conclusion, ProtoNova is the most secure web server out-of-the-box to date. Its core design is based around security rather than add-on hacks like CGI, and has good design principles instilled in its code base. It is the only web server to actually make a guarantee about the type of bugs you will NEVER find in the web server. That, my friend, is security. That, my friend, is peace of mind. And on that serene note, I'm going to go to bed - it is 2:10 a.m. on a Saturday morning.

© 2000-2003 Shining Light Productions
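What actually removes the overflow in the third quoted program is the bound, not where the buffer lives: malloc(strlen(argv[1]) + 1) reserves exactly what strcpy will write, and an unbounded copy into an undersized heap buffer is still a memory-safety bug. The following is an added example for this thread, not code from ProtoNova or from the quoted text: dup_exact factors out the size-it-exactly pattern, and copy_bounded shows the other safe option, writing into a fixed-size buffer (stack or heap) under an explicit length limit and reporting how many bytes were truncated instead of silently overrunning. The function names and the self_check routine are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into a freshly allocated heap buffer sized exactly to fit it.
 * Returns NULL on allocation failure or a NULL src; the caller frees. */
char *dup_exact(const char *src)
{
    if (src == NULL)
        return NULL;
    size_t need = strlen(src) + 1;        /* +1 for the terminating NUL */
    char *dst = malloc(need);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, need);               /* bounded by the size just allocated */
    return dst;
}

/* Copy src into a caller-supplied buffer of dstsz bytes, truncating if
 * needed and always NUL-terminating. Returns the number of source bytes
 * that did not fit, so the caller can detect truncation. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0)
        return len;                       /* nothing can be written */
    size_t n = len < dstsz - 1 ? len : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len - n;
}

/* Exercise both helpers on constructed inputs; returns 1 if every
 * expectation holds, 0 otherwise. */
int self_check(void)
{
    int ok = 1;
    char *p = dup_exact("hello");
    ok = ok && p != NULL && strcmp(p, "hello") == 0;
    free(p);
    char small[8];                        /* 7 characters plus the NUL */
    ok = ok && copy_bounded(small, sizeof small, "abcdefghijkl") == 5;
    ok = ok && strcmp(small, "abcdefg") == 0;
    ok = ok && copy_bounded(small, sizeof small, "abc") == 0;
    ok = ok && strcmp(small, "abc") == 0;
    ok = ok && dup_exact(NULL) == NULL;
    return ok;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "Syntax: %s TypeInAReallyLongString\n", argv[0]);
        return 1;
    }

    /* Option 1: heap copy sized to the input, as in the third quoted program. */
    char *heap_copy = dup_exact(argv[1]);
    if (heap_copy == NULL) {
        fprintf(stderr, "Error: unable to allocate memory\n");
        return 1;
    }
    printf("%s\n", heap_copy);
    free(heap_copy);

    /* Option 2: fixed stack buffer, safe because the copy is length-limited. */
    char stack_buf[256];
    size_t dropped = copy_bounded(stack_buf, sizeof stack_buf, argv[1]);
    printf("%s\n", stack_buf);
    if (dropped)
        fprintf(stderr, "warning: input truncated by %zu bytes\n", dropped);
    return self_check() ? 0 : 2;
}
```

Either option is sound; the difference is policy. dup_exact never loses data but can fail under memory pressure, so its NULL return must be checked, while copy_bounded never fails but must surface truncation to the caller, which is why it returns the dropped count rather than a bare success flag.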

Parent is +5 Insightful, how? (0, Troll)

iBod (534920) | about 8 years ago | (#15549916)

Oh boy! Sure!

Do you really think there is a little department at Redmond that is in charge of 'exploits running free'?

Honestly. Sometimes I think slashdotters should get their fucking heads out of their assholes and smell the fresh air!

Re:Solution? (1)

cmdr_beeftaco (562067) | about 8 years ago | (#15549502)

Tankersley

unnamed business (1, Insightful)

Anonymous Coward | about 8 years ago | (#15549203)

Anyone have any clue what is under attack?

Re:unnamed business (3, Funny)

Anonymous Coward | about 8 years ago | (#15549238)

Yes.

Think about it. It's a company that relies upon Excel. That means it's full of PHBs who keep using Excel to do everything from track projects to design reports.

It's your employer. Yep. That's right. I checked your IP address, I see who you're working for. Your employer works exactly as I describe.

Re:unnamed business (1, Insightful)

cp.tar (871488) | about 8 years ago | (#15549543)

I'm just waiting... waiting for a virus, attack or whatever you will which will simply turn all the threes into eights in every .xls file...

Until something like that happens, no-one will bother learning about security... really learning.

Re:unnamed business (4, Funny)

dark-br (473115) | about 8 years ago | (#15549427)

Yes... I do... Please refer to the attached xls spreadsheet for more info. ;)

first teh prost!!! (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15549206)

woot

Re:first teh prost!!! (-1, Offtopic)

theaddkid.com (983011) | about 8 years ago | (#15549212)

Or should that be Root!!! :)

Hackers can't do it? (4, Funny)

brian0918 (638904) | about 8 years ago | (#15549209)

"...suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."

Are you implying that hackers don't have the wherewithal to pull off corporate espionage? Can they do nothing more than crack the latest version of VirtuaGirl?

Re:Hackers can't do it? (4, Insightful)

SatanicPuppy (611928) | about 8 years ago | (#15549259)

Yea, nice way to jump to conclusions. The idea that intellectuals can't be criminals is almost Victorian. Or maybe they fell for the stereotype of the happy-go-lucky-non-malicious-but-intellectually-inquisitive hacker who could come up with an exploit, but never use it for EVIL.

Zero-day exploits do tend to suggest someone with specific goals, who has the resources to sit and come up with zero day exploits, and the foresight to target deployment to achieve a goal. It's not behaviour that we stereotypically associate with hackers, but there is no reason it couldn't be one person (or ten or a hundred).

Re:Hackers can't do it? (2, Insightful)

theundergroundman (944494) | about 8 years ago | (#15549411)

If a hacker sold an exploit to someone who uses it for corporate espionage, isn't that using his intellectual ability for "evil" as you put it?

Re:Hackers can't do it? (1)

DigiShaman (671371) | about 8 years ago | (#15549501)

hackers for hire are not uncommon in the world of the mafia. Hell, some of them even are well groomed wearing a suit and tie. Basically, highly educated intellectuals that only give a damn about a phat paycheck.

Re:Hackers can't do it? (5, Funny)

gowen (141411) | about 8 years ago | (#15549628)

The idea that intellectuals can't be criminals is almost victorian

Hey! I resent that!

Love,
Professor James Moriarty.

Re:Hackers can't do it? (2, Insightful)

dotoole (881696) | about 8 years ago | (#15549835)

You're missing the point. It's not that the hackers who find these exploits wouldn't use them - it's that they're smart enough NOT to use them. Undocumented exploits are worth their weight in gold for online criminals. Why use the exploit yourself and risk getting caught when you can sell it off to someone else for a tidy sum and let THEM risk getting caught.

Re:Hackers can't do it? (5, Funny)

IthnkImParanoid (410494) | about 8 years ago | (#15549263)

Can they do nothing more than crack the latest version of VirtuaGirl?

They can do that? Do you know where I can find these guys? I need to, uh, confirm your statement. Solely for scientific purposes, you understand.

Presumably they could but... (4, Insightful)

sterno (16320) | about 8 years ago | (#15549319)

The thing is, to be a good hacker, you kinda have to spend a lot of time and energy on hacking. At the end of the day, it's probably easier and equally lucrative to just sell your exploits to other people rather than using them yourself. It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

Re:Presumably they could but... (2, Interesting)

mugnyte (203225) | about 8 years ago | (#15549534)

What raises my eyebrows is that hacks like this are a "one shot deal". You can't run an exploit for very long without it getting noticed, then patched. So the charge for these must be pretty high, given that it seems like work for hire.

So the business background on this exploit is probably far juicier than the exploit itself. The path to contact, payment, motive, etc. are probably a great story. I would certainly read that book.

Of course, if writing such a book, I would take the XLS information and place it on the market itself, continuing the intrigue. Let's hope it's something dealing with a government, which then topples, effecting more change than someone getting rich. I mean, if writing, write big.

Re:Presumably they could but... (2, Insightful)

DigiShaman (671371) | about 8 years ago | (#15549569)

It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

Be careful!!! In the US, you can be charged with being an accessory [criminal-l...source.com] to a crime.

Re:Presumably they could but... (2, Informative)

cowbutt (21077) | about 8 years ago | (#15549724)

It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

Be careful!!! In the US, you can be charged with being an accessory to a crime.

...and shortly in the UK also if the government get their way [parliament.uk] . Or, for that matter, if you create a security testing tool that some copper takes a dislike to.

Re:Presumably they could but... (2, Insightful)

masterzora (871343) | about 8 years ago | (#15549744)

Can the owner of a gun shop be charged as an accessory if a gun they sold is used in a murder?

All the cracker has to do is come up with a reasonable way that they could have plausibly sold it without criminal intent (ie they get the actual criminal to agree that the cracker sold it for security testing purposes, not for cracking purposes or something like that).

Re:Hackers can't do it? (4, Insightful)

BunnyClaws (753889) | about 8 years ago | (#15549442)

The hackers themselves are probably not committing the corporate espionage. They are merely traders in "Security Tools". They are like arms dealers who sell to warlords. So no, the hackers probably do not pull off the corporate espionage; they just develop the means to do it. Which is probably the smarter thing to do.

Re:Hackers can't do it? (0, Redundant)

vertinox (846076) | about 8 years ago | (#15549472)

Can they do nothing more than crack the latest version of VirtuaGirl?

link plz!

Re:Hackers can't do it? (1)

Atlantic Wall (847508) | about 8 years ago | (#15549511)

Someone please mod the parent up. LOL

Why read the article? (4, Insightful)

Thunderstruck (210399) | about 8 years ago | (#15549217)

Well organized criminals conducting corporate espionage, complex software running international corporations, (hackers/crackers) slipping deviously bugged code into the works for their own nefarious purposes.

I don't need to RTFA, I can just wait for the movie.

Re:Why read the article? (4, Informative)

Solder Fumes (797270) | about 8 years ago | (#15549637)

You're waiting for Swordfish (2001)?

Re:Why read the article? (1)

GalionTheElf (515869) | about 8 years ago | (#15549818)

Whoever modded this informative has never seen the movie or just has a really, really sick sense of humour.

okN.xls? (5, Funny)

gEvil (beta) (945888) | about 8 years ago | (#15549224)

The Trojan arrives as a Microsoft Excel file attachment to a spoofed e-mail with the following name: "okN.xls."

Hmm, I guess I should rename my spreadsheet containing a list of Oklahoma natives.

Re:okN.xls? (1)

Otter (3800) | about 8 years ago | (#15549568)

It seems like a lot of work to go to and not give the spreadsheet a credible name, unless the hax0rs are targeting camelCase users. Why not use "2007 Budget.xls" or "Vacation days.xls" or "World Cup Pool.xls"?

Re:okN.xls? (0)

Anonymous Coward | about 8 years ago | (#15549854)

Or MyPasswords.xls

Zero day?!? (5, Funny)

ILikeRed (141848) | about 8 years ago | (#15549229)

It should really be called the -28 day attack, or something along those lines, since they are coordinating it to fall shortly after Microsoft's retarded "we only fix security once a month" schedule.

Re:Zero day?!? (1)

Meshach (578918) | about 8 years ago | (#15549256)

That whole "fix on a schedule" idea seems like a great idea until it is put into practice; then it is exposed to be just as bad as any other "strategy" to patch Microsoft software against every attack.

One of the pitfalls of MS' popularity is that everything they do is exploited. It seems that no matter what they do someone will take advantage of it and screw their customers.

Not a popularity problem (4, Insightful)

ILikeRed (141848) | about 8 years ago | (#15549285)

It is not a popularity problem - it's a "our marketing and sales departments delegate everything to our engineering and security departments" problem.

Re:Not a popularity problem (0)

Anonymous Coward | about 8 years ago | (#15549364)

Err, didn't you mean that to be the other way around?

Re:Not a popularity problem (0)

Anonymous Coward | about 8 years ago | (#15549649)

Verb 2. delegate - give an assignment to (a person) to a post, or assign a task to (a person)

Re:Zero day?!? (1)

MECC (8478) | about 8 years ago | (#15549533)

"That whole "fix on a schedule" idea seems like a great idea until it is put into practice"

It never seemed like a good idea from the start to anyone who has set up and used any Linux distro. Release fixes when the problem is fixed, not a month later.

This problem is nothing to do with MS's pervasiveness, and everything to do with plain old-fashioned incompetence.

Re:Zero day?!? (0)

Anonymous Coward | about 8 years ago | (#15549680)

Let me get this straight... Microsoft have fixed a bug that a hacker can use to create a zombie army 28 days later?

Can't blame Microsoft (-1, Flamebait)

Anonymous Coward | about 8 years ago | (#15549241)

These extortionists really need to be taken out. It's high time Mossad-style tactics are employed against these black hat hacker thugs. These bastards are hiding behind borders, and what they are doing should be treated as an act of aggression.

NOT TO FEAR! (4, Insightful)

pcguru19 (33878) | about 8 years ago | (#15549242)

Just upgrade to Windows VISTA (when it's out) and Office 2007 (when it's out) and all of these silly security issues will go away....

Oh wait, didn't they say that when they released Windows 98, Windows ME, Windows 2000, Windows XP, Windows 2003 Server, Office XP, & Office 2003? HMMMMMMM. This could be a pattern forming.

Re:NOT TO FEAR! (1)

Opportunist (166417) | about 8 years ago | (#15549547)

It's every time all better in the next version. And DRM, don't forget that, and that will make you SO secure against everything you could do against your computer...

Re:NOT TO FEAR! (1)

Fred_A (10934) | about 8 years ago | (#15549645)

Hah, I'm glad I stuck with Windows 95. Foiled their marketing department again !

Re:NOT TO FEAR! (2, Funny)

naelurec (552384) | about 8 years ago | (#15549682)

But Vista is the one! Just think about it..

1. Built under their "security is top priority" and "trustworthy computing" initiatives.

2. Microsoft built security focused tools such as .NET .. I'm sure its used extensively in their flagship operating system and applications.

3. Given the long development cycle, I'd have to imagine they recoded most of the system and not based it off of their previous code which all has major critical security issues.

4. I'd have to imagine in the effort to keep the system secure, backwards compatibility is largely sandboxed to not allow this insecure code to infect the integrity of the system.

5. With the knowledge that most home users (And small business users) ARE THE administrator, I'm sure they are taking special precautions to provide resources to enhance their knowledge of security and maintaining a secure system. With the 10+ gigabyte default install and modern day video capabilities, I'd imagine they have lots of video to get this knowledge out to people.

6. They have stated it is not only the most secure WINDOWS release ever, but the most secure OPERATING SYSTEM ever. I don't recall this being the case with previous releases. They even attended a blackhat conference (or something) to prove this! It must be true.

7. For extra precaution, they have high system requirements and excessive annoyances (such as making the simple task of deleting a desktop icon into a 6+ step procedure) to provide a barrier so that not everyone buys it the day it is released. Seems like they have structured it so most people won't get it until at least SP1 or later, which should be great to provide extra time to make it even more secure than the most secure OS ever.

Based on all of this. I am positive that Microsoft is right and you are wrong. a'Yup..

Re:NOT TO FEAR! (5, Funny)

0xABADC0DA (867955) | about 8 years ago | (#15549686)

Actually there's plenty of evidence for a natural cycle of security issues. In the past, millions of years ago, there were far more security issues than there are now. In fact, many scientists disagree over the cause of the recent increase of exploits, whether this is caused by man or whether it is just part of a natural downturn from the last Mini-Secure Age (which incidentally ended when the Irish potato fields were compromised).

In any case, to presume some kind of pattern from this last decade of operating systems is poor reasoning; the science just isn't in yet to show any long-term trends. Sure, 7 of the 10 most exploited operating systems have been released in the last decade, but that is not statistically relevant over the million year record of security issues. Certainly taking some kind of preventive action like using Safe Languages is just being alarmist, as is all the liberal scaremongering that "all your base will be pwned" by the end of the century. Think of the economic impact of all those wasted cycles that could be better used doing manual memory management.

Listen, the computer was here long before Windows, and they'll still be around after Windows is gone. We're overstating our importance to say that mere programmers can destroy the whole computer. Sure, it may be uninhabitable by our software, but eventually random bit-flipping will reset the computer and a new OS will take over. It's evidence of the indisputable intelligent design of computers that they can recover from anything we could possibly run on them.

Re:NOT TO FEAR! (1)

lynx_user_abroad (323975) | about 8 years ago | (#15549777)

Even if no one else gets it, I do.

Kudos.

Re:NOT TO FEAR! (1)

DonJL (983048) | about 8 years ago | (#15549721)

I guess this is why people upgrade to Linux and Mac systems. Personally, I grew quite tired of the "Patch of the Day" a long time ago.

They got what they deserved... (5, Funny)

HellYeahAutomaton (815542) | about 8 years ago | (#15549244)

"Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business."

You can't go running around with a business without a name! Focus groups people, focus...

unnamed business (1)

wombatmobile (623057) | about 8 years ago | (#15549485)

located in Redmond, WA. The Chief Software Architect of the unnamed business also works a second job and hangs out with world leaders in his spare time, curing cancer.

Corporate espionage ROFL! (1)

Spy der Mann (805235) | about 8 years ago | (#15549245)

Is diffing binaries THAT hard to do? *Rolls eyes*

Re:Corporate espionage ROFL! (3, Funny)

richy freeway (623503) | about 8 years ago | (#15549471)

*rolls eyes back*

I'm sure you'll be needing them.

Well organized criminals (1, Funny)

Anonymous Coward | about 8 years ago | (#15549248)

They're very neat people. Not the jolt-can and pizza-box crowd...

Clean cubicles, every one of em. And well groomed, too.

When will people learn about MS orifice... oops I mean office.

Nah... (1)

Svartalf (2997) | about 8 years ago | (#15549653)

You had it right the first time...

Just a coincidence? (0)

Anonymous Coward | about 8 years ago | (#15549252)

The attack comes only a few days after Google announces its own spreadsheet...

Re:Just a coincidence? (0)

Anonymous Coward | about 8 years ago | (#15549914)

you are a douche

news? (4, Interesting)

bcrowell (177657) | about 8 years ago | (#15549260)

Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable. Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges. If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

Re:news? (2, Informative)

SheeEttin (899897) | about 8 years ago | (#15549308)

MS makes it so difficult not to run with administrator privileges

Actually, it's not that hard. Log in as a limited user, do whatever you need to do, and if you encounter a program that absolutely needs to run as an admin, just right-click > Run as..., enter the admin account name and password, and the program will run under the admin account. I personally haven't made the permanent switch to Linux yet, but I think it's comparable to sudo.

Re:news? (1)

SaDan (81097) | about 8 years ago | (#15549481)

You shouldn't even have to do that as a normal end user. I admin Windows networks, and NO ONE gets admin access to their workstations except certain developers. The rest of the office is locked down, and they have no problems doing their jobs and running a fairly decent assortment of applications (beyond MS Office).

Active Directory and group policies are your friend when it comes to a sane working environment under MS. Problem is, by the time you get that all sorted out, the admins are usually insane. ;-)

Re:news? (2, Interesting)

Bert64 (520050) | about 8 years ago | (#15549346)

Users shouldn't need to worry about stupid shit like this.
End users should be able to open data files (data, not executable files) without fear of being owned. Data files should not have the ability to contain code (with the exception perhaps of rudimentary macros which can only interact with the host program and are sandboxed, like Java applets or JavaScript).

Re:news? (0)

Solder Fumes (797270) | about 8 years ago | (#15549742)

Data files should not have the ability to contain code

They don't. That's why viruses exploit buffer overflows and other vulnerabilities. It's not like a document format designer was thinking one day, "I should make this contain executable code!"

Re:news? (1, Insightful)

Anonymous Coward | about 8 years ago | (#15549813)

It's not like a document format designer was thinking one day, "I should make this contain executable code!"

After having to live through dozens of MS Office macro viruses before MS finally turned them off by default, I can tell you, that's exactly what MS developers thought. Fools.

Re:news? (5, Insightful)

Anonymous Coward | about 8 years ago | (#15549398)

If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

There is no reason why it should have to be that way. In other operating systems and office suites, you can open documents to see what's in them without handing over control of the OS to someone. Why should we accept a world in which unsolicited communication is banned? Why can't we allow businesses to expand by making contacts with new, previously unknown people?

Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.

No, actually it is not. The most damaging things, money-wise, that can happen to your computer are all available as the user, because if the data is important, the user obviously has to be able to read it. Trashing C:\Windows can always be fixed with a re-install. Uploading outlook.pst and *.xls to some site in Hong Kong can never be undone.

If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

No, that is not the solution. Having to spend more on IT is the PROBLEM THIS BUG CREATED, not the solution.

Like many computer users, windows or linux or mac, you have internalized your work-arounds and broken-system survival strategies to the point that you actually think that's the way things are supposed to work.

Re:news? (1)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#15549423)

Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

These are carefully crafted messages spoofed to appear to be coming from someone within the company. It is someone they know and it is an Excel spreadsheet, which is data and should not be able to install any software unless Excel is designed for crap (which it is).

Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.

Not very much. Without admin they could still send all the useful files somewhere public for them to copy. They need to implement jails or VMs or zones or something and they need to fix their office suite.

If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users.

First, it is from someone they know. Second, how do you filter this? They can just change the name and contents of the Excel file. You can filter all Excel files, but that does serious damage to business operations in many cases.

If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

You are misinformed and badly misjudging this threat.

Re:news? (1)

MarcoAtWork (28889) | about 8 years ago | (#15549434)

hello? this is a targeted attack, what makes you think that "users are willing to click on an attachment from someone they don't know"? If it's targeted I bet the email was spoofed to appear as if it was sent by somebody working at the company...

Re:news? (1)

alshithead (981606) | about 8 years ago | (#15549715)

But the email address is spoofed. Perhaps it is spoofed as someone they know or an organization they do business with. After all, it is a targeted attack and it wouldn't be too difficult to do a little prior homework to pick email addresses to spoof as.

News? (4, Insightful)

MarkByers (770551) | about 8 years ago | (#15549286)

Everyone knows that you should not open attachments. Word is likely full of 1000s of exploitable holes. Excel too. Plus any other complex program.

Yes, OpenOffice will be full of holes as well.

Not news.

As for attacking just after the patch cycle, it's unlikely to mean anything. If I wanted to take advantage of a vulnerability for as long as possible, I would attack two or three days before the patch cycle. That will give people a couple of days to work out what happened and report the issue to Microsoft. After some initial analysis and prioritisation, a developer will be assigned to fix it. By that time it will have missed the boat for this month's patch day. Not that I would do this though. :)

Impossible to do (1)

Opportunist (166417) | about 8 years ago | (#15549577)

In the average office, MS-Office documents fly low. Mail is still THE way to transport documents between companies.

If you now expect your employees not to open MSO documents, you pretty much expect them not to work.

Re:News? (0)

Anonymous Coward | about 8 years ago | (#15549707)

Someone beat you to that idea, and Microsoft has delayed their patch cycle because of that strategy. Therefore the day after is the best.

Re:News? (1)

Ruvim (889012) | about 8 years ago | (#15549750)

Nope, have to wait until after the patch cycle. Because, what if this new patch actually closes this hole?

How to protect ourselves? (1)

ponden (977893) | about 8 years ago | (#15549287)

Do not run the fishy excel files?

I don't run the suspicious .exe files, but I may run the .xls files even if I don't know the identity file.

Typically, the difficulty in prosecuting crackers (2, Insightful)

mmell (832646) | about 8 years ago | (#15549302)

is that (much like terrorists) there is no formal organization against which to direct your attention. The white-hats are left with trying to find individual crackers, much like the *AA goes after individual file-sharers because there is no centralized target for their wrath.

In this instance, however, it is being hypothesized that an organized group is responsible. That's a centralized target; likely to yield more than one guy in his basement wearing shorts and a coffee-stained t-shirt, drinking coffee and jolt and living off old pizza.

So, to CERT (and their international counterparts) I say - "Go get 'em, boys!"

Patches Available (4, Informative)

GogglesPisano (199483) | about 8 years ago | (#15549328)

Patches for this problem available here [openoffice.org], here [gnome.org] and here [mozilla.com].

Unnamed business? (4, Funny)

MarkByers (770551) | about 8 years ago | (#15549339)

against an unnamed business

I think they should be more worried that they are the victim of identity theft [slashdot.org].

stupid (4, Funny)

mapkinase (958129) | about 8 years ago | (#15549349)

I do not believe that an e-mail spamming attack against a single company can be that effective. A very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mails.

Re:stupid (1, Insightful)

Anonymous Coward | about 8 years ago | (#15549528)

I do not believe that e-mail spamming attack against a single company can be that effective.

Ever heard of Osirusoft? How about Blue Security more recently? A targeted spamming attack can be pretty damn effective.

Very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mail.

This could not be the e-mail users I am used to working with. They'll open anything.

Re:stupid (0)

Anonymous Coward | about 8 years ago | (#15549699)

This could not be the e-mail users I am used to working with. They'll open anything.

I agree. Back when one of the first of this generation's e-mail ZIP file viruses hit (I think it was an early version of Bagle), we sent out a broadcast e-mail to the whole company: "DO NOT OPEN ANY ZIP FILES YOU RECEIVE VIA E-MAIL" about three or four times during the course of the day. At the end of the day, we got a call from one of our engineers (who was otherwise a very intelligent person), who said "I think I've got a virus... I opened this random ZIP file someone sent me."

An Excel exploit? (5, Funny)

fotoflojoe (982885) | about 8 years ago | (#15549387)

Must be the work of terrorist cells...

Re:An Excel exploit? (1)

Maradine (194191) | about 8 years ago | (#15549840)

This is going to get our patch management team into a blazing row . . .

Re:An Excel exploit? (5, Funny)

grassy_knoll (412409) | about 8 years ago | (#15549853)

Would those terrorist cells be in the fifth column? [wikipedia.org] ;)

Another reason to have an open file format (4, Interesting)

Bert64 (520050) | about 8 years ago | (#15549390)

With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document...

You could easily parse the file at your gateway and validate the XML content against the published schema (rejecting it if it fails). Although this wouldn't be foolproof (an exploit could still exist within well-formed XML, but is less likely), it would cut out a significant portion of vulnerabilities.

Re:Another reason to have an open file format (4, Funny)

insanarchist (921436) | about 8 years ago | (#15549494)

Thank god my grandma's already in the habit of validating xml content against schemas or she'd be SOL!

Re:Another reason to have an open file format (1)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#15549524)

With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document...

...and with an open standard you could switch your users to an alternate spreadsheet if the problem persists. This vulnerability is only a major concern because of the monoculture. If 25% of users were using OpenOffice, 25% were using MS Office, 25% were using Corel, and 25% were using something else, all to open the same spreadsheet files, this type of vulnerability would cause a lot less concern.

Re:Another reason to have an open file format (2, Insightful)

Anonymous Coward | about 8 years ago | (#15549549)

With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document... You could easily parse the file at your gateway, and validate the xml content against the published schema

So you expect the "malicious code" to be well labeled in the XML stream? ...maybe with XML comments? =P

Seriously, you can only trap a narrow set of possible exploits this way (ones dealing with XML parser exploits, generally). Scripts/macros/etc. would need to be interpreted to understand if it was utilizing an exploit in the target product (assuming the vulnerability was known). Also, the document can be a valid document, but the organization and composition of elements in the document could be used to exploit a vulnerability.

I don't think it would net you as much of a benefit as you believe it would.

Re:Another reason to have an open file format (0)

Anonymous Coward | about 8 years ago | (#15549591)

With an open file format, scripts, macros, etc. can be removed by the server, tags can be normalized, field lengths can be limited, etc. With MS Office, the server can't do any kind of transformation on the document reliably because the only way to manipulate MS Office files reliably is with Microsoft's software.
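A gateway filter of the kind the parent post (validate the XML, reject what fails) and this one (strip scripts and macros server-side) describe, as an added example that is not code from the thread: it walks every XML part of an OpenDocument package, refuses the file if any part is not well-formed, drops the Basic/ and Scripts/ parts, removes <office:scripts> and <office:event-listeners> hooks, and unlists the dropped parts from the manifest. The namespace URIs and part names are taken from the ODF 1.x specification as I recall them and are assumptions to check against the version you deploy for; full RELAX NG schema validation is left out.

```python
import io, zipfile
import xml.etree.ElementTree as ET

OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"      # ODF 1.x namespaces (assumed)
MANIFEST = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
for prefix, uri in (("office", OFFICE), ("manifest", MANIFEST)):
    ET.register_namespace(prefix, uri)                           # keep the standard prefixes on output
SCRIPT_DIRS = ("Basic/", "Scripts/")                             # where an ODF package keeps macros
STRIP_TAGS = {f"{{{OFFICE}}}scripts", f"{{{OFFICE}}}event-listeners"}
FULL_PATH = f"{{{MANIFEST}}}full-path"

def strip_script_elements(root, part):
    """Remove <office:scripts> / <office:event-listeners> subtrees; return what was cut."""
    doomed = [(p, c) for p in root.iter() for c in p if c.tag in STRIP_TAGS]
    for parent, child in doomed:
        parent.remove(child)
    return [part + ":" + child.tag.split("}")[-1] for _, child in doomed]

def sanitize_odf(data):
    """Return (cleaned package bytes, list of removed items). Malformed XML raises ParseError."""
    src, out_buf, removed = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO(), []
    with zipfile.ZipFile(out_buf, "w") as out:                   # ZIP_STORED, so mimetype stays uncompressed
        for name in src.namelist():
            if name.startswith(SCRIPT_DIRS):
                removed.append(name)                             # drop macro/script parts wholesale
                continue
            payload = src.read(name)
            if name.endswith(".xml"):
                root = ET.fromstring(payload)                    # not well-formed: reject, never forward
                if name == "META-INF/manifest.xml":              # unlist the parts dropped above
                    for entry in list(root):
                        if entry.get(FULL_PATH, "").startswith(SCRIPT_DIRS):
                            root.remove(entry)
                else:
                    removed += strip_script_elements(root, name)
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            out.writestr(name, payload)
    return out_buf.getvalue(), removed

SAMPLE_PARTS = {  # constructed input: a minimal ODS carrying a Basic macro and an event hook
    "mimetype": "application/vnd.oasis.opendocument.spreadsheet",
    "content.xml": f'<office:document-content xmlns:office="{OFFICE}"><office:scripts/>'
                   '<office:body><office:spreadsheet/></office:body></office:document-content>',
    "Basic/Standard/Module1.xml": "<module/>",
    "META-INF/manifest.xml": f'<manifest:manifest xmlns:manifest="{MANIFEST}"><manifest:file-entry '
                             'manifest:full-path="Basic/Standard/Module1.xml"/></manifest:manifest>',
}

def build_sample_ods():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in SAMPLE_PARTS.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Running the cleaned output through the filter a second time removes nothing, which is a cheap check that the rewrite is complete.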

Re:Another reason to have an open file format (1, Insightful)

Anonymous Coward | about 8 years ago | (#15549600)

Bullcrap, an open format doesn't preclude security problems.

The closest already widespread format was PDF documents (multiple writers) and there have been plenty of exploits associated with that format, though not as many as Word, Excel, etc.

Re:Another reason to have an open file format (1)

colinrichardday (768814) | about 8 years ago | (#15549730)

Do you have examples? I've tried Google but "PDF exploit" returns PDF descriptions of exploits, not exploits of PDF.

Re:Another reason to have an open file format (1)

dylan_- (1661) | about 8 years ago | (#15549809)

I've tried Google but "PDF exploit" returns PDF descriptions of exploits, not exploits of PDF.

For future reference: using "PDF exploit filetype:html" (without the quotes, obviously) will just return .html files.

Just in time (4, Insightful)

Opportunist (166417) | about 8 years ago | (#15549405)

Anyone here thinking it's a coincidence that the exploit goes live JUST after "patch day"?

I don't want to call the responsible people at MS retards, who thought that patching at one very predetermined day every month is a good idea, but my English is not good enough to come up with a better name for this kind of idea.

Re:Just in time (1)

Bostik (92589) | about 8 years ago | (#15549605)

Thesaurus to the rescue: imbeciles

On a more serious note, I'm honestly surprised it has taken this long for this kind of operation to emerge. The very idea of a Patch Day[tm] is to A) appease corporate types who think they understand what "unscheduled downtime" means but are too detached from reality to understand what significance it carries; and B) assume that people outside the company can't discover holes in your software.

For point B, see first paragraph.

Re:Just in time (1)

Opportunist (166417) | about 8 years ago | (#15549662)

For corporate types, see it, too.

Quite frankly, I do understand why it's more convenient, for both sides, to use a fixed date for patching. But let's be honest here, criminals don't care for your working hours. I could rant and rave and whatnot, for the usual exploit/hack/trojan usually comes JUST in time for weeks when either Tuesday or Thursday is a holiday. Gee, why? 'cause everyone will have taken Monday/Friday off and the unpatched window opens wider.

You have NO idea what it's like around XMas/New Year if you're not in the biz.

Of COURSE the malware writers adjust to the patching rhythm. Did anyone expect anything else? That means they have a MONTH of running freely before anyone reacts. A month is a VERY long time in this biz.

Yah, ok... (0, Redundant)

Secret Rabbit (914973) | about 8 years ago | (#15549430)

The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

Yes, because there is no way that the attacker could have come up with the attack him/herself. It's completely out of the question that this person could have done it alone. Even though we know absolutely nothing about [him/her, them], etc. It certainly makes far more sense to introduce a conspiracy theory. One involving vast crime rings.

Sure.

HOW!?!!?! (0)

tomstdenis (446163) | about 8 years ago | (#15549689)

Do you get executable code in a SPREADSHEET!?!

Seems like another MSFT "feature".

Tom

Re:HOW!?!!?! (0)

Anonymous Coward | about 8 years ago | (#15549814)

I think you were being sarcastic, but for the benefit of people who are legitimately wondering the same thing I say this: you overwrite a buffer and inject proper machine code into it. The vector can be anything. Even an image of you, a video clip, word processor document, favicon.ico, anything... all it takes is a hole which you can exploit.

Re:HOW!?!!?! (2, Informative)

mortonda (5175) | about 8 years ago | (#15549862)

Do you get executable code in a SPREADSHEET!?!

Buffer overflows [wikipedia.org]

Bye (1)

Mateo_LeFou (859634) | about 8 years ago | (#15549751)

Between this stuff, WGA, and just general principle I'm not sure I'll ever boot XP again. Just gotta figure out how to run Party Poker on Lx...

Employ the hackers (fight fire with fire) (2, Interesting)

JakeChance (983045) | about 8 years ago | (#15549892)

Why doesn't anyone employ these hackers to attack spam companies? It would be using one destructive web force against an annoying one; after all, I'm sure they get spam too. The enemy of my enemy is my friend.