Slashdot Mirror


Microsoft Confirms Excel Zero-Day Attack

Guglio writes "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business. The latest zero-day attack comes just two days after Patch Tuesday (coincidence?) and less than a month after a very similar, 'super, super targeted attack' against business interests overseas. The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."

199 comments

  1. Solution? by Anonymous Coward · · Score: 0, Interesting

    If Criminal orgs are purchasing exploits, why doesn't Microsoft? (it's not like they don't have the money!)

    1. Re:Solution? by cmdr_beeftaco · · Score: 1

      Tankersley

  2. unnamed business by Anonymous Coward · · Score: 1, Insightful

    Anyone have any clue what is under attack?

    1. Re:unnamed business by Anonymous Coward · · Score: 3, Funny

      Yes.

      Think about it. It's a company that relies upon Excel. That means it's full of PHBs who keep using Excel to do everything from track projects to design reports.

      It's your employer. Yep. That's right. I checked your IP address, I see who you're working for. Your employer works exactly as I describe.

    2. Re:unnamed business by dark-br · · Score: 4, Funny

      Yes... I do... Please refer to the attached xls spreadsheet for more info. ;)

    3. Re:unnamed business by cp.tar · · Score: 1, Insightful

      I'm just waiting... waiting for a virus, attack or whatever you will which will simply turn all the threes into eights in every .xls file...

      Until something like that happens, no-one will bother learning about security... really learning.

      --
      Ignore this signature. By order.
    4. Re:unnamed business by scovetta · · Score: 2, Funny

      Woohoo! A five dollar raise for me!!!

      --
      Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  3. Hackers can't do it? by brian0918 · · Score: 4, Funny

    "...suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."

    Are you implying that hackers don't have the wherewithal to pull off corporate espionage? Can they do nothing more than crack the latest version of VirtuaGirl?

    1. Re:Hackers can't do it? by SatanicPuppy · · Score: 4, Insightful

      Yea, nice way to jump to conclusions. The idea that intellectuals can't be criminals is almost victorian. Or maybe they fell for the stereotype of the happy-go-lucky-non-malicious-but-intellectually-inquisitive hacker who could come up with an exploit, but never use it for EVIL.

      Zero-day exploits do tend to suggest someone with specific goals, who has the resources to sit and come up with zero day exploits, and the foresight to target deployment to achieve a goal. It's not behaviour that we stereotypically associate with hackers, but there is no reason it couldn't be one person (or ten or a hundred).

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    2. Re:Hackers can't do it? by IthnkImParanoid · · Score: 5, Funny

      Can they do nothing more than crack the latest version of VirtuaGirl?

      They can do that? Do you know where I can find these guys? I need to, uh, confirm your statement. Solely for scientific purposes, you understand.

      --
      It's nothing but crumpled porno and Ayn Rand.
    3. Re:Hackers can't do it? by theundergroundman · · Score: 2, Insightful

      If a hacker sold an exploit to someone who uses it for corporate espionage, isn't that using his intellectual ability for "evil" as you put it?

    4. Re:Hackers can't do it? by BunnyClaws · · Score: 3, Insightful

      The hackers themselves are probably not committing the corporate espionage. They are merely traders in "Security Tools". They are like arms dealers who sell to warlords. So no, the hackers probably do not pull off the corporate espionage; they just develop the means to do it. Which is probably the smarter thing to do.

      --
      "Anything tastes good if you deep fry it."
    5. Re:Hackers can't do it? by vertinox · · Score: 0, Redundant

      Can they do nothing more than crack the latest version of VirtuaGirl?

      link plz!

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    6. Re:Hackers can't do it? by DigiShaman · · Score: 1

      Hackers for hire are not uncommon in the world of the mafia. Hell, some of them are even well groomed, wearing a suit and tie. Basically, highly educated intellectuals that only give a damn about a phat paycheck.

      --
      Life is not for the lazy.
    7. Re:Hackers can't do it? by Atlantic+Wall · · Score: 1

      Someone please mod the parent up. LOL

      --
      To Hell with the Queen of England!
    8. Re:Hackers can't do it? by gowen · · Score: 5, Funny

      The idea that intellectuals can't be criminals is almost victorian

      Hey! I resent that!

      Love,
      Professor James Moriarty.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    9. Re:Hackers can't do it? by dotoole · · Score: 2, Insightful

      You're missing the point. It's not that the hackers who find these exploits wouldn't use them - it's that they're smart enough NOT to use them. Undocumented exploits are worth their weight in gold for online criminals. Why use the exploit yourself and risk getting caught when you can sell it off to someone else for a tidy sum and let THEM risk getting caught.

    10. Re:Hackers can't do it? by Eric+Damron · · Score: 1

      "The idea that intellectuals can't be criminals is almost victorian."

      True but I don't think the article suggests that. Finding an exploit and then selling it IS "evil" and although IANAL probably illegal. It would take a moron not to realize that the exploit someone pays money for will be used maliciously.

      --
      The race isn't always to the swift... but that's the way to bet!
    11. Re:Hackers can't do it? by Joebert · · Score: 1

      *punches out through DigiShaman's screen, stabs him with a piece of the broken glass*

      Man, it would have been soo much funnier if I didn't get an "excessive bad posting" message & get denied an anonymous post.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    12. Re:Hackers can't do it? by Master+of+Transhuman · · Score: 0, Troll

      Sounds like a lot of Microsoft employees...

      Isn't that one of the criteria for being hired there?

      How do we know half the Microsoft employees aren't Russian (or Italian or Korean or Chinese or Israeli) Mafia infiltrated into Microsoft? They'd fit right in with Bill's corporate culture.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    13. Re:Hackers can't do it? by Master+of+Transhuman · · Score: 1

      By the way, I did a spyware cleaning for a client yesterday (AND have to go back soon because it wasn't entirely effective despite using all the latest anti-trojan/spyware/AV tools) who indeed suggested to me that Microsoft was deliberately creating these things to make another market for itself.

      So, yeah, there are consumers out there who believe that - I'm starting to take the idea seriously.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  4. Why read the article? by Thunderstruck · · Score: 4, Insightful

    Well organized criminals conducting corporate espionage, complex software running international corporations, (hackers/crackers) slipping deviously bugged code into the works for their own nefarious purposes.

    I don't need to RTFA, I can just wait for the movie.

    --
    Trying to use sarcasm in text-based forums does not work.
    1. Re:Why read the article? by Solder+Fumes · · Score: 4, Informative

      You're waiting for Swordfish (2001)?

    2. Re:Why read the article? by GalionTheElf · · Score: 1

      Whoever modded this informative has never seen the movie or just has a really, really sick sense of humour.

      --
      I'm going over here and I don't know why!
    3. Re:Why read the article? by Master+of+Transhuman · · Score: 1

      Great movie.

      Halle Berry tits. John Travolta doing his Scientologist impression. Hugh Jackman humping his computer. Hot blonde giving a blowjob to a hacker trying to penetrate the DoD system. A Finnish hacker named Axel Torvalds. What's not to like?

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  5. okN.xls? by gEvil+(beta) · · Score: 5, Funny

    The Trojan arrives as a Microsoft Excel file attachment to a spoofed e-mail with the following name: "okN.xls."

    Hmm, I guess I should rename my spreadsheet containing a list of Oklahoma natives.

    --
    This guy's the limit!
    1. Re:okN.xls? by Otter · · Score: 1

      It seems like a lot of work to go to and not give the spreadsheet a credible name, unless the hax0rs are targeting camelCase users. Why not use "2007 Budget.xls" or "Vacation days.xls" or "World Cup Pool.xls"?

    2. Re:okN.xls? by Anonymous Coward · · Score: 0

      Or MyPasswords.xls

    3. Re:okN.xls? by Anonymous Coward · · Score: 0

      Because that's how people actually name their files. Plus, when I see "2007 Budget.xls" or "Vacation days.xls" or "World Cup Pool.xls" I don't care about it, but when I see okN.xls I just click on it to see what's in it.

  6. Zero day?!? by ILikeRed · · Score: 5, Funny

    It should really be called the -28 day attack, or something along those lines, since they are coordinating it to fall shortly after Microsoft's retarded "we only fix security once a month" schedule.

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    1. Re:Zero day?!? by Meshach · · Score: 1

      That whole "fix on a schedule" idea seems like a great idea until it is put into practice; then it is exposed to be just as bad as any other "strategy" to patch Microsoft software against every attack.

      One of the pitfalls of MS' popularity is that everything they do is exploited. It seems that no matter what they do someone will take advantage of it and screw their customers.

      --
      "Maybe this world is another planet's hell"
      Aldous Huxley
    2. Re:Zero day?!? by MECC · · Score: 1

      "That whole "fix on a schedule" idea seems like a great idea until it is put into practice"

      It never seemed like a good idea from the start to anyone who has set up and used any linux distro. Release fixes when the problem is fixed, not a month later.

      This problem has nothing to do with MS's pervasiveness, and everything to do with plain old-fashioned incompetence.

      --
      "We are all geniuses when we dream"
      - E.M. Cioran
    3. Re:Zero day?!? by Anonymous Coward · · Score: 0

      Let me get this straight... Microsoft have fixed a bug that a hacker can use to create a zombie army 28 days later?

    4. Re:Zero day?!? by colmore · · Score: 1

      Closed source software doesn't have security problems, they have marketing and public image problems. What do you expect?

      --
      In Capitalist America, bank robs you!
    5. Re:Zero day?!? by KarmaMB84 · · Score: 1

      It's their customers demanding they only release fixes after they've tested and approved them. God only knows how many fixes we may never get because one huge customer has an issue with it and has the lawyers ready to go if they get exploited due to documentation of a flaw. That's probably why we've gotten so many fixes rolled in with other fixes undocumented.

    6. Re:Zero day?!? by darkmeridian · · Score: 1

      You were modded Funny, but that is almost exactly why the zero day exploit debuted when it did. At this moment, Windows is asking me to restart my computer for the update I just installed.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    7. Re:Zero day?!? by ILikeRed · · Score: 1

      I don't think it is funny. I'm surprised that a company of Microsoft's size can get away with treating security this way. And why are their biggest customers not screaming foul (e.g. Ford, Bank of America, Unisys, Dell, US Government)?!?

      --
      I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
  7. NOT TO FEAR! by pcguru19 · · Score: 4, Insightful

    Just upgrade to Windows VISTA (when it's out) and Office 2007 (when it's out) and all of these silly security issues will go away....

    Oh wait, didn't they say that when they released Windows 98, Windows ME, Windows 2000, Windows XP, Windows 2003 Server, Office XP, & Office 2003? HMMMMMMM. This could be a pattern forming.

    --
    STFU & GBTW
    1. Re:NOT TO FEAR! by Opportunist · · Score: 1

      Every time it's all better in the next version. And DRM, don't forget that, and that will make you SO secure against everything you could do against your computer...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:NOT TO FEAR! by Fred_A · · Score: 1

      Hah, I'm glad I stuck with Windows 95. Foiled their marketing department again!

      --
      May contain traces of nut.
      Made from the freshest electrons.
    3. Re:NOT TO FEAR! by naelurec · · Score: 2, Funny

      But Vista is the one! Just think about it..

      1. Built under their "security is top priority" and "trustworthy computing" initiatives.

      2. Microsoft built security focused tools such as .NET .. I'm sure it's used extensively in their flagship operating system and applications.

      3. Given the long development cycle, I'd have to imagine they recoded most of the system and not based it off of their previous code which all has major critical security issues.

      4. I'd have to imagine in the effort to keep the system secure, backwards compatibility is largely sandboxed to not allow this insecure code to infect the integrity of the system.

      5. With the knowledge that most home users (And small business users) ARE THE administrator, I'm sure they are taking special precautions to provide resources to enhance their knowledge of security and maintaining a secure system. With the 10+ gigabyte default install and modern day video capabilities, I'd imagine they have lots of video to get this knowledge out to people.

      6. They have stated it is not only the most secure WINDOWS release ever, but the most secure OPERATING SYSTEM ever. I don't recall this being the case with previous releases. They even attended a blackhat conference (or something) to prove this! It must be true.

      7. For extra precaution, they have high system requirements and excessive annoyances (such as making the simple task of deleting a desktop icon into a 6+ step procedure) to provide a barrier so just not everyone buys it the day it is released. Seems like they have structured it so most people won't get it until at least SP1 or later, which should be great to provide extra time to make it even more secure than the most secure OS ever.

      Based on all of this, I am positive that Microsoft is right and you are wrong. a'Yup..

    4. Re:NOT TO FEAR! by 0xABADC0DA · · Score: 5, Funny

      Actually there's plenty of evidence for a natural cycle of security issues. In the past, millions of years ago, there were far more security issues than there are now. In fact, many scientists disagree over the cause of the recent increase of exploits, whether this is caused by man or whether it is just part of a natural downturn from the last Mini-Secure Age (which incidentally ended when the Irish potato fields were compromised).

      In any case, to presume some kind of pattern from this last decade of operating systems is poor reasoning -- the science just isn't in yet to show any long-term trends. Sure, 7 of the 10 most exploited operating systems have been released in the last decade, but that is not statistically relevant over the million year record of security issues. Certainly taking some kind of preventive action like using Safe Languages is just being alarmist, as is all the liberal scaremongering that "all your base will be pwned" by the end of the century. Think of the economic impact of all those wasted cycles that could be better used doing manual memory management.

      Listen, the computer was here long before Windows, and they'll still be around after Windows is gone. We're overstating our importance to say that mere programmers can destroy the whole computer. Sure, it may be uninhabitable by our software, but eventually random bit-flipping will reset the computer and a new OS will take over. It's evidence of the indisputable intelligent design of computers that they can recover from anything we could possibly run on them.

    5. Re:NOT TO FEAR! by DonJL · · Score: 1

      I guess this is why people upgrade to Linux and Mac systems. Personally, I grew quite tired of the "Patch of the Day" a long time ago.

    6. Re:NOT TO FEAR! by lynx_user_abroad · · Score: 1

      Even if no one else gets it, I do.

      Kudos.

      --
      The thing about things we don't know is we often don't know we don't know them.

    7. Re:NOT TO FEAR! by GnothiSeauton · · Score: 1

      I actually finally broke down and created an account just to applaud your response.

    8. Re:NOT TO FEAR! by ronanbear · · Score: 1

      Clearly, they didn't. It's been modded interesting instead of funny.

      --
      the more they over-think the plumbing the easier it is to stop up the pipe
    9. Re:NOT TO FEAR! by Anonymous Coward · · Score: 0

      Just upgrade to Windows VISTA (when it's out) and Office 2007 (when it's out) and all of these silly security issues will go away....

      Oh wait, didn't they say that when they released Windows 98, Windows ME, Windows 2000, Windows XP, Windows 2003 Server, Office XP, & Office 2003? HMMMMMMM. This could be a pattern forming.

      And that's why I switched to Linux. Yup, secure as can be with my Redhat 3.0. Cause you know I listen to the geeks that say it's so much more secure than windows. No need for patches here, nobody's heard of upgrading or patching applications in linux.

      oh wait a second, the next problem will involve upgrading to release ___ and open office ____ and all of these silly security issues will go away. Oh wait, didn't they say that when they released Redhat __, Mandrake ___, Ubuntu ___, kernel ____, OO ___? This could be a pattern forming.

      /troll off, sorry but you left yourself wide open there. If you think whatever you are sitting in front of now and typing in slashdot isn't going to require a patch or upgrade to resolve a security issue at some point in the future, then you, sir, are most likely not involved in IT, as I have not seen an OS yet that hasn't required a patch, unless you can up your magic OS from fairyland to an FTP for me, cause when I go home my ubuntu was flashing the need for patches when I left for work.

    10. Re:NOT TO FEAR! by G+Morgan · · Score: 1

      "3. Given the long development cycle, I'd have to imagine they recoded most of the system and not based it off of their previous code which all has major critical security issues."

      I'm not sure if you're being sarcastic here, but originally it was meant to be NT code, then they switched, then they decided their head hurt too much and switched primarily back to NT.

      "7. For extra precaution, they have high system requirements and excessive annoyances (such as making the simple task of deleting a desktop icon into a 6+ step procedure) to provide a barrier so just not everyone buys it the day it is released. Seems like they have structured it so most people won't get it until atleast SP1 or later which should be great to provide extra time to make it even more secure then the most secure OS ever."

      At this rate SP1 will be out before Vista anyway.

    11. Re:NOT TO FEAR! by G+Morgan · · Score: 1

      The difference in this case is that OSS systems tend to deal with security issues actively rather than reactively and have never said 'patching this critical vulnerability is too hard so we won't'. They also operate on the basis that security is more important than financial efficiency so patches are released as they are finished.

      Also most OSS systems start with a basis that each application should have as much access as it needs and no more.

    12. Re:NOT TO FEAR! by pcguru19 · · Score: 2, Insightful

      Did you drink the grape Kool-Aid or the cherry Kool-Aid at the education camp? Microsoft will never get past the patching, and they've at least built a process (monthly patches) and tools (WSUS, SMS, Windows Update, etc.) to deal with this reality.

      There's a simple formula to determine how secure and reliable any software is (OS or application). As you add to the total lines of code, regardless of who is writing the code, the opportunities for unexpected errors and security issues grow at a logarithmic scale. I loaded my VISTA DVD and the friggin OS takes 12 GIGs of HDD space. Office 2007 beta is out and its install footprint is larger than Office 2003. As you add complexity and features, you add to the error rate on software, hardware, cars, etc.

      I'm probably showing my age here, but the thing that was bashed into my head when I started programming was that the next version of software should be SMALLER and MORE RELIABLE than the last version. If Microsoft (and plenty of other folks including some of the current LINUX projects) embraced making what they've already tried to build and provide better instead of pushing for something new, we'd be in a hell-of-a-lot-better-shape than we are today.

      As long as we live in the "bigger is better" and "people only buy the next version if there's more features" era of computing, then security and bugs are a fact of life we have to accept. Nobody's saying Microsoft won't try or isn't getting better, but the plain truth is they will never get rid of these issues if the driving force in their organization is to innovate and expand the feature set.

      IMHO, we didn't need to get anything else into MSOffice after 4.1 was released. You could copy & paste, put an excel spreadsheet in a powerpoint presentation, and write a letter. Any Office 4.1 exploits released...ever?

      --
      STFU & GBTW
    13. Re:NOT TO FEAR! by Anonymous Coward · · Score: 0

      Anonymous me again. Yes, your point is correct, they have a different stance on patching for sure, but the post I replied to inferred that MS products were the only ones with a patching cycle at all, which is absolute hogwash; in fact I wouldn't have washed a hog with that. I'm a sysadmin of linux, bsd and windows for a decade and after seeing his post I would have to think that the poster would be dangerous behind the control of a pc of any OS. ALL OS's have a very regular patching cycle; thinking anything but that will have a sooner or later compromised machine. But yes, OSS with so many eyes on it will always have an edge with respect to issuing important patches quickly, but they do have patches, rinse, lather and repeat, keep up to date with the newest version.

    14. Re:NOT TO FEAR! by PAjamian · · Score: 1

      3. Given the long development cycle, I'd have to imagine ...

      4. I'd have to imagine ...

      5. ... I'd imagine ...

      Wow, you have quite an imagination.

      --
      Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
    15. Re:NOT TO FEAR! by Anonymous Coward · · Score: 0

      if only it was possible to mod this +15 funny

  8. They got what they deserved... by HellYeahAutomaton · · Score: 5, Funny

    "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business."

    You can't go running around with a business without a name! Focus groups people, focus...

  9. Corporate espionage ROFL! by Spy+der+Mann · · Score: 1

    Is diffing binaries THAT hard to do? *Rolls eyes*

    1. Re:Corporate espionage ROFL! by richy+freeway · · Score: 3, Funny

      *rolls eyes back*

      I'm sure you'll be needing them.

    2. Re:Corporate espionage ROFL! by Linegod · · Score: 1

      LOL! Man I wish I had mod points today....

      --
      -- I care not for your foolish signatures.
    3. Re:Corporate espionage ROFL! by Anonymous Coward · · Score: 0

      This is a zero-day bug, so there are no binaries to diff: somebody found this bug in an unpatched version of Excel.

      And diffing binaries (using Sabre Security's BinDiff of course) is not completely trivial, either -- take the ADODB bug from two months ago. That was a hard one.

  10. It's part of Microsoft's plan by brian0918 · · Score: 4, Insightful

    "If Criminal orgs are purchasing exploits, why doesn't Microsoft? (it's not like they don't have the money!)"

    Microsoft lets these exploits run free to keep the cattle in line. They need to keep people upgrading and buying the latest versions of their products to keep the cash flowing. If they released a well-written, stable, secure piece of software, what reason would people have to upgrade?

    1. Re:It's part of Microsoft's plan by DragonWriter · · Score: 4, Funny

      If Criminal orgs are purchasing exploits, why doesn't Microsoft?
      <tinfoil>

      Because, through various cutouts to avoid it being traced back to them, it is Microsoft selling the exploits.

      I mean, come on, you ever know Microsoft to pass up such an obvious opportunity to leverage a monopoly in one field (say, Office suites) into a dominant market position in another field (say, exploits for Office suites.)
      </tinfoil>

    2. Re:It's part of Microsoft's plan by WindBourne · · Score: 2, Interesting

      Funny thing is, that in windows the most secure is the stuff that has been around for a good long time and with all patches (while true of all, this seems to be the most true of MS). Every single new release MS says that this is the most secure item, when in reality it is not. All it really is, is a new version with new features that will always contain LOADS of major bugs across all the LOC.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:It's part of Microsoft's plan by Anonymous Coward · · Score: 0

      Just like in the first part of Tomorrow Never Dies.
      "The software is full of holes as requested, sir. The customers will be upgrading for years to come."

    4. Re:It's part of Microsoft's plan by CyDharttha · · Score: 2, Insightful

      I upgrade my free/open source software because new features are added to extend functionality, and to take advantage of ever improving hardware.

    5. Re:It's part of Microsoft's plan by Millenniumman · · Score: 0, Flamebait

      Insightful? This is a completely unsubstantiated claim.

      --
      Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
    6. Re:It's part of Microsoft's plan by dbIII · · Score: 1

      Microsoft lets these exploits run free to keep the cattle in line.

      Forget the concept of there being an active, vindictive conspiracy and consider a simpler approach. Look at Longhorn - how part way in even the new kernel was abandoned and it just ended up being the XP kernel with other bits added on. MS has shown that for business reasons they can't put in the effort and produce something that they can sell to their current customers without having the wide range of exploitable problems they currently have. Apple did manage to make such a drastic change - but it took them many years and their operating system was never seen as their core product anyway.

    7. Re:It's part of Microsoft's plan by CrackerJack9 · · Score: 1

      But why would you think they want you to upgrade, when even the most 'advanced' version is vulnerable?

  11. Well organized criminals by Anonymous Coward · · Score: 1, Funny

    They're very neat people. Not the jolt-can and pizza-box crowd...

    Clean cubicles, every one of em. And well groomed, too.

    When will people learn about MS orifice... oops I mean office.

  12. Just a coincidence? by Anonymous Coward · · Score: 0

    The attack comes only few days after Google announces own spreadsheet...

    1. Re:Just a coincidence? by Anonymous Coward · · Score: 0

      you are a douche

  13. news? by bcrowell · · Score: 4, Interesting

    Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable. Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges. If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

    1. Re:news? by SheeEttin · · Score: 2, Informative

      MS makes it so difficult not to run with administrator privileges

      Actually, it's not that hard. Log in as a limited user, do whatever you need to do, and if you encounter a program that absolutely needs to run as an admin, just right-click > Run as..., enter the admin account name and password, and the program will run under the admin account. I personally haven't made the permanent switch to Linux yet, but I think it's comparable to sudo.

    2. Re:news? by Bert64 · · Score: 2, Interesting

      Users shouldn't need to worry about stupid shit like this.
      End users should be able to open data files (data, not executable files) without fear of being owned. Data files should not have the ability to contain code (with the exception perhaps of rudimentary macros which can only interact with the host program and are sandboxed, like java applets or javascript).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:news? by Anonymous Coward · · Score: 5, Insightful

      If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

      There is no reason why it should have to be that way. In other operating systems and offices, you can open documents to see what's in them without handing over control of the OS to someone. Why should we accept a world in which unsolicited communication is banned? Why can't we allow businesses to expand by making contacts with new, previously unknown people?

      Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.

      No, actually it is not. The most damaging things money wise that can happen to your computer are all available as the user, because if the data is important, the user obviously has to be able to read it. Trashing C:\Windows can always be fixed with a re-install. Uploading outlook.pst and *.xls to some site in Hong Kong can never be undone.

      If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

      No, that is not the solution. Having to spend more on IT is the PROBLEM THIS BUG CREATED, not the solution.

      Like many computer users, windows or linux or mac, you have internalized your work-arounds and broken-system survival strategies to the point that you actually think that's the way things are supposed to work.

    4. Re:news? by 99BottlesOfBeerInMyF · · Score: 1

      Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

      These are carefully crafted messages spoofed to appear to be coming from someone within the company. It is someone they know and it is an Excel spreadsheet, which is data and should not be able to install any software unless Excel is designed for crap (which it is).

      Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.

      Not very much. Without admin they could still send all the useful files somewhere public for them to copy. They need to implement jails or VMs or zones or something and they need to fix their office suite.

      If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users.

      First, it is from someone they know. Second, how do you filter this? They can just change the name and contents of the excel file. You can filter all excel files, but that does serious damage to the business operations in many cases.

      If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

      You are misinformed and badly misjudging this threat.

    5. Re:news? by MarcoAtWork · · Score: 1

      hello? this is a targeted attack, what makes you think that "users are willing to click on an attachment from someone they don't know"? If it's targeted I bet the email was spoofed to appear as if it was sent by somebody working at the company...

      --
      -- the cake is a lie
    6. Re:news? by SaDan · · Score: 1

      You shouldn't even have to do that as a normal end user. I admin Windows networks, and NO ONE gets admin access to their workstations except certain developers. The rest of the office is locked down, and has no problems doing their jobs and running a fairly decent assortment of applications (beyond MS Office).

      Active Directory and group policies are your friend when it comes to a sane working environment under MS. Problem is, by the time you get that all sorted out, the admins are usually insane. ;-)

    7. Re:News? by Anonymous Coward · · Score: 0

      Someone beat you to that idea, and Microsoft has delayed their patch cycle because of that strategy. Therefore the day after is the best.

    8. Re:news? by alshithead · · Score: 1

      But the email address is spoofed. Perhaps it is spoofed as someone they know or an organization they do business with. After all, it is a targeted attack and it wouldn't be too difficult to do a little prior homework to pick email addresses to spoof as.

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    9. Re:news? by Solder+Fumes · · Score: 0

      Data files should not have the ability to contain code

      They don't. That's why viruses exploit buffer overflows and other vulnerabilities. It's not like a document format designer was thinking one day, "I should make this contain executable code!"

    10. Re:News? by Ruvim · · Score: 1

      Nope, have to wait until after the patch cycle. Because what if this new patch actually closes this hole?

    11. Re:news? by Anonymous Coward · · Score: 1, Insightful

      It's not like a document format designer was thinking one day, "I should make this contain executable code!"

      After having to live through dozens of MS Office macro viruses before MS finally turned them off by default, I can tell you, that's exactly what MS developers thought. Fools.

    12. Re:news? by cyber-vandal · · Score: 1

      Which is fine unless one of the programs runs at startup in which case you need to create a shortcut, set that to run with different credentials and then change the registry to point to the shortcut instead of the executable. User-friendly my arse.

    13. Re:news? by KarmaMB84 · · Score: 1

      It has absolutely nothing to do with Microsoft Windows. Complain to the third party author of the *broken* software. Microsoft's stuff has been working fine for a long long time without admin rights. Why can't everyone else?

    14. Re:news? by Anonymous Coward · · Score: 0

      the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know

      Most likely the attachments came from someone they did know. Email addresses can be spoofed; I know, because I'm getting messages from some lame dumbass security firm saying they're bouncing "my" messages. Nope, not mine, didn't come from my machine or my domain. That's how spammers do business, that's how virus writers infect machines.

      And you should educate your users that when in Windows, never EVER open an attachment by clicking it! If someone sends you an MP3, open it with Winamp (NOT Windows Media Player; you can embed a virus in a .wma file, rename it to MP3 (real MP3 files are pure data, WMA files are MS's stupid data-code mix) and WiMP will happily run it).

      You should also educate users what types of files to never open without calling the person who sent it and asking if it's real. Spreadsheets are NOT safe files!

      Whoever came up with macros that could delete data should be frying hamburgers for a living. Whoever invented Active-X should be sent to Gitmo, and whoever decided that a file's extension should be hidden by default should be hanged.

      (Where are the MRCs today? LOTC="sculptor")

    15. Re:news? by Chazmyrr · · Score: 1

      This is not a macro virus. This is a buffer overflow reading the data file.

      Data files shouldn't contain code? What better place to put the code than in the same file as the data it manipulates? A sandbox wouldn't necessarily meet the needs of the business. A sandbox would probably be ok for Word or PowerPoint. Sandboxing Excel macros would be a huge mistake. Some of the most useful and time saving macros in Excel automate the process of gathering data from disparate sources.

    16. Re:news? by LewsTherinKinslayer · · Score: 1

      not that I disparage the rest of your comment, but this particular part leaps out at me:

      There is no reason why it should have to be that way. In other operating systems and offices, you can open documents to see what's in them without handing over control of the OS to someone. Why should we accept a world in which unsolicited communication is banned ?

      why does unsolicited communication (often referred to as SPAM) need to have attachments in the first place? Even if I could securely view an attachment in an unsolicited e-mail, I can't possibly see a reason to WANT to do so. If the e-mail is legitimate (though few of the unsolicited e-mails or IMs I receive ARE), then plaintext or HTML or even just a plain non-script link to a business's or organization's website ought to suffice.

    17. Re:News? by mmalove · · Score: 1

      "Everyone knows that you should not open attachments"

      Unfortunately, not true, any more than saying everyone knows not to follow a link emailed to you that requests you enter your login/password. The unfortunate truth is that the majority of internet users are not /. computer-savvy, security-conscious people. In fact, in the business world, they may not even be conscious...

      I can't wait till Excel 2007 comes out. Not of course for the security system (which will continue to be meaningless as long as dumb Joe leaves the back door unlocked, or the key under the mat), but because you'll be able to have over 1,000,000 rows. Sweet, sweet, data:)

      --
      You can get 15 minutes of fame, but you can go down in history for infamy.
    18. Re:news? by Frightening · · Score: 2, Interesting
      Why can't we allow businesses to expand by making contacts with new, previously unknown people?

      Because that's called MySpace, and look where that got us. Think of the children.
      *raises troll mod shield*
    19. Re:news? by Azghoul · · Score: 1

      You're a contracts guy and you're receiving contracts all day long, sometimes from addresses you're unfamiliar with.

      You're a recruiter (a not very savvy one) and you receive attachments from people you don't know all day long.

      You get "fun stuff" from your friends all the time, and this one just happens to look like some of the others that were okay.......

      Just throwing a few out there. Personally I dislike the entire existence of attachments in emails.

    20. Re:news? by bcrowell · · Score: 1

      These are carefully crafted messages spoofed to appear to be coming from someone within the company.
      So why don't they just implement SPF or DomainKeys internally?

      ...how do you filter this? They can just change the name and contents of the excel file.
      Isn't this exactly the kind of filtering that antivirus software claims it can do? Or they could just set their mail handling software to strip attachments from senders that don't have SPF or DomainKeys.

      I wasn't claiming that this sort of thing wasn't a problem. I was merely saying that it was nothing new. It's the same old threat, caused by the same old problems:

      • MS monoculture in applications
      • MS monoculture in operating systems
      • poor default security settings in Windows
      • poor default security settings in MS applications
      • lack of support among vendors of Windows apps for running their apps as a non-administrator, which makes users run as admin all the time
      • uneducated or careless users
      • lack of widespread adoption of SPF or DomainKeys (although they're particularly lucky here because if they want to block mail with forged internal From: addresses, they only need to implement it internally)
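An added example (written for this page, not code from any poster in the thread) of the internal-only check bcrowell proposes: the gateway accepts a message whose From: header is in the company's own domain only when the connecting host is one the domain's SPF record authorises. Real SPF is evaluated against the envelope sender (MAIL FROM), so applying the same IP-authorisation test to the header From: domain is a local anti-forgery policy rather than SPF as specified; the domain `example.com`, the SPF record, the addresses and the messages are all constructed, and DNS is replaced by a lookup table.

```python
"""Internal anti-forgery check: mail that claims an internal From: address is
accepted only if it arrived from a host the company's own SPF record authorises.

Added example, not from the thread. Real SPF checks the envelope sender; here the
same IP-authorisation test is applied to the header From: domain, which is what
blocking "forged internal From: addresses" at the gateway amounts to. DNS is
replaced by a constructed table; every domain, address and message is constructed.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # constructed

# Constructed stand-in for the DNS TXT lookup an SPF checker would perform.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse a simplified SPF record into (authorised networks, default result).
    Handles ip4:/ip6: mechanisms and the terminal 'all'; include:, a, mx and
    redirect= are out of scope for this example."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    networks, default = [], "neutral"
    for term in terms[1:]:
        if term.startswith(("ip4:", "ip6:")):
            networks.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.endswith("all"):
            default = QUALIFIERS[term[:-3] or "+"]   # bare 'all' means '+all'
    return networks, default


def spf_check(domain, client_ip):
    """SPF-style result for client_ip claiming to send on behalf of domain."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"            # domain publishes no policy
    networks, default = parse_spf(record)
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in networks) else default


def gateway_decision(raw_message, client_ip):
    """Policy for one message: 'deliver', 'deliver-external' or
    'reject-forged-internal'."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        # This rule only covers our own domain; external senders fall through
        # to whatever other filtering the gateway applies.
        return "deliver-external"
    if spf_check(domain, client_ip) == "pass":
        return "deliver"
    return "reject-forged-internal"


# Constructed sample messages.
INTERNAL_MSG = ("From: Alice <alice@example.com>\r\n"
                "To: bob@example.com\r\n"
                "Subject: Q3 figures\r\n\r\nSpreadsheet attached.\r\n")
EXTERNAL_MSG = ("From: Carol <carol@partner.invalid>\r\n"
                "To: bob@example.com\r\n"
                "Subject: Contract\r\n\r\nSee attachment.\r\n")

if __name__ == "__main__":
    for label, msg, ip in (("internal host", INTERNAL_MSG, "192.0.2.10"),
                           ("outside host", INTERNAL_MSG, "203.0.113.5"),
                           ("external sender", EXTERNAL_MSG, "203.0.113.5")):
        print("%-16s %-12s -> %s" % (label, ip, gateway_decision(msg, ip)))
```

Run stand-alone, the same internal From: address is delivered when it arrives from 192.0.2.10 and rejected when it arrives from 203.0.113.5. The `deliver-external` branch is the gap 99BottlesOfBeerInMyF raises in the reply: a message that claims a partner's domain instead is untouched by this rule, so it closes only the spoofed-internal-colleague path.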
    21. Re:news? by 99BottlesOfBeerInMyF · · Score: 1

      So why don't they just implement SPF or DomainKeys internally?

      It takes time and is easily bypassed. The attacker can just find some company or government agency they exchange mail with that does not implement them.

      Isn't this exactly the kind of filtering that antivirus software claims it can do?

      No. They look for particular, automated malware. This is a directed attack that can be customized for the individual target and padded with as much data as needed to conceal it.

      Or they could just set their mail handling software to strip attachments from senders that don't have SPF or DomainKeys.

      What about customers with whom they do business, but who do not sign their mail? It is disruptive to stop all incoming attachments from those partners in many businesses.

      It's the same old threat, caused by the same old problems:

      To some degree, but it is different in that it is being used as an easy directed attack rather than an automated worm.

      lack of support among vendors of Windows apps for running their apps as a non-administrator, which makes users run as admin all the time

      This would not actually make much difference. They can still acquire the files on the machine, even without admin.

      uneducated or careless users

      A user should not have to be afraid to open data from what appears to be someone they know. The application should not be able to run executables. Excel should be sandboxed and should not be able to touch other files or the system. Default mail clients should implement interoperable signing and encryption to confirm identity and maintain the privacy of the data.

    22. Re:news? by Anonymous Coward · · Score: 0
      It's not like a document format designer was thinking one day, "I should make this contain executable code!"

      What planet are you from? Ever heard of Javascript? Excel macros?

      I know it comes as a shock, but it's true: some designers really are that stupid. And millions and millions of people use their products.

    23. Re:news? by bcrowell · · Score: 1

      Default mail clients should implement interoperable signing and encryption to confirm identity and maintain the privacy of the data.
      Try talking to someone who's actually implemented a public-key system with a large number of users. It's very difficult to do properly, and it gets more difficult as the number of users increases. With a large pool of uneducated users, I doubt that it's feasible. There are lots of details involved, such as how to revoke a key that's been compromised. And you have to watch out in case you get what you wish for, because it might not be implemented the way you'd like; it might be implemented with lots of central control, making it easier than ever before for your speech to be monitored and censored. It would be great if we had a different e-mail protocol, it would be great if gpg was used universally, it would be great if Windows and Windows apps were designed with better security in mind. Unfortunately, that's not the case; most corporations seem to have decided that they want to run Windows and Office, despite the risks and costs. Although I'm happy running Linux and BSD, it may be that those corporations have made the right choice: the costs and risks may not be that high, and it may just not be feasible for them to switch to Linux and OpenOffice. Meanwhile, MS may have actually made a rational choice by shipping software that's a security disaster -- since they're a monopoly, they won't gain any market share by improving security.

    24. Re:news? by Anonymous Coward · · Score: 0

      >> If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

      > There is no reason why it should have to be that way. In other operating systems and offices, you can open documents to see what's in them without handing over control of the OS to someone.

      I agreed with most of your reply, but not this. Those other operating systems and offices are just as vulnerable as Microsoft's products are, more than likely even moreso. The reason this is a Microsoft problem is because Microsoft's products are the most widespread -- if whoever was being targeted was running WordPerfect or OpenOffice, I guarantee the attackers would have had no problem finding a bug in that instead.

    25. Re:news? by 99BottlesOfBeerInMyF · · Score: 1

      Try talking to someone who's actually implemented a public-key system with a large number of users. It's very difficult to do properly, and it gets more difficult as the number of users increases. With a large pool of uneducated users, I doubt that it's feasible.

      It's feasible, but it has to start from the other end to really work. That is to say, AOL and Comcast and Microsoft and Apple and several other big players need to agree on a standard first. Then they all need to implement it, by default, in their mail clients, both web based and otherwise. I know implementing it as a single organization trying to communicate with the world is a pain. That is why we need a real standard and buy in from the major players. (Self-signing is just fine.)

      Meanwhile, MS may have actually made a rational choice by shipping software that's a security disaster -- since they're a monopoly, they won't gain any market share by improving security.

      Mostly true, certainly not significant market share versus the cost.

    26. Re:news? by KwKSilver · · Score: 1
      Whoever invented Active-X should be sent to Gitmo, and whoever decided that a file's extension should be hidden by default should be hanged.
      Amen! I always force extensions to be visible for fewer problems with oo-la-la.gif.exe
      --
      If you want your life to be different, live it differently.
    27. Re:News? by Anonymous Coward · · Score: 0

      Excel has more holes..
      Memory exception errors abound when logging off after using Excel to do save-spreadsheet-to-text operations. The holey conversion utils can be strung together, and pasting HTML into Word can be devastating. With NX bits, it is not obvious why memory 'leaks' are not being tested, trapped and fixed. Next do graphs and charts of complex things. So easy to cause memory overlays.

    28. Re:news? by cyber-vandal · · Score: 1

      Why can't I just set the executable to run with admin rights, why do I need to create an extra file?

    29. Re:news? by SheeEttin · · Score: 1

      If you can't get it to work the way you want, why use it at all?

    30. Re:news? by cyber-vandal · · Score: 1

      Because getting World of Warcraft to run on Linux is a fair bit harder than putting up with the aggravations of running Windows on an LUA.

  14. Not a popularity problem by ILikeRed · · Score: 4, Insightful

    It is not a popularity problem - it's a "our marketing and sales departments delegate everything to our engineering and security departments" problem.

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    1. Re:Not a popularity problem by Anonymous Coward · · Score: 0

      Err, didn't you mean that to be the other way around?

    2. Re:Not a popularity problem by Anonymous Coward · · Score: 0

      Verb 2. delegate - give an assignment to (a person) to a post, or assign a task to (a person)

  15. News? by MarkByers · · Score: 4, Insightful

    Everyone knows that you should not open attachments. Word is likely full of 1000s of exploitable holes. Excel too. Plus any other complex program.

    Yes, OpenOffice will be full of holes as well.

    Not news.

    As for attacking just after the patch cycle, it's unlikely to mean anything. If I wanted to take advantage of a vulnerability for as long as possible, I would attack two or three days before the patch cycle. That will give people a couple of days to work out what happened and report the issue to Microsoft. After some initial analysis and prioritisation, a developer will be assigned to fix it. By that time it will have missed the boat for this month's patch day. Not that I would do this though. :)

    --
    I'll probably be modded down for this...
  16. How to protect ourselves? by ponden · · Score: 1

    Do not run the fishy excel files?

    I don't run the suspicious .exe files, but I may run the .xls files even if I don't know the identity of the file.

  17. Typically, the difficulty in prosecuting crackers by mmell · · Score: 2, Insightful
    is that (much like terrorists) there is no formal organization against which to direct your attention. The white-hats are left with trying to find individual crackers, much like the *AA goes after individual file-sharers because there is no centralized target for their wrath.

    In this instance, however, it is being hypothesized that an organized group is responsible. That's a centralized target; likely to yield more than one guy in his basement wearing shorts and a coffee-stained t-shirt, drinking coffee and jolt and living off old pizza.

    So, to CERT (and their international counterparts) I say - "Go get 'em, boys!"

  18. Presumably they could but... by sterno · · Score: 4, Insightful

    The thing is, to be a good hacker, you kinda have to spend a lot of time and energy on hacking. At the end of the day, it's probably easier and equally lucrative to just sell your exploits to other people rather than using them yourself. It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

    --
    This sig has been temporarily disconnected or is no longer in service
    1. Re:Presumably they could but... by mugnyte · · Score: 2, Interesting

      What raises my eyebrows is that hacks like this are a "one shot deal". You can't run an exploit for very long without it getting noticed, then patched. So the charge for these must be pretty high, given that it seems like work for hire.

      So the business background on this exploit is probably far juicier than the exploit itself. The path to contact, payment, motive, etc. are probably a great story. I would certainly read that book.

      Of course, if writing such a book, I would take the XLS information and place it on the market itself, continuing the intrigue. Let's hope it's something dealing with a government, which then topples, effecting more change than someone getting rich. I mean, if writing, write big.

    2. Re:Presumably they could but... by DigiShaman · · Score: 2, Insightful

      It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

      Be careful!!! In the US, you can be charged with being an accessory to a crime.

      --
      Life is not for the lazy.
    3. Re:Presumably they could but... by cowbutt · · Score: 2, Informative
      It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

      Be careful!!! In the US, you can be charged with being an accessory to a crime.

      ...and shortly in the UK also if the government get their way. Or, for that matter, if you create a security testing tool that some copper takes a dislike to.

    4. Re:Presumably they could but... by masterzora · · Score: 2, Insightful
      Can the owner of a gun shop be charged as an accessory if a gun they sold is used in a murder?

      All the cracker has to do is come up with a reasonable way that they could have plausibly sold it without criminal intent (ie they get the actual criminal to agree that the cracker sold it for security testing purposes, not for cracking purposes or something like that).

      --
      Remember, open source is free as in speech, not free as in bear.
    5. Re:Presumably they could but... by FreakTrap · · Score: 1

      "Can the owner of a gun shop be charged as an accessory if a gun they sold is used in a murder?" Yep. If I go to a gun shop and say 'I need a gun, so I can kill someone,' then I am sold a gun, you bet that gun shop owner is an accessory.

    6. Re:Presumably they could but... by masterzora · · Score: 1
      But who ever enters a gun shop and says "I need a gun so I can kill somebody"? They just say "I need a gun".

      Besides, that's what the purpose of the other half of my post was: to enter a situation where the crackers could somewhat plausibly say that they believed the buyer had a plausible reason that was both legal and ethical, such as the situation a gun shop owner is in when he sells a gun.

      --
      Remember, open source is free as in speech, not free as in bear.
  19. Patches Available by GogglesPisano · · Score: 4, Informative

    Patches for this problem available here, here and here.

  20. Unnamed business? by MarkByers · · Score: 4, Funny

    against an unnamed business

    I think they should be more worried that they are the victim of identity theft.

    --
    I'll probably be modded down for this...
  21. stupid by mapkinase · · Score: 4, Funny

    I do not believe that an e-mail spamming attack against a single company can be that effective. A very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mails.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    1. Re:stupid by Anonymous Coward · · Score: 1, Insightful

      I do not believe that an e-mail spamming attack against a single company can be that effective.

      Ever heard of Osirusoft? How about Blue Security more recently? A targeted spamming attack can be pretty damn effective.

      A very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mail.

      This could not be the e-mail users I am used to working with. They'll open anything.

    2. Re:stupid by Anonymous Coward · · Score: 0

      This could not be the e-mail users I am used to working with. They'll open anything.

      I agree. Back when one of the first of this generation's e-mail ZIP file viruses hit (I think it was an early version of Bagle), we sent out a broadcast e-mail to the whole company: "DO NOT OPEN ANY ZIP FILES YOU RECEIVE VIA E-MAIL" about three or four times during the course of the day. At the end of the day, we got a call from one of our engineers (who was otherwise a very intelligent person), who said "I think I've got a virus... I opened this random ZIP file someone sent me."

    3. Re:stupid by 99BottlesOfBeerInMyF · · Score: 1

      I do not believe that an e-mail spamming attack against a single company can be that effective.

      For the previous, Word exploit, they were actually spoofing addresses so it appeared to be coming from an employee.

      A very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mails.

      ...and the fact that most systems are so insecure that users have to avoid viewing data, because it can compromise their machine is just pathetic. Whole generations are trained to work around Window's horrible lack of security. Anyone who claims MS's monopoly hasn't held back progress in the field is a crackhead.

    4. Re:stupid by mapkinase · · Score: 1

      I agree with the "pathetic" assessment, but that is not the point. The point was I do not believe that spammers can successfully spam a single company. Probabilistically, now very few professional people open strange e-mails.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    5. Re:stupid by 99BottlesOfBeerInMyF · · Score: 1

      The point was I do not believe that spammers can successfully spam a single company.

      I think you may be confusing terms. Of course spammers can spam a company, they do it all the time. They can spam them to the point of DDoS. Or do you mean you don't think someone can successfully use this exploit to compromise machines in a given company? If so, you're wrong. They have successfully exploited machines at various companies. They spoof an address from someone at the company and send it to someone else. So no one is opening an e-mail from a stranger. I'd say 90% of companies e-mail excel documents within the company, thus there is nothing strange about it.

    6. Re:stupid by mapkinase · · Score: 1

      I can easily detect with 100% accuracy if the e-mail is not from the person it claims to be from.

      Two use cases:

      1. A colleague with whom I am in regular e-mail exchange. The fact that the e-mail is not from him is easily detectable by style.
      2. A colleague with whom I am not in regular e-mail exchange. They do not exchange e-mails with only general text in them. Usually there are plenty of specific words explaining it. Fewer words, but the same is true for use case number 1.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    7. Re:stupid by 99BottlesOfBeerInMyF · · Score: 1

      A colleague with whom I am in regular e-mail exchange. The fact that the e-mail is not from him is easily detectable by style.

      Does everyone in your company only exchange e-mail with others while encrypted? If not, someone else can grab the packets from the network and reassemble the mail. You know anyone in between can read your e-mail, right? Assuming they just look for e-mails with Excel attachments, they can change a few words and send a second e-mail very similar to the first, even referencing the first. Think, "Here is an excel file for the Herman account, can you get back to me with your revised assessment?" becoming "I made a few changes to this excel file I sent last week for the Herman account, can you get back to me with your assessment?" Heck, they can even make it look like they're replying to your response to the original mail. 90% of people are not going to notice this until it is too late, and even then many won't.

    8. Re:stupid by infosec_spaz · · Score: 0

      Hell...If you are MY manager, you do not open any email at ALL!!

      --
      ----- I have bad karma for a reason! -----
    9. Re:stupid by mapkinase · · Score: 1

      They can. Manually. But not automatically.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    10. Re:stupid by 99BottlesOfBeerInMyF · · Score: 1

      These attacks all seem to be manual, targeting specific companies using info they gathered about those companies to spoof a real e-mail address.

    11. Re:stupid by randyflood · · Score: 1


      Imagine that I am a hacker and that I want to get access to your internal network. Now, there is a firewall between you and me. But, if I spoof some e-mail address from your company and get just a single person to open it, it can connect out of your network back to me and I can then run commands inside your network. For example, I can then download SSH to the machine and set up encrypted tunnels to tunnel further attacks to other machines in the internal network.

      In a targeted attack, the actual percentage of people that open the attachment is irrelevant. All you need is one...

      --
      Randy.Flood@RHCE2B.COM
  22. An Excel exploit? by fotoflojoe · · Score: 5, Funny

    Must be the work of terrorist cells...

    1. Re:An Excel exploit? by Maradine · · Score: 1

      This is going to get our patch management team into a blazing row . . .

      --
      trustedworlds.net - gaming, security, and the gunk that lives in between

    2. Re:An Excel exploit? by grassy_knoll · · Score: 5, Funny

      Would those terrorist cells be in the fifth column? ;)

    3. Re:An Excel exploit? by cain · · Score: 1

      ...which will cause gridlock.

    4. Re:An Excel exploit? by bsartist · · Score: 1

      They're following an age-old formula.

      --
      Lost: Sig, white with black letters. No collar. Reward if found!
  23. Another reason to have an open file format by Bert64 · · Score: 4, Interesting

    With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document...

    You could easily parse the file at your gateway, and validate the xml content against the published schema (rejecting it if it fails), although this wouldn't be foolproof (an exploit could still exist within well formed xml, but is less likely) it would cut out a significant portion of vulnerabilities.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Another reason to have an open file format by insanarchist · · Score: 4, Funny

      Thank god my grandma's already in the habit of validating xml content against schemas or she'd be SOL!

    2. Re:Another reason to have an open file format by 99BottlesOfBeerInMyF · · Score: 1

      With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document...

      ...and with an open standard you could switch your users to an alternate spreadsheet if the problem persists. This vulnerability is only a major concern because of the monoculture. If 25% of users were using OpenOffice, 25% were using MS Office, 25% were using Corel, and 25% were using something else, all to open the same spreadsheet files, this type of vulnerability would cause a lot less concern.

    3. Re:Another reason to have an open file format by Anonymous Coward · · Score: 2, Insightful
      With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document... You could easily parse the file at your gateway, and validate the xml content against the published schema

      So you expect the "malicious code" to be well labeled in the XML stream? ...maybe with XML comments? =P

      Seriously, you can only trap a narrow set of possible exploits this way (ones dealing with XML parser exploits, generally). Scripts/macros/etc. would need to be interpreted to understand if it was utilizing an exploit in the target product (assuming the vulnerability was known). Also, the document can be a valid document, but the organization and composition of elements in the document could be used to exploit a vulnerability.

      I don't think it would net you as much of a benefit as you believe it would.
    4. Re:Another reason to have an open file format by Anonymous Coward · · Score: 0

      With an open file format, scripts, macros, etc. can be removed by the server, tags can be normalized, field lengths can be limited, etc. With MS Office, the server can't do any kind of transformation on the document reliably because the only way to manipulate MS Office files reliably is with Microsoft's software.

    5. Re:Another reason to have an open file format by Anonymous Coward · · Score: 1, Insightful

      Bullcrap, an open format doesn't preclude security problems.

      The closest already widespread format was PDF documents (multiple writers) and there have been plenty of exploits associated with that format, though not as many as Word, Excel, etc.

    6. Re:Another reason to have an open file format by colinrichardday · · Score: 1

      Do you have examples? I've tried Google but "PDF exploit" returns PDF descriptions of exploits, not exploits of PDF.

    7. Re:Another reason to have an open file format by dylan_- · · Score: 1
      I've tried Google but "PDF exploit" returns PDF descriptions of exploits, not exploits of PDF.
      For future reference: using "PDF exploit filetype:html" (without the quotes, obviously) will just return .html files.
      --
      Igor Presnyakov stole my hat
    8. Re:Another reason to have an open file format by colinrichardday · · Score: 1

      Thanks

    9. Re:Another reason to have an open file format by bombshelter13 · · Score: 1

      It would be highly amusing if this were implemented and some blackhat then discovered a way to exploit the testing scheme and take over the gateway.

    10. Re:Another reason to have an open file format by IchBinEinPenguin · · Score: 1

      You could easily parse the file at your gateway, ...

      Unless the file was encrypted, which may not be an unreasonable precaution for something like a financial spreadsheet.

  24. Just in time by Opportunist · · Score: 4, Insightful

    Anyone here thinking it's a coincidence that the exploit goes live JUST after "patch day"?

    I don't want to call the responsible people at MS retards, who thought that patching at one very predetermined day every month is a good idea, but my English is not good enough to come up with a better name for this kind of idea.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Just in time by Bostik · · Score: 1

      Thesaurus to the rescue: imbeciles

      On a more serious note, I'm honestly surprised it has taken this long for this kind of operation to emerge. The very idea of a Patch Day[tm] is to A) appease corporate types who think they understand what "unscheduled downtime" means but are too detached from reality to understand what significance it carries; and B) assume that people outside the company can't discover holes in your software.

      For point B, see first paragraph.

      --
      There is no such thing as good luck. There is only misfortune and its occasional absence.
    2. Re:Just in time by Opportunist · · Score: 1

      For corporate types, see it, too.

      Quite frankly, I do understand why it's more convenient, for both sides, to use a fixed date for patching. But let's be honest here, criminals don't care for your working hours. I could rant and rave and whatnot, for the usual exploit/hack/trojan usually comes JUST in time for weeks when either Tuesday or Thursday is a holiday. Gee, why? 'cause everyone will have taken Monday/Friday off and the unpatched window opens wider.

      You have NO idea what it's like around XMas/New Year if you're not in the biz.

      Of COURSE the malware writers adjust to the patching rhythm. Did anyone expect anything else? That means they have a MONTH of running freely before anyone reacts. A month is a VERY long time in this biz.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  25. Yah, ok... by Secret+Rabbit · · Score: 0, Redundant
    The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

    Yes, because there is no way that the attacker could have come up with the attack him/her-self. It's completely out of the question that this person could have done it alone. Even though we know absolutely nothing about [him/her, them], etc. It certainly makes far more sense to introduce a conspiracy theory. One involving vast crime rings.

    Sure.

    1. Re:Yah, ok... by Trails · · Score: 1

      So we're in agreement!

      The Rand Corporation, in conjunction with the saucer people, under the direction of the reverse vampires, are introducing zero-day Excel exploits!

  26. unnamed business by wombatmobile · · Score: 1

    located in Redmond, WA. The Chief Software Architect of the unnamed business also works a second job and hangs out with world leaders in his spare time, curing cancer.

  27. Impossible to do by Opportunist · · Score: 1

    In the average office, MS-Office documents fly low. Mail is still THE way to transport documents between companies.

    If you now expect your employees not to open MSO documents, you pretty much expect them not to work.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  28. Nah... by Svartalf · · Score: 1

    You had it right the first time...

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  29. HOW!?!!?! by tomstdenis · · Score: 0

    Do you get executable code in a SPREADSHEET!?!

    Seems like another MSFT "feature".

    Tom

    --
    Someday, I'll have a real sig.
    1. Re:HOW!?!!?! by Anonymous Coward · · Score: 0

      I think you were being sarcastic, but for the benefit of people who are legitimately wondering the same thing I say this: you overwrite a buffer and inject proper machine code into it. The vector can be anything. Even an image of you, a video clip, word processor document, favicon.ico, anything... all it takes is a hole which you can exploit.

    2. Re:HOW!?!!?! by mortonda · · Score: 2, Informative

      Do you get executable code in a SPREADSHEET!?!

      Buffer overflows

    3. Re:HOW!?!!?! by dhasenan · · Score: 2, Informative

      Anything beyond basic usage requires a macro language--especially a spreadsheet program. Now, whether the macro language should be allowed to interface with the filesystem is a different matter entirely. I'd say that a user should be given a standard "Overwrite file $FILENAME? yes/no/cancel" dialog whenever a macro tries to overwrite a file; opening or listing the contents of a directory is a bit of a tricky matter, but I don't think many users would miss that feature.

      Now, if the macros were available to an external scripting language like bash or one of the P's, then there would be no reason for the macro language to be able to list or open files, only write to them. Then you'd only have, as the above poster mentioned, buffer overflows and the like.

      If we wanted, we could alter our standard libraries so that, for instance, strcpy does bounds checking. Is there a reason not to?

    4. Re:HOW!?!!?! by cyber-vandal · · Score: 1

      Or alternatively have digitally signed macros and don't allow any non-signed macros to run.

    5. Re:HOW!?!!?! by tomstdenis · · Score: 0, Flamebait

      I realize that, but any half-way competent developer would be bounds checking everything they do. Oh wait... this is $BIGBUSINESS so managers dictate how long a program takes to write...

      I mean it's simple, before you copy or read data you make sure your destination is the right size. It helps not to write spaghetti code too I guess...

      Tom

      --
      Someday, I'll have a real sig.
    6. Re:HOW!?!!?! by darkwind_2427 · · Score: 2, Informative
      HOW!?!!?!...Do you get executable code in a SPREADSHEET!?!
      Actually, M$ uses OLE2 as the binary file format for all its office products. This is actually like its own file system. If you dig around in the files you'll notice there is a lot of padding where you can place whatever you want and M$ office products will not even notice. I'm not sure exactly how this exploit works, but I did some research into the MS03-050 exploit and discovered that the buffer overflow would allow you to execute about as much shellcode as you would want on their computer. That one in particular was a simple matter of malforming the macro header table (changing the input length). No matter how high your security settings are, the code will execute without your knowledge (if you open it).
    7. Re:HOW!?!!?! by mortonda · · Score: 1
      I realize that, but any half-way competent developer would

      Ahh, see, there's the bad assumption. There are a LOT of really bad programmers... nay, that's an insult to those of us who know what we're doing. I don't know what to call them. And they are all over the place, writing "enterprise" software. For more info, read The Daily WTF.
    8. Re:HOW!?!!?! by Opportunist · · Score: 3, Informative

      In this case it isn't a macro, they're using a buffer overflow error in the code that loads and interprets MS-Office files.

      Basically, what happens is that the Office reading routine creates room on the stack for some variable, to hold X bytes. Right behind those X bytes, there is the return address for the subroutine (so the reader subroutine can actually come back to the original program).

      Now, this return address is being overwritten by an address that points into the spreadsheet instead (it's not THAT simple, but that's the general idea behind it). And in that area of the spreadsheet, you don't find spreadsheet data but instead you have executable code. Which is then, of course, executed (because Office thinks it's "his" code).

      Quite simple. And easily avoided (the way to do it can be seen below in another subthread, by a rather good example).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
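
      The overflow described in the comments above (a reader that trusts a length field from the file, as in the MS03-050 macro-header case, and copies into a fixed-size stack buffer) is shown below as an added example. This is editor-written illustration code, not code from the thread, from Excel or from any Microsoft component; the record layout (2-byte type, 2-byte length, payload) and the 64-byte buffer are assumptions chosen for the example. The unchecked reader is the shape of the bug; the checked reader is the fix tomstdenis describes, validating the declared length against both the destination size and the bytes actually present before copying.

```c
/* Added example: a toy "record" reader showing an unchecked length copy
 * beside its bounds-checked version. Not from the original thread or from
 * any real Office file parser. Record layout (an assumption for this
 * example): 2-byte LE type, 2-byte LE length, then `length` payload bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64          /* fixed-size stack destination */

struct rec_hdr {
    uint16_t type;
    uint16_t len;               /* declared payload length: attacker-controlled */
};

static int read_u16le(const uint8_t *p, size_t avail, size_t off, uint16_t *out)
{
    if (off + 2 > avail) return -1;
    *out = (uint16_t)(p[off] | ((uint16_t)p[off + 1] << 8));
    return 0;
}

static int read_hdr(const uint8_t *buf, size_t n, struct rec_hdr *h)
{
    if (read_u16le(buf, n, 0, &h->type) != 0) return -1;
    if (read_u16le(buf, n, 2, &h->len) != 0) return -1;
    return 0;
}

/* VULNERABLE: copies h.len bytes into a 64-byte stack buffer with no check.
 * With h.len > 64 the copy runs past `payload` into whatever follows it on
 * the stack, including the saved return address. Kept for contrast only;
 * never call it on untrusted input. */
int parse_record_unchecked(const uint8_t *buf, size_t n)
{
    struct rec_hdr h;
    char payload[PAYLOAD_MAX];
    if (read_hdr(buf, n, &h) != 0) return -1;
    memcpy(payload, buf + 4, h.len);        /* trusts the declared length */
    return (int)h.len;
}

/* HARDENED: the declared length is checked against the destination capacity
 * and against the bytes actually present before any copy happens.
 * Returns payload length, or -1 (truncated header), -2 (would overflow
 * destination), -3 (claims more payload than the input contains). */
int parse_record_checked(const uint8_t *buf, size_t n, char *out, size_t outsz)
{
    struct rec_hdr h;
    if (read_hdr(buf, n, &h) != 0) return -1;
    if (h.len > outsz) return -2;
    if ((size_t)h.len > n - 4) return -3;   /* n >= 4 here, read_hdr succeeded */
    memcpy(out, buf + 4, h.len);
    return (int)h.len;
}

/* Constructed sample inputs (not captured from any real file). */
int demo_good(void)
{
    const uint8_t rec[] = { 0x01, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
    char out[PAYLOAD_MAX];
    int r = parse_record_checked(rec, sizeof rec, out, sizeof out);
    if (r != 5 || memcmp(out, "hello", 5) != 0) return -99;
    return r;
}

int demo_oversized(void)            /* header claims 65535 bytes of payload */
{
    const uint8_t rec[] = { 0x01, 0x00, 0xFF, 0xFF, 'a', 'b', 'c', 'd' };
    char out[PAYLOAD_MAX];
    return parse_record_checked(rec, sizeof rec, out, sizeof out);
}

int demo_truncated(void)            /* header claims 10 bytes, only 3 present */
{
    const uint8_t rec[] = { 0x02, 0x00, 0x0A, 0x00, 'a', 'b', 'c' };
    char out[PAYLOAD_MAX];
    return parse_record_checked(rec, sizeof rec, out, sizeof out);
}

int demo_bad_header(void)           /* input shorter than the header itself */
{
    const uint8_t rec[] = { 0x01, 0x00, 0x05 };
    char out[PAYLOAD_MAX];
    return parse_record_checked(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    const uint8_t benign[] = { 0x01, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
    printf("unchecked on benign input: %d\n", parse_record_unchecked(benign, sizeof benign));
    printf("checked good=%d oversized=%d truncated=%d bad_header=%d\n",
           demo_good(), demo_oversized(), demo_truncated(), demo_bad_header());
    return 0;
}
```

      The unchecked reader behaves identically to the checked one on well-formed input, which is why this class of bug survives normal testing: only a file with a length field that disagrees with the buffer or with the file's real size exercises the difference.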
    9. Re:HOW!?!!?! by tomstdenis · · Score: 1

      To be fair it's half and half ... well one feeds into another.

      At the beginning "programmers" were hobbyists who learned it because they were interested and took it seriously. But more and more, as things got commoditized, managers looked for people who got things in quicker. And by quicker I mean cut corners. So that in turn bred the generation of really shitty programmers [who often call themselves "developers"].

      Now you got both shitty "coders" and shitty managers who just won't take "it'll be ready when it's ready" as an answer.

      Final result: We the paying customers get shit products.

      Tom

      --
      Someday, I'll have a real sig.
    10. Re:HOW!?!!?! by Anonymous Coward · · Score: 0

      One thing that would help: get a decent machine (e.g. an Athlon64) where the hardware prevents the stack from being executed. That should make hackers' lives more difficult.

    11. Re:HOW!?!!?! by CosmeticLobotamy · · Score: 1

      If we wanted, we could alter our standard libraries so that, for instance, strcpy does bounds checking. Is there a reason not to?

      We did that. It's called strncpy. If you want better than that, you're going to have to make an entirely new language to get it. But if you decide to make this hypothetical language (which I call "Java", but it's kind of a silly name so I don't think it will catch on, but you could abbreviate it to something really catchy like "J2SE"), please try very hard not to make it so simple applications take up 40 megs of memory. That would suck.
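
      One caveat a practitioner would want next to the strncpy remark: strncpy writes no terminating NUL when the source has as many characters as the destination or more, so a later strlen/printf on that buffer reads past it. The block below is an added example written for this page, not code from the thread; the 8-byte NAME_MAX buffer and the sample strings are constructed for the demonstration. It checks whether strncpy left a terminator, and shows a bounded copy that always terminates and reports truncation.

```c
/* Added example: strncpy's missing-NUL edge case beside a bounded copy that
 * always terminates. Editor-written; not from the original thread. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8      /* small on purpose so the edge case is easy to hit */

/* Copies with strncpy and reports whether dst ended up NUL-terminated
 * inside the buffer (1) or not (0). When strlen(src) >= dstsz, strncpy
 * fills every byte and writes no terminator. */
int copy_with_strncpy(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Bounded copy: always NUL-terminates. Returns 0 on a full copy,
 * 1 if the source was truncated to fit, -1 if dst has no room at all. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);            /* includes the terminator */
    return 0;
}

/* Constructed inputs for the demonstration. */
int demo_strncpy_short(void)            /* "bob" fits: terminated */
{
    char b[NAME_MAX];
    return copy_with_strncpy(b, sizeof b, "bob");
}

int demo_strncpy_long(void)             /* 11 chars into 8 bytes: no NUL */
{
    char b[NAME_MAX];
    return copy_with_strncpy(b, sizeof b, "spreadsheet");
}

int demo_bounded_long(void)             /* truncated to "spreads", terminated */
{
    char b[NAME_MAX];
    int r = copy_bounded(b, sizeof b, "spreadsheet");
    return (r == 1 && strcmp(b, "spreads") == 0) ? 1 : -1;
}

int demo_bounded_short(void)            /* full copy, terminated */
{
    char b[NAME_MAX];
    int r = copy_bounded(b, sizeof b, "bob");
    return (r == 0 && strcmp(b, "bob") == 0) ? 0 : -1;
}

int main(void)
{
    printf("strncpy short terminated=%d, long terminated=%d\n",
           demo_strncpy_short(), demo_strncpy_long());
    printf("bounded long=%d (1 means truncated), bounded short=%d\n",
           demo_bounded_long(), demo_bounded_short());
    return 0;
}
```

      The long-input strncpy case is the one that bites: the copy itself stays inside the buffer, but the missing terminator turns the next string operation on it into an out-of-bounds read.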

    12. Re:HOW!?!!?! by Opportunist · · Score: 1

      I somewhat doubt that this would help. The stack by itself is not executed. You only pop the return address from the stack, which is the standard routine for subroutine return code handling in i80x86 machines (and most other stack based microprocessors).

      Even if the A64 used a different subroutine handling mechanism, it would have to be compatible with the "normal" way in i80x86 machines. Since return address manipulation is not so unheard of in "normal" programs (executable packers, code obfuscation schemes and copy protections make heavy use of it), the A64 would have to behave "normally" or it could not execute such code either.

      And the normal behaviour is unfortunately to not check where that return address points to.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  30. Bye by Mateo_LeFou · · Score: 1

    Between this stuff, WGA, and just general principle I'm not sure I'll ever boot XP again. Just gotta figure out how to run Party Poker on Lx...

    --
    My turnips listen for the soft cry of your love
  31. Re:It's part of Microsoft's plan - MOD PARENT UP! by iamcf13 · · Score: 2, Informative
    I heartily agree!

    But 'backwards compatibility' made Windows the (in)famous clusterfsck it is.

    Imagine how stable and secure Windows would be if Microsoft rewrote and streamlined it (goodbye .dll hell!) and the apps that they put out that use it from the ground up to avoid all the exploits and what not like this programmer (.chm) does... (His Win32 OpenSSL 'repack' was very useful to me on a past project. Here is his 'about me' page. Just on the strength of the blockquote below, I know this guy knows what he is doing and deserves any work/support you can send his way....)

    There is more to life than 'just making a buck', but when this is done at the corporate level, it transforms everybody it touches into seen-it-all, done-it-all cynics who keep their funds close to them, part with them only when necessary (food/clothing/shelter/heat/lights/vehicle fuel and maintenance/public transport fares/occasional recreational spending) and do anything they can to escape its clutches (i.e. use adblock when online, and A/V devices capable of 'adskipping').

    (I 'posted' the text below in an earlier comment here but I can't find the link to it right away. Note, I'm not a shill for this guy, just an admirer of simple, elegant, secure C program code that I can learn from and use in future projects.... It would be nice if the following, complete text was on a standard webpage instead of being embedded in a compiled HTML file (.chm) =/ )

    Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?

    [snip]

    Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in:

    // Include necessary headers to compile
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   // strcpy lives here; needed for this to compile cleanly

    // Start of the "main" function - used to tell the OS where
    // to start processing source code.
    int main(int argc, char **argv)
    {
        // Tells the computer to create 256 places in memory _on the stack_ for storage.
        char str[256];

        // This just tells the user how to use the program.
        // Not really important, but useful.
        if (argc < 2)
        {
            printf("Syntax: BadProgram TypeInAReallyLongString");
            exit(1);
        }

        // This copies the data the _user_ specified into str.
        // No bounds check: an argument longer than 255 bytes overflows str
        // (deliberately so; this is the stack overflow the text is describing).
        strcpy(str, argv[1]);

        // This prints the contents of str.
        printf("%s\n", str);

        return 0;
    }

    (For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).

    The example above is ext

  32. Employ the hackers (fight fire with fire) by JakeChance · · Score: 2, Interesting

    Why doesn't anyone employ these hackers to attack spam companies. It would be using one destructive web force against an annoying one, after all, I'm sure they get spam too. The enemy of my enemy is my friend.

  33. Parent is +5 Insightfull, how? by iBod · · Score: 0, Troll

    Oh boy! Sure!

    Do you really think there is a little department at Redmond that is in charge of 'exploits running free'?

    Honestly. Sometimes I think slashdotters should get their fucking heads out of their assholes and smell the fresh air!

  34. That's how it's done by fm6 · · Score: 2, Insightful
    They work on a schedule because that's the only way you can do a software project of any size. It's not like a flaw pops up once in a while, and they pull a programmer off his regular chores to write a patch. This is a large number of patches getting released over a long period of time. To create, test, and deploy software on that scale, you need a large team of programmers, together with project managers, QA folk, integrators, web deployment people, and technical writers. That kind of org cannot work on an ad-hoc basis.

    Microsoft's fuckup is not in choosing to release their patches on a scheduled basis. They really had no choice in the matter. Their fuckup is in letting their security situation get so bad, they had to produce a large number of patches every month.

    1. Re:That's how it's done by ILikeRed · · Score: 1
      1. Regardless of how often Microsoft has said otherwise in court, they do not make one product
      2. Other software firms of similar size do release security patches as needed. And not just Redhat, but IBM, Sun, Novell.... Granted, doing so means you cannot hide other "upgrades" in "security" packages, but it really is the best thing for the end user.
      --
      I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    2. Re:That's how it's done by fm6 · · Score: 1
      Regardless of how often Microsoft has said otherwise in court, they do not make one product
      And that is relevant to this discussion because...
      Other software firms of similar size do release security patches as needed.
      No software firm has ever needed to release as many security patches as Microsoft has.

      I actually work for Sun. If you told our software people that they had to release dozens of patches per year, and do it without a scheduled software cycle, they'd laugh in your face.

    3. Re:That's how it's done by Master+of+Transhuman · · Score: 2, Insightful


      No, that's BILL'S excuse - "It doesn't make me any money, so we're not doing it."

      If you think about it, it doesn't matter if the number of patches per month is large or small. It's just a matter of having enough people to deal with ALL of them, on a pipeline where it ends up in a security patch download on Microsoft Update.

      The problem for BILL is the number of people he has to pull off his "upgrade" and "new" products like Vista - which DO make him money - to the problem of security which does NOT make him any money.

      It's that simple. It always has been and always will be - which is why Microsoft Windows will NEVER be secure.

      Note that most other companies do what's necessary to issue patches when the fix is done. Microsoft doesn't, solely and entirely because of Bill Gates' attitudes about money.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:That's how it's done by fm6 · · Score: 1
      If you think about it, it doesn't matter if the number of patches per month is large or small. It's just a matter of having enough people to deal with ALL of them, on a pipeline where it ends up in a security patch download on Microsoft Update.
      Yeah, that's fine if you don't test your patches, document them, worry about creating new security holes, and not producing a new patch that doesn't undo the work of old ones.
    5. Re:That's how it's done by Anonymous Coward · · Score: 0

      That's probably why 4000 Sun employees have been shown the door.

    6. Re:That's how it's done by ILikeRed · · Score: 1
      fm6:
      And that is relevant to this discussion because...
      I thought this:
      fm6:
      They work on a schedule because that's the only way you can do a software project of any size[SNIP]
      implied that Microsoft was forced to put out patches this (nonstandard) way because of the size of their offering. Guess I misunderstood your posting.

      fm6:
      I actually work for Sun.[SNIP]

      You're a Solaris programmer? Manager? I haven't run or administered Sun systems for a few years now, but that is certainly not how I remember them releasing security updates. When did you guys change practices? That should be some interesting conversations at the next USENIX meeting. I would like some more info on when they went to this model if you have it - was it before or after Microsoft decided to do so?

      --
      I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    7. Re:That's how it's done by fm6 · · Score: 1
      I don't work on Solaris, and I'm just a lowly tech writer. But you're right, nobody at Sun releases patches on a schedule. That's beside the point. I'll say it for the third and last time: Microsoft has to use a production cycle because that's the only way they can create and deploy the ungodly number of patches that are necessary to fix all the security holes they've managed to create.

      If Sun's programmers had to release that many security patches, they'd have to do it on a cycle too. (Assuming they didn't just shoot themselves.) They don't do it on a cycle because they don't do that many security patches because they've never screwed up to the point where it was necessary.

    8. Re:That's how it's done by turbidostato · · Score: 1

      "Microsoft has to use a production cycle because that's the only way they can create and deploy the ungodly number of patches that are necessary to fix all the security holes they've managed to create."

      The problem is not here. Nobody doubts that.

      The problem is between the "need to use a production cycle" and the "need to publish only on certain dates" relationship. The problem is that there's no such a relationship.

      The decision about releasing bugfixes on a given day of the month is not due to engineering practices, nor has it anything to do with the bugfix production cycle. It's nothing but a marketing decision.

    9. Re:That's how it's done by fm6 · · Score: 1

      So creating the patches on a schedule is just software engineering, but releasing it on the same schedule is a marketing decision? What are they supposed to do, take random days off?

    10. Re:That's how it's done by Anonymous Coward · · Score: 0

      I'll say it for the third and last time: Microsoft has to use a production cycle because that's the only way they can create and deploy the ungodly number of patches that are necessary to fix all the security holes they've managed to create.

      If Sun's programmers had to release that many security patches, they'd have to do it on a cycle too. (Assuming they didn't just shoot themselves.) They don't do it on a cycle because they don't do that many security patches because they've never screwed up to the point where it was necessary.


      Solaris Patch Report Updates as of Jun/16/2006:

      http://patches.sun.com/reports/2.5.1_patch_report
      http://patches.sun.com/reports/2.6_patch_report
      http://patches.sun.com/reports/7_patch_report
      http://patches.sun.com/reports/8_patch_report
      http://patches.sun.com/reports/9_patch_report
      http://patches.sun.com/reports/10_patch_report

      Solaris 2.5.1: 243 patches, 2,098 bugs.
      Solaris 2.6: 270 patches, 3,280 bugs.
      Solaris 7: 309 patches, 3,157 bugs.
      Solaris 8: 582 patches, 9,126 bugs.
      Solaris 9: 493 patches, 5,849 bugs.
      Solaris 10: 319 patches, 3,311 bugs.

      First patch I see is for the 1st June 1994 and the last I see is for 16th June 2006. That's 2,216 patches addressing 26,821 bugs in 4,398 days.

      A patch every 2 days and a bug addressed every 4 hours.

      572 of those patches are security related. Meaning that Sun releases a security patch almost every week.

      Microsoft might be worse than that, but Sun are still releasing a crap load of patches.

    11. Re:That's how it's done by turbidostato · · Score: 1

      "What are they supposed to do, take random days off?"

      Random? Why random?

      No: they can publish on a very precise date: ie. the day it's done.

      On the other hand,

      "So creating the patches on a schedule is just software engineering"

      Where, oh, where did I say "on schedule" (or *you*, for that matter)? Let's recall it:

      "Microsoft has to use a production cycle..."

      So "use a production cycle" means "creating patches on schedule" now?
      No: "use a production cycle" means, oh wonders, use a "production cycle", so some steps are guaranteed to happen one after the other once certain conditions are met. It can include specific dates... or not.

      So Microsoft's current publication procedures include a step in terms like "publicly release on next month's first thursday, once the bugfix is ready"*1. What's the technical need for this? What's the technical difference between previous sentence and this one: "publicly release next day at 12:00UTC, once the bugfix is ready"?

      None, as, by the way, is clearly demonstrated by the fact that exactly the same technical achievements can be met by releasing "out of fixed dates", just like anybody else in the software industry is currently doing, and even Microsoft was doing until about a year ago (of course, that doesn't mean that those other companies don't have in place their very specific production cycles too).

      *1 And even then, it's not so simple. Some USA government agencies and VIP clients get those patches on a privileged basis, some time before all the other people.

  35. Pride by hackwrench · · Score: 1

    It would be embarrassing for Microsoft to come to terms with the fact that they are, in fact, able to purchase these exploits when their own people, in possession of the source code and staring at it day in and day out, cannot find them.

  36. Long term, that is a losing strategy by brokeninside · · Score: 1

    You're basically arguing that Microsoft should subsidize the discovery of security flaws. In an academic setting, this would probably be a good thing, with the end result being a better understanding of the information technology industry. But if Microsoft is buying from black hats, then rather than subsidizing research that makes everyone more secure, Microsoft is essentially subsidizing 0-day exploits.

    1. Re:Long term, that is a losing strategy by dave562 · · Score: 2, Insightful
      It is a great suggestion that Microsoft purchase information about their operating system from wherever it is available. It has been proven time and time again that Microsoft employees aren't capable of patching their operating system and updating their code. It has been implied that their management culture is so completely screwed up that they are never going to get anything accomplished in any sort of reasonable time frame. If I were in charge of personnel at Microsoft I would go out and recruit every user who contributes to any of the hacker sites in any sort of reasonable way, give them six figures a year, and set them loose on the source code for Windows and the various key applications. For the most part the people who are breaking Microsoft software are doing it for the thrill and challenge of it... and they aren't making much money doing it. If you were to wave six figures at some guy who can barely afford to keep his Honda Civic running and the Mountain Dew supply in the fridge stocked, he'd probably jump at the offer.

      Of course, such a thing will never happen. Sooner or later the OSS community is going to catch up, they are going to come up with an Exchange killer, and they are going to come up with an accounting package to rival the likes of Platinum / Sage / AccPac for the SMB market, and then Microsoft is going to be in serious trouble. However, until the OSS world gets the necessary applications to slay the dragon with, we're stuck with Microsoft for the foreseeable future.

  37. TEH funnay! by Anonymous Coward · · Score: 0

    Go listen to Edwyn Collins. That's some patch for you.

  38. in other news.. by Intangion · · Score: 0, Flamebait

    the sky is blue!
    water is wet!

    these microsoft is being exploited again articles get kinda funny when you see one every few days
    and a critical one every 1-3 weeks
    cant even go a month without major exploits on windows

    its either a sign of completely lousy untrustable crap code, or that they are purposely leaving backdoors in there for some evil purpose ;) and hackers are getting better at finding them now

    *hugs ubuntu*

  39. Funny::Bullshit by ElitistWhiner · · Score: 1

    /. is quickly becoming a verb, irrelevant. They have a hot story about a security flaw, targeted attack and economic damage to one corporation without a trace of realism anywhere to be found. Not in the lead-in story, comments, or even in the interface. Yeah, this wiz-bang 2 week old upgrade that managed to only change the window dressing. At least, the very least, a competent UI designer would have added a "drop down" menu to the UI.

    New drop down UI:
    No Bullshit = no :: 5 "Funny", 5 "First P0st", 5 "TinHat", etc...
    Just Laughs = "Funny"

    Hackers, the good ones, can earn a decent living playing both sides of the game. A cheesy salary on the inside and much more lucrative compensation from the outside. An organized distribution of hackers, not necessarily organized consciously by hackers, but by an outside interest, is a growing threat to corporate interests.

    One company does not an economic threat make, but one product does an Industry take down. And really, that is all they have to accomplish - one Industry; at a time.

    It looks like Slashdot.org is the first. If the cheesy new UI is any indication.

    1. Re:Funny::Bullshit by not_hylas(+) · · Score: 1

      "Hackers, the good ones, can earn a decent living playing both sides of the game. A cheesy salary on the inside and much more lucrative compensation from the outside. An organized distribution of hackers, not necessarily organized consciously by hackers, but by an outside interest, is a growing threat to corporate interests."

      Yes.
      Forgetting this whole thread above, Slashdot and its mindlessness - the keywords here are "not necessarily organized consciously" and "outside interest(s)".
      You sir, have hit the nail squarely.
      Some continue to "whistle through the graveyard" and others just hope it's "just their imagination"; unlike most of these commenters, at least the former sense something.
      Think reserved APIs, and *legal* hardware calls and parse accordingly.

      Start here for the first clue, SCREAM accordingly.

      http://www.securityfocus.com/columnists/402

      Not just ALL your base. :-)

      --
      ~hylas
  40. and you're missing the point by BitterAndDrunk · · Score: 1

    It's not a strange email - it's from someone in your company with a spreadsheet attachment. Worms are sophisticated these days.

    --
    You better watch out, there may be dogs about . . .
  41. Always with the buffer overflows... by GungaDan · · Score: 1

    The obvious solution is to get rid of the buffers. I suggest replacing them with fluffers. And retaining production rights to the movie based on resulting fluffer overflows. Profits would snowball!

    --
    Eloi are stupid, throw morlocks at them!
  42. Maybe CNN is the Targeted Company by cybrzndane · · Score: 1

    Their site is down right now. ;-) http://cnn.com/

  43. Oh what a wonderful world THAT would be! by The_REAL_DZA · · Score: 1
    "it's a "our marketing and sales departments delegate everything to our engineering and security departments" problem."

    Sounds like a DREAMLAND to me! Almost everywhere I've ever worked, Marketing & Sales acted like they were Engineering and/or Security; dreaming up new products/features/services/abilities/laws of physics/superpowers/etc. and making surprise announcements to the CEO and other VIPs:

    "Yes SIR! And if you think that's nifty, the "web version" will be out next month!"

    ...while the developers' jaws all hit the floor...
    --


    This space intentionally left (almost) blank.
  44. You know what they say... by Valdrax · · Score: 1

    If you ban exploits, then only the criminals will have exploits.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  45. When I see rubbish like this by Trogre · · Score: 1

    it makes me just a little more glad that I've already migrated nearly all my clients to OpenOffice.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  46. Re:Typically, the difficulty in prosecuting cracke by R3d+M3rcury · · Score: 1

    Agreed. "Bring 'em on!"

    Oops. That might be a mistake.