Slashdot Mirror


Oops! Missed One Fix — Windows Attacks Under Way

CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"

17 of 292 comments

  1. That's good thinking... by Loibisch · · Score: 5, Insightful

    Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.

    Clever.

    1. Re:That's good thinking... by moderatorrater · · Score: 5, Informative

      They've been doing this for over a year now at least. It's the greatest weakness in Patch Tuesday and shows how monopolies are often caught between a rock and a hard place. Corporations demand a set cycle for patches, but if you do that then the attackers can optimize their attacks so that they arrive one month from when the next patches come out. It's a lose-lose situation for them.

  2. no problem by gEvil+(beta) · · Score: 5, Funny

    Pffff. What could possibly happen in only a month?

    --
    This guy's the limit!
  3. ::yawn:: nothing to see here, as usual. by Shados · · Score: 5, Informative

    From the article (I know, I know, Slashdot...), Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable. I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003 (which is quite popular), but for people at home, if your machine is up to date, you're fine.

    So seriously, what's the big deal?

    1. Re:::yawn:: nothing to see here, as usual. by AGSHender · · Score: 5, Informative

      Well, considering that like many businesses that rely on specialized pieces of software to function (mine in particular being a law firm), we have held off on deploying both XP SP3 and not even put thought into Vista because our document management software and change-tracking/metadata scrubbing software are incompatible with anything above XP SP2 for the moment.

      We can't keep entirely up to date because it breaks the software my firm relies on, and replacing them isn't an option. From my experience at the law firms I've worked at, they move at one of two speeds: slowly or not at all.

  4. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

    I wondered this as well, it couldn't very well be remote code execution or privilege escalation or anything like that, so I opened up the article. It appears that Wordp

  5. Details to come... by Anonymous Coward · · Score: 5, Funny

    I will shortly be posting more details on this exploit in Wordpad format. Stay tuned!

  6. Re:I don't understand by V!NCENT · · Score: 5, Informative

    How can code in the wordpad text editor leave a machine vulnerable?

    It can be used to execute a malicious program that makes the system vulnerable. Wordpad just works as a launcher for the malicious program.

    --
    Here be signatures
  7. Re:WordPad exploitable? by Shados · · Score: 5, Informative

    It's not remotely exploitable. From the article, a user has to open a maliciously crafted file. So it's just the fairly typical exploit where a document viewer poorly handles documents it can open.

    It needs user interaction to work, someone has to open a file that they don't trust (I guess it MAY be possible to trick a user into opening the file from the web, since there is a Word viewer that potentially uses the same file converter that is responsible for the exploit).

    Also, XP SP3, Vista and WinServer 2008 aren't vulnerable at all.

  8. Re:I don't understand by show+me+altoids · · Score: 5, Informative

    It has to trick the user into opening a Word 97 file with Wordpad, which can be done by changing the extension of the file to .wri. So as long as you don't open any attachments to bogus email, you'll be OK. This information is in the article, BTW.

    --
    I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
  9. Re:I don't understand by Anonymous Coward · · Score: 5, Informative

    The attacker sends you a .wri file in an email. By default this will be opened using WordPad. WordPad will attempt to decode the Word97 content of the .wri file and in doing so will trigger some sort of attack code (the article and security advisory are vague about this part).

    Basically, don't open weird files that you find on the internet.
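
A defender's view of the trick described in the comments above, as an added example that is not part of the original thread: a mail-gateway style check that flags an attachment whose .wri extension carries OLE2 (Word 97-2003) content instead of a Windows Write file. The function names, the sample attachments, the expected-content policy and the Write header values are assumptions of this example.

```python
import os
import struct

# OLE2 compound-file signature: the container used by Word 97-2003 documents.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Windows Write header wIdent values (assumption: from the published Write format).
WRITE_IDENTS = (0xBE31, 0xBE32)
# Content kinds each extension is expected to carry (policy assumed for this example).
EXPECTED = {".wri": {"write"}, ".doc": {"ole2", "rtf"}, ".rtf": {"rtf"}}


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if len(data) >= 2 and struct.unpack_from("<H", data)[0] in WRITE_IDENTS:
        return "write"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) for one attachment."""
    # Windows ignores trailing dots and spaces, so "x.wri. " still opens as .wri.
    name = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]
    kind = sniff(data)
    if ext == ".wri" and kind == "ole2":
        return ("block", "OLE2 (Word 97-2003) content behind a .wri extension")
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        return ("review", f"{ext} extension but content looks like {kind}")
    return ("pass", f"{ext or 'no extension'} carrying {kind}")


# Constructed sample attachments (headers only, no real documents).
SAMPLES = {
    "minutes.wri": OLE2_MAGIC + b"\x00" * 24,
    "Invoice.doc.WRI. ": OLE2_MAGIC + b"\x00" * 24,
    "notes.wri": struct.pack("<HHH", 0xBE31, 0, 0xAB00) + b"\x00" * 24,
    "report.doc": OLE2_MAGIC + b"\x00" * 24,
    "readme.rtf": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", check_attachment(fname, blob))
```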

  10. Re:I don't understand by arootbeer · · Score: 5, Informative

    I can only wonder how wordpad of all programs can allow this over some self-made app that does the same thing?

    It's easier to get someone to open a .wri or .doc file than a .exe file.

  11. Re:WordPad exploitable? by ukyoCE · · Score: 5, Insightful

    People know not to open executable files (.exe) and even for more obtuse executables (.scr, .cmd) most systems and mail clients are smart enough to warn that it's executable content.

    For data files like .jpg or .wri, neither the user nor the system probably considers the file dangerous. So these types of exploits should be considered more dangerous than the completely-idiotic "e-mail people virus executables".

    Especially considering many of these viruses propagate through address books (i.e., trusted contacts).

    But yes, at least it's not a completely automatic remote exploit.

  12. Re:WordPad exploitable? by dedazo · · Score: 5, Informative

    so when executed by Wordpad

    Wordpad does not have the capability to execute those macros, because it does not have an embedded VBA interpreter. The macros are binary gibberish without the VBA runtime, much like a Perl file is just text without the Perl interpreter.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  13. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

    This information is in the article, BTW.

    In the what, now?

  14. Re:I don't understand by Anonymous Coward · · Score: 5, Funny

    It's very simple, really; the attacker breaks into your home or office, knocks you unconscious with a blunt instrument, boots up your computer and opens Wordpad.

  15. Re:I don't understand by clone53421 · · Score: 5, Funny

    Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.