Microsoft Confirms Excel Zero-Day Attack
Guglio writes "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business. The latest zero-day attack comes just two days after Patch Tuesday (coincidence?) and less than a month after a very similar, 'super, super targeted attack' against business interests overseas. The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."
Hackers can't do it? (Score:5, Funny)
Are you implying that hackers don't have the wherewithal to pull off corporate espionage? Can they do nothing more than crack the latest version of VirtuaGirl?
Re:Hackers can't do it? (Score:5, Insightful)
Zero-day exploits do tend to suggest someone with specific goals, who has the resources to sit and come up with zero day exploits, and the foresight to target deployment to achieve a goal. It's not behaviour that we stereotypically associate with hackers, but there is no reason it couldn't be one person (or ten or a hundred).
Re:Hackers can't do it? (Score:2, Insightful)
Re: (Score:2)
Re:Hackers can't do it? (Score:2)
By the way, I did a spyware cleaning for a client yesterday (AND have to go back soon because it wasn't entirely effective despite using all the latest anti-trojan/spyware/AV tools) who indeed suggested to me that Microsoft was deliberately creating these things to make another market for itself.
So, yeah, there are consumers out there who believe that - I'm starting to take the idea seriously.
Re:Hackers can't do it? (Score:5, Funny)
Hey! I resent that!
Love,
Professor James Moriarty.
Re:Hackers can't do it? (Score:2, Insightful)
Re:Hackers can't do it? (Score:2)
True but I don't think the article suggests that. Finding an exploit and then selling it IS "evil" and although IANAL probably illegal. It would take a moron not to realize that the exploit someone pays money for will be used maliciously.
Re:Hackers can't do it? (Score:5, Funny)
They can do that? Do you know where I can find these guys? I need to, uh, confirm your statement. Solely for scientific purposes, you understand.
Presumably they could but... (Score:5, Insightful)
Re:Presumably they could but... (Score:3, Interesting)
What raises my eyebrows is that hacks like this are a "one shot deal". You can't run an exploit for very long without it getting noticed, then patched. So the charge for these must be pretty high, given that it seems like work for hire.
So the business background on this exploit is probably far juicier than the exploit itself. The path to contact, payment, motive, etc are probably a great story. I would certainly read that book.
Of course, if writing such a book, I would take the XL
Re: (Score:3, Insightful)
Re:Presumably they could but... (Score:3, Informative)
Be careful!!! In the US, you can be charged with being an accessory to a crime.
Re:Presumably they could but... (Score:2, Insightful)
All the cracker has to do is come up with a reasonable way that they could have plausibly sold it without criminal intent (i.e. they get the actual criminal to agree that the cracker sold it for security testing purposes, not for cracking purposes or something like that).
Re:Hackers can't do it? (Score:3, Insightful)
Why read the article? (Score:5, Insightful)
I don't need to RTFA, I can just wait for the movie.
Re:Why read the article? (Score:5, Informative)
Re:Why read the article? (Score:2)
Great movie.
Halle Berry tits. John Travolta doing his Scientologist impression. Hugh Jackman humping his computer. Hot blonde giving a blowjob to a hacker trying to penetrate the DoD system. A Finnish hacker named Axel Torvalds. What's not to like?
okN.xls? (Score:5, Funny)
Hmm, I guess I should rename my spreadsheet containing a list of Oklahoma natives.
Re:okN.xls? (Score:2)
Zero day?!? (Score:5, Funny)
Re:Zero day?!? (Score:2)
One of the pitfalls of MS' popularity is that everything they do is exploited. It seems that no matter what they do someone will take advantage of it and screw their customers.
Not a popularity problem (Score:5, Insightful)
Re:Zero day?!? (Score:2)
It never seemed like a good idea from the start to anyone who's set up and used any linux distro. Release fixes when the problem is fixed, not a month later.
This problem is nothing to do with MS's pervasiveness, and everything to do with plain old-fashioned incompetence.
Re:Zero day?!? (Score:2)
That's how it's done (Score:3, Insightful)
Re:That's how it's done (Score:2)
Re:That's how it's done (Score:2)
And that is relevant to this discussion because...
No software firm has ever needed to release as many security patches as Microsoft has.
I actually work for Sun. If you told our software people that they had to release dozens of patches per year, and do it without a scheduled software cycle, they'd laugh in your face.
Re:That's how it's done (Score:3, Insightful)
No, that's BILL'S excuse - "It doesn't make me any money, so we're not doing it."
If you think about it, it doesn't matter if the number of patches per month is large or small. It's just a matter of having enough people to deal with ALL of them, on a pipeline where it ends up in a security patch download on Microsoft Update.
The problem for BILL is the number of people he has to pull off his "upgrade" and "new" products like Vista - which DO make him money - to the problem of security which does NOT make him
Re:That's how it's done (Score:2)
Re:Zero day?!? (Score:2)
NOT TO FEAR! (Score:4, Insightful)
Oh wait, didn't they say that when they released Windows 98, Windows ME, Windows 2000, Windows XP, Windows 2003 Server, Office XP, & Office 2003? HMMMMMMM. This could be a pattern forming.
Re:NOT TO FEAR! (Score:2)
Re:NOT TO FEAR! (Score:2)
Re:NOT TO FEAR! (Score:3, Funny)
1. Built under their "security is top priority" and "trustworthy computing" initiatives.
2. Microsoft built security focused tools such as
3. Given the long development cycle, I'd have to imagine they recoded most of the system and not based it off of their previous code which all has major critical security issues.
4. I'd have to imagine in the effort to keep the system secure, b
Re:NOT TO FEAR! (Score:2, Insightful)
There's a simple formula to determine how secure and reliable any software is (OS or application). As you add to the total lines of code, regardless of who is writing the code, the opportunities for unexpected errors and security issues grows at a logarithmic s
Re:NOT TO FEAR! (Score:5, Funny)
In any case to presume some kind of pattern from this last decade of operating systems is poor reasoning --the science just isn't in yet to show any long-term trends. Sure, the 7 of 10 most exploited operating systems have been released in the last decade, but that is not statistically relevant over the million year record of security issues. Certainly taking some kind of preventive action like using Safe Languages is just being alarmist as is all the liberal scaremongering that "all your base will be pwned" by the end of the century. Think of the economic impact of all those wasted cycles that could be better used doing manual memory management.
Listen, the computer was here long before Windows, and they'll still be around after Windows is gone. We're overstating our importance to say that mere programmers can destroy the whole computer. Sure, it may be uninhabitable by our software but eventually random bit-flipping will reset the computer and a new OS will take over. It's evidence of the indisputable intelligent design of computers that they can recover from anything we could possibly run on them.
They got what they deserved... (Score:5, Funny)
You can't go running around with a business without a name! Focus groups people, focus...
unnamed business (Score:2)
Corporate espionage ROFL! (Score:2)
Re:Corporate espionage ROFL! (Score:3, Funny)
I'm sure you'll be needing them.
Re:Corporate espionage ROFL! (Score:2)
news? (Score:5, Interesting)
Re:news? (Score:2, Informative)
Actually, it's not that hard. Log in as a limited user, do whatever you need to do, and if you encounter a program that absolutely needs to run as an admin, just right-click > Run as..., enter admin account name and password, and the program will run under the admin account. I personally haven't made the permanent switch to Linux yet, but I think it's comparable to sudo.
Re:news? (Score:2)
Re:news? (Score:2)
Re:news? (Score:3, Interesting)
End users should be able to open data files (data, not executable files) without fear of being owned. Data files should not have the ability to contain code (with the exception perhaps of rudimentary macros which can only interact with the host program and are sandboxed, like java applets or javascript).
Re:news? (Score:2)
Data files shouldn't contain code? What better place to put the code than in the same file as the data it manipulates? A sandbox wouldn't necessarily meet the needs of the business. A sandbox would probably be ok for Word or PowerPoint. Sandboxing Excel macros would be a huge mistake. Some of the most useful and time saving macros in Excel automate the process of gathering data from disparate sources.
Re:news? (Score:5, Insightful)
There is no reason why it should have to be that way. In other operating systems and offices, you can open documents to see what's in them without handing over control of the OS to someone. Why should we accept a world in which unsolicited communication is banned? Why can't we allow businesses to expand by making contacts with new, previously unknown people?
Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.
No, actually it is not. The most damaging things money wise that can happen to your computer are all available as the user, because if the data is important, the user obviously has to be able to read it. Trashing C:\Windows can always be fixed with a re-install. Uploading outlook.pst and *.xls to some site in Hong Kong can never be undone.
If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.
No, that is not the solution. Having to spend more on IT is the PROBLEM THIS BUG CREATED, not the solution.
Like many computer users, windows or linux or mac, you have internalized your work-arounds and broken-system survival strategies to the point that you actually think that's the way things are supposed to work.
Re:news? (Score:2, Interesting)
Because that's called MySpace, and look where that got us. Think of the children.
*raises troll mod shield*
Re:news? (Score:2)
You're a recruiter (a not very savvy one) and you receive attachments from people you don't know all day long.
You get "fun stuff" from your friends all the time, and this one just happens to look like some of the others that were okay.......
Just throwing a few out there. Personally I dislike the entire existence of attachments in emails.
Re:news? (Score:2)
Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.
These are carefully crafted messages spoofed to appear to be coming from someone within the company. It is someone they know and it is an excel spreadsheet, which is data and should not be able to install any software unless Excel is designed for crap (which it is).
Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administra
Re:news? (Score:2)
News? (Score:5, Insightful)
Yes, OpenOffice will be full of holes as well.
Not news.
As for attacking just after the patch cycle, it's unlikely to mean anything. If I wanted to take advantage of a vulnerability for as long as possible, I would attack two or three days before the patch cycle. That will give people a couple of days to work out what happened and report the issue to Microsoft. After some initial analysis and prioritisation, a developer will be assigned to fix it. By that time it will have missed the boat for this month's patch day. Not that I would do this though.
Impossible to do (Score:2)
If you now expect your employees not to open MSO documents, you pretty much expect them not to work.
Re:News? (Score:2)
Unfortunately, not true, any more than saying everyone knows not to follow a link emailed to you that requests you enter your login/password. The unfortunate truth is the majority of internet users are not
I can't wait till Excel 2007 comes out. Not of course for the security system (which will continue to be meaningless as long as dumb Joe leav
Typically, the difficulty in prosecuting crackers (Score:3, Insightful)
In this instance, however, it is being hypothesized that an organized group is responsible. That's a centralized target; likely to yield more than one guy in his basement wearing shorts and a coffee-stained t-shirt, drinking coffee and jolt and living off old pizza.
So, to CERT (and their international counterparts) I say - "Go get 'em, boys!"
Patches Available (Score:4, Informative)
Unnamed business? (Score:5, Funny)
I think they should be more worried that they are the victim of identity theft [slashdot.org].
stupid (Score:4, Funny)
Re:stupid (Score:2)
I do not believe that e-mail spamming attack against a single company can be that effective.
For the previous, Word exploit, they were actually spoofing addresses so it appeared to be coming from an employee.
Very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mails.
...and the fact that most systems are so insecure that users have to avoid viewing data, because it can compromise their machine is just pathetic. Whole generations are trained to wo
and you're missing the point (Score:2)
Re:stupid (Score:2)
The point was I do not believe that spammers can successfully spam a single company.
I think you may be confusing terms. Of course spammers can spam a company, they do it all the time. They can spam them to the point of DDoS. Or do you mean you don't think someone can successfully use this exploit to compromise machines in a given company? If so, you're wrong. They have successfully exploited machines at various companies. They spoof an address from someone at the company and send it to someone else. So no
An Excel exploit? (Score:5, Funny)
Re:An Excel exploit? (Score:2)
Re:An Excel exploit? (Score:5, Funny)
Re:An Excel exploit? (Score:2)
Another reason to have an open file format (Score:5, Interesting)
You could easily parse the file at your gateway, and validate the xml content against the published schema (rejecting it if it fails), although this wouldn't be foolproof (an exploit could still exist within well formed xml, but is less likely) it would cut out a significant portion of vulnerabilities.
Re:Another reason to have an open file format (Score:4, Funny)
Re:Another reason to have an open file format (Score:2)
With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document...
...and with an open standard you could switch your users to an alternate spreadsheet if the problem persists. This vulnerability is only a major concern because of the monoculture. If 25% of users were using OpenOffice, 25% were using MS office, 25% were using Corel, and 25% were using something else all to open the same spreadsheet files, this type of vulnerability would cause a l
Re:Another reason to have an open file format (Score:2, Insightful)
So you expect the "malicious code" to be well labeled in the XML stream? ...maybe with XML comments? =P
Seriously you can only trap a narrow set of possible exploits this way (ones dealing with XML parser exploits generally). Scripts/macros/etc. would need to be interpreted to un
Re:Another reason to have an open file format (Score:2)
Re:Another reason to have an open file format (Score:2)
Re:Another reason to have an open file format (Score:2)
Just in time (Score:5, Insightful)
I don't want to call the responsible people at MS retards, who thought that patching at one very predetermined day every month is a good idea, but my English is not good enough to come up with a better name for this kind of idea.
Re:Just in time (Score:2)
Thesaurus to the rescue: imbeciles
On a more serious note, I'm honestly surprised it has taken this long for this kind of operation to emerge. The very idea of a Patch Day[tm] is to A) appease corporate types who think they understand what "unscheduled downtime" means but are too detached from reality to understand what significance it carries; and B) assume that people outside the company can't discover holes in your software.
For point B, see first paragraph.
Re:Just in time (Score:2)
Quite frankly, I do understand why it's more convenient, for both sides, to use a fixed date for patching. But let's be honest here, criminals don't care for your working hours. I could rant and rave and whatnot, for the usual exploit/hack/trojan usually comes JUST in time for weeks when either Tuesday or Thursday is a holiday. Gee, why? 'cause everyone will have taken Monday/Friday off and the unpatched window opens wider.
You have NO idea what it's like around XMas/New Yea
Bye (Score:2)
Employ the hackers (fight fire with fire) (Score:2, Interesting)
Funny::Bullshit (Score:2)
New drop down UI:
No Bullshit = no
Re:unnamed business (Score:3, Funny)
Think about it. It's a company that relies upon Excel. That means it's full of PHBs who keep using Excel to do everything from track projects to design reports.
It's your employer. Yep. That's right. I checked your IP address, I see who you're working for. Your employer works exactly as I describe.
Re:unnamed business (Score:2, Insightful)
I'm just waiting... waiting for a virus, attack or whatever you will which will simply turn all the threes into eights in every .xls file...
Until something like that happens, no-one will bother learning about security... really learning.
Re:unnamed business (Score:3, Funny)
Re:unnamed business (Score:5, Funny)
It's part of Microsoft's plan (Score:4, Insightful)
Microsoft lets these exploits run free to keep the cattle in line. They need to keep people upgrading and buying the latest versions of their products to keep the cash flowing. If they released a well-written, stable, secure piece of software, what reason would people have to upgrade?
Re:It's part of Microsoft's plan (Score:5, Funny)
Because, through various cutouts to avoid it being traced back to them, it is Microsoft selling the exploits.
I mean, come on, you ever know Microsoft to pass up such an obvious opportunity to leverage a monopoly in one field (say, Office suites) into a dominant market position in another field (say, exploits for Office suites.)
</tinfoil>
Re:It's part of Microsoft's plan (Score:3, Interesting)
Re:It's part of Microsoft's plan - MOD PARENT UP! (Score:3, Informative)
But 'backwards compatibility' made Windows the (in)famous clusterfsck it is.
Imagine how stable and secure Windows would be if Microsoft rewrote and streamlined it (goodbye
Re:It's part of Microsoft's plan (Score:2, Insightful)
Re:Long term, that is a losing strategy (Score:2, Insightful)
Nah... (Score:2)
Re:HOW!?!!?! (Score:3, Informative)
Buffer overflows [wikipedia.org]
Always with the buffer overflows... (Score:2)
Re:HOW!?!!?! (Score:2)
Ahh, see, there's the bad assumption. There are a LOT of really bad programmers... nay, that's an insult to those of us who know what we're doing. I don't know what to call them. And they are all over the place, writing "enterprise" software. For more info, read The Daily WTF [thedailywtf.com].
Re:HOW!?!!?! (Score:2)
At the beginning "programmers" were hobbyists who learned it because they were interested and took it seriously. But more and more as things got commoditized managers looked for people who got things in quicker. And by quicker I mean cut corners. So that in turn bred the generation of really shitty programmers [who often call themselves "developers"].
Now you got both shitty "coders" and shitty managers who just won't take "it'll be ready when
Re:HOW!?!!?! (Score:3, Informative)
Now, if the macros were available to an
Re:HOW!?!!?! (Score:2)
Re:HOW!?!!?! (Score:4, Informative)
Basically, what happens is that the Office reading routine creates room on the stack for some variable, to hold X bytes. Right behind those X bytes, there is the return address for the subroutine (so the reader subroutine can actually come back to the original program).
Now, this return address is being overwritten by an address that points into the spreadsheet instead (it's not THAT simple, but that's the general idea behind it). And in that area of the spreadsheet, you don't find spreadsheet data but instead you have executable code. Which is then, of course, executed (because Office thinks it's "his" code).
Quite simple. And easily avoided (the way to do it can be seen below in another subthread, by a rather good example).
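The overflow this comment describes, as an added example that is not from the thread and not Microsoft's code: a constructed record reader in C, loosely modelled on a binary spreadsheet stream of (type, length, payload) records, with the trusting copy beside a bounded one. The record layout, the 64-byte buffer, the function names and the sample streams are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (illustrative, not the real .xls format): a 2-byte
 * type, a 2-byte little-endian length, then `length` bytes of payload.  The
 * reader copies each payload into a fixed-size stack buffer, which is the
 * situation described in the comment above. */
#define REC_HEADER 4
#define PAYLOAD_MAX 64

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The bug pattern: the length field comes from the file and is trusted.  A
 * payload longer than PAYLOAD_MAX is copied past `buf` into whatever the
 * compiler placed after it, such as the saved return address.  Kept only for
 * comparison with the fix below; call it on well-formed input only. */
int unsafe_read_record(const uint8_t *p, uint16_t *type_out)
{
    uint8_t buf[PAYLOAD_MAX];
    uint16_t len = rd16(p + 2);
    *type_out = rd16(p);
    memcpy(buf, p + REC_HEADER, len);   /* no check that len <= PAYLOAD_MAX */
    return (int)len;
}

/* Hardened reader: the length is checked against both the destination buffer
 * and the bytes actually remaining in the input before anything is copied.
 * Returns the payload length, or a negative code naming the defect. */
int safe_read_record(const uint8_t *p, size_t avail,
                     uint16_t *type_out, uint8_t out[PAYLOAD_MAX])
{
    if (avail < REC_HEADER) return -1;          /* truncated header */
    uint16_t len = rd16(p + 2);
    if (len > PAYLOAD_MAX) return -2;           /* would overrun `out` */
    if (len > avail - REC_HEADER) return -3;    /* claims more than the file holds */
    *type_out = rd16(p);
    memcpy(out, p + REC_HEADER, len);
    return (int)len;
}

/* Walk a whole stream with the hardened reader, stopping at the first bad
 * record.  Returns the number of good records, or the first negative code. */
int scan_stream(const uint8_t *s, size_t n)
{
    size_t off = 0; int count = 0;
    uint16_t type; uint8_t payload[PAYLOAD_MAX];
    while (off < n) {
        int r = safe_read_record(s + off, n - off, &type, payload);
        if (r < 0) return r;
        off += REC_HEADER + (size_t)r;
        count++;
    }
    return count;
}

/* Constructed sample streams: one well-formed, one whose length field would
 * overrun the buffer, one whose length field exceeds the bytes present. */
static const uint8_t good_stream[] = { 0x09,0x08, 0x02,0x00, 0xAA,0xBB, 0x0A,0x00, 0x00,0x00 };
static const uint8_t oversized[]   = { 0x09,0x08, 0x00,0x10, 0x41,0x42 };  /* claims 4096 bytes */
static const uint8_t truncated[]   = { 0x09,0x08, 0x20,0x00, 0x41,0x42 };  /* claims 32, has 2 */

int main(void)
{
    printf("good=%d oversized=%d truncated=%d\n",
           scan_stream(good_stream, sizeof good_stream),
           scan_stream(oversized, sizeof oversized),
           scan_stream(truncated, sizeof truncated));
    return 0;
}
```

The same length-versus-buffer and length-versus-remaining-input checks apply to any record-based file reader; a gateway that walks a document with the hardened reader can reject malformed streams before they reach a user's desktop.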
Re:HOW!?!!?! (Score:2)
We did that. It's called strncpy. If you want better than that, you're going to have to make an entirely new language to get it. But if you decide to make this hypothetical language (which I call "Java", but it's kind of a silly name so I don't think it will catch on, but you could abbreviate it to something really catchy like "J2SE"), please try very hard not to make it so sim
Re:HOW!?!!?! (Score:2, Informative)
Actually, M$ uses OLE2 [wikipedia.org] as the binary file format for all its office products. This is actually like its own file system. If you dig around in the files you'll notice there is a lot of padding where you can place whatever you want and M$ office products will not even notice. I'm not sure exactly how this exploit works, but I did some research into the MS03-050 [microsoft.com] exploit and discovered that buffer overflow would allow you to execute about as much