Slashdot Mirror


Microsoft Confirms Excel Zero-Day Attack

Guglio writes "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business. The latest zero-day attack comes just two days after Patch Tuesday (coincidence?) and less than a month after a very similar, 'super, super targeted attack' against business interests overseas. The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."

55 of 199 comments

  1. Hackers can't do it? by brian0918 · · Score: 4, Funny

    "...suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."

    Are you implying that hackers don't have the wherewithal to pull off corporate espionage? Can they do nothing more than crack the latest version of VirtuaGirl?

    1. Re:Hackers can't do it? by SatanicPuppy · · Score: 4, Insightful

      Yea, nice way to jump to conclusions. The idea that intellectuals can't be criminals is almost Victorian. Or maybe they fell for the stereotype of the happy-go-lucky-non-malicious-but-intellectually-inquisitive hacker who could come up with an exploit, but never use it for EVIL.

      Zero-day exploits do tend to suggest someone with specific goals, who has the resources to sit and come up with zero day exploits, and the foresight to target deployment to achieve a goal. It's not behaviour that we stereotypically associate with hackers, but there is no reason it couldn't be one person (or ten or a hundred).

      --
      ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    2. Re:Hackers can't do it? by IthnkImParanoid · · Score: 5, Funny

      Can they do nothing more than crack the latest version of VirtuaGirl?

      They can do that? Do you know where I can find these guys? I need to, uh, confirm your statement. Solely for scientific purposes, you understand.

      --
      It's nothing but crumpled porno and Ayn Rand.
    3. Re:Hackers can't do it? by theundergroundman · · Score: 2, Insightful

      If a hacker sold an exploit to someone who uses it for corporate espionage, isn't that using his intellectual ability for "evil" as you put it?

    4. Re:Hackers can't do it? by BunnyClaws · · Score: 3, Insightful

      The hackers themselves are probably not committing the corporate espionage. They are merely traders in "Security Tools". They are like arms dealers who sell to warlords. So no, the hackers probably do not pull off the corporate espionage, they just develop the means to do it. Which is probably the smarter thing to do.

      --
      "Anything tastes good if you deep fry it."
    5. Re:Hackers can't do it? by gowen · · Score: 5, Funny
      The idea that intellectuals can't be criminals is almost victorian

      Hey! I resent that!

      Love,
      Professor James Moriarty.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    6. Re:Hackers can't do it? by dotoole · · Score: 2, Insightful

      You're missing the point. It's not that the hackers who find these exploits wouldn't use them - it's that they're smart enough NOT to use them. Undocumented exploits are worth their weight in gold for online criminals. Why use the exploit yourself and risk getting caught when you can sell it off to someone else for a tidy sum and let THEM risk getting caught.

  2. Why read the article? by Thunderstruck · · Score: 4, Insightful

    Well organized criminals conducting corporate espionage, complex software running international corporations, (hackers/crackers) slipping deviously bugged code into the works for their own nefarious purposes.

    I don't need to RTFA, I can just wait for the movie.

    --
    Trying to use sarcasm in text-based forums does not work.
    1. Re:Why read the article? by Solder+Fumes · · Score: 4, Informative

      You're waiting for Swordfish (2001)?

  3. okN.xls? by gEvil+(beta) · · Score: 5, Funny

    The Trojan arrives as a Microsoft Excel file attachment to a spoofed e-mail with the following name: "okN.xls."

    Hmm, I guess I should rename my spreadsheet containing a list of Oklahoma natives.

    --
    This guy's the limit!
  4. Zero day?!? by ILikeRed · · Score: 5, Funny

    It should really be called the -28 day attack, or something along those lines, since they are coordinating it to fall shortly after Microsoft's retarded "we only fix security once a month" schedule.

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
  5. Re:unnamed business by Anonymous Coward · · Score: 3, Funny
    Yes.

    Think about it. It's a company that relies upon Excel. That means it's full of PHBs who keep using Excel to do everything from track projects to design reports.

    It's your employer. Yep. That's right. I checked your IP address, I see who you're working for. Your employer works exactly as I describe.

  6. NOT TO FEAR! by pcguru19 · · Score: 4, Insightful

    Just upgrade to Windows VISTA (when it's out) and Office 2007 (when it's out) and all of these silly security issues will go away....

    Oh wait, didn't they say that when they released Windows 98, Windows ME, Windows 2000, Windows XP, Windows 2003 Server, Office XP, & Office 2003? HMMMMMMM. This could be a pattern forming.

    --
    STFU & GBTW
    1. Re:NOT TO FEAR! by naelurec · · Score: 2, Funny

      But Vista is the one! Just think about it..

      1. Built under their "security is top priority" and "trustworthy computing" initiatives.

      2. Microsoft built security focused tools such as .NET .. I'm sure it's used extensively in their flagship operating system and applications.

      3. Given the long development cycle, I'd have to imagine they recoded most of the system and not based it off of their previous code which all has major critical security issues.

      4. I'd have to imagine in the effort to keep the system secure, backwards compatibility is largely sandboxed to not allow this insecure code to infect the integrity of the system.

      5. With the knowledge that most home users (and small business users) ARE THE administrator, I'm sure they are taking special precautions to provide resources to enhance their knowledge of security and maintaining a secure system. With the 10+ gigabyte default install and modern day video capabilities, I'd imagine they have lots of video to get this knowledge out to people.

      6. They have stated it is not only the most secure WINDOWS release ever, but the most secure OPERATING SYSTEM ever. I don't recall this being the case with previous releases. They even attended a blackhat conference (or something) to prove this! It must be true.

      7. For extra precaution, they have high system requirements and excessive annoyances (such as making the simple task of deleting a desktop icon into a 6+ step procedure) to provide a barrier so just not everyone buys it the day it is released. Seems like they have structured it so most people won't get it until at least SP1 or later which should be great to provide extra time to make it even more secure than the most secure OS ever.

      Based on all of this. I am positive that Microsoft is right and you are wrong. a'Yup..

    2. Re:NOT TO FEAR! by 0xABADC0DA · · Score: 5, Funny

      Actually there's plenty of evidence for a natural cycle of security issues. In the past, millions of years ago, there were far more security issues than there are now. In fact, many scientists disagree over the cause of the recent increase of exploits, whether this is caused by man or whether it is just part of a natural downturn from the last Mini-Secure Age (which incidentally ended when the Irish potato fields were compromised).

      In any case to presume some kind of pattern from this last decade of operating systems is poor reasoning --the science just isn't in yet to show any long-term trends. Sure, 7 of the 10 most exploited operating systems have been released in the last decade, but that is not statistically relevant over the million year record of security issues. Certainly taking some kind of preventive action like using Safe Languages is just being alarmist as is all the liberal scaremongering that "all your base will be pwned" by the end of the century. Think of the economic impact of all those wasted cycles that could be better used doing manual memory management.

      Listen, the computer was here long before Windows, and they'll still be around after Windows is gone. We're overstating our importance to say that mere programmers can destroy the whole computer. Sure, it may be uninhabitable by our software but eventually random bit-flipping will reset the computer and a new OS will take over. It's evidence of the indisputable intelligent design of computers that they can recover from anything we could possibly run on them.

    3. Re:NOT TO FEAR! by pcguru19 · · Score: 2, Insightful

      Did you drink the grape Kool-aide or the cherry Kool-aide at the education camp? Microsoft will never get past the patching and they've at least built a process (monthly patches) and tools (WSUS, SMS, Windows Update, etc.) to deal with this reality.

      There's a simple formula to determine how secure and reliable any software is (OS or application). As you add to the total lines of code, regardless of who is writing the code, the opportunities for unexpected errors and security issues grow at a logarithmic scale. I loaded my VISTA DVD and the friggin OS takes 12 GIGs of HDD space. Office 2007 beta is out and its install footprint is larger than Office 2003. As you add complexity and features, you add to the error rate on software, hardware, cars, etc.

      I'm probably showing my age here, but the thing that was bashed into my head when I started programming was that the next version of software should be SMALLER and MORE RELIABLE than the last version. If Microsoft (and plenty of other folks including some of the current LINUX projects) embraced making what they've already tried to build and provide better instead of pushing for something new, we'd be in a hell-of-a-lot-better-shape than we are today.

      As long as we live in the "bigger is better" and "people only buy the next version if there's more features" era of computing, then security and bugs are a fact of life we have to accept. Nobody's saying Microsoft won't try or isn't getting better, but the plain truth is they will never get rid of these issues if the driving force in their organization is to innovate and expand the feature set.

      IMHO, we didn't need to get anything else into MSOffice after 4.1 was released. You could copy & paste, put an excel spreadsheet in a powerpoint presentation, and write a letter. Any Office 4.1 exploits released...ever?

      --
      STFU & GBTW
  7. They got what they deserved... by HellYeahAutomaton · · Score: 5, Funny
    "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business."

    You can't go running around with a business without a name! Focus groups people, focus...

  8. It's part of Microsoft's plan by brian0918 · · Score: 4, Insightful

    "If Criminal orgs are purchasing exploits, why doesn't Microsoft? (it's not like the don't have the money!)"

    Microsoft lets these exploits run free to keep the cattle in line. They need to keep people upgrading and buying the latest versions of their products to keep the cash flowing. If they released a well-written, stable, secure piece of software, what reason would people have to upgrade?

    1. Re:It's part of Microsoft's plan by DragonWriter · · Score: 4, Funny
      If Criminal orgs are purchasing exploits, why doesn't Microsoft?
      <tinfoil>

      Because, through various cutouts to avoid it being traced back to them, it is Microsoft selling the exploits.

      I mean, come on, you ever know Microsoft to pass up such an obvious opportunity to leverage a monopoly in one field (say, Office suites) into a dominant market position in another field (say, exploits for Office suites.)
      </tinfoil>

    2. Re:It's part of Microsoft's plan by WindBourne · · Score: 2, Interesting

      Funny thing is, that in Windows the most secure is the stuff that has been around for a good long time and with all patches (while true of all, this seems to be the most true of MS). Every single new release MS says that this is the most secure item, when in reality it is not. All it really is, is a new version with new features that will always contain LOADS of major bugs across all the LOC.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:It's part of Microsoft's plan by CyDharttha · · Score: 2, Insightful

      I upgrade my free/open source software because new features are added to extend functionality, and to take advantage of ever improving hardware.

  9. news? by bcrowell · · Score: 4, Interesting

    Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable. Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges. If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

    1. Re:news? by SheeEttin · · Score: 2, Informative
      MS makes it so difficult not to run with administrator privileges

      Actually, it's not that hard. Log in as a limited user, do whatever you need to do, and if you encounter a program that absolutely needs to run as an admin, just right-click > Run as..., enter admin account name and password, and the program will run under the admin account. I personally haven't made the permanent switch to Linux yet, but I think it's comparable to sudo.
    2. Re:news? by Bert64 · · Score: 2, Interesting

      Users shouldn't need to worry about stupid shit like this.
      End users should be able to open data files (data, not executable files) without fear of being owned. Data files should not have the ability to contain code (with the exception perhaps of rudimentary macros which can only interact with the host program and are sandboxed, like Java applets or JavaScript).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:news? by Anonymous Coward · · Score: 5, Insightful
      If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

      There is no reason why it should have to be that way. In other operating systems and office suites, you can open documents to see what's in them without handing over control of the OS to someone. Why should we accept a world in which unsolicited communication is banned? Why can't we allow businesses to expand by making contacts with new, previously unknown people?

      Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.

      No, actually it is not. The most damaging things money wise that can happen to your computer are all available as the user, because if the data is important, the user obviously has to be able to read it. Trashing C:\Windows can always be fixed with a re-install. Uploading outlook.pst and *.xls to some site in Hong Kong can never be undone.

      If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

      No, that is not the solution. Having to spend more on IT is the PROBLEM THIS BUG CREATED, not the solution.

      Like many computer users, windows or linux or mac, you have internalized your work-arounds and broken-system survival strategies to the point that you actually think that's the way things are supposed to work.

    4. Re:news? by Frightening · · Score: 2, Interesting
      Why can't we allow businesses to expand by making contacts with new, previously unknown people?

      Because that's called MySpace, and look where that got us. Think of the children.
      *raises troll mod shield*
  10. Not a popularity problem by ILikeRed · · Score: 4, Insightful

    It is not a popularity problem - it's a "our marketing and sales departments delegate everything to our engineering and security departments" problem.

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
  11. News? by MarkByers · · Score: 4, Insightful

    Everyone knows that you should not open attachments. Word is likely full of 1000s of exploitable holes. Excel too. Plus any other complex program.

    Yes, OpenOffice will be full of holes as well.

    Not news.

    As for attacking just after the patch cycle, it's unlikely to mean anything. If I wanted to take advantage of a vulnerability for as long as possible, I would attack two or three days before the patch cycle. That will give people a couple of days to work out what happened and report the issue to Microsoft. After some initial analysis and prioritisation, a developer will be assigned to fix it. By that time it will have missed the boat for this month's patch day. Not that I would do this though. :)

    --
    I'll probably be modded down for this...
  12. Typically, the difficulty in prosecuting crackers by mmell · · Score: 2, Insightful
    is that (much like terrorists) there is no formal organization against which to direct your attention. The white-hats are left with trying to find individual crackers, much like the *AA goes after individual file-sharers because there is no centralized target for their wrath.

    In this instance, however, it is being hypothesized that an organized group is responsible. That's a centralized target; likely to yield more than one guy in his basement wearing shorts and a coffee-stained t-shirt, drinking coffee and jolt and living off old pizza.

    So, to CERT (and their international counterparts) I say - "Go get 'em, boys!"

  13. Presumably they could but... by sterno · · Score: 4, Insightful

    The thing is, to be a good hacker, you kinda have to spend a lot of time and energy on hacking. At the end of the day, it's probably easier and equally lucrative to just sell your exploits to other people rather than using them yourself. It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

    --
    This sig has been temporarily disconnected or is no longer in service
    1. Re:Presumably they could but... by mugnyte · · Score: 2, Interesting

      What raises my eyebrows is that hacks like this are a "one shot deal". You can't run an exploit for very long without it getting noticed, then patched. So the charge for these must be pretty high, given that it seems like work for hire.

      So the business background on this exploit is probably far juicier than the exploit itself. The path to contact, payment, motive, etc. are probably a great story. I would certainly read that book.

      Of course, if writing such a book, I would take the XLS information and place it on the market itself, continuing the intrigue. Let's hope it's something dealing with a government, which then topples, effecting more change than someone getting rich. I mean, if writing, write big.

    2. Re:Presumably they could but... by DigiShaman · · Score: 2, Insightful

      It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

      Be careful!!! In the US, you can be charged with being an accessory to a crime.

      --
      Life is not for the lazy.
    3. Re:Presumably they could but... by cowbutt · · Score: 2, Informative
      It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

      Be careful!!! In the US, you can be charged with being an accessory to a crime.

      ...and shortly in the UK also if the government get their way. Or, for that matter, if you create a security testing tool that some copper takes a dislike to.

    4. Re:Presumably they could but... by masterzora · · Score: 2, Insightful
      Can the owner of a gun shop be charged as an accessory if a gun they sold is used in a murder?

      All the cracker has to do is come up with a reasonable way that they could have plausibly sold it without criminal intent (i.e. they get the actual criminal to agree that the cracker sold it for security testing purposes, not for cracking purposes or something like that).

      --
      Remember, open source is free as in speech, not free as in bear.
  14. Patches Available by GogglesPisano · · Score: 4, Informative

    Patches for this problem are available here, here and here.

  15. Unnamed business? by MarkByers · · Score: 4, Funny

    against an unnamed business

    I think they should be more worried that they are the victim of identity theft.

    --
    I'll probably be modded down for this...
  16. stupid by mapkinase · · Score: 4, Funny

    I do not believe that e-mail spamming attack against a single company can be that effective. Very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mails.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  17. An Excel exploit? by fotoflojoe · · Score: 5, Funny

    Must be the work of terrorist cells...

    1. Re:An Excel exploit? by grassy_knoll · · Score: 5, Funny

      Would those terrorist cells be in the fifth column? ;)

  18. Another reason to have an open file format by Bert64 · · Score: 4, Interesting

    With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document...

    You could easily parse the file at your gateway, and validate the xml content against the published schema (rejecting it if it fails), although this wouldn't be foolproof (an exploit could still exist within well formed xml, but is less likely) it would cut out a significant portion of vulnerabilities.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Another reason to have an open file format by insanarchist · · Score: 4, Funny

      Thank god my grandma's already in the habit of validating xml content against schemas or she'd be SOL!

    2. Re:Another reason to have an open file format by Anonymous Coward · · Score: 2, Insightful
      With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document... You could easily parse the file at your gateway, and validate the xml content against the published schema

      So you expect the "malicious code" to be well labeled in the XML stream? ...maybe with XML comments? =P

      Seriously, you can only trap a narrow set of possible exploits this way (ones dealing with XML parser exploits generally). Scripts/macros/etc. would need to be interpreted to understand if it was utilizing an exploit in the target product (assuming the vulnerability was known). Also the document can be a valid document but the organization and composition of elements in the document could be used to exploit a vulnerability.

      I don't think it would net you as much of a benefit as you believe it would.
  19. Just in time by Opportunist · · Score: 4, Insightful

    Anyone here thinking it's a coincidence that the exploit goes live JUST after "patch day"?

    I don't want to call the responsible people at MS retards, who thought that patching at one very predetermined day every month is a good idea, but my English is not good enough to come up with a better name for this kind of idea.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Re:unnamed business by dark-br · · Score: 4, Funny

    Yes... I do... Please refer to the attached xls spreadsheet for more info. ;)

  21. Re:Corporate espionage ROFL! by richy+freeway · · Score: 3, Funny
    *rolls eyes back*

    I'm sure you'll be needing them.

  22. Re:It's part of Microsoft's plan - MOD PARENT UP! by iamcf13 · · Score: 2, Informative
    I heartily agree!

    But 'backwards compatibility' made Windows the (in)famous clusterfsck it is.

    Imagine how stable and secure Windows would be if Microsoft rewrote and streamlined it (goodbye .dll hell!) and the apps that they put out that use it from the ground up to avoid all the exploits and what not like this programmer (.chm) does... (His Win32 OpenSSL 'repack' was very useful to me on a past project. Here is his 'about me' page. Just on the strength of the blockquote below, I know this guy knows what he is doing and deserves any work/support you can send his way....)

    There is more to life than 'just making a buck', but when this is done at the corporate level, it transforms everybody it touches to seen-it-all, done-it-all cynics who keep their funds close to them, part with them only when necessary (food/clothing/shelter/heat/lights/vehicle fuel and maintenance/public transport fares/occasional recreational spending) and do anything they can to escape its clutches (i.e. use adblock when online, and A/V devices capable of 'adskipping').

    (I 'posted' the text below in an earlier comment here but I can't find the link to it right away. Note, I'm not a shill for this guy, just an admirer of simple, elegant, secure C program code that I can learn from and use in future projects.... It would be nice if the following, complete text was on a standard webpage instead of being embedded in a compiled HTML file (.chm) =/ )

    Security. There's a little word with a big meaning. Unlike other web servers, ProtoNova is secure. What exactly does this mean in terms of what a web server should be?

    [snip]

    Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in:

    // Include necessary headers to compile
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   // declares strcpy; this header was missing from the posted listing

    // Start of the "main" function - used to tell the OS where
    // to start processing source code.
    int main(int argc, char **argv)
    {
        // Tells the computer to create 256 places in memory _on the stack_ for storage.
        char str[256];

        // This just tells the user how to use the program.
        // Not really important, but useful.
        if (argc < 2)
        {
            printf("Syntax: BadProgram TypeInAReallyLongString");
            exit(1);
        }

        // This copies the data the _user_ specified into str.
        // (Unbounded copy: input longer than 255 bytes runs past the end of str on the stack.)
        strcpy(str, argv[1]);

        // This prints the contents of str.
        printf("%s\n", str);

        return 0;
    }

    (For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).

    The example above is ext

  23. Re:HOW!?!!?! by mortonda · · Score: 2, Informative

    Do you get executable code in a SPREADSHEET!?!

    Buffer overflows

  24. Employ the hackers (fight fire with fire) by JakeChance · · Score: 2, Interesting

    Why doesn't anyone employ these hackers to attack spam companies. It would be using one destructive web force against an annoying one, after all, I'm sure they get spam too. The enemy of my enemy is my friend.

  25. That's how it's done by fm6 · · Score: 2, Insightful
    They work on a schedule because that's the only way you can do a software project of any size. It's not like a flaw pops up once in a while, and they pull a programmer off his regular chores to write a patch. This is a large number of patches getting released over a long period of time. To create, test, and deploy software on that scale, you need a large team of programmers, together with project managers, QA folk, integrators, web deployment people, and technical writers. That kind of org cannot work on an ad-hoc basis.

    Microsoft's fuckup is not in choosing to release their patches on a scheduled basis. They really had no choice in the matter. Their fuckup is in letting their security situation get so bad, they had to produce a large number of patches every month.

    1. Re:That's how it's done by Master+of+Transhuman · · Score: 2, Insightful

      No, that's BILL'S excuse - "It doesn't make me any money, so we're not doing it."

      If you think about it, it doesn't matter if the number of patches per month is large or small. It's just a matter of having enough people to deal with ALL of them, on a pipeline where it ends up in a security patch download on Microsoft Update.

      The problem for BILL is the number of people he has to pull off his "upgrade" and "new" products like Vista - which DO make him money - to the problem of security which does NOT make him any money.

      It's that simple. It always has been and always will be - which is why Microsoft Windows will NEVER be secure.

      Note that most other companies do what's necessary to issue patches when the fix is done. Microsoft doesn't solely and entirely because of Bill Gates' attitudes about money.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  26. Re:HOW!?!!?! by dhasenan · · Score: 2, Informative

    Anything beyond basic usage requires a macro language--especially a spreadsheet program. Now, whether the macro language should be allowed to interface with the filesystem is a different matter entirely. I'd say that a user should be given a standard "Overwrite file $FILENAME? yes/no/cancel" dialog whenever a macro tries to overwrite a file; opening or listing the contents of a directory is a bit of a tricky matter, but I don't think many users would miss that feature.

    Now, if the macros were available to an external scripting language like bash or one of the P's, then there would be no reason for the macro language to be able to list or open files, only write to them. Then you'd only have, as the above poster mentioned, buffer overflows and the like.

    If we wanted, we could alter our standard libraries so that, for instance, strcpy does bounds checking. Is there a reason not to?

  27. Re:unnamed business by scovetta · · Score: 2, Funny

    Woohoo! A five dollar raise for me!!!

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  28. Re:HOW!?!!?! by darkwind_2427 · · Score: 2, Informative
    HOW!?!!?!...Do you get executable code in a SPREADSHEET!?!
    Actually, M$ uses OLE2 as the binary file format for all its office products. This is actually like its own file system. If you dig around in the files you'll notice there is a lot of padding where you can place whatever you want and M$ office products will not even notice. I'm not sure exactly how this exploit works, but I did some research into the MS03-050 exploit and discovered that buffer overflow would allow you to execute about as much shellcode as you would want on their computer. That one in particular was a simple matter of malforming the macro header table (changing the input length). No matter how high your security settings are the code will execute without your knowledge (if you open it).
  29. Re:HOW!?!!?! by Opportunist · · Score: 3, Informative

    In this case it isn't a macro, they're using a buffer overflow error in the code that loads and interprets MS-Office files.

    Basically, what happens is that the Office reading routine creates room on the stack for some variable, to hold X bytes. Right behind those X bytes, there is the return address for the subroutine (so the reader subroutine can actually come back to the original program).

    Now, this return address is being overwritten by an address that points into the spreadsheet instead (it's not THAT simple, but that's the general idea behind it). And in that area of the spreadsheet, you don't find spreadsheet data but instead you have executable code. Which is then, of course, executed (because Office thinks it's "his" code).

    Quite simple. And easily avoided (the way to do it can be seen below in another subthread, by a rather good example).

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
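    Added example (written for this page; not code from any commenter, from ProtoNova or from Microsoft) serving three threads at once: the BadProgram listing quoted in comment 22, the question in comment 26 about a strcpy that does bounds checking, and the return-address explanation in comment 29. The bounded copy below is a hypothetical replacement for the unbounded strcpy, and strcpy_overrun only measures how far past a buffer the unbounded call would have written, without performing that write.

```c
#include <stdio.h>
#include <string.h>

/* Length of src, scanning at most `limit` bytes. Returns `limit` when no NUL
 * terminator was found inside the window (written out to avoid strnlen). */
static size_t bounded_strlen(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Bounds-checked stand-in for strcpy(dst, src) where dst holds dst_size bytes.
 * Copies src plus its NUL only when it fits; otherwise leaves dst as an empty
 * string and reports failure. Returns 0 on success, -1 when rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = bounded_strlen(src, dst_size);
    if (n == dst_size) {          /* no NUL within dst_size bytes: would not fit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n + 1 <= dst_size, so the write stays inside dst */
    return 0;
}

/* How many bytes past the end of a dst_size buffer an unbounded strcpy(dst, src)
 * would write (0 means it fits). Only measures; nothing is copied. Anything
 * above 0 lands on whatever sits beyond the buffer, which on a stack frame is
 * the neighbouring locals and eventually the saved return address. */
size_t strcpy_overrun(size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;   /* strcpy writes strlen(src) bytes plus the NUL */
    return needed > dst_size ? needed - dst_size : 0;
}

/* Same shape as the posted BadProgram: a 256-byte buffer on the stack, with the
 * unbounded strcpy replaced by bounded_copy. Returns 0 if the input was accepted
 * and printed, 1 if it was rejected as too long. */
int handle_input(const char *input)
{
    char str[256];
    if (bounded_copy(str, sizeof str, input) != 0) {
        fprintf(stderr, "input rejected: longer than %zu bytes\n", sizeof str - 1);
        return 1;
    }
    printf("%s\n", str);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "Syntax: GoodProgram <string>\n");
        return 1;
    }
    /* Report what the unbounded version would have done, then handle the input safely. */
    printf("an unbounded strcpy would overrun a 256-byte buffer by %zu bytes\n",
           strcpy_overrun(256, argv[1]));
    return handle_input(argv[1]);
}
```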
  30. Re:Long term, that is a losing strategy by dave562 · · Score: 2, Insightful
    It is a great suggestion that Microsoft purchase information about their operating system from wherever it is available. It has been proven time and time again that Microsoft employees aren't capable of patching their operating system and updating their code. It has been implied that their management culture is so completely screwed up that they are never going to get anything accomplished in any sort of reasonable time frame. If I were in charge of personnel at Microsoft I would go out and recruit every user who contributes to any of the hacker sites in any sort of reasonable way, give them six figures a year, and set them loose on the source code for Windows and the various key applications. For the most part the people who are breaking Microsoft software are doing it for the thrill and challenge of it... and they aren't making much money doing it. If you were to wave six figures at some guy who can barely afford to keep his Honda Civic running and the Mountain Dew supply in the fridge stocked, he'd probably jump at the offer.

    Of course, such a thing will never happen. Sooner or later the OSS community is going to catch up, they are going to come up with an Exchange killer, and they are going to come up with an accounting package to rival the likes of Platinum / Sage / AccPac for the SMB market, and then Microsoft is going to be in serious trouble. However until the OSS world gets the necessary applications to slay the dragon with, we're stuck with Microsoft for the foreseeable future.