Oops! Missed One Fix — Windows Attacks Under Way
CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"
Holding back your zero-day exploits until directly after the MS Patchday... if your bug hasn't been removed, then you have up to a full month of time to abuse it.
Clever.
Exploiting the weak link in the chain: your average user.
People know not to open executable files (.exe) and even for more obtuse executables (.scr, .cmd) most systems and mail clients are smart enough to warn that it's executable content.
For data files like .jpg or .wri, neither the user nor the system probably considers the file dangerous. So these types of exploits should be considered more dangerous than the completely idiotic "e-mail people virus executables".
Especially considering many of these viruses propagate through address books (i.e., trusted contacts).
But yes, at least it's not a completely automatic remote exploit.
I wouldn't really think long before opening a .wri file, I must admit. .wri doesn't have script etc. capability to start with.
I am sure most admins didn't set policies about .wri attachments like they did for .doc stuff either. It makes it a big threat since for most people, .wri (or RTF) is basically a styled text file, nothing else.
That's not called for at all. Many people use WordPad all the time with the implicit notion that it is just a glorified text editor. The vast majority of users likely have no idea that there's enough functionality of Word in WordPad for something like this to happen. Heck, if you had told me a few days ago this was going to occur I'd have said something like "Well, that seems vaguely plausible but extremely unlikely." Finally, software isn't made for you or me. It is made for everyone who is going to use it. Security needs to handle the not so well educated. Many people have had it drilled into their heads not to open .exe files if they don't know where they came from. Opening a .doc file with what appears to be a text editor will appear completely reasonable.
There's no good argument to have "Darwin" throw anything at these people. This should be solved by better programming and better education, not natural selection.