Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Windows Microsoft Security

Windows 0-Day Exploited In Ongoing Attacks 114

An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.
This discussion has been archived. No new comments can be posted.

Windows 0-Day Exploited In Ongoing Attacks

Comments Filter:
  • by mwvdlee ( 775178 ) on Wednesday October 22, 2014 @09:27AM (#48203395) Homepage

    UAC will display a warning, this exploit only touches users who run as admin.
    I don't think any still supported version of Windows defaults to admin.

    • by fisted ( 2295862 ) on Wednesday October 22, 2014 @09:29AM (#48203403)
      You do know the common way for users to deal with UAC prompts, right?
      • by afidel ( 530433 ) on Wednesday October 22, 2014 @09:34AM (#48203459)

        Yes, but in a well managed environment users won't get a UAC prompt because they won't be local admins, if the folks you've trusted enough to grant local admin to are still dumb enough to click ok to a UAC prompt when opening an Office file then there's literally no security system that will help you.

        • by dbIII ( 701233 )
          However when you have inhouse software that only runs as admin because your VB jockeys haven't worked out that it's no longer 1995 then you are fucked - frequently - when each new wave of malware hits.
          MS Windows is no longer the problem. Losers who treat it like MSDOS and write software are the problem.
          • If it's in-house software then it can be fixed - no excuses. If people don't fix problems they know about and can fix then they get what they deserve.

            Show me somebody who has a huge investment into a physical machine controlled by some proprietary software where the vendor has gone out of business and there's no source available and then I'll have a bit of sympathy, but even then put it on a VM on its own VLAN - these are not extremely difficult problems.

          • This is not isolated to in-house software, maybe the VB jockeys though. I have never actually seen one, so do VB jockeys wear multicolored hats?
            • Some do, however I've seen a few that are incapable of finding their head let alone placing a hat on it. Generally these are still stuck developing on VB6 rather than the vastly improved .NET versions (and are still whining about it after all these years...)
          • It's not just in house VB jockeys doing this. All sorts of "enterprise" grade software will only run as admin.
            If you can find the registry keys to tweak and files and folders to manually change perms on than sometimes that problem can be mitigated.
            Really, the problem is that software development gives little priority to security.
          • by Bacon Bits ( 926911 ) on Wednesday October 22, 2014 @12:46PM (#48205201)

            No, you just use the Application Compatibility Toolkit which allows you to run an application with the exact level of permissions it requires to get things done regardless of the permissions assigned to the current user. Does your application need to be able to write to it's own program folder, but you want to prevent everything else from doing that, too? Application Compatibility Toolkit [microsoft.com].

            Is it easy to use? No, but it does work very well. The tools exist to get what you need done regardless of your environment. Granting users admin rights when they don't need them is just lazy.

            • Writing a program that demands admin rights when it does not need them (eg. to put a lock file in the root of the system drive instead of elsewhere for a purely arbitrary reason) is even lazier.

              Sometimes it's better to go after the root cause of the problem and get the developers that have been left behind to understand that it's the 21st century and their desktop software is likely to be running in a multi-user, networked, multi-core, 64 bit environment. There are far too many that can't even get ONE of
        • by DarkOx ( 621550 )

          Have not looked at the vuln yet but does it necessarily pop a UAC given its OLE, i assume this is some kind of memory overwrite. So might be possible to step all over the users data without calling any privileged operations.

        • by Qzukk ( 229616 )

          well managed environment

          Number one target for this will be grandpa forwarding that patriotic slideshow with God Bless America playing as it pages through sunsets and crying eagles and a root kit on the 4th slide.

        • by Anonymous Coward

          In every well managed environment you always have that one executive that is above best practices.

        • Even power users get the UAC prompt for certain things. But if they don't have local admin, the point is still moot.

        • if the folks you've trusted enough to grant local admin to are still dumb enough to click ok to a UAC prompt when opening an Office file then there's literally no security system that will help you

          It's like my grandpa used to say "Kid, you can't make an idiot not be an idiot--and also never fuck a hooker who's coughing."

      • Switch to MS-DOS?

      • Well, if the solution is to run as admin so you don't get those pesky notices .... then the outcome is going to be not unlike your nick, and entirely self inflicted.

        Because, you will be fisted by the first exploit to come along.

        • by fisted ( 2295862 )
          That is not what i was referring to. The typical technically illiterate user wouldn't know how to do that anyway (or even know what it means)
      • If an "exploit" requires the user to manually give it complete access to the PC to work... it's not an exploit.
    • by gweihir ( 88907 )

      As Windows slowly gets where Unix already was 30 years ago, the problem in cases like this is less with Windows and more with Windows-users.

      Still, OLE was a pretty bad idea from day 1.

    • by Khyber ( 864651 )

      "UAC will display a warning, this exploit only touches users who run as admin."

      I run as admin on my Windows7 machine and I get UAC prompts.

      Next.

  • Damn linux (Score:5, Funny)

    by ruir ( 2709173 ) on Wednesday October 22, 2014 @09:36AM (#48203465)
    Linux is not good, damn full of bugs, heartbleed, shellsock and now THIS!!! Crap, wait, I must have made some mistake ;)
  • by technomom ( 444378 ) on Wednesday October 22, 2014 @09:51AM (#48203585)
    ....Don't ever change you magnificant bastard.
  • by blueshift_1 ( 3692407 ) on Wednesday October 22, 2014 @09:55AM (#48203623)
    Yeah, you defflinitely have "allow" it. But most people don't read half the messages excel or powerpoint throw at them. Just accept, accept, open, enable, install, install. Why do we even make botnets... I'm sure the users would do it on their own if they were prompted.
    • Re:Definitely Users (Score:5, Interesting)

      by CauseBy ( 3029989 ) on Wednesday October 22, 2014 @10:09AM (#48203737)

      It's a problem of false negatives. I've never been confronted with a UAC warning for which it was appropriate to say no. Never.

      When 100% of past warnings were unnecessary people don't pay attention to warnings anymore. This isn't a problem with human behavior, this is a problem with the warnings. Warnings need to have a memorably high rate of indicating actual danger -- five or ten percent is enough. One in a million is not enough.

      Windows is like the crazy guy on the corner who says "the end is near!" Yeah, sure, maybe this time he's right, but we've heard that false message too many times to even bother listening to it.

      • by Anonymous Coward
        The solution could be to create random spurious warnings for things that are dangerous. "Confirm delete of c:\windows directory and all subdirectories?" "Confirm sending violent threat email to PotUS?" "Confirm rabid weasel release in your back yard?" Then if they answer "yes", actually do the ones that a computer can do.
      • by Zalbik ( 308903 ) on Wednesday October 22, 2014 @11:11AM (#48204293)

        It's a problem of false negatives. I've never been confronted with a UAC warning for which it was appropriate to say no. Never.

        Well, then you should take a look at the attached powerpoint presentation! It gives an in-depth analysis of exactly why you should be careful when answering "Yes" to UAC prompts.

      • by Anonymous Coward

        I've never been confronted with a UAC warning for which it was appropriate to say no. Never.

        If you configure UAC to the highest level you can prevent some explorer mishaps by a tired, drunken administrator.

    • ... almost every doc I open is opened in a locked state, Windows tosses up a message asking if I want to unlock it to make changes, or even to print it, I believe. That's a great way to train your users to click "OK" to every message they see.
  • by Grantbridge ( 1377621 ) on Wednesday October 22, 2014 @09:56AM (#48203629)

    Just download this handy powerpoint slideshow [example.com] and I think you'll find it explains how this attacks works in perfect detail...

  • Really? Who installs PowerPoint on the server? Cause you are gonna be all like, hold up let me unrack this server and connect a projector to it...right.
    • by ruir ( 2709173 )
      Dont ask...we had a fantastic team of System administrators here that fortunately when one left the other had the good sense of leaving too, that installed EVERYTHING they could into the servers. The Windows servers had Office, and Linux servers had 30-40GB of software.
      • Leaving the servers open to all kinds of vulnerability issues by installing unnecessary software. That's a fantastic team of system admiistrators?
        • by ruir ( 2709173 )
          Are you so dense to not understand than when I am rejoicing they left, that could only be irony? You could improve your social skills.
          • Re-read your original comment. The irony was lost in translation. Maybe you should go back to school to learn proper English?
      • by ndato ( 3482697 )
        System administrators job is to install everything and allow every user to access and execute everything, isn't it?
    • by tlhIngan ( 30335 )

      Really? Who installs PowerPoint on the server? Cause you are gonna be all like, hold up let me unrack this server and connect a projector to it...right.

      If your process involves generating Office, documents, it's generally the easiest way. The server automation tools for generation of Office documents are basically scripts and wrappers around.... Office. So if you want to generate some report that spits out an Excel file at the end, you can bet it was generated in Excel the first time around because the repo

      • If your process involves generating Office, documents, it's generally the easiest way. The server automation tools for generation of Office documents are basically scripts and wrappers around.... Office. So if you want to generate some report that spits out an Excel file at the end, you can bet it was generated in Excel the first time around because the reporting tool actually called Excel to fill in the fields.

        This may have been correct 5 to 10 years ago, but you should never do this in a modern installa

    • Ciitrix server serving Office to remote users
      Sharepoint addon for searching and indexing Office files.
      I'm sure there are others this is just what I thought up in 30 seconds.
  • by __aaclcg7560 ( 824291 ) on Wednesday October 22, 2014 @10:23AM (#48203839)
    If you're a security remediation specialist for the I.T. department, Windows is job security as these problems will never go away.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Do you know any OS that is free of bugs and security risks, including users?

      • by Anonymous Coward

        VMS is really, really close to perfect.

      • Neither Linux nor Mac is paying my salary. Only Windows. Thanks, Microsoft!
  • by Anonymous Coward

    If you leave one hole in Windows unpatched, soon there will be more.

  • Who the fsck embeds OLE objects in PowerPoint.

    I have enough trouble getting text to display.
  • Libreoffice? (Score:3, Interesting)

    by BellyJelly ( 3772777 ) on Wednesday October 22, 2014 @02:06PM (#48205955)
    Well, we mostly use Libreoffice at work. Are we vulnerable if we open a powerpoint file in Impress?

If you think the system is working, ask someone who's waiting for a prompt.

Working...