Slashdot Mirror


Oops! Missed One Fix — Windows Attacks Under Way

CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"

292 comments

  1. I don't understand by veganboyjosh · · Score: 4, Interesting

    How can code in the wordpad text editor leave a machine vulnerable? Can someone explain this in a way that's not super technical? Faulty code in a browser, or similar, I can understand.

    1. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

      I wondered this as well, it couldn't very well be remote code execution or privilege escalation or anything like that, so I opened up the article. It appears that Wordp

    2. Re:I don't understand by V!NCENT · · Score: 5, Informative

      How can code in the wordpad text editor leave a machine vulnerable?

      It can be used to execute a malicious program that makes the system vulnerable. Wordpad just works as a launcher for the malicious program.

      --
      Here be signatures

    3. Re:I don't understand by Anthony_Cargile · · Score: 3, Informative

      Surely not a remote exploit, must be some sort of password retrieval (siw.exe) or something used to compromise a network or else it would not be so "critical". Now would be a good time to peek at the leaked Windows NT code from 2004...

    4. Re:I don't understand by RemoWilliams84 · · Score: 1

      I don't know. Who would actually use the converter in Wordpad anyway? I honestly didn't even know anything other than notepad was still standard on Windows. I always use Word or notepad for quick things. And I use textpad when doing programming or SQL.

      --
      "I don't have to think. I only have to do it. The results are always perfect, but that's old news." - Meat Puppets

    5. Re:I don't understand by show me altoids · · Score: 5, Informative

      It has to trick the user into opening a Word 97 file with Wordpad, which can be done by changing the extension of the file to .wri. So as long as you don't open any attachments to bogus email, you'll be OK. This information is in the article, BTW.

      --
      I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel

    6. Re:I don't understand by Anonymous Coward · · Score: 0

      Whoosh!

    7. Re:I don't understand by Anthony_Cargile · · Score: 1

      Thanks, forgot about privilege escalation. Perhaps it is a shellcode vulnerability or overflow, details to come hopefully (monitor milw0rm.com). I can only wonder how wordpad of all programs can allow this over some self-made app that does the same thing?

    8. Re:I don't understand by Anonymous Coward · · Score: 5, Informative

      The attacker sends you a .wri file in an email. By default this will be opened using WordPad. WordPad will attempt to decode the Word97 content of the .wri file and in doing so will trigger some sort of attack code (the article and security advisory are vague about this part).

      Basically, don't open weird files that you find on the internet.

    9. Re:I don't understand by arootbeer · · Score: 5, Informative

      I can only wonder how wordpad of all programs can allow this over some self-made app that does the same thing?

      It's easier to get someone to open a .wri or .doc file than a .exe file.

    10. Re:I don't understand by Anonymous Coward · · Score: 0, Funny

      Ah, see this is why security is not my field, or maybe I need another red bull. I guess I would make a great MS programmer with that attitude: "Just finish the app by noon and we'll let somebody else audit it and we'll release a patch 5 years from now". Yeah, my future with Microsoft is bright.

    11. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

      This information is in the article, BTW.

      In the what, now?

    12. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

      It's very simple, really; the attacker breaks into your home or office, knocks you unconscious with a blunt instrument, boots up your computer and opens Wordpad.

    13. Re:I don't understand by Anonymous Coward · · Score: 0

      Funny, I received a spam with a .wri file attached a few days ago. Of course, I didn't open it, but I was surprised. Now I understand.

    14. Re:I don't understand by Anonymous Coward · · Score: 2, Funny

      His was funnier. Yours was kinda sad.

    15. Re:I don't understand by Anonymous Coward · · Score: 0

      Explaining jokes be fun!

    16. Re:I don't understand by Anonymous Coward · · Score: 0, Flamebait

      a common joke here on /.

      Yea, the only humor used more is lame sarcasm

    17. Re:I don't understand by Ilgaz · · Score: 1, Flamebait

      The real question is, how come Apple's TextEdit.app, which has been there for years, doesn't get such an issue and MS Wordpad does? Or Kate? Gedit? I think that is the thing which confuses people.

    18. Re:I don't understand by Anonymous Coward · · Score: 0

      wordpad is like notepad, except actually useful.

    19. Re:I don't understand by clone53421 · · Score: 5, Funny

      Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

    20. Re:I don't understand by ivucica · · Score: 2, Insightful

      Wordpad is like Notepad, except it can actually parse UNIX line endings :) :)

      Sigh, I tried to brighten up the situation. Yes, you're right, both are crappy and annoying as hell :)

    21. Re:I don't understand by RenderSeven · · Score: 1, Informative

      MS Notepad never gets issues either because it and your other examples are plain text editors. WordPad has all sorts of MS Word functionality built into it so you can view Word documents if you don't have Word installed. Problem is that Word has been (relatively) well shaken out but WordPad has not, since, hey, it's only WordPad so who gives a cripe.

      The vulnerability is using WordPad to convert an infected Word document, by getting the user to open an infected attachment. Anyone stupid enough to get infected this way deserves everything Darwin can throw their way.

    22. Re:I don't understand by eggnet · · Score: 3, Informative

      TextEdit can read and write word docs too. It supports rich text.

    23. Re:I don't understand by Ilgaz · · Score: 1

      TextEdit shouldn't fool you with its name; it is a full-featured document editor. It relies on system-wide frameworks just like Wordpad does.

    24. Re:I don't understand by quantum bit · · Score: 2, Informative

      Yeah, but it changes them to DOS format when you save, with no option to keep the UNIX line endings :(

      Good thing vim has a windows version.

    25. Re:I don't understand by buchner.johannes · · Score: 1

      If wordpad is affected so badly, just think about the damage mspaint will do!

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

    26. Re:I don't understand by Anonymous Coward · · Score: 0

      Faulty code in a browser, or similar, I can understand

      Why? After all, a web browser is just another application that runs on your system.

    27. Re:I don't understand by Anonymous Coward · · Score: 0

      Change the default application that opens .wri (OLD MS Write files from Windows 3.x, which Wordpad opens) to Microsoft Word (whatever version) & you should be ok. Change the file extension association here:

      HKEY_CLASSES_ROOT\.wri

      from WORDPAD.EXE (beneath that in the tree of folders) to the same thing the .doc file extension has; merging THIS .reg file into your registry SHOULD technically do the job:

      ----

      Windows Registry Editor Version 5.00

      [HKEY_CLASSES_ROOT\.wri]
      @="Word.Document.8"
      "Content Type"="application/msword"

      [HKEY_CLASSES_ROOT\.wri\PersistentHandler]
      @="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

      [HKEY_CLASSES_ROOT\.wri\Word.Document.8]

      [HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
      "FileName"="winword8.doc"

      ----

      THAT, technically SHOULD do the job for "proofing you" vs. this attack, until MS issues a patch next month/year January 2009...

      APK

    28. Re:I don't understand by cheater512 · · Score: 1

      Erm I have seen Notepad crash before. That puzzled me somewhat. :P

    29. Re:I don't understand by cheater512 · · Score: 2, Interesting

      Is it just me, or would this attack be impossible if Windows used MIME types correctly?

      E.g. on Linux it generally doesn't matter what the file extension is; it always opens in the correct program, due to the MIME type being used to determine the program and not the file extension.

    30. Re:I don't understand by flycream · · Score: 1

      It actually does open on drag&drop. Just don't drop on the text area, but on the menu bar instead.

    31. Re:I don't understand by beav007 · · Score: 2, Funny

      It doesn't much like 150MB SQL dumps, I'll tell you that...

    32. Re:I don't understand by darkpixel2k · · Score: 3, Informative

      Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.

      Don't drop the files into the 'document area', drop them onto the 'menu bar' area and they'll open.

      I f*cking hate wordpad, but it's the only thing that recognizes and saves unix line-endings and is installed on every windows box since the beginning of time.

      --
      There's no place like ::1 (I've completed my transition to IPv6)

    33. Re:I don't understand by Nazlfrag · · Score: 1

      I doubt it, it's probably a valid Word file for the most part. Linux could be vulnerable to the same trick if a privilege escalation bug is found that is able to be exploited just by loading the file.

    34. Re:I don't understand by PotatoFarmer · · Score: 1

      MIME types can be spoofed just as easily as file extensions, it's trivial to modify Content-type headers.

    35. Re:I don't understand by Anonymous Coward · · Score: 0

      Attacker's email..

      Urgent, please review. (open in wordpad)

    36. Re:I don't understand by b4dc0d3r · · Score: 1

      It's not in the editor, it's in a converter. Kind of like a plugin. In order to make Word files the standard, MS included a utility so that if the user does not buy Word but does buy Windows, they can convert .doc files to text and read them that way. So the text editor loads a plugin to convert files.

      At this point, someone has a malicious .doc file which (since it is a binary format and contains complicated structures) overwrites the stack and executes code, which is running in the text editor's address space.

      If the .doc file weren't so complicated to read the converter would have had no problems and a simple "text editor" would not be the hottest exploit since Paris Hilton.

    37. Re:I don't understand by Mr. DOS · · Score: 2, Insightful

      Well, sorta, if your definition of the beginning of time is 1995 or thereabouts ;) Before then, we had Write and its unhidable EOF character... This almost makes me want to fire up Windows 3.1 on some old machine and see if Write supported non-DOS line-endings like WordPad does.

      </nitpicking>

      --- Mr. DOS

    38. Re:I don't understand by Anonymous Coward · · Score: 0

      Wouldn't that be kind of illegal, in an "antitrust" sense?

      I mean, Microsoft sells a word processor whose documents can only be viewed by that program OR by the operating system the same vendor happens to sell too. Doesn't this lock out other vendors of word processing programs that do not have the advantage of making their document formats viewable by default on the most used OS for text processing? And isn't that illegal, and isn't that what happened in the IE antitrust case?

      Please enlighten me.

    39. Re:I don't understand by i.of.the.storm · · Score: 1

      Yeah, notepad fails on files over several megabytes. Notepad++ ftw.

      --
      All your base are belong to Wii.

    40. Re:I don't understand by i.of.the.storm · · Score: 1

      Yeah, seriously. I don't understand why notepad can't do that. They really just don't care, I guess. I would love it if they could fix that for Windows 7, or hell just patch it for all versions of Windows but that would be asking too much... the only thing Notepad has going for it is that it starts up faster than anything else.

      --
      All your base are belong to Wii.

    41. Re:I don't understand by gallwapa · · Score: 1

      On xp. I loaded a 2gb text file in vista pretty quickly (all things considered)

      find and replace, however...not so much

    42. Re:I don't understand by Anonymous Coward · · Score: 0

      Heh, you'd have to be dumber than a box of rocks to obey that... lol!

      APK

    43. Re:I don't understand by Anonymous Coward · · Score: 0

      It's very simple, really; the attacker breaks into your home or office, knocks you unconscious with a blunt instrument, reformats your computer, installs Windows on your computer, and opens Wordpad.

      There, fixed that for you.

    44. Re:I don't understand by gad_zuki! · · Score: 1

      The issue is that people run Windows as local admin, so all you have to do is find a way to get some code to run. If you can find a way to break out of the application and run some code you're golden. You don't need to do privilege escalation as the person double-clicking everything is running as admin. Most of these exploits don't work when you run as limited user.

      If anything these recent exploits should be a pretty big hint to move away from the admin 24/7 way of doing things. Unix people learned this lesson long ago, as they now use sudo or su and never stay logged in as root.

    45. Re:I don't understand by Anonymous Coward · · Score: 0

      This is incredibly annoying - dropping files on Wordpad just inserts them into the document as an OLE link, instead of opening them. But drop it on the toolbars at the top and it'll open it just fine!

    46. Re:I don't understand by Anonymous Coward · · Score: 2, Funny

      Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext

      What do you expect? Wordpad is 13 years old now. Things can be very confusing at that age. It's perfectly normal to experiment with both rich and plain text. The important thing, as the article points out, is to use protection.

      And if Wordpad decides to be more stylish by wearing fancy fonts, bold typefaces, and italics, there's nothing wrong with that. Society has become a lot more accepting of rich text editors in the past few decades.

    47. Re:I don't understand by JoshuaZ · · Score: 4, Insightful

      That's not called for at all. Many people use WordPad all the time with the implicit notion that it is just a glorified text editor. The vast majority of users likely have no idea that there's enough functionality of Word in WordPad for something like this to happen. Heck, if you had told me a few days ago this was going to occur I'd say something like "Well that seems vaguely plausible but extremely unlikely." Finally, software isn't made for you or me. It is made for everyone who is going to use it. Security needs to handle the not so well educated. Many people have had it drilled into their heads not to open .exe files if they don't know where they came from. Opening a .doc file with what appears to be a text editor will appear completely reasonable. There's no good argument to have "Darwin" throw anything at these people. This should be solved by better programming and better education, not natural selection.

    48. Re:I don't understand by Amphetam1ne · · Score: 2, Funny

      Basically, don't open weird files that you find on the internet.

      Any chance you could get that printed up on a mousemat or something? I'd certainly buy a few to send out to relatives and family friends as Xmas presents....

      --
      I only buy pepper spray that's been tested on anti-vivisectionists.

    49. Re:I don't understand by CheeseTroll · · Score: 2, Funny

      Find/replace in notepad on large files makes it look like I'm *really* busy on my computer at work. :-)

      --
      A post a day keeps productivity at bay.

    50. Re:I don't understand by Chabil Ha' · · Score: 2, Interesting

      Reminds me of my favorite notepad pseudo-easter egg. Type the words below in a new instance of Notepad, save it, close it, re-open it in Notepad and see what it does...

      this app can break

      --
      We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others

    51. Re:I don't understand by MicktheMech · · Score: 1

      You don't happen to have a translation, do you?

    52. Re:I don't understand by RenderSeven · · Score: 2, Insightful

      I hear where you're coming from, and you make some fair points. But I stand by my opinion, worthless though it may be :-) If anyone at this point doesn't get that you don't open anything, from anybody, no matter what, then you will probably learn that Darwin is harsh even to the innocent. Since this sequence (embedding a virus and changing the name to .wri) pretty much requires malicious intent, then to be infected you'd be opening a .wri file from an unknown source. You should at least be asking yourself, if you know what a .wri is, then why did they send that format instead of, say, RTF? And if you don't know what it is, then there's no excuse for opening it. Anyone who hasn't adopted a little healthy suspicion about, well, everything, is eventually going to get kicked a rung or two down the evolutionary ladder.

    53. Re:I don't understand by Chabil Ha' · · Score: 1

      I've tried taking it to numerous online translators, and even taking it to Chinese natives but they couldn't make any sense of it either.

      --
      We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others

    54. Re:I don't understand by ozphx · · Score: 1

      Doesn't work on Vista. IIRC that's Notepad on XP autodetecting the character set for an 8-bit ASCII file - picks one of the Asian languages?

      Vista notepad is presumably a unicode build.

      Kind of an ironic string to make it fail though ;)

      --
      3laws: No freebies, no backsies, GTFO.

    55. Re:I don't understand by Zarel · · Score: 1

      MS Notepad never gets issues either because it and your other examples are plain text editors. WordPad has all sorts of MS Word functionality built into it so you can view Word documents if you don't have Word installed.

      Incidentally, you can no longer open .doc files in WordPad in Windows Vista and higher (see the Wikipedia article). I guess Microsoft really wants users to buy Office.

      --
      Want a high quality FOSS RTS game? Try Warzone 2100!

    56. Re:I don't understand by darkpixel2k · · Score: 1

      Well, sorta, if your definition of the beginning of time is 1995 or thereabouts ;) Before then, we had Write and its unhidable EOF character... This almost makes me want to fire up Windows 3.1 on some old machine and see if Write supported non-DOS line-endings like WordPad does.

      </nitpicking>

      --- Mr. DOS

      That's the year I got my first IT job, so for me it's kinda like the sacred Unix Epoch. Nothing existed before it.

      --
      There's no place like ::1 (I've completed my transition to IPv6)

    57. Re:I don't understand by ozmanjusri · · Score: 3, Insightful

      Anyone stupid enough to get infected this way deserves everything Darwin can throw their way.

      This attitude is why Microsoft products have such a poor record for stability and security.

      Computers SHOULD be designed for people who have no knowledge of the intricacies of operating systems.
      Computers SHOULD be designed to be safe for beginners to use.
      Computers SHOULD be designed so an unintended error does not result in a compromised system.
      Computers SHOULD be designed to be robust enough to use without fear.

      Operating system progress has virtually halted for more than a decade because of the Windows monopoly. THAT is the problem here, not users trying to come to grips with a needlessly complicated and inconsistent tool.

      I HATE the way Microsoft's evangelists have switched to this "Blame the user" mentality to try to shift attention from their failures. It's hypocritical, dishonest, and most of all, it allows them to sit on their laurels and continue serving up variations of the same stale OS they've been facelifting for the past 15 years.

      --
      "I've got more toys than Teruhisa Kitahara."

    58. Re:I don't understand by sootman · · Score: 1

      And this is why I love Slashdot. I was gonna reply about the one thing I love about wordpad--that it handles various line endings better than notepad--but I first checked the other replies to see if that had been mentioned. Not only have a few others already posted the same thing, they've also mentioned a bug^H^H^Hfeature that I HATE (that dragging a document into the window doesn't open it) AND a fix (drag it onto the toolbar instead.) AWESOME!!!!!11

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.

    59. Re:I don't understand by K. S. Kyosuke · · Score: 3, Informative

      Just read this...

      --
      Ezekiel 23:20

    60. Re:I don't understand by hairyfeet · · Score: 1

      I prefer Metapad myself. Small, light, runs on a flash drive, plenty of nice features, and a simple batch file you can make from the FAQ page that will change out Notepad for Metapad on a Win2K or XP machine.

      So does anyone know how this will affect someone who has MS Works installed? I read TFA and they only mentioned Word. While I see very few machines without SOME kind of word processor (I give my customers OO.o if they don't have one), I do see plenty of folks out there who are running some version of MS Works that came with their PC. So does anyone know if Works opens the .wri file or will it call on Wordpad like MS Word does?

      --
      ACs don't waste your time replying, your posts are never seen by me.

    61. Re:I don't understand by clone53421 · · Score: 1

      Wordpad is like Notepad, except it can actually parse UNIX line endings :) :)

      True dat, but I personally like Notepad... although there are replacements that are significantly better. Notepad will do in a pinch.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

    62. Re:I don't understand by node 3 · · Score: 2, Insightful

      If anyone at this point doesn't get that you don't open anything, from anybody, no matter what, then you will probably learn that Darwin is harsh even to the innocent.

      That's different from saying they deserve it. These people are victims of malicious intent. That's like saying anyone who helps a stranger on the street deserves to be robbed. It might happen and 'Darwin is harsh', like you said, but that doesn't make it deserved.

      The logic of 'they deserve it' also lets the criminal off the hook. If someone gets what they deserve, it's hard to see why the person who perpetrated that is guilty of anything in a moral sense.

      Since this sequence (embedding a virus and changing the name to .wri) pretty much requires malicious intent, then to be infected you'd be opening a .wri file from an unknown source.

      You mean like a worm email that comes from a friend's infected PC?

      You should at least be asking yourself, if you know what a .wri is then why did they send that format? instead of say rtf?

      People do odd things all the time. If you go a day without an odd thing happening, you must lead a very simple and sheltered life (which is odd in itself, so...).

    63. Re:I don't understand by Nutria · · Score: 2, Insightful

      Computers SHOULD be designed for people who have no knowledge of the intricacies of operating systems.

      Depends on what they are going to do with them. See below.

      Computers SHOULD be designed to be safe for beginners to use.

      Yes, to use. But they will always need knowledgeable people to manage them, and any attempt to overcome this fundamental law of nature is doomed to cause lots of people to be infected by lots of malware.

      --
      "I don't know, therefore Aliens" Wafflebox1

    64. Re:I don't understand by westyvw · · Score: 1, Insightful

      File extensions. Lol they are funny. Who would have thought an OS would use THAT to figure out what the data is and what to do with it? Nobody would ever do that would they?

    65. Re:I don't understand by tonyr60 · · Score: 2, Insightful

      Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext

      What do you expect? Wordpad is 13 years old now. Things can be very confusing at that age.

      I would have expected a degree of maturity with age, rather than confusion. Like Linux and Solaris, both a little older than Wordpad and a damn sight more mature.

    66. Re:I don't understand by tonyr60 · · Score: 1

      You make the assumption that the mime type in the email header will always match the content. What was your email address??

    67. Re:I don't understand by Richard_at_work · · Score: 1

      Tell me again what Apache uses to determine how to handle content? I do believe it uses .... file extensions.

    68. Re:I don't understand by smoker2 · · Score: 1

      Notepad has certainly had issues. I remember a virus back in '99 that hid itself in notepad, so even if you rebooted after a full scan it re-inserted itself in the system. It blocked virus updates on the AV scanner too, so the only way I found it was to search the net for symptoms on a clean machine, then (eventually) take a copy of the clean notepad.exe on a floppy to the other machine and replace the infected one. IIRC, it was kakworm responsible.

      I remember because I was showing one of the office girls what happened when you opened one of the various Russian spam emails we were getting. She asked what it did, so I said click it and find out ...
      Took me 4 hours to track that fucker down.

    69. Re:I don't understand by sproot · · Score: 1

      And I bet you still didn't get her in the sack ;)

    70. Re:I don't understand by jonadab · · Score: 1

      > Yeah, but it changes them to DOS format when you save, with no option to keep the UNIX line endings :(

      Why would you want to? All the Unix software these days understands both formats, so if you've got data that you work with on both kinds of systems, proper ASCII carriage-return/line-feed pairs are the way to go. Not only can you open your files in Notepad then, but you can also send them directly to an ASCII printer without any special drivers or interpretation. (Granted, more and more printers these days expect Postscript, PCL, JetDirect, RPCS, or somesuch instead of ASCII. But there are still a few ASCII printers around, and they tend to be fast and efficient for printing large amounts of plain-text data.)

      --
      Cut that out, or I will ship you to Norilsk in a box.

    71. Re:I don't understand by jonadab · · Score: 1

      > > This information is in the article, BTW.
      > In the what, now?

      In the TFA article. You're probably accustomed to people just calling it the TFA, but they mean the TFA article. Similarly, when these people talk about software programs, they usually just call them "software", but it means the same thing. Some people just like to shorten and abbreviate everything.

      --
      Cut that out, or I will ship you to Norilsk in a box.

    72. Re:I don't understand by PMBjornerud · · Score: 1

      It's easier to get someone to open a .wri or .doc file than a .exe file.

      Much easier. Set up a dummy web site serving "documentation" on any subject you're pretending to represent. Users will get a .wri file, displayed with a very friendly "text document" user interface and allowing the user to open it.

      It's not very difficult to make users "click here for documentation". The user is expecting to get a document file, they get a file in a document format. They will open it.

      --
      I lost my sig.

    73. Re:I don't understand by Cally · · Score: 1

      ...because Wordpad's the default helper application for RTF.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe

    74. Re:I don't understand by Ilgaz · · Score: 1

      They killed way better "Write" (from WIN16) just because they figured people are happily using it instead of MS Word in many cases. The "Wordpad" is MS Write with shaved features. The name itself advertises "Word" and uses "Pad" like "Notepad", e.g. simple crap which can't be relied on.

    75. Re:I don't understand by shutdown -p now · · Score: 2, Funny

      Good thing Emacs has a windows version.

      There, corrected that for you.

    76. Re:I don't understand by tehcyder · · Score: 1

      The vulnerability is using WordPad to convert an infected Word document, by getting the user to open an infected attachment. Anyone stupid enough to get infected this way deserves everything Darwin can throw their way.

      Yeah you have to be really stupid to open a document file, it's perfectly obvious that a text file can in fact destroy your computer.

      --
      To have a right to do a thing is not at all the same as to be right in doing it

    77. Re:I don't understand by clone53421 · · Score: 1

      Find/replace in notepad on any file takes absurdly long. I was amazed, when I started using Metapad, at how much faster its find/replace was.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

    78. Re:I don't understand by Anonymous Coward · · Score: 0

      The mime type has nothing to do with the OS. This is completely browser based. Once you've saved the file to your hdd the mime type is lost and you're stuck with looking at the extension or file contents.

    79. Re:I don't understand by csartanis · · Score: 1

      seriously.

      /facepalm

    80. Re:I don't understand by jandrese · · Score: 1

      Wouldn't the mime type be set for Wordpad then? I don't see how this would help.

      --
      I read the internet for the articles.

    81. Re:I don't understand by tehcyder · · Score: 1

      Basically, don't open weird files that you find on the internet

      Yes, but who's going to think a .wri file is suspicious (until now)?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    82. Re:I don't understand by RenderSeven · · Score: 1

      If only it was as simple as that. MS uses the extension to determine which app to associate it with, but the apps generally don't consider the extension canonical or even relevant, and instead scan the file to determine the data type. That's why this virus both needs the extension renamed to wri, and why Wpad falls victim to it. It's MS wrapping a stupid idea in a clever idea that makes it bad.

    83. Re:I don't understand by clone53421 · · Score: 1

      Eh? Yours doesn't? In that case, I'm going to write a virus, make the primary icon the "Word document" icon, and send it to you. Sure, your OS will probably say "Application" somewhere, but will you notice that, or will you see the filename and icon and just assume it's really a Word document?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    84. Re:I don't understand by nametaken · · Score: 1

      You say that, but think about how many jokes there have been over Vista's UAC. Too many don't agree. MS gives a user the ability to do silly things to their machine, people complain. MS makes it painfully obvious before users do something silly, people complain.

      I'm not usually a big MS apologist, but they can't win here.

    85. Re:I don't understand by clone53421 · · Score: 1

      A virus that replaces a common Windows executable with an infected copy that mimics it functionally isn't exploiting a security flaw in the original executable. Just because "winmine.exe" has no known exploits doesn't mean somebody can't create a viral copy of it that will format your primary partition.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    86. Re:I don't understand by clone53421 · · Score: 1

      Software is like a child... if it's neglected, it never matures.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    87. Re:I don't understand by clone53421 · · Score: 1

      Anyone dumb enough to obey that is too stupid to know how if the default application isn't already Wordpad.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    88. Re:I don't understand by Anonymous Coward · · Score: 0

      Faulty code in a browser, or similar, I have been conditioned to tolerate by years of apathy towards product quality by Microsoft.

      Fixed that for you.

    89. Re:I don't understand by Just+Some+Guy · · Score: 1

      Don't drop the files into the 'document area', drop them onto the 'menu bar' area and they'll open.

      At this rate, Windows will never be ready for the desktop.

      --
      Dewey, what part of this looks like authorities should be involved?
    90. Re:I don't understand by thexile · · Score: 1

      Just lookout for the Wordpad in Mojave!

    91. Re:I don't understand by wolferz · · Score: 0, Flamebait

      "I HATE the way Microsoft's evangelists have switched to this "Blame the user" mentality to try shift attention from their failures. It's hypocritical, dishonest, and most of all, it allows them to sit on their laurels and continue serving up variations of the same stale OS they've been facelifting for the past 15 years."

      uhm... ok... I agree that it's ridiculous to blame the users. I also agree that this does happen among the less experienced Windows stalwarts. But the majority of knowledgeable computer techies admit that Windows has problems when it comes to usability. And no, building your own computer or writing your own program does not make you knowledgeable in this context, especially considering these tasks are often outsourced to be performed by people who don't even have a high school level education.

      Don't try to claim this is a MS only problem. In the hands of a novice a Linux computer is only more secure than a windows machine for two reasons: 1. a compromised user account doesn't compromise the entire system and 2. there are fewer "hackers" targeting Linux.

      Most of the damage that happens to Linux systems is from users who didn't know what they were doing and screwed crap up. The same thing can be said about Windows. But if you take security related problems out of the equation and limit the scope to problems like deleting important files and stuff like that Linux gets a lot more of that. In fact, without the security issues on Windows, Linux has more problems over all than Windows.

      Look, they both have problems. Neither one is inherently better than the other. I use both every day and like both of them. I just get really tired of the Linux Fanboys running around hissing "M.SSSSS. issss eeevviiilllll" every chance they get. Especially when, in my experience, most of Windows' problems are a result of its popularity (not MS's mistakes) while most of Linux's (and open source in general) problems are a result of bad design choices by its developers.

      And yes, it is obvious that you're a Linux Fanboy. The unmitigated Anti-MS Rhetoric you're spewing gives it away.

    92. Re:I don't understand by Anonymous Coward · · Score: 0

      I'm not sure if you're coming from a Unix background, but if you are... the way I see it:
      Imagine that your favourite text editor (say KWrite or Vim or ...) has a bug that causes a buffer overflow if one of the lines is longer than 256 characters. If you would open such a file, the overflowing data might be written at a location where something else is supposed to be. Maybe it trashes the stack, making it to a syscall with nasty parameters. Maybe it overwrites part of the program's code. Maybe it trashes the stack jumping into newly written code, if you're really unlucky. Et cetera. If your system is set up right (and it isn't for everyone) you'd still need administrative rights to take the machine down, but that is not important. Because even without that, it can delete all your documents, your music collection, your wallpaper collection, and so on, and probably mail itself to someone else too. In fact, it probably wants your machine to stay up so it doesn't need administrative rights to do anything it wants to do.
      We're writing the year 2008 and this problem is still not fixed. Not only do buffer overflows still exist, but processes get away with way too much still, even though from a theoretical point of view all problems are already fixed. That, my dear friends, is called progress.

    93. Re:I don't understand by Anonymous Coward · · Score: 0

      Don't drop the files into the 'document area', drop them onto the 'menu bar' area and they'll open.

      I fucking love you.

    94. Re:I don't understand by DeskLazer · · Score: 1

      some people clearly can't get humor.

      allow me to elaborate; a common stereotype of the typical slashdot user is that they post without reading TFA. when AC posted asking what he meant by article, it was poking fun at the typical /. user. any questions?

    95. Re:I don't understand by hollywoodb · · Score: 1

      I HATE the way Microsoft's evangelists have switched to this "Blame the user" mentality to try shift attention from their failures. It's hypocritical, dishonest, and most of all, it allows them to sit on their laurels and continue serving up variations of the same stale OS they've been facelifting for the past 15 years.

      It works both ways.

      $FAV_OS evangelists:
      If it is a $FAV_OS problem, blame the users. If there's a $OTHER_OS problem, blame the OS.

      --
      I may have to share this planet with animals, but I'm doing my damn best to eat every last one of them.
    96. Re:I don't understand by clone53421 · · Score: 1

      I think this is a whoosh^2.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    97. Re:I don't understand by csartanis · · Score: 1

      Not to mention that the mime type is set by the sender and/or server. The email could very well say that this .doc file is something like text/x-wordpad and then it gets opened with wordpad.

    98. Re:I don't understand by Anonymous Coward · · Score: 0

      And yes, it is obvious that you're a Linux Fanboy. The unmitigated Anti-MS Rhetoric you're spewing gives it away.

      Moron.

    99. Re:I don't understand by darkpixel2k · · Score: 1

      I fucking love you.

      I'm really hoping Anonymous Coward is a girl, otherwise this thread just made me a bit nervous...

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    100. Re:I don't understand by Anonymous Coward · · Score: 0

      Ok when I said mime type I didn't mean the email mime type.

      Check out the 'file' utility. Give it any file, and it will spit out what the file is no matter what the file extension is.
      KDE uses a similar mechanism, Gnome probably does too.
      You can't trick it - it detects what the file is, and then opens it with the default program for the matching mime type.
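
      As an added example that is not part of any post in this thread, here is a content-sniffing check of the kind the 'file' utility performs, written in Python as a mail-gateway filter: it flags an attachment whose extension and actual format disagree, for instance an OLE2 compound document (a legacy binary .doc) renamed to .wri so that file association routes it to the WordPad converter. The magic values are the OLE2 compound-file signature, the RTF opening control word and the Write format's wIdent header values; the sample attachments are constructed headers plus filler, not real documents.

```python
import os
import struct

# Magic values used for content sniffing. The OLE2 compound-file signature is the
# container used by legacy binary .doc files; the Write identifiers are the wIdent
# header values of the Windows Write (.wri) format (0xBE31 plain, 0xBE32 with OLE
# objects); RTF is a text format that opens with a control word.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
WRI_IDENTS = {0xBE31, 0xBE32}
RTF_MAGIC = b"{\\rtf"

# Which sniffed types are legitimately expected behind each extension. A .doc may
# be either a binary compound document or RTF text (Word opens both), but a .wri
# should only ever be a Write document.
EXPECTED_TYPES = {
    ".wri": {"write"},
    ".rtf": {"rtf"},
    ".doc": {"ole2-compound", "rtf"},
}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-compound"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if len(data) >= 2 and struct.unpack("<H", data[:2])[0] in WRI_IDENTS:
        return "write"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the type implied by the extension with the type sniffed from content.

    A mismatch (e.g. a .wri whose contents are an OLE2 compound document) is the
    renamed-document pattern discussed in the thread: quarantine it for review
    instead of handing it to the application associated with the extension.
    Extensions with no entry in EXPECTED_TYPES are passed through unchanged.
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_type(data)
    expected = EXPECTED_TYPES.get(ext)
    mismatch = expected is not None and detected not in expected
    return {
        "filename": filename,
        "extension": ext,
        "detected": detected,
        "mismatch": mismatch,
        "action": "quarantine" if mismatch else "deliver",
    }


def scan_attachments(attachments):
    """Run the check over (filename, bytes) pairs and return one verdict per file."""
    return [check_attachment(name, data) for name, data in attachments]


# Constructed sample attachments: headers plus zero filler, not real documents.
SAMPLE_ATTACHMENTS = [
    # Genuine Write document: wIdent 0xBE31 little-endian, then zeroed header fields.
    ("notes.wri", struct.pack("<H", 0xBE31) + b"\x00" * 30),
    # Legacy binary Word document with its proper extension.
    ("contract.doc", OLE2_MAGIC + b"\x00" * 24),
    # RTF text saved with a .doc extension: unusual but legitimate, so no mismatch.
    ("memo.doc", b"{\\rtf1\\ansi Hello}"),
    # A compound document renamed to .wri so that file association sends it to
    # the WordPad converter instead of Word: the case the thread is about.
    ("quote.wri", OLE2_MAGIC + b"\x00" * 24),
    # Unknown content behind an extension we hold no expectation for.
    ("readme.txt", b"plain text"),
]

if __name__ == "__main__":
    for verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict['filename']:14} {verdict['detected']:14} -> {verdict['action']}")
```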

    101. Re:I don't understand by Anonymous Coward · · Score: 0

      No, the mime type as detected by the system - not specified by the email.
      E.g. the file command on Linux.

    102. Re:I don't understand by Anonymous Coward · · Score: 0

      The logic of 'they deserve it' also lets the criminal off the hook. If someone gets what they deserve, it's hard to see why the person who perpetrated that is guilty of anything in a moral sense.

      Guilt is not a zero-sum game, you don't need to divide it up. They're both guilty, and nobody gets off the hook.

  2. That's good thinking... by Loibisch · · Score: 5, Insightful

    Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.

    Clever.

    1. Re:That's good thinking... by moderatorrater · · Score: 5, Informative

      They've been doing this for over a year now at least. It's the greatest weakness in patch tuesday and shows how monopolies are often caught between a rock and a hard place. Corporations demand a set cycle for patches, but if you do that then the attackers can optimize their attacks so that they arrive one month from when the next patches come out. It's a lose-lose situation for them.

    2. Re:That's good thinking... by _Sprocket_ · · Score: 4, Interesting

      Not at all. You see - exploits are only developed by analyzing patches. What you have here is a very advanced malware developer. For they had gazed on the patch and, instead of seeing the vulnerabilities being patched, they saw the one that was not. It's all very Zen.

      Actually - it's not the first time Microsoft's patch cycle has been gamed.

    3. Re:That's good thinking... by Ilgaz · · Score: 1

      MS is really serious about Patch Tuesday? E.g. if a hotfix to that issue is found, will they wait until Tuesday to release it? They fixed that server service issue before, outside normal patching time, about weeks ago.

    4. Re:That's good thinking... by FranTaylor · · Score: 1

      sed -e 's/only/often/g'

    5. Re:That's good thinking... by akad0nric0 · · Score: 1

      Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.

      Clever.

      What makes you think MS released their advisory as soon as they learned about the exploit?

      --
      akad0nric0

      This sentence no verb.
    6. Re:That's good thinking... by I)_MaLaClYpSe_(I · · Score: 1

      Well, that server service thing was patched out of cycle because it was "wormable". Thus, you could easily turn it into a worm like Sasser. Of course, such worms are already out there now but imagine if there would have been worms exploiting this before MS had a patch available. All defcon levels would have been raised, including the ISC's warning levels.

      I personally do hope that MS will patch this sooner but I do not expect it. I have instead blocked the .wri extensions at the perimeter.

    7. Re:That's good thinking... by Culture20 · · Score: 1

      Corporations demand a set cycle for patches

      Any corporation large enough to demand something from Microsoft is large enough that it will have at least two or three people testing patches for their environment before deployment anyway, so vendor patch cycles are pointless.

    8. Re:That's good thinking... by Anonymous Coward · · Score: 0

      Not really....

      I have used windows since version 3 up to vista and every iteration in between including server and workstations and one thing I have NEVER had happen to me is to be compromised by a virus. I have never been hacked and I have never had any really nasty spyware on my pc (although I have had some of the obnoxious pop up producing kind from time to time). Am I lucky? Maybe... But here's what I do know. As long as I have worked with computers I have always kept my OS and every program with the ability to be updated patched to its current level. I usually upgrade to the newest version of all software that I run, provided that software is stated to work with the OS I am using. I always accept every MS Patch, critical and optional unless it's obvious I don't need it (like additional language packs) and thus my pc is always protected. I don't have a firewall and I don't run a virus scanner on either my home pc, work pc (I am an admin and have removed it) nor my webserver and I promise you no one is hacking it. I do have spyware scanners because that crap finds its way on a machine just by being connected to the internet. I regularly download torrents both for cracked software and legit software and not once (ok once) has there ever been a virus in the download but my download manager caught it and I promptly deleted the file before opening it. Of course I also don't do stupid shit like clicking on popup ads or downloading free software (with the 100 programs attached to it that I don't want or need). I say all of this to make the point that it's not Microsoft who is to blame here. Take 90+ percent of computer users world wide and put them on linux and trust me within a few weeks, linux would be the most hacked, virus prone OS and this whole stupid argument about MS would be reversed. Remember, most of the shady people who create viruses and hack software use windows, just like the world. And another thing, if MS makes such crappy software, stop using it. Stop talking about it, and go off into your dark corner and play with your linux box. MS makes wonderful software and marketing giant or not, they must be doing something right because I have heard this argument again and again about how bad MS is and how linux will take over and how macs are better and how this distro and that distro is the newest greatest best "est".... But here we are, it's almost 2009 and MS is still winning the game and I don't know how many of you have worked with Windows 2008 or have seen what's coming in Windows 7 but (and I know we'll always have to continue to hear how MS stole this idea and rehashed that idea from linux etc. etc. etc.) if the reports are correct, the next version of windows will be the most stable and secure OS they have ever released and perhaps the best OS ever released period. Does MS Windows have issues, sure, but so does linux. It's just hard to see how bad it is when only 12 people in the world use it (obvious exaggeration). So please give it a rest already. If you hate windows, don't use it and shut the hell up about it. Because more than 90% of the world including a shit load of you slashdotters use it too and love it. To me when you spend so much of your energy negatively bashing your competition, you must be losing to that competition and it's eating you up inside. Relax... the world and life itself should not be taken so damn seriously. WOOO SAHHHHHH!

  3. no problem by gEvil+(beta) · · Score: 5, Funny

    Pffff. What could possibly happen in only a month?

    --
    This guy's the limit!
    1. Re:no problem by Anonymous Coward · · Score: 0

      i see what you did thayre.

    2. Re:no problem by maugle · · Score: 1

      Pffff. What could possibly happen in only a month?

      "They've broken through! Take cover!!!"
      "They're coming this way! Run! RU--"
      "There's no escape!"
      "The fools! Why did they connect the Santabots to the Internet?!"
      "And why were they armed?!"

    3. Re:no problem by Anonymous Coward · · Score: 0

      yea what can possibly happen its not like they can get cont... over the system and stop the networ...

  4. ::yawn:: nothing to see here, as usual. by Shados · · Score: 5, Informative

    From the article (i know I know, slashdot...), Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable. I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003 (which is quite popular), but for people at home, if your machine is up to date, you're fine.

    So seriously, what's the big deal?

    1. Re:::yawn:: nothing to see here, as usual. by ed.mps · · Score: 4, Insightful

      Microsoft said that the WordPad converter bug requires some help from the user, who must be tricked into actually opening a malicious file -- most likely delivered as an e-mail attachment.

      exploiting the weak link in the chain: your average user

      --
      !sig
    2. Re:::yawn:: nothing to see here, as usual. by AGSHender · · Score: 5, Informative

      Well, considering that like many businesses that rely on specialized pieces of software to function (mine in particular being a law firm), we have held off on deploying both XP SP3 and not even put thought into Vista because our document management software and change-tracking/metadata scrubbing software are incompatible with anything above XP SP2 for the moment.

      We can't keep entirely up to date because it breaks the software my firm relies on, and replacing them isn't an option. From my experience at the law firms I've worked at, they move at one of two speeds: slowly or not at all.

    3. Re:::yawn:: nothing to see here, as usual. by AGSHender · · Score: 1

      Oh, you mean like the nine servers behind the locked door next to me running Windows 2000 Server SP4? The ones that the firm relies on but doesn't want to or can't afford to upgrade/replace? Assholes, truly.

    4. Re:::yawn:: nothing to see here, as usual. by Anonym1ty · · Score: 1

      Well.. All THEIR base are belong to us.

    5. Re:::yawn:: nothing to see here, as usual. by Shados · · Score: 3, Informative

      If you have servers that old that you can't upgrade, that's fine (I mean, Win2k Server is still supported until 2010 I think? So that's fair).

      Just be careful about what you do while you're logged in (as you always should on a server anyway). I agree it IS unacceptable for something like this to happen on a supported OS, but my original post merely pointed out that it's not like everyone will get hacked by doing nothing tomorrow. It only affects 2 versions of Windows if you're up to date, and only if you touch a malicious file. The people using these 2 versions still probably know what they're doing (I don't think grandma is using WinServer 2003).

    6. Re:::yawn:: nothing to see here, as usual. by Anonymous Coward · · Score: 0

      The same locked up 2000 Servers that unless they're terminal servers won't be opening e-mailed .wri files? Unless you're an incompetent administrator that is.

    7. Re:::yawn:: nothing to see here, as usual. by clone53421 · · Score: 1

      Meh... just set your server to block all e-mails with .wri attachments and you should be ok as far as this particular exploit is concerned.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    8. Re:::yawn:: nothing to see here, as usual. by Anonymous Coward · · Score: 0

      While I understand the problem that critical custom software forces businesses to be slow to deploy updates, what I don't understand is ignoring the problem that they are leaving their critical machines vulnerable.

      Yes it's the proverbial horns of dilemma, but it's one that's been going on for years -- businesses have got to deal with this critical business problem. Obviously relying on Microsoft and their software vendor doesn't work. At this point it's clear negligence by the business, and likely actionable by affected clients and investors.

      [That's a general comment - AGSHender is no doubt a member of the choir.]

    9. Re:::yawn:: nothing to see here, as usual. by Detritus · · Score: 1

      Why not just take an axe to the office router? Not accepting mail with attachments would have the same effect in many businesses.

      --
      Mea navis aericumbens anguillis abundat
    10. Re:::yawn:: nothing to see here, as usual. by Ilgaz · · Score: 4, Insightful

      I wouldn't really think long before opening a .wri file. I must admit. .wri doesn't have script etc. capability to start with.

      I am sure most admins didn't set policies about .wri attachments like they did for .doc stuff either. It makes it a big threat since for most people, wri (or RTF) is basically styled text file, nothing else.

    11. Re:::yawn:: nothing to see here, as usual. by beer_maker · · Score: 1

      ... to block all e-mails with .wri attachments ...

      How many businesses do you estimate are still using this one particular format on their business-critical communications?

      --
      Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
    12. Re:::yawn:: nothing to see here, as usual. by Anonymous Coward · · Score: 0

      Perhaps he read it as meaning using .wri attachments to block emails?

    13. Re:::yawn:: nothing to see here, as usual. by Khyber · · Score: 1

      Quite a few. HP does, I know for a fact.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    14. Re:::yawn:: nothing to see here, as usual. by Mashiki · · Score: 1

      Well I didn't miss it, people must not just think too much of us x64 folks, not only did I read the article but I had to read the security advisory to find out.

      Affected Software - Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

      --
      Om, nomnomnom...
    15. Re:::yawn:: nothing to see here, as usual. by jaxtherat · · Score: 2, Funny

      He did specify .wri attachments you know, but the axe thing is equally good in my books.

      --
      http://www.zombieapocalypse.tv/
    16. Re:::yawn:: nothing to see here, as usual. by Shados · · Score: 1

      So it doesn't affect Windows 2000 (is there a 2k 64 bit? and if there is, does it have more than 3 drivers?). So basically, it affects non-updated 64 bit versions of XP, and Windows Server 2003...

      So, a non-updated version of an OS that doesn't see much use because until recently, its driver support sucked (it's quite good now, but back then, ouch), and a version of Windows on which you shouldn't be spending time reading random documents (and it doesn't mention Windows Server 2003 R2... so it's possible that even Windows Server 2003 isn't REALLY affected).

      It's still unacceptable, since those are supported versions of Windows, but the summary really made it seem like the Windows world was about to crumble on itself...

    17. Re:::yawn:: nothing to see here, as usual. by binaryspiral · · Score: 1

      Seriously, it's a big deal for me... SP3 has been politically held off the +1000 workstations I manage.

      Oh wait... maybe if a few hundred get pwned, then the political minds that decided this crap will finally get their just rewards.

      I can only hope...

    18. Re:::yawn:: nothing to see here, as usual. by Anonymous Coward · · Score: 0

      Are you sure holding off on patching XP is necessary? Our company had some problems with some engineering software that was designed for 16bit Windows 3x but it runs fine now in Windows XP with a few tweaks to directory permissions.

      Seems to me a law firm should have a fiduciary responsibility to protect its clients' data.

    19. Re:::yawn:: nothing to see here, as usual. by Mashiki · · Score: 1

      It wouldn't be news if it wasn't bad, or contain doom and gloom.

      --
      Om, nomnomnom...
    20. Re:::yawn:: nothing to see here, as usual. by Nazlfrag · · Score: 1

      Perhaps because your average luser is on XP SP1 at most, and considering perhaps installing SP2, and haven't even heard of SP3.

    21. Re:::yawn:: nothing to see here, as usual. by LingNoi · · Score: 1

      The other 0 day exploit for Internet Explorer works on XP.

    22. Re:::yawn:: nothing to see here, as usual. by Anonymous Coward · · Score: 0

      Non-updated? SP2 is the _current_ version for XP x64 and Server 2003!

    23. Re:::yawn:: nothing to see here, as usual. by jonadab · · Score: 1

      > I am sure most admins didn't set policies about .wri attachments like they did for .doc stuff either.

      The truly paranoid admins who have free rein to do what they want (because their bosses respect their judgment and/or are afraid of them) generally have the mail servers set up to strip email of all attachments and, indeed, everything that's not plain text. (In extreme BOFH cases the attachments go into the bit bucket, and in other cases they are set aside and can be retrieved somehow if they turn out to actually be needed, e.g., you go to the IT guy and say, "Hey, I'm supposed to be getting a quote from B2BCorp for a new high-speed electric paperclip dispenser", and the IT guy finds that one and marks it for delivery.)

      Most systems, however, allow Office-format attachments, because all bosses universally think they need to get those.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    24. Re:::yawn:: nothing to see here, as usual. by beer_maker · · Score: 1

      That's a little sad ... but it explains so much.

      --
      Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
    25. Re:::yawn:: nothing to see here, as usual. by Anonymous Coward · · Score: 0

      For years I've been using Wordpad to open up questionable emailed Word files, under the assumption that it would skip over any script-based attacks in the document. I guess *that* was a bad idea...

  5. Details to come... by Anonymous Coward · · Score: 5, Funny

    I will shortly be posting more details on this exploit in Wordpad format. Stay tuned!

  6. WordPad? by Yvan256 · · Score: 1

    Are .rtf files now unsafe on Windows?

    1. Re:WordPad? by enharmonix · · Score: 1

      Are .rtf files now unsafe on Windows?

      Probably not. The article specifically mentions renaming Word documents to have a .wri extension. Sounds like the formats are the same, and it takes no stretch of the imagination to think that a Word document might house malicious code.

    2. Re:WordPad? by macxcool · · Score: 0

      Not likely. RTF is really just text with extra formatting tags. They aren't binary files like Word documents.

    3. Re:WordPad? by The+MAZZTer · · Score: 1

      Actually it's .wri files, which haven't been savable in Windows since 3.1.

    4. Re:WordPad? by MiniMike · · Score: 2, Interesting

      Are .rtf files now unsafe on Windows?

      .rtf? RTFA!

      Btw, the answer is yes, they are unsafe on Windows, if you want to keep them safe move your .rtf files to a Linux machine asap. But they are not vulnerable to this exploit.

    5. Re:WordPad? by kitsunewarlock · · Score: 1

      You say that about every extension.

      --
      Ginga no Rekshiya Mata Each page.
    6. Re:WordPad? by Madball · · Score: 2, Informative

      Actually it's .wri files, which haven't been savable in Windows since 3.1.

      You can rename or Save As to whatever.wri in any version of Windows.
      Inferring from the content of the advisory at http://www.microsoft.com/technet/security/advisory/960906.mspx , the extension and format really don't matter, except to the extent you can get Wordpad to open the file. It would also work with a .doc extension, but only if you don't have Word installed (which is not vulnerable). To broaden the susceptible audience, .wri will likely be used in an attack because it is always associated to the flawed program (Wordpad), assuming you haven't changed that behavior.

    7. Re:WordPad? by Java+Pimp · · Score: 1

      Are .rtf files now unsafe on Windows?

      Probably not. The article specifically mentions renaming Word documents to have a .wri extension. Sounds like the formats are the same, and it takes no stretch of the imagination to think that a Word document might house malicious code.

      The formats are not the same. The flaw is in the code that converts the Word doc to a format that WordPad can understand. The exploit only requires getting the user to open the file in WordPad.

      You don't "have" to give it a .wri extension. Giving it the .wri extension just makes it easier since the windows file associations will cause explorer to choose WordPad instead of relying on the user to do it.

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
    8. Re:WordPad? by Anthony_Cargile · · Score: 1

      The Complete List of Insecure File Extensions in Windows:

      .com, .cmd, .bat, .wri(NEW!), .rtf(NEW!), .doc, .vba, .exe, .msi, .sys, .dll, .pif, .eml, .pl, .txt, .htm, .ocx, .., .py, /., .TROJAN, ., .sh, .lnk, .doc, .sav, .zip, .vmx, .CLICKHERE!,

      and the list goes on...

    9. Re:WordPad? by clone53421 · · Score: 1

      Don't forget .hta, .wm*, and .mp3...

      oh, and how is .txt insecure?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  7. Re:WordPad exploitable? by Java+Pimp · · Score: 3, Informative

    Send a specially crafted word document (i.e. code embedded) and trick the user into opening it with WordPad (i.e. using the .wri file extension).

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
  8. Re:WordPad exploitable? by Shados · · Score: 5, Informative

    It's not remotely exploitable. From the article, a user has to open a maliciously crafted file. So it's just the fairly typical exploit where a document viewer poorly handles documents it can open.

    It needs user interaction to work, someone has to open a file that they don't trust (I guess it MAY be possible to trick a user into opening the file from the web, since there is a Word viewer that potentially uses the same file converter that is responsible for the exploit).

    Also, XP SP3, Vista and WinServer 2008 aren't vulnerable at all.

  9. Re:WordPad exploitable? by macxcool · · Score: 0

    If you had read the article you would know that a specially crafted file with a Wordpad-associated extension is required. Notepad is next ;-)

  10. Re:WordPad exploitable? by V!NCENT · · Score: 1

    How do you even make a bug there, it's a CS student's first-year project to make a text editor?

    It is a text editor but it can open Word 2002 files. Word files are binary executables, so Wordpad has to be able to launch an executable. The exploit here is a malicious, executable file that when launched, runs and infects the system.

    --
    Here be signatures
  11. Re:WordPad exploitable? by fotbr · · Score: 3, Insightful

    IIRC Wordpad can handle some embedded objects in .rtf (and other??) files. I'm guessing the exploit takes advantage of a vulnerability with one of those embedded types or the handling of them.

    Just a guess, and I'm posting before reading.

  12. Re:WordPad exploitable? by LWATCDR · · Score: 1

    "do you send them a malformed .txt file?"
    Yes.
    Windows 2000 and I think some versions of XP had a way to get a BSOD using type and a malformed text file so why not?
    Actually I think you have to send a malformed DOC or RTF since it is in the file converter utility but I am not sure.
    Doesn't affect me since I have OO for docs and RTF and Notepad++ for .txt files.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  13. Re:WordPad exploitable? by BaronHethorSamedi · · Score: 1
    From the article:

    Microsoft said that the WordPad converter bug requires some help from the user, who must be tricked into actually opening a malicious file -- most likely delivered as an e-mail attachment.

    Apparently it has to do with the conversion process, and, once again, requires a little bit of help. Following the basic precautions that keep you out of most malware-related problems will (hopefully) keep you out of trouble on this one (don't open e-mails from senders you don't know, etc.).

  14. Re:WordPad exploitable? by Java+Pimp · · Score: 4, Informative

    Word files are not binary executables. They are (pre OOXML) binary file formats. I don't know what the exact exploit is (probably some sort of buffer overflow) but the idea is to craft a Word document such that it contains executable code and exploits the flaw in wordpad that causes the executable code to execute.

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
  15. Re:WordPad exploitable? by Surreal+Puppet · · Score: 3, Informative

    This type of bug relies on "glitches" in the memory management (simplifying it a bit...) of the program, not on any high-level misses in the actual mechanisms of the code. Any program written in a programming language without automatic memory management can be exploited in this way, if the programmer "misses his step" somewhere. They can also be devilishly hard to find, because data can be structured and handled in memory in very complex and abstract ways.

  16. The neverending story by Surreal+Puppet · · Score: 1

    It seems this has been going on forever now. The most high-profile cases were the Excel bugs a while back.

    1. Fuzz MS file format handling code until bug is found.

    2. Develop exploit, and mail infected files to high-profile targets.

    3. ???

    4. Profit!

  17. Corrupt Memory, and it works on server 2003 by nathan.fulton · · Score: 3, Informative

    When you're running everything as root, everything can be exploitable. And it looks like this is a character set or file format converter, which is considerably more than simple typing and copy/paste (the extent). From the Security Focus page (discussion tab), it looks like it could be a buffer overflow ("prone to a remote code-execution vulnerability because of...corrupted memory.")

    The info page shows that it does indeed affect Server 2003, one of the more popular versions out there, as noted by another comment.

    1. Re:Corrupt Memory, and it works on server 2003 by Anonymous Coward · · Score: 0

      If you are letting anyone work on Word docs or check their email on a production server, you have far larger issues than this bug.

    2. Re:Corrupt Memory, and it works on server 2003 by t0rkm3 · · Score: 1

      Some people do run Windows 2003 on their desktops for some reason.

      Don't ask me dude... I won't touch the stuff. I've just seen it done.

    3. Re:Corrupt Memory, and it works on server 2003 by Shados · · Score: 4, Informative

      If you have an MSDN Subscription and are a developer, that's actually your best bet (well, now it's Windows Server 2008, which is superior in every way, but...)

      Windows Server editions have been better desktops than their actual "home" or "professional" editions for a while. The only drawback is they are harder to set up initially (2003 and 2008 are fairly locked down by default), and that they have higher hardware requirements (but use the hardware better). Oh, and the price, of course (but if you use it for development purposes, you can use the MSDN version. Even without that, it's expensive, but it's not 10 grand either)

      Add that some stuff only works on Windows Server (let's say, Sharepoint), and unless you feel like running Windows XP or Vista, only to spend 99% of your time in a VM, Windows Server is a vastly superior option.

    4. Re:Corrupt Memory, and it works on server 2003 by RulerOf · · Score: 1

      I ran Server 2003 for quite a while as a Desktop OS to familiarize myself with security and local/group policy. On top of the fact that it was rock solid, my impetus paid off handily.

      On the other hand though, MS Server OSes load more services and have stricter policies that delay startup, logon, logoff, and shutdowns. It's really up to the user.

      These days, I run Server 2008 on a spare machine with considerably lower power requirements than my desktop. I find that XP/Vista are geared more toward what I want to do on a desktop, whereas putting the same functionality into Server 2003 or 2008 that is normally in the desktop OS by default is kind of a pain in the ass. :P

      --
      Boot Windows, Linux, and ESX over the network for free.
    5. Re:Corrupt Memory, and it works on server 2003 by DarkOx · · Score: 1

      What if it's a production terminal server, you insensitive clod?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:Corrupt Memory, and it works on server 2003 by Bryansix · · Score: 1

      Ya, $1200 for every version of Windows Server ever made plus every version of SQL server and every version of Visual Studio ain't bad at all.

    7. Re:Corrupt Memory, and it works on server 2003 by Shados · · Score: 1

      Unfortunately if you want every version of Visual Studio, it's more like 12k... $1200 is for the MSDN Pro subscription, which is missing a lot of stuff. One pro trick though, is if you buy 2 years of MSDN Subscription at once, you fall in the volume licensing agreements, and the second year is like $100, so you save a lot.

      That said, aside from Windows (the desktop version) and Office 2007, in a Premium subscription, all that stuff is for dev use only. Still cool that they give you Windows and Office 2007 now, they didn't use to (it was Office 2003 even long after 2007 came out, for one).

    8. Re:Corrupt Memory, and it works on server 2003 by arkhan_jg · · Score: 1

      Education discounts using MOLP licences are pretty sweet too. Added an extra couple of server 2008 standard licences at our school for sysadmin desktops at ~£90 each. Makes adding the MMC plugins for domain services management a hell of a lot easier for a start.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    9. Re:Corrupt Memory, and it works on server 2003 by Anonymous Coward · · Score: 0

      "running everything as root..."

      If 15 people share a machine, anyone running as root puts everyone's data at risk. Requiring each person to run on their own access restricted account means that if any one person gets burned then at least they didn't take everyone else with them.

      There is a bit of overhead associated with this however. Admins have to be called upon a lot to install things, and even if you have admin rights you'll be repeatedly prompted for your password. Which is in itself a security risk but I won't get into that. Point is, it makes using the machine slightly more annoying but is worth the risk to help protect the data of other people.

      Running as less than root on a machine with only one user is like wearing a seat belt in your office chair. You get all the annoyance without any benefit.

      "Oh no! Malware ate all my data including that picture of me and grandma Trudy who's now dead and can therefore never be replaced. Oh whew! At least all these easily reproduced system files are safe, for a second there I started to get worried."

  18. Re:WordPad exploitable? by ukyoCE · · Score: 5, Insightful

    People know not to open executable files (.exe) and even for more obtuse executables (.scr, .cmd) most systems and mail clients are smart enough to warn that it's executable content.

    For data files like .jpg or .wri, neither the user nor the system probably consider the file dangerous. So these types of exploits should be considered more dangerous than the completely idiotic "e-mail people virus executables".

    Especially considering many of these viruses propagate through address books (i.e. trusted contacts).

    But yes, at least it's not a completely automatic remote exploit.

  19. Re:WordPad exploitable? by Anonymous Coward · · Score: 1, Informative

    Like the 'Bush hid the facts' bug?

  20. Re:WordPad exploitable? by Anonymous Coward · · Score: 0

    The flaw is in the Wordpad Genuine Advantage Authentication Service. A port is left open by the service that can be used to exploit the system as wordpad and the WPGAA service require system privileges.
    (!true)

  21. Re:WordPad exploitable? by V!NCENT · · Score: 1

    My bad.

    From en.wikipedia.org/wiki/Visual_Basic_for_Applications:

    By embedding the VBA IDE into their applications, developers can build custom solutions using Microsoft Visual Basic. It was also built into Office

    Office documents can contain Visual Basic code, so when executed by Wordpad...

    --
    Here be signatures
  22. Re:WordPad exploitable? by Anonymous Coward · · Score: 0

    Here's a fun one: Create an empty file (empty new txt file will do), rename it boo.com, select it in Windows explorer, press the delete key.

  23. Now the hard part... by ptelligence · · Score: 1

    Is tricking users into opening malicious ASCII pr0n files with .wri extensions.

  24. Re:WordPad exploitable? by dedazo · · Score: 5, Informative

    so when executed by Wordpad

    Wordpad does not have the capability to execute those macros, because it does not have an embedded VBA interpreter. The macros are binary gibberish without the VBA runtime, much like a Perl file is just text without the Perl interpreter.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  25. Re:WordPad exploitable? by V!NCENT · · Score: 1

    Maybe Wordpad uses the non-Win32 dlls or something? Could that make some not needed functions accessible by it?

    --
    Here be signatures
  26. execution of arbitrary code via network .. by rs232 · · Score: 1

    "Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable", Shados That's two out of four not affected ..

    'Impact: Execution of arbitrary code via network, User access via network'

    "I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003", Shados

    '"limited and targeted" attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter .. If exploited, a hacker could gain the same rights on a PC as a local user and could remotely execute code'

    http://www.cio.com/article/470080/Another_Microsoft_Bug_Revealed_on_Huge_Patch_Day
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123100

    --
    davecb5620@gmail.com
  27. OMG! RLY? How will the human Race Survive?!?!?11 by Real1tyCzech · · Score: 3, Informative

    Control Panel - Folder Options - File Types - WRI - Edit - Open - Change to Microsoft Word.

    Problem solved.

    Next!

  28. Why is this news? by Anonymous Coward · · Score: 0

    Windows is Exploitable. oooh, BIG surprise. They missed one, just like the bazillion before it that they just now fixed, and the bazillion after that they will fix as people figure them out. Then again, there are the do-it-yourself e-mail viruses: "Please delete your system.ini file. It's infected! All windows systems have this critical error and your private information is stored inside. Instead of coming out publicly with this easy fix, I've forwarded this e-mail to you to tell you the dangers of the system.ini file." A windows user is a virus! Quarantine them all!

  29. ALL versions of Windows? by dafrazzman · · Score: 1

    Not according to the article. From the second paragraph:

    In an advisory posted yesterday, Microsoft said that "limited and targeted" attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. The flawed converter handles Microsoft Word 97 files on Windows 2000 Service Pack 4 (SP4), XP SP2, Server 2003 SP1 and SP2. Newer versions of Windows -- XP SP3, Vista and Server 2008 -- are not vulnerable to the bug, however.

    --
    My preferred name is frazz, but someone keeps taking it. If you see him, tell him I said hi.
    1. Re:ALL versions of Windows? by dafrazzman · · Score: 1

      It would seem I've been beaten to the punch, but I really don't see how the submitter managed to misunderstand the article on such a basic level, with the editor(s) not catching it either.

      --
      My preferred name is frazz, but someone keeps taking it. If you see him, tell him I said hi.
    2. Re:ALL versions of Windows? by CajunArson · · Score: 1

      but I really don't see how the submitter managed to misunderstand the article on such a basic level, with the editor(s) not catching it either.

      Well, if you think the submitter and editors are halfway smart and cynical, then you would think they knew that the vast majority of Windows users are not even at risk but put up the story anyway because it fits their agenda.

      On the other hand, if you think they truly are drooling idiots, then the submitter probably only read the headline of the article, and the editors only half-read the submission before posting it instead of articles that are likely much more interesting.

      It is left as an exercise for the reader to figure out which scenario happened.

      --
      AntiFA: An abbreviation for Anti First Amendment.
    3. Re:ALL versions of Windows? by gazbo · · Score: 1
      Trick question: it's both.

      The editors posted it because they are drooling morons. They see windows...bug...POST!

      The submitter, however, knew exactly what he was doing: ...an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. A phrase carefully worded to be completely true, and yet lead those who don't RTFM to get it completely wrong. It would be impressive if it weren't OH SO FUCKING TEDIOUS.

    4. Re:ALL versions of Windows? by cyberfunkr · · Score: 1

      Unless the Powers That Be(TM) fixed the summary, I think you're putting extra words on the screen or misreading it.

      The key is, "...WordPad Text Converter, a tool included with all versions of Windows." The TOOL exists in all versions of Windows, which as far as I can tell is correct and the summary states clearly.

      But the exploit only works in SOME versions of Windows. Something the summary should have stated but was edited because someone's cut and paste function had a buffer overflow and was truncated.

    5. Re:ALL versions of Windows? by LingNoi · · Score: 1

      Yet it doesn't matter because the article has been updated to include another flaw which does affect IE 7 XP x86.

  30. Fedora bug .. by rs232 · · Score: 1

    'I keep on getting pop-up messages from the packagekitd: "Update Applet Failed to reset client"'

    You must be the only one, I googled on it and got only the one hit .. :) It was posted at 10:22 and the response at 12:23 ...

    "Fedora Core people, are you listening ?!"

    Was it you that posted the question ?

    --
    davecb5620@gmail.com
    1. Re:Fedora bug .. by bytesex · · Score: 1

      I found the same link, and it helpfully tells you to edit xml in certain places. As root. It's not that I can't do it, it's just that it reminds me of how 2009 isn't going to be the year of Linux on the desktop (again).

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    2. Re:Fedora bug .. by Entropius · · Score: 3, Informative

      That's a lot more user-friendly than Windows.

      Linux: "There's a problem. If you're technically able, here is a fix."

      Windows: "There is a problem. You're boned, sorry."

    3. Re:Fedora bug .. by shutdown+-p+now · · Score: 1

      Actually, in this case it's:

      Windows: "There's a problem. You wouldn't have had it if you updated your XP to SP3 as we advised you to do several months ago. You might want to consider doing so now, at least."

  31. Re:WordPad exploitable? Just click by quaero_notitia · · Score: 4, Funny

    You mean all someone has to do is click on an attachment called "biggest breasts ever.wri"? Oh, NOBODY would be that dumb!

    --
    -- Wondering how long until the internet becomes fully corporatist, like television.
  32. Re:WordPad exploitable? by clone53421 · · Score: 1

    It's probably the buffer overflow condition that Java Pimp described.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  33. Re:WordPad exploitable? by clone53421 · · Score: 1

    Nothing happened...

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  34. Re:WordPad exploitable? Just click by Shados · · Score: 2, Informative

    No. Someone has to click an attachment called "biggest breasts ever.wri" while, at the SAME TIME, running a non-updated version of Windows, Windows 2000, or Windows Server 2003. You reduce your attack vector by a significant amount here.

  35. Actually, Microsoft missed patching TWO exploits by Anonymous Coward · · Score: 0

    0-day for Internet Explorer v.7 is in the wild and was not patched yesterday

    http://isc.sans.org/diary.html?storyid=5458
    http://www.vupen.com/english/advisories/2008/3391
    http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/

    Internet users located in China report infections that result when using IE 7 to browse booby-trapped websites. Researchers from McAfee investigated the matter and found the exploits successfully target the Microsoft browser on both Windows XP Service Pack 3 and Vista SP 1.

  36. Re:OT, I know, but not completely by Anonymous Coward · · Score: 0

    Go to Fedora's Koji site (http://koji.fedoraproject.org/koji/) and download the dbus 1.2.8-1, PackageKit 0.3.12-1, and gnome-packagekit (or KDE's equiv). Manually install. It worked for me on both my Fedora 9 and Fedora 10 machines.

  37. Re:WordPad exploitable? by dedazo · · Score: 2, Insightful

    No, it must be a buffer overflow that results from reading the file. Applications can't be made to do things they were not designed to do, but they can be used as tangential attack vectors by forcing them to interact with malicious data.

    Don't open unrequested email attachments from strangers and stop running Windows under an admin account and you'll effectively eliminate the chances of being hit by something like this. These "attacks" are mostly social engineering anyway.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  38. Re:WordPad exploitable? by Kalriath · · Score: 1

    It doesn't do anything. I was expecting something a little more fun than deleting a file.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  39. Re:WordPad exploitable? Just click by Java+Pimp · · Score: 2, Funny

    ... while, at the SAME TIME, running a non-updated version of Windows, Windows 2000, or Windows Server 2003.

    Does it have to be with the same hand?

    j/k

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
  40. Re:WordPad exploitable? by clone53421 · · Score: 1

    In that case, run cmd and type the following:

    debug
    a
    int 18
    int 3
      (blank line)
    g

    It's a little more fun than deleting a file, and I bet you've never seen that error before.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  41. Microsoft file formats... by Anonymous Coward · · Score: 0

    Can anyone list the Windows file formats that HAVEN'T been affected by one or more vulnerabilities? There's .txt, possibly .bmp and .wav... are there any others?

    Dear MS, please answer the following. Once it was discovered that ONE of your programs had a vulnerability that could cause buffer overflows and thereby would allow code-execution, and that this vulnerability was widely exploited by malware authors, why, for the love of God, did you not audit ALL other programs for similar buffer overflow vulnerabilities?

    Does MS really think that these scumbags are as stupid as cartoon criminals in that they'll never try the same exploit twice?

    1. Re:Microsoft file formats... by Anonymous Coward · · Score: 0

      There are known vulnerabilities in some of the parsers for both .bmp and .wav files.

      So I think you're stuck with just .txt

      (posting as AC to save moderations on this thread).

  42. Perhaps not, but... by insllvn · · Score: 2, Funny

    I don't think grandma is using WinServer 2003

    My grandmother still uses Windows ME. I have suggested she update, even offered to do it for her, but she resists, laboring under the delusion that the entire interface would change as drastically as the last time when she switched from an old Mac (and I mean old) to her current machine. I would insist, but at her current rate of adoption she won't actually connect it to the internet before the sun burns down to an ember... All that aside, my gran still uses an outdated version of Windows you insensitive clod!

    1. Re:Perhaps not, but... by ockegheim · · Score: 1

      She'd better be careful not to stick just any floppy disk into that thing!

      --
      I’m old enough to remember 16K of memory being described as “whopping”
  43. Re:WordPad exploitable? by Anthony_Cargile · · Score: 1

    This is not offtopic mods, look it up.

    Specifically, Notepad used to get confused between unicode text and western (or ascii?) 4-3-3-5 strings like the one above and would print them graphically as dashes.

  44. Re:OMG! RLY? How will the human Race Survive?!?!?1 by Ilgaz · · Score: 1

    Will you pay the MS Office price for people who don't have it installed?

  45. Re:OMG! RLY? How will the human Race Survive?!?!?1 by clone53421 · · Score: 1

    In that case, I hear OO.org can open .wri files.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  46. Re:WordPad exploitable? by V!NCENT · · Score: 1

    Thanks for this information as I do not know a lot about the subject.

    [...] and stop running Windows (strike)under an admin account(/strike) and you'll effectively eliminate the chances of being hit by something like this.

    That was taken care of a long time ago ;-)

    --
    Here be signatures
  47. Re:WordPad exploitable? Just click by lord_sarpedon · · Score: 4, Funny

    I'd put a notice at the top of the file. "This naughty image is only compatible with the following versions of Windows: ..."

    I'm sure many victims would kindly downgrade as needed to make my exploit work.

    --
    "Strangers have the best candy" -Me
  48. Re:OMG! RLY? How will the human Race Survive?!?!?1 by Ilgaz · · Score: 2, Informative

    I'd recommend Abiword for "Wordpad" fans: http://www.abisource.com/download/ . It is not a "build from source" thing, it is tiny and comes with an installer. Of course, it is a full-featured Word processor, not a crippled "Write".

    MS figured people happily use Write for their everyday stuff and even offices so they crippled it and shipped "Wordpad", the naming itself is like "This is like Notepad, use real Word for writing things".

    Just install all of the plugins package, it does open and even save them.

  49. Re:OMG! RLY? How will the human Race Survive?!?!?1 by Real1tyCzech · · Score: 1

    OMG! RLY?!?!?! Troll???!

    Replace Microsoft Word with OpenOffice, nitwit.

    Get a life!

  50. Re:WordPad exploitable? by Anonymous Coward · · Score: 0

    On all systems I know, this causes explorer to hang, consuming 100% CPU on one core.

  51. Lame excuse for not doing my homework ... by PolygamousRanchKid+ · · Score: 1

    So tomorrow, instead of telling my teacher, "the dog ate my homework," I can tell her, "WordPad ate my homework, and had the rest of my computer for dessert!"

    It didn't work with, "the cat ate my gym suit" either.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  52. Re:WordPad exploitable? Just click by Shados · · Score: 1

    Yeah...you DO have a point there...

  53. Re:OT, I know, but not completely by foobat · · Score: 1

    This is what the Red Hat Bugzilla is for: https://bugzilla.redhat.com/ . Or perhaps the Fedora forums http://fedoraforum.org/ or perhaps #fedora on freenode.

    Not a windows story on slashdot, because posting about it here is not really going to get it fixed...

  54. Re:Terrorist computer virus infects hospitals by Ilgaz · · Score: 3, Informative

    They don't have such a chance to make it non-vulnerable unless they scrap the entire backwards compatibility.

    A more mad solution would be the thing Apple did. Run the older OS in a virtual machine in its own thread (trublue, MacOS Classic support).

    MS can't take such big decisions, so anything claimed for Windows 7 is a joke. If one can run Wordpad from XP in Windows 7, it is not secure.

  55. Re:OMG! RLY? How will the human Race Survive?!?!?1 by freddy_dreddy · · Score: 0, Flamebait

    Replace OpenOffice with utter crap, dillhole.

    Wrote my thesis on it. OpenOffice is truly the king of all that sucks.

    --
    "Violence is the last refuge of the competent, and, generally, the first refuge of the incompetent" - Thing_1
  56. Re:WordPad exploitable? by Anonymous Coward · · Score: 0

    The macros are binary gibberish without the VBA runtime, much like a Perl file is just text without the Perl interpreter.

    But... Even WITH the Perl interpreter, it's binary gibberish! :-)

  57. Re:WordPad exploitable? by ion.simon.c · · Score: 1

    *blink*

    I don't have a Windows box to test on so....

    This generates a "Privileged Instruction" error, followed by triggering a hardware breakpoint?

  58. Like This Was a Shock. by darkonc · · Score: 1
    So many people saw this coming when Microsoft announced monthly updates. Hackers were obviously going to wait until patch Wednesday to start using new exploits because they now know that they're going to have a full month to use it before MS patches --- and to make things even worse, Microsoft is going to soft-pedal the severity of the attacks so that users don't get too worried.

    Now the hackers really do have Microsoft on their side!

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    1. Re:Like This Was a Shock. by Shados · · Score: 1

      Thing is, too, Microsoft caved in to their users' requests... There's no reason for this. It was originally so sysadmins would have a more stable schedule to test updates, to ease the strain. But with the tools that are provided by MS to manage updates on a network, you can throttle and control them extremely well, decide when you update what on a network of pretty much any size, block certain updates, delay others... So sysadmins really could go at their own pace, with the only drawback that they may not update fast enough after a patch is released and hackers use the patch code to exploit unpatched machines... but that's really the sysadmin's problem (and as we see, it doesn't change anything anyway, like in this situation).

      So they basically just caved in to the demands of sysadmins who can't do their jobs (be it because they suck, or because their employers are morons). It's sad, really.

  59. Here's the Exploit Code by Radhruin · · Score: 2, Interesting

    Here's the exploit code referenced in the article update... The second one apparently works on Vista, too. http://www.milw0rm.com/exploits/7403 http://www.milw0rm.com/exploits/7410

    1. Re:Here's the Exploit Code by Shados · · Score: 1

      I tried it for kicks, and in case I'm doing something wrong, it doesn't work in Vista if IE's protected mode is on (that is, if you didn't disable UAC, pretty much).

      Didn't try without it because I'm too lazy, but it definitely doesn't work on my computer. (Vista SP1, protected mode on)

  60. You know you are too much of a geek... by cp.tar · · Score: 1

    ... when this:

    Anyone stupid enough to get infected this way deserves everything Darwin can throw their way.

    makes you ask "what has all this have to do with the OS kernel?"

    --
    Ignore this signature. By order.
  61. Re:WordPad exploitable? by legirons · · Score: 1

    "do you send them a malformed .txt file?"

    Considering that you can get Visual Studio's text editor to go into rich-text mode and start displaying weird fonts while viewing a plain text file by inserting special control characters, then I wouldn't be sure about plain-text not being exploitable in MS software.

  62. Re:WordPad exploitable? Just click by pairo · · Score: 1

    You don't even have to RTFA to know that there is no patch available.

  63. Re:WordPad exploitable? by Entropius · · Score: 1

    Properly implement sudo (kdesudo, etc.) in a version of Windows that doesn't suck and I might.

  64. Re:WordPad exploitable? by Mozk · · Score: 1

    I think he was using the other definition of remotely, which is admittedly confusing in that context.

    --
    No existe.
  65. When are you fucking morons in the IT industry by Master+of+Transhuman · · Score: 0, Flamebait

    ...going to stop coding fucking buffer overflows and assorted other common software flaws? It's fucking 2009. Why is this shit still happening? Even on Linux I get several security bug patches a week.

    And now after Windows XP has been out for HOW FUCKING LONG, Microsoft gets to issue TWENTY-EIGHT fucking fixes in one month - and at that, manages to miss one or two more?

    Fucking pathetic.

    You programmers better go back to school and start figuring out how to write code that doesn't fucking suck!

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    1. Re:When are you fucking morons in the IT industry by Yunzil · · Score: 2, Funny

      You programmers better go back to school and start figuring out how to write code that doesn't fucking suck!

      I'll get right on that chief. And I asked you to hold the pickles on this burger.

    2. Re:When are you fucking morons in the IT industry by Shados · · Score: 2, Insightful

      To be fair, this comes from a legacy component of Windows, that was not only written long ago, but is also not vulnerable in the latest versions. So they DID learn, just too late.

      It does remind me of the Twilight Princess exploit on the Wii though. With all the trouble game companies go to DRM their shit to hell and beyond, one of their programmers didn't check bounds while reading the save file (not checking bounds when reading a fucking FILE, WHAT THE FUCK), and it got pwned. So Nintendo defeated its own protection scheme. What morons...
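
Surreal+Puppet's comment earlier in the thread (memory-management "glitches" in code without automatic memory management) and the save-file remark just above come down to the same defect: a length read from an untrusted file is acted on before it is checked. The following is an added example, not code from WordPad, from Nintendo, or from anyone in this thread; the record format, the MAX_TEXT buffer size and the sample inputs are all constructed here for illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy "converter" record format (an assumption for this example):
 *     byte 0      tag
 *     bytes 1-2   little-endian length N of the text that follows
 *     bytes 3..   N bytes of text
 * Every length field comes from the file, so it must be checked against both
 * the file size and the destination buffer before any copy takes place.
 */
#define MAX_TEXT 64

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Read the 16-bit little-endian length from a record header. */
static size_t claimed_length(const uint8_t *data)
{
    return (size_t)data[1] | ((size_t)data[2] << 8);
}

/*
 * What a converter that trusts the header does: copy N+1 bytes (text plus
 * terminator) into a MAX_TEXT buffer regardless of N.  This function only
 * computes how many bytes would land past the end of that buffer; it never
 * performs the unsafe copy.
 */
size_t unchecked_overflow_bytes(const uint8_t *data, size_t len)
{
    if (len < 3) return 0;
    size_t n = claimed_length(data) + 1;
    return n > MAX_TEXT ? n - MAX_TEXT : 0;
}

/* Hardened converter: validates N before touching memory. */
enum parse_status parse_record(const uint8_t *data, size_t len,
                               char out[MAX_TEXT], size_t *out_len)
{
    if (len < 3) return PARSE_TRUNCATED;       /* header incomplete */
    size_t n = claimed_length(data);
    if (n > len - 3) return PARSE_TRUNCATED;    /* header promises more than the file holds */
    if (n >= MAX_TEXT) return PARSE_TOO_LONG;   /* text plus terminator would not fit */
    memcpy(out, data + 3, n);
    out[n] = '\0';
    *out_len = n;
    return PARSE_OK;
}

/* Convenience wrapper for callers that only want the verdict. */
enum parse_status verdict(const uint8_t *data, size_t len)
{
    char scratch[MAX_TEXT];
    size_t n;
    return parse_record(data, len, scratch, &n);
}

/* Constructed sample inputs. */
#define BENIGN_LEN 8
static const uint8_t BENIGN[BENIGN_LEN] = { 0x01, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };

/* Header claims 0xFFFF bytes but only 5 follow: must be rejected as truncated. */
static const uint8_t LYING_HEADER[8] = { 0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };

/* 200 bytes of text really are present, but the destination holds only 64. */
#define BIG_LEN (3 + 200)
static uint8_t big_record[BIG_LEN];

/* Fills big_record (tag, length 200, then 200 'A's) and returns its size. */
size_t build_big_record(void)
{
    big_record[0] = 0x01;
    big_record[1] = 200 & 0xFF;   /* 0xC8 */
    big_record[2] = 200 >> 8;     /* 0x00 */
    memset(big_record + 3, 'A', 200);
    return BIG_LEN;
}

const uint8_t *big_record_ptr(void) { return big_record; }

/* Parses the benign sample and returns 1 if it yields the text "hello". */
int benign_yields_hello(void)
{
    char scratch[MAX_TEXT];
    size_t n;
    return parse_record(BENIGN, BENIGN_LEN, scratch, &n) == PARSE_OK
        && n == 5 && strcmp(scratch, "hello") == 0;
}

int main(void)
{
    size_t big = build_big_record();
    printf("benign record parses to \"hello\": %d\n", benign_yields_hello());
    printf("lying header: status %d\n", verdict(LYING_HEADER, sizeof LYING_HEADER));
    printf("oversized record: status %d, an unchecked copy would spill %zu bytes\n",
           verdict(big_record, big), unchecked_overflow_bytes(big_record, big));
    return 0;
}
```

The two rejection paths are deliberately separate: a header that claims more bytes than the file contains is a different failure from a record that is genuinely present but larger than the fixed buffer, and the "would spill" figure is what a fuzzer (step 1 of Surreal+Puppet's list) is effectively searching for when it mutates length fields.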

    3. Re:When are you fucking morons in the IT industry by ConceptJunkie · · Score: 2, Funny

      It's 2009 where you live? What timezone is that?!

      --
      You are in a maze of twisty little passages, all alike.
    4. Re:When are you fucking morons in the IT industry by Anonymous Coward · · Score: 0

      I think he must be in roughly GMT+500.

    5. Re:When are you fucking morons in the IT industry by Culture20 · · Score: 1

      I'll get right on that chief. And I asked you to hold the pickles on this burger.

      He'll get right on that chief. Your next burger won't have any pickles. Nope, no pickles, that's for certain. I always order burgers plain; the spit is easier to spot.

    6. Re:When are you fucking morons in the IT industry by Master+of+Transhuman · · Score: 1

      I see all the asshole programmers on /. decided to moderate this as flamebait, instead of taking the hint.

      Read my lips: Your software is shit.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  66. Re:WordPad exploitable? by SeekerDarksteel · · Score: 1

    The macros are binary gibberish without the VBA runtime, much like a Perl file is just ascii gibberish without the Perl interpreter

    FTFY

    --
    The laws of probability forbid it!
  67. Re:It does NOT need the user to open a file by Anonymous Coward · · Score: 0

    That exploit is for the IE7 0-day, not the wordpad txt converter vulnerability. The IE7 0-day is remotely exploitable, while the wordpad one is not (unless the user opens a maliciously crafted file which happens to launch another malware program that further compromises the system).

  68. This is an exploit for IE by Britz · · Score: 1

    AFAI understood this is an IE exploit. So you expect ppl. that use IE to do that?

    1. Re:This is an exploit for IE by Real1tyCzech · · Score: 1

      To use OpenOffice?

      FFS.... If you people ever want to get people to use OSS, you seriously need to get over your superiority complex.

  69. Re:WordPad exploitable? by jaxtherat · · Score: 1

    People know not to open executable files (.exe) and even for more obtuse executables (.scr, .cmd) most systems and mail clients are smart enough to warn that it's executable content.

    Which people are you referring to then? Surely not the average user.

    --
    http://www.zombieapocalypse.tv/
  70. Re:WordPad exploitable? by binaryspiral · · Score: 1

    I'll introduce you to the average user... they'll open anything that gets through spam/virus scans in their email.

    Even if you tell them not to open anything they didn't expect, they always do.

    Attachments are so exciting to them, it's like a raccoon going after a shiny trinket.

  71. Re:WordPad exploitable? by Sun.Jedi · · Score: 1, Informative

    Mods. Please. Look it up.

    This must be mod-fucktard day.

  72. Re:WordPad exploitable? by Anonymous Coward · · Score: 0

    NTVDM does not support ROM basic.

  73. Wow who'd have thought? by TOGSolid · · Score: 1

    Attacks that revolve around opening fucked up attachments and the usual bugginess of IE. Man, such a novel concept, I know I never would have seen that coming.

    Seriously though, anyone who is still opening up weird attachments and is still using IE deserves to have their computers raped.

    1. Re:Wow who'd have thought? by clone53421 · · Score: 1

      This exploit has nothing to do with IE...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  74. Windows's true form by Anonymous Coward · · Score: 0

    Recent cloud computing simulations have concluded that Microsoft Windows(R) shares the same properties as an ancient hand-crafted Chinese ivory ball.

    http://www.buddhamuseum.com/puzzle-ball_006.html

    They are both bulky, complex and expensive, with multiple layers of interacting holes capable of forming holes at any possible angle in near-infinite combinations.

  75. Not Wild About A New MS Exploit? by hduff · · Score: 1

    At this point in time it does not appear to be wildly used,

    Perhaps hackers will become more enthusiastic about it with time.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  76. Re:WordPad exploitable? by CCFreak2K · · Score: 1

    Properly implement sudo (kdesudo, etc.) in a version of Windows that doesn't suck and I might.

    Wish granted. (Yes I know Windows Vista isn't affected, but the capability you asked for is there.)

    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  77. Re:WordPad exploitable? by andreyvul · · Score: 1

    Agreed. UAC is like sudo but without any short-term memory whatsoever (i.e. the 15-minute auto-OK).

    --
    proud caffeine whore
  78. Plagiarism! :) by wiedzmin · · Score: 1

    I posted it first, over an hour earlier: http://slashdot.org/firehose.pl?op=view&id=2125979

    --
    Bow before me, for I am root.
    1. Re:Plagiarism! :) by Simon+(S2) · · Score: 1

      haha :) but they took mine! :)

      --
      I just don't trust anything that bleeds for five days and doesn't die.
  79. it's amazing... by Anonymous Coward · · Score: 0

    I find it amazing how, given the incredible number of Windows machines being used in botnets, a lot of people here are still downplaying the importance of these 0-day exploits.

    The MS-astroturfers are alive and well

    --
    John Doe

  80. Change the default app file association to Ms-Word by Anonymous Coward · · Score: 0

    Change the default application that opens .wri (OLD Ms-Write files from Windows 3.x, that Wordpad opens) to Microsoft Word (whatever version) & you should be ok. Changing the file extension association here:

    HKEY_CLASSES_ROOT\.wri

    From WORDPAD.EXE (beneath that in the tree of folders), to the same thing the .doc file extension has!

    Just merging THIS .reg file into your registry SHOULD technically do the job:

    ----

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.wri]
    @="Word.Document.8"
    "Content Type"="application/msword"

    [HKEY_CLASSES_ROOT\.wri\PersistentHandler]
    @="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8]

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
    "FileName"="winword8.doc"

    ----

    Technically SHOULD do the job for "proofing you" vs. this attack, until MS issues a patch next month/year January 2009...

    APK

  81. I have to object that by I)_MaLaClYpSe_(I · · Score: 1

    exploits are only developed by analyzing patches.

    Wrong - you see? Exploits are being written by skilled crackers* and security experts alike. But:

    • Finding flaws and creating reliable exploits, as you say, is very Zen.
    • Therefore it does not make sense to waste a 0-day on the broad public. It might have taken you a very long time to find and write, and a worm or a mass exploitation (botnet, autorooter, infected web portal) guarantees you that
      • your secret vulnerability gets detected and patched by the vendor
      • AV & IDS signatures will be added very very soon

    It is much better for a cracker to only use few targeted attacks and stay under the radar of the infosec community.

    The whitehat security researchers might tell Microsoft about the problem, which you can observe as "the vulnerability was privately reported" in those advisories. Those are the vulnerabilities that are found by "hackers" that do not make money out of it.

    And therefore, the blackhats keep their 0-days and those get only patched when the whitehats discover the same vulnerability and report it.

    Apart from that, the creator of the 0-day could possibly also just have a very good tool for finding flaws automatically, or could be good at fuzzing techniques, and might as well just have directed his skills at the program mentioned in the advisories. All I want to say is that it was not necessarily someone who looked at the disassembled code, looking for the patched vulnerability and just realizing (Matrix-like, by "seeing the code") another vulnerability.

    Personally I regard this as unlikely as I know of some very good programs to analyze the patch and find the vulnerability this very patch tries to close but would not show you any other flaws.

    Maybe the cracker got his hands on a description of the patched vulnerabilities that Microsoft gives out to paying customers? And has then targeted the mentioned programs? But as finding some otherwise unspecified flaw in IE is difficult, targeting a small executable is much simpler, and so the attacker might have looked for a flaw and found one that later turned out to be a different flaw than what MS thought of in the early patch announcement. I find this scenario to be especially likely as this would explain why the attacker has wasted a precious 0-day for mass exploitation: he simply thought he would exploit what the MS patch was about to patch. So there would not have been any benefit in keeping that knowledge; instead it would have been most profitable to exploit it before the patch comes!

    I for one imagine a cracker somewhere, now biting into his ass that he disclosed a vulnerability which previously nobody knew of - in a way, not even himself. *g*

    ______
    * call me pathetic for using the correct words. I know, nobody uses them any more

    1. Re:I have to object that by _Sprocket_ · · Score: 1

      All I want to say is that it was not necessarily someone who looked at the disassembled code, looking for the patched vulnerability and just realizing (matrix like by "seeing the code") another vulnerability.

      My post was a mixture of sarcasm, humor, and a disbelief in the idea that releasing patches causes more problems than it solves.

      For the record, I'm also skeptical of the mystical powers often attributed to hackers.

      Having said that - great post.

  82. Re:WordPad exploitable? by UnknownSoldier · · Score: 1

    HOLY SH!T ... just tried it, and verified that bug. Like the wiki says, a bug in IsTextUnicode().

    Yeah, mods are on crack on this one.

  83. Re:It does by Anonymous Coward · · Score: 0

    I just checked, and Write from Windows for Workgroups 3.11 handles Unix-style text files just fine. Also tested Notepad, which doesn't handle them correctly, just to make sure DOSBox wasn't translating them into DOS-style text files on the fly.

  84. It's all about the timing by rderr · · Score: 3, Insightful

    Patch Tuesday, exploit Wednesday. -Rob

  85. Re:WordPad exploitable? by Caetel · · Score: 1

    I'd be willing to bet that the vast majority of users have never heard of a WRI file.

  86. Re:WordPad exploitable? by ratboy666 · · Score: 1

    And that binary format contains calls to Windows(tm) drawing routines. That WAS exploited earlier. This may be similar. Microsoft binary formats had little to do with interchange, and a lot to do with efficiency. Not having to deal with portability issues means that things like drawing DLL parameters were simply "jammed in".

    This increased the attack surface to a major part of the Windows(tm) drawing and rendering code.

    And, since the display driver is running in kernel, it too was part of the attack surface. I had presumed that this was all straightened out, but... who knows?

    The effect is that valid code sequences CAN be dropped into WORD(tm) files, and buffer overflows may extend into rather unexpected places, which can then run the exploit code. Rather clever, actually. It's a clever exploit on "clever" coding. What it should have taught is to review "clever" code, and rip it out.

    On to a real-life story. A patch was developed for a performance enhancement for a BIG Unix installation. The Unix vendor (all names removed to protect the guilty and innocent) had generated the patch internally. It worked, and "saved the day" for the client (a major financial institution). The patch was proposed as an add-in for the regular Unix system; after all, there may be other clients who could benefit. The Unix committee squashed the patch -- it was too clever.

    And that's what SHOULD happen.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  87. Re:WordPad exploitable? by Cow4263 · · Score: 1

    Yes, that is a little more exciting than deleting a file..

    Almost as exciting as copy \ paste.

  88. Re:WordPad exploitable? Just click by benthurston27 · · Score: 2, Funny

    why isn't "biggest breasts ever.wri" underlined it won't let me click on it how do I get the file?

  89. Re:WordPad exploitable? by clone53421 · · Score: 1

    Well, it didn't on XP.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  90. Re:I don't understand - Change File Association by Anonymous Coward · · Score: 0

    This fixes it by altering the file association for the Explorer/IE shell from WordPad.exe to winword.exe (it's immune to this):

    ----

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.wri]
    @="Word.Document.8"
    "Content Type"="application/msword"

    [HKEY_CLASSES_ROOT\.wri\PersistentHandler]
    @="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8]

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
    "FileName"="winword8.doc"

    ----

    Paste what is between the dashed lines only above, into notepad.exe, save it as TYPE "All Files", & on disk as APKMsWordPadBugFix.reg, & then open it using regedit.exe. It will ask if you want to merge this registry file. Do so.

    (That's a fix before Ms issues a fix, because it changes the .wri file extensions' file association from opening in WordPad.exe if you click on any bogus files sent your way, hopefully not, but just in case, & the shell will spawn the process as Microsoft Word, which is immune to this in most modern versions of it, if not all versions)

    An easy fix for anyone just in case, before MS issues a fix...

    APK

  91. EZ enough Fix inside.... apk by Anonymous Coward · · Score: 0

    This patches the bug for Microsoft Office 2003/Microsoft Windows 2003 users by default, & simple to change for later/earlier versions too...

    (Simply by altering the file association for the Explorer/IE shell from WordPad.exe to winword.exe (it's immune to this, & Ms-Word handles old Windows 3.x & NT 3.5x Ms-Write .wri files, just fine...)):

    ----

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.wri]
    @="Word.Document.8"
    "Content Type"="application/msword"

    [HKEY_CLASSES_ROOT\.wri\PersistentHandler]
    @="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8]

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
    "FileName"="winword8.doc"

    ----

    Paste what is between the dashed lines only above, into notepad.exe, save it as TYPE "All Files", & on disk as APKMsWordPadBugFix.reg, & then open it using regedit.exe. It will ask if you want to merge this registry file. Do so.

    (That's a fix before Ms issues a fix, because it changes the .wri file extensions' file association from opening in WordPad.exe if you click on any bogus files sent your way, hopefully not, but just in case, & the shell will spawn the process as Microsoft Word, which is immune to this in most modern versions of it, if not all versions)

    A simple to do, easy fix for anyone, even before MS issues a fix...

    NOTE - POTENTIALLY/POSSIBLY IMPORTANT for users of versions of Office or Word, other than 2003:

    IF you have versions of Ms-Office (Ms-WORD specifically), other than 2003?

    You MIGHT have to change "Word.Document.8", wherever it appears above, to whatever version number yours is, along with the GUID used to do the OLEServer library marshalling/summoning of Word to open .wri files with, instead of Wordpad.exe & that's found in the .doc file association under -> HKEY_CLASSES_ROOT , easily enough)...

    APK

    P.S.=> "We can do this... We HAVE the technology!", I am surprised that MS didn't - it's common-sensically easy!

    I don't see HOW they could have missed this IF it was a KNOWN issue that came up before "Patch Tuesday" 2 days ago, I thought of it in literally 2 seconds, & took maybe 2 minutes to make the file & test it, it works... apk

  92. EZ enough to fix for MS, ahead of time... apk by Anonymous Coward · · Score: 0

    EZ enough fix is below, for the bug for MS Office 2003/MS Word 2003 users by default, & simple to change for later/earlier versions too...

    (Simply by altering the file association for the Explorer/IE shell from WordPad.exe to winword.exe (it's immune to this, & Ms-Word handles old Windows 3.x & NT 3.5x Ms-Write .wri files, just fine...)):

    ----

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.wri]
    @="Word.Document.8"
    "Content Type"="application/msword"

    [HKEY_CLASSES_ROOT\.wri\PersistentHandler]
    @="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8]

    [HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
    "FileName"="winword8.doc"

    ----

    Paste what is between the dashed lines only above, into notepad.exe, save it as TYPE "All Files", & on disk as APKMsWordPadBugFix.reg, & then open it using regedit.exe. It will ask if you want to merge this registry file. Do so.

    (That's a fix before Ms issues a fix, because it changes the .wri file extensions' file association from opening in WordPad.exe if you click on any bogus files sent your way, hopefully not, but just in case, & the shell will spawn the process as Microsoft Word, which is immune to this in most modern versions of it, if not all versions)

    A simple to do, easy fix for anyone, even before MS issues a fix...

    NOTE - POTENTIALLY/POSSIBLY IMPORTANT for users of versions of Office or Word, other than 2003:

    IF you have versions of Ms-Office (Ms-WORD specifically), other than 2003?

    You MIGHT have to change "Word.Document.8", wherever it appears above, to whatever version number yours is, along with the GUID used to do the OLEServer library marshalling/summoning of Word to open .wri files with, instead of Wordpad.exe & that's found in the .doc file association under -> HKEY_CLASSES_ROOT , easily enough)...

    APK

    P.S.=> "We can do this... We HAVE the technology!", I am surprised that MS didn't - it's common-sensically easy!

    I don't see HOW they could have missed this IF it was a KNOWN issue that came up before "Patch Tuesday" 2 days ago, I thought of it in literally 2 seconds, & took maybe 2 minutes to make the file & test it, it works... apk

  93. The problem is not as simple as you mention... by master_p · · Score: 0

    Operating system progress has virtually halted for more than a decade because of the Windows monopoly. THAT is the problem here, not users trying to come to grips with a needlessly complicated and inconsistent tool.

    And what did the open source community do? It duplicated an even older operating system, i.e. Unix.

    There are other factors that affect the development of operating systems:

    • Operating system progress depends on programming language progress. Unfortunately, no one has come up with a safe alternative to the C programming language.
    • CPU designers have minimal security built into CPUs. Process-level security is not adequate; what is needed is a security model within a process. As it is right now, code within a process can access anything in the memory managed by the process.

    Don't think that Unix is any safer than Windows in this case. This bug is analogous to the Unix worm 20 years ago.

    1. Re:The problem is not as simple as you mention... by KiltedKnight · · Score: 1

      And what did the open source community do? It duplicated an even older operating system, i.e. Unix.

      And that operating system has been hardened. It was also designed as a multi-user operating system, unlike Windows, which still has the "single user" mentality. Unix and its derivatives were meant for multiple people to be logged on at the same time. It even deals well with the same person being logged on multiple times from different locations. Try doing that with your Windows box. If you are logged on at the desktop then try to log in with a remote desktop, your desktop session gets logged out.

      Operating system progress depends on programming language progress. Unfortunately, no one has come up with a safe alternative to the C programming language.

      That's because the C programming language does what it does really well. It is a small language that can be easily extended and is not too much of a step above assembler. That is what makes it ideal for writing operating systems, device drivers, and such.

      CPU designers have minimal security built into CPUs. Process-level security is not adequate; what is needed is a security model within a process. As it is right now, code within a process can access anything in the memory managed by the process.

      Well, if you want to go with a pure Intel architecture, you can always implement all four rings... don't expect a whole lot in performance, though. Besides, a CPU in and of itself doesn't need the security. It's the programs that run on it that must enforce what can and cannot be done.

      Don't think that Unix is any safer than Windows in this case. This bug is analogous to the Unix worm 20 years ago.

      Except that bug was patched 20 years ago... unlike several Windows bugs that have been around for years and still haven't been patched.

      --
      OCO is Loco
  94. Wild about exploits by Porchroof · · Score: 1

    " At this point in time it does not appear to be wildly used"

    I think the author meant to say "widely", don't you?

    --
    Fata viam invenient.
  95. Re:WordPad exploitable? by Sun.Jedi · · Score: 1

    Read the OP. He (they) asked a question that was in part very similar to the WordPad bug.

    Mods are, for the most part, fucking stupid when it comes to commonsense.

    Yeah, it's another I hate mods troll -1 post. IDC, won't bother me to see them burn up mod points on my drivel.

  96. Re:WordPad exploitable? by clone53421 · · Score: 1

    Wordpad does the same thing.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  97. Not a traditional overflow by redb0ne · · Score: 1

    As far as the IE vuln goes: this is not a traditional heap overflow; just look at how it is being exploited. In a traditional heap overflow, we'd see them performing some type of allocation foo or shoving a lot of data into a small buffer or something along those lines, but that is not the case here. The block of XML that triggers the vuln is too small and does not have any of the indicating factors of traditional heap overflows. (This should not be confused with the fact that a heap spray is being used in the exploits we've found in the wild; that makes exploitation more reliable, but does not always indicate a heap overflow.) This is a use-after-free. If you debug it, you'll see that memory is free()'d, but dangling references are left to the freed object, so if that block of memory is reallocated and filled with user-controlled data, we can control a virtual function pointer and call into any area of memory we like. This makes exploitation very unreliable: in about 20 tests I ran, roughly 4 of them resulted in an exploitable condition; the others either failed to crash (memory was never reallocated) or crashed in a non-exploitable manner (another uncontrollable structure was allocated in place of the controlled data). There are ways of making these more reliable (someone wrote a paper and presentation on it a year ago wrt an IIS vulnerability), but it isn't easy and doesn't improve reliability all that much. This is a common problem with browsers due to complicated inheritance and a large number of objects that are being handled.
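    The use-after-free pattern redb0ne describes, shown as an added example that is not part of the thread: a toy arena allocator (constructed here so that slot reuse is deterministic rather than dependent on the system heap) re-issues a freed slot while a stale pointer still refers to it, beside a generation-tagged handle, the mitigation side, that refuses the same stale access. All names and the arena itself are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

#define SLOTS 4
#define SLOT_SIZE 32

/* Object with a "virtual" call in its first word, mirroring the virtual
 * function pointer the comment says a stale reference lets you control. */
typedef struct {
    void (*handler)(const char *);
    char name[24];
} Node;

static void benign_handler(const char *n) { (void)n; }

/* Toy fixed-size arena (constructed for this example). Its LIFO free list
 * hands the most recently freed slot straight back, as real allocators
 * commonly do for same-size chunks, so the stale-reference case is
 * deterministic here instead of depending on the system heap. */
typedef union { unsigned char bytes[SLOT_SIZE]; void *align; } Slot;
static Slot arena[SLOTS];
static uint32_t generation[SLOTS];   /* bumped on every free of a slot */
static int in_use[SLOTS];
static int free_stack[SLOTS], free_top;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(generation, 0, sizeof generation);
    memset(in_use, 0, sizeof in_use);
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
}

static int arena_alloc(void) {
    if (free_top == 0) return -1;
    int s = free_stack[--free_top];
    in_use[s] = 1;
    return s;
}

static void arena_free(int s) {
    in_use[s] = 0;
    generation[s]++;                 /* invalidates every older handle */
    free_stack[free_top++] = s;
}

/* A generation-tagged handle: the mitigation side of the example. */
typedef struct { int slot; uint32_t gen; } Handle;
static Handle handle_for(int slot) { Handle h = { slot, generation[slot] }; return h; }

/* Unsafe: a raw pointer that outlives the allocation it points to. */
static Node *raw_deref(int slot) { return (Node *)arena[slot].bytes; }

/* Safe: refuses any handle whose generation no longer matches the slot. */
static Node *checked_deref(Handle h) {
    if (!in_use[h.slot] || generation[h.slot] != h.gen) return NULL;
    return (Node *)arena[h.slot].bytes;
}

/* Returns 1 when the dangling pointer observes the re-issued slot's new
 * contents, i.e. its function pointer is no longer the benign one. */
int demonstrate_dangling(void) {
    arena_reset();
    int s = arena_alloc();
    Node *obj = raw_deref(s);
    obj->handler = benign_handler;
    strcpy(obj->name, "first");
    Node *dangling = obj;                     /* kept after the free */
    arena_free(s);
    int s2 = arena_alloc();                   /* same slot comes back */
    memset(arena[s2].bytes, 0x41, SLOT_SIZE); /* constructed "user data" */
    return s2 == s && dangling->handler != benign_handler;
}

/* Returns 1 when the checked handle correctly rejects the stale access. */
int demonstrate_checked(void) {
    arena_reset();
    int s = arena_alloc();
    Handle h = handle_for(s);
    checked_deref(h)->handler = benign_handler;
    arena_free(s);
    arena_alloc();                            /* slot re-issued, gen changed */
    return checked_deref(h) == NULL;
}
```

    The raw-pointer path is the condition the comment describes (a freed object's memory filled with other data while a reference to it survives); the generation check is one cheap way an allocator or object pool can turn that into a NULL instead of a controlled virtual call.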

  98. Re:WordPad exploitable? by dedazo · · Score: 1

    Other than credential caching, I don't see what the problem is with UAC. Most of the "problems" people claim it has are related to crappy software that thinks it has control of the entire computer. It's not a technical issue, it's a legacy and culture one, and given the circumstances I think UAC is the best possible worst solution.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  99. Re:WordPad exploitable? by dedazo · · Score: 1

    haha, yes, I suppose I should have used Python as the example instead <g>

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  100. Re:stupid is as stupid does... by lpq · · Score: 1

    So someone who doesn't have WORD installed, but thinks they are safe because they only have a converter (WordPad viewer) and no Macro functionality will be screwed.

    So if you use any Open source pdf->text converter, then you are saying users that get infected by opening a pdf in their pdf->text converter are "stupid" and "deserve [shit]"?

    Wouldn't this also correspond to any open source conversion util? I.e. -- your assessment of them being "stupid" -- anyone using a converter from some higher level format to view in a lower level format is "stupid"? What about people who use an HTML viewer? Like a browser? Do they qualify as stupid too?

    Just checking...
    Maybe you could tell everyone which higher level format converters are 'safe'? Please be exhaustive so those who strive not to be 'stupid' will be able to protect themselves...

  101. Re:OMG! RLY? How will the human Race Survive?!?!?1 by Real1tyCzech · · Score: 1

    Agreed on all counts. Abiword is definitely a good replacement.

    That said, wordpad has undergone some serious work (albeit the only work really done on it since it came into existence) for Windows 7. ...of course, you'll get that lovely "ribbon" UI that everyone seems to love to hate, so YMMV.

  102. Re:OMG! RLY? How will the human Race Survive?!?!?1 by Ilgaz · · Score: 1

    I suggest it since I know the user profile of WordPad and Write (yes, true) using people. They just want a fast word processor to do everyday stuff, and some even use it for big text-only things.

    Abiword is both. It is both massively backwards compatible and it has real word processor features which MS would never dare to put in, or it would kill Word sales. Apple has cut some TextEdit features too; the MacOS one was better, I heard.

  103. My good deed for the day by tqft · · Score: 1
    --
    The Singularity is closer than you think
    Quant