Microsoft Patches OLE Zero-Day Vulnerability
msm1267 writes: Microsoft today released a patch for a zero-day vulnerability under active exploit in the wild. The vulnerability in OLE, or Microsoft Windows Object Linking and Embedding, enables a hacker to remotely execute code on an infected machine, and has been linked to attacks by the Sandworm APT group against government agencies and energy utilities. Microsoft also issued a massive Internet Explorer patch, but warned organizations that have deployed version 5.0 of its Enhanced Mitigation Experience Toolkit (EMET) to upgrade to version 5.1 before applying the IE patches. Version 5.1 resolves some compatibility issues, in addition to several mitigation enhancements.
Re: (Score:2)
Red headlines indicate the story's not ready yet for comments, but cued up ready to run next. Subscribers see it, and occasionally they open it up to everybody to promote subscriptions, and prove there's a breaking story worth extra attention coming. In this case, if you just checked Slashdot expecting a slow news day story, you got this must-upgrade-or-else Patch Tuesday release.
Re: (Score:2)
Stories only visible to subscribers have the red background. All stories are initially only visible to subscribers before being made available to everyone, but there's some delay between the story being made available to everyone and the colour being changed to the standard green.
Re:why is it red? (Score:4, Funny)
why is it red?
Comments are disabled to allow Microsoft time to assemble a team of Social Media Manglers (SMMs). Their job is to ensure discussion of yet another failure is framed so as to minimize the harm to their client's reputation.
It's part of Microsoft's TOS with the very dicey new Slashdot.
Re: (Score:3, Funny)
This anonymous guy is right, at least with Microsoft you're paying for top vulnerabilities versus with Linux, you just get the vulns which people half-heartedly create... I know where my money is going!
Re: (Score:1)
Yep, you pay for Microsoft because it comes with the promise they're paying people to set mistakes right... you can't get that with Linux unless you pay somebody like Red Hat.
Re: (Score:2)
"'The buggy code is at least 19 years old and has been remotely exploitable for the last 18 years,' IBM X-Force research team said in its blog on Tuesday."
http://www.nbcnews.com/tech/se... [nbcnews.com]
I know you guys recently made a big deal out of attacking free software projects, and tried to exploit a couple of recent bugs in them to evangelize for paid development, so th
Re: (Score:1)
"Zero day" means the first exploit hasn't been spotted... Microsoft announced the patch and the problem at the same time, and did so on its designated day of the month (2nd Tuesday) so it looks like they had it right.
Re:Good job MS (Score:4, Insightful)
"Zero day" means the first exploit hasn't been spotted
What? [wikipedia.org]
Microsoft announced the patch and the problem at the same time
Did you even read the summary?
Re: (Score:2)
Good catch... the summary has wrong use of the term "zero-day"... please count the number of days this has been out!
Re: (Score:2)
Of course, if you want to count from the time IBM found the bug and reported it: roughly 180.
Re: (Score:3)
In opposition, OLE has been a zero-day since at least two years after it was introduced.
Anything using OLE, or any of the later labels for OLE, should have assumed that it, somehow, was infected.
It could have been done securely, I assume, but I can't tell you how. I can say that every OLE book has told me, indirectly, how to fuck up a dude's 'puter.
Re: (Score:2)
You seem to have missed the "under active exploit in the wild" part...
Re:Is There A Fix for XP? (Score:4, Insightful)
This is the knockout blow to XP... an announced unpatched flaw!
XP vulnerabilities are exaggerated. (Score:2, Interesting)
Most writers for technical publications have limited technical knowledge. What is not said in the article linked by Slashdot is that computers that run software firewalls that monitor outgoing traffic are far more protected.
Quoting from the article [net-security.org]: "For
Re:XP vulnerabilities are exaggerated. (Score:4)
This amounts to "Don't run Office" on XP. If XP can't run IE or Office, better switch to the open source Firefox and OpenOffice... but if you're going to do that, why not bring in Linux?
Re: (Score:2)
For several use cases, it similarly won't work just like newer versions of Windows.
For example - you support a logistics center that has a several million dollar pallet stacking machine that saves shloads of money. The computer that runs it uses Windows XP, and the software that runs it will *only* work on Windows XP. The manufacturer of the device is not going to update the software because that particular piece of equipment is 10 years old, so to get rid of Windows XP, you need to get rid of the perfec
Re: (Score:2)
Eventually what I did was turn the thing into a low-powered, headless Debian server - I can run that off Ethernet. It should be noted that it was somewhat difficult to even find a distro for it - I was going with Ubuntu Se
Happy Patch Tuesday everybody! (Score:4, Interesting)
It's Patch Tuesday falling on Veteran's Day this year... so this may catch some IT staff sleeping. Everybody checking Slashdot at home who maintains one of these things... log in and apply the update!
Re: (Score:2)
Score that zero-day mention as worth zero!
no dice, not zero day. (Score:3)
this was a zero day vulnerability... THREE WEEKS AGO.
... an infected machine (Score:1)
NOT a remote exploit. (Score:2)
From the summary
100% wrong, the exploit is of the trojan type and needs either code to be run by a user or an MS Office document to be opened locally before the machine is pwned.