Slashdot Mirror


Oops! Missed One Fix — Windows Attacks Under Way

CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"

40 of 292 comments

  1. I don't understand by veganboyjosh · · Score: 4, Interesting

    How can code in the wordpad text editor leave a machine vulnerable? Can someone explain this in a way that's not super technical? Faulty code in a browser, or similar, I can understand.

    1. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

      I wondered this as well, it couldn't very well be remote code execution or privilege escalation or anything like that, so I opened up the article. It appears that Wordp

    2. Re:I don't understand by V!NCENT · · Score: 5, Informative

      How can code in the wordpad text editor leave a machine vulnerable?

      It can be used to execute a malicious program that makes the system vulnerable. Wordpad just works as a launcher for the malicious program.

      --
      Here be signatures
    3. Re:I don't understand by Anthony_Cargile · · Score: 3, Informative

      Surely not a remote exploit, must be some sort of password retrieval (siw.exe) or something used to compromise a network or else it would not be so "critical". Now would be a good time to peek at the leaked Windows NT code from 2004...

    4. Re:I don't understand by show+me+altoids · · Score: 5, Informative

      It has to trick the user into opening a Word 97 file with Wordpad, which can be done by changing the extension of the file to .wri. So as long as you don't open any attachments to bogus email, you'll be OK. This information is in the article, BTW.

      --
      I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
    5. Re:I don't understand by Anonymous Coward · · Score: 5, Informative

      The attacker sends you a .wri file in an email. By default this will be opened using WordPad. WordPad will attempt to decode the Word97 content of the .wri file and in doing so will trigger some sort of attack code (the article and security advisory are vague about this part).

      Basically, don't open weird files that you find on the internet.

    6. Re:I don't understand by arootbeer · · Score: 5, Informative

      I can only wonder how wordpad of all programs can allow this over some self-made app that does the same thing?

      It's easier to get someone to open a .wri or .doc file than a .exe file.

    7. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

      This information is in the article, BTW.

      In the what, now?

    8. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

      It's very simple, really; the attacker breaks into your home or office, knocks you unconscious with a blunt instrument, boots up your computer and opens Wordpad.

    9. Re:I don't understand by clone53421 · · Score: 5, Funny

      Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    10. Re:I don't understand by eggnet · · Score: 3, Informative

      TextEdit can read and write word docs too. It supports rich text.

    11. Re:I don't understand by darkpixel2k · · Score: 3, Informative

      Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.

      Don't drop the files into the 'document area', drop them onto the 'menu bar' area and they'll open.

      I f*cking hate wordpad, but it's the only thing that recognizes and saves unix line-endings and is installed on every windows box since the beginning of time.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    12. Re:I don't understand by JoshuaZ · · Score: 4, Insightful

      That's not called for at all. Many people use WordPad all the time with the implicit notion that it is just a glorified text editor. The vast majority of users likely have no idea that there's enough functionality of Word in WordPad for something like this to happen. Heck, if you had told me a few days ago this was going to occur I'd say something like "Well that seems vaguely plausible but extremely unlikely." Finally, software isn't made for you or me. It is made for everyone who is going to use it. Security needs to handle the not so well educated. Many people have had it drilled into their heads not to open .exe files if they don't know where they came from. Opening a .doc file with what appears to be a text editor will appear completely reasonable. There's no good argument to have "Darwin" throw anything at these people. This should be solved by better programming and better education, not natural selection.

    13. Re:I don't understand by ozmanjusri · · Score: 3, Insightful

      Anyone stupid enough to get infected this way deserves everything Darwin can throw their way.

      This attitude is why Microsoft products have such a poor record for stability and security.

      Computers SHOULD be designed for people who have no knowledge of the intricacies of operating systems.
      Computers SHOULD be designed to be safe for beginners to use.
      Computers SHOULD be designed so an unintended error does not result in a compromised system.
      Computers SHOULD be designed to be robust enough to use without fear.

      Operating system progress has virtually halted for more than a decade because of the Windows monopoly. THAT is the problem here, not users trying to come to grips with a needlessly complicated and inconsistent tool.

      I HATE the way Microsoft's evangelists have switched to this "Blame the user" mentality to try to shift attention from their failures. It's hypocritical, dishonest, and most of all, it allows them to sit on their laurels and continue serving up variations of the same stale OS they've been facelifting for the past 15 years.

      --
      "I've got more toys than Teruhisa Kitahara."
    14. Re:I don't understand by K. S. Kyosuke · · Score: 3, Informative

      Just read this...

      --
      Ezekiel 23:20
  2. That's good thinking... by Loibisch · · Score: 5, Insightful

    Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.

    Clever.

    1. Re:That's good thinking... by moderatorrater · · Score: 5, Informative

      They've been doing this for over a year now at least. It's the greatest weakness in patch tuesday and shows how monopolies are often caught between a rock and a hard place. Corporations demand a set cycle for patches, but if you do that then the attackers can optimize their attacks so that they arrive one month from when the next patches come out. It's a lose-lose situation for them.

    2. Re:That's good thinking... by _Sprocket_ · · Score: 4, Interesting

      Not at all. You see - exploits are only developed by analyzing patches. What you have here is a very advanced malware developer. For they had gazed on the patch and, instead of seeing the vulnerabilities being patched, they saw the one that was not. It's all very Zen.

      Actually - it's not the first time Microsoft's patch cycle has been gamed.

  3. no problem by gEvil (beta) · · Score: 5, Funny

    Pffff. What could possibly happen in only a month?

    --
    This guy's the limit!
  4. ::yawn:: nothing to see here, as usual. by Shados · · Score: 5, Informative

    From the article (i know I know, slashdot...), Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable. I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003 (which is quite popular), but for people at home, if your machine is up to date, you're fine.

    So seriously, what's the big deal?

    1. Re:::yawn:: nothing to see here, as usual. by ed.mps · · Score: 4, Insightful

      Microsoft said that the WordPad converter bug requires some help from the user, who must be tricked into actually opening a malicious file -- most likely delivered as an e-mail attachment.

      exploiting the weak link in the chain: your average user

      --
      !sig
    2. Re:::yawn:: nothing to see here, as usual. by AGSHender · · Score: 5, Informative

      Well, considering that like many businesses that rely on specialized pieces of software to function (mine in particular being a law firm), we have held off on deploying both XP SP3 and not even put thought into Vista because our document management software and change-tracking/metadata scrubbing software are incompatible with anything above XP SP2 for the moment.

      We can't keep entirely up to date because it breaks the software my firm relies on, and replacing them isn't an option. From my experience at the law firms I've worked at, they move at one of two speeds: slowly or not at all.

    3. Re:::yawn:: nothing to see here, as usual. by Shados · · Score: 3, Informative

      If you have servers that old that you can't upgrade, that's fine (I mean, Win2k Server is still supported until 2010 I think? So that's fair).

      Just be careful about what you do while you're logged in (as you always should on a server anyway). I agree it IS unacceptable for something like this to happen on a supported OS, but my original post merely pointed out that it's not like everyone will get hacked by doing nothing tomorrow. It only affects 2 versions of Windows if you're up to date, and only if you touch a malicious file. The people using these 2 versions still probably know what they're doing (I don't think grandma is using WinServer 2003).

    4. Re:::yawn:: nothing to see here, as usual. by Ilgaz · · Score: 4, Insightful

      I wouldn't really think long before opening a .wri file. I must admit. .wri doesn't have script etc. capability to start with.

      I am sure most admins didn't set policies about .wri attachments like they did for .doc stuff either. It makes it a big threat since for most people, wri (or RTF) is basically styled text file, nothing else.

  5. Details to come... by Anonymous Coward · · Score: 5, Funny

    I will shortly be posting more details on this exploit in Wordpad format. Stay tuned!

  6. Re:WordPad exploitable? by Java Pimp · · Score: 3, Informative

    Send a specially crafted word document (i.e. code embedded) and trick the user into opening it with WordPad (i.e. using the .wri file extension).

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
  7. Re:WordPad exploitable? by Shados · · Score: 5, Informative

    It's not remotely exploitable. From the article, a user has to open a maliciously crafted file. So it's just the fairly typical exploit where a document viewer poorly handles documents it can open.

    It needs user interaction to work, someone has to open a file that they don't trust (I guess it MAY be possible to trick a user into opening the file from the web, since there is a Word viewer that potentially uses the same file converter that is responsible for the exploit).

    Also, XP SP3, Vista and WinServer 2008 aren't vulnerable at all.

  8. Re:WordPad exploitable? by fotbr · · Score: 3, Insightful

    IIRC Wordpad can handle some embedded objects in .rtf (and other??) files. I'm guessing the exploit takes advantage of a vulnerability with one of those embedded types or the handling of them.

    Just a guess, and I'm posting before reading.

  9. Re:WordPad exploitable? by Java Pimp · · Score: 4, Informative

    Word files are not binary executables. They are (pre OOXML) binary file formats. I don't know what the exact exploit is (probably some sort of buffer overflow) but the idea is to craft a Word document such that it contains executable code and exploits the flaw in wordpad that causes the executable code to execute.

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
  10. Re:WordPad exploitable? by Surreal Puppet · · Score: 3, Informative

    This type of bug relies on "glitches" in the memory management (simplifying it a bit...) of the program, not on any high-level misses in the actual mechanisms of the code. Any program written in a programming language without automatic memory management can be exploited in this way, if the programmer "misses his step" somewhere. They can also be devilishly hard to find, because data can be structured and handled in memory in very complex and abstract ways.

  11. Corrupt Memory, and it works on server 2003 by nathan.fulton · · Score: 3, Informative

    When you're running everything as root, everything can be exploitable. And it looks like this is a character set or file format converter, which is considerably more than simple typing and copy/paste (the extend.) From the Security Focus page (discussion tab), it looks like it could be a buffer overflow ("prone to a remote code-execution vulnerability because of...corrupted memory.")

    The info page shows that it does indeed affect Server 2003, one of the more popular versions out there, as noted by another comment.

    1. Re:Corrupt Memory, and it works on server 2003 by Shados · · Score: 4, Informative

      If you have an MSDN Subscription and are a developer, that's actually your best bet (well, now it's Windows Server 2008, which is superior in every way, but...)

      Windows Server editions have been better desktops than their actual "home" or "professional" editions for a while. The only drawback is they are harder to set up initially (2003 and 2008 are fairly locked down by default), and that they have higher hardware requirements (but use the hardware better). Oh, and the price, of course (but if you use it for development purposes, you can use the MSDN version. Even without that, it's expensive, but it's not 10 grand either).

      Add that some stuff only works on Windows Server (let's say, Sharepoint), and unless you feel like running Windows XP or Vista, only to spend 99% of your time in a VM, Windows Server is a vastly superior option.

  12. Re:WordPad exploitable? by ukyoCE · · Score: 5, Insightful

    People know not to open executable files (.exe) and even for more obtuse executables (.scr, .cmd) most systems and mail clients are smart enough to warn that it's executable content.

    For data files like .jpg or .wri, neither the user nor the system probably considers the file dangerous. So these types of exploits should be considered more dangerous than the completely-idiotic "e-mail people virus executables".

    Especially considering many of these viruses propagate through address books (i.e. trusted contacts).

    But yes, at least it's not a completely automatic remote exploit.

  13. Re:WordPad exploitable? by dedazo · · Score: 5, Informative

    so when executed by Wordpad

    Wordpad does not have the capability to execute those macros, because it does not have an embedded VBA interpreter. The macros are binary gibberish without the VBA runtime, much like a Perl file is just text without the Perl interpreter.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  14. OMG! RLY? How will the human Race Survive?!?!?11 by Real1tyCzech · · Score: 3, Informative

    Control Panel - Folder Options - File Types - WRI - Edit - Open - Change to Microsoft Word.

    Problem solved.

    Next!

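The Folder Options steps in the post above change one registry-backed file association, and on more than a handful of machines an admin will want to verify what .wri actually resolves to rather than click through the dialog on each one. The script below is an added example written for this mirror, not code from the thread or from Microsoft. It assumes the per-machine association lives under HKLM:\SOFTWARE\Classes (extension key holding a ProgID, then ProgID\shell\open\command) and that a per-user override, when present, sits under HKCU:\SOFTWARE\Classes and wins; it only reads and reports, so whether the handler is then switched to Word, as the post suggests, stays a separate, deliberate step.

```powershell
# Added example (not from the thread): audit which program the .wri extension
# resolves to, so the Folder Options change above can be verified at scale.
# Assumptions: per-machine associations under HKLM:\SOFTWARE\Classes, per-user
# overrides under HKCU:\SOFTWARE\Classes; layout is <ext> -> ProgID, then
# <ProgID>\shell\open\command. Read-only; nothing is changed.
param([string]$Extension = '.wri')

function Get-ShellOpenCommand {
    param([string]$Root, [string]$Ext)
    $extKey = Join-Path $Root $Ext
    if (-not (Test-Path $extKey)) { return $null }
    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    if (-not $progId) { return $null }
    $cmdKey = Join-Path $Root "$progId\shell\open\command"
    if (-not (Test-Path $cmdKey)) { return $null }
    [pscustomobject]@{
        Root    = $Root
        ProgId  = $progId
        Command = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
}

# HKCU is listed first because a per-user association overrides the machine one.
$results = foreach ($root in 'HKCU:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes') {
    Get-ShellOpenCommand -Root $root -Ext $Extension
}

if (-not $results) {
    Write-Output "$Extension has no shell\open\command registered."
} else {
    $results | Format-Table -AutoSize
    if ($results | Where-Object { $_.Command -match 'wordpad' }) {
        Write-Warning "$Extension still opens with WordPad on this machine."
    }
}
```

Run it as-is to check .wri, or pass `-Extension .rtf` to see what the other WordPad-handled extension resolves to; a warning line means the post's change has not been applied (or has been overridden per user).
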
  15. Re:WordPad exploitable? Just click by quaero_notitia · · Score: 4, Funny

    You mean all someone has to do is click on an attachment called "biggest breasts ever.wri"? Oh, NOBODY would be that dumb!

    --
    -- Wondering how long until the internet becomes fully corporatist, like television.
  16. Re:WordPad exploitable? Just click by lord_sarpedon · · Score: 4, Funny

    I'd put a notice at the top of the file. "This naughty image is only compatible with the following versions of Windows: ..."

    I'm sure many victims would kindly downgrade as needed to make my exploit work.

    --
    "Strangers have the best candy" -Me
  17. Re:Terrorist computer virus infects hospitals by Ilgaz · · Score: 3, Informative

    They don't have such a chance to make it non-vulnerable unless they scrap entire backwards compatibility.

    A more mad solution would be the thing Apple did. Run the older OS in a virtual machine in its own thread (TruBlue, MacOS Classic support).

    MS can't take such big decisions so, anything claimed for Windows 7 is a joke. If one can run Wordpad from XP in Windows 7, it is not secure.

  18. Re:Fedora bug .. by Entropius · · Score: 3, Informative

    That's a lot more user-friendly than Windows.

    Linux: "There's a problem. If you're technically able, here is a fix."

    Windows: "There is a problem. You're boned, sorry."

  19. It's all about the timing by rderr · · Score: 3, Insightful

    Patch Tuesday, exploit Wednesday. -Rob