Attacks Against Unpatched Microsoft Bug Multiply

← Back to Stories (view on slashdot.org)

Attacks Against Unpatched Microsoft Bug Multiply

Posted by kdawson on Tuesday July 14, 2009 @10:59AM from the how-not-to-excel dept.

CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

25 of 122 comments (clear)

server side scanning by gad_zuki! · 2009-07-14 11:07 · Score: 5, Insightful

Why dont web hosts scan for hosted vulnerabilities? I imagine a nightly clamav scan by web hosts would make all the difference in cases like these where there is no patch yet but there is an web-based exploit. Heck, some users dont even patch, as was shown by Conficker, which was patched in October and spread like wildfire in January.
1. Re:server side scanning by koreaman · 2009-07-14 11:32 · Score: 4, Informative
  
  You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?
  If so, probably just a case of lazy and/or clueless administrators.
  
  --
  Le français vous intéresse?
2. Re:server side scanning by PitaBred · 2009-07-14 13:51 · Score: 3, Insightful
  
  Why wouldn't you be able to? Unless you signed some agreement otherwise, or are trying for common carrier status, there's no reason you can't. There's no law against not allowing unwanted advertising to appear on your property. If a Christian site didn't want porn ads, they are not required to carry them because they carry other ads.
  
  --
  My blog. Good stuff (when I remember to update it). Read it.
3. Re:server side scanning by Cstryon · 2009-07-14 15:43 · Score: 3, Informative
  
  I agree that if there is a company that always has faulty products, that people would stop buying products from them. But nobody has stopped using windows (In this case the problem is IE, activex yada yada) because it generally works in most cases, for what people want it for.
  I used to do tech support in a call center. The company I worked for made networking hardware, so the internet service that packaged our products the most, hired us to also do tech support for the customers with our products. Literally, my boss, his boss, as far up the chain at this company I could see, were a bunch of geeks ( we used to have prizes for good performances, that included the WoW expansion). What did they all use? What was working for our customers when it came to our products? What did our quality control guys, and the guys who lay out the plans for these products test them on? Windows.
  Some of our Networking hardware would work on linux, Sometimes we would write drivers for linux, but when I would go and speak to the guys that had to write the software, they hated the linux part. (Of cause the major bullet point here is that not everyone believes Linux to be as practical as you do.)
  So it's a double edged sword, if linux becomes popular, that would be cool! But once it becomes popular, any vulnerability, will be exploited.
  
  --
  Indoctrinate : to instruct especially in fundamentals or rudiments Educate : to develop mentally, morally, or aestheti
4. Re:server side scanning by Stan+Vassilev · 2009-07-14 16:29 · Score: 4, Insightful
  
  You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?
  If you read the small print in the ToS you'll see they entitle themselves to doing anything they could imagine. Even if it was not in the ToS, adding it in there is trivial.
  
  The reason they don't do it is one of pure economy. Integrating and running antivirus programs daily on a server is not free. It slows down the server (so they can pack less sites per server), it means license/support contracts (even if the basic software is free), means the staff spending time on integrating and supporting this feature.
  
  At the same time, browser exploits are simply small static files that don't affect or abuse the server in question in any significant way. If they scan, it would be just to protect the site visitors, which are not a party that matters to web host providers. So, unless site owners decide they would rather take their business with a host who scans, the hosts have no interest to implement this.
5. Re:server side scanning by EvilIdler · 2009-07-14 21:45 · Score: 3, Insightful
  
  How are web hosts going to handle dangerous files they find, if they start searching the users' stuff? That upload of the latest Conficker might not be malicious (user rents serverspace to host virus/trojan/worm research), the upload might be referenced in a database by the CMS (whoops, it's gone - does the user know how to fix the now-apparent bug in the CMS' filehandling?).
  How does a virus scanner even know if the file is visible to the outside world? You have .htaccess files, scripts which may or may not display the files in an index (and it doesn't have to be anywhere near the same directory) and non-Apache/IIS systems which serve up content based on Python, Java or whatever.
  Lots of issues with automated scanning/removal before you even start to consider the processing power to scan. Although that could be handled by having a reasonably beefy cluster of pure file servers which the web servers get their user directories from.
Firefox 3.5? by HTH+NE1 · 2009-07-14 11:08 · Score: 4, Funny

Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.

--
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
1. Re:Firefox 3.5? by Anonymous Coward · 2009-07-14 12:52 · Score: 5, Insightful
  
  That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.
  False analogy. Better analogy:
  It's like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their keyless entry sytem is also flawed but luckily since fewer people drive Chevy's (and Ford drivers are usually foolish enough to park their car in front of a big warehouse with a sign that says "Not a chop shop") no one's bothered to learn how to break in to a Chevy yet.
2. Re:Firefox 3.5? by recoiledsnake · 2009-07-14 13:24 · Score: 4, Insightful
  
  Wrong. The details are public and exploits could be happening in the wild. How do you know they're not?
  From http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html
  
  Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online.
  
  --
  This space for rent.
Re:Ohh noes.... by erroneus · 2009-07-14 11:18 · Score: 5, Interesting

Apparently, a lot given that the attacks are becoming more intense and frequent.
My guess is that when Office installs, various ActiveX controls are linked into the OS and by extension, the web browser MSIE. But there are lots of places where this should never have happened.
1. ActiveX has been proven time and time again to be a very bad idea. It is not sandboxed. There is no way to keep it away from the rest of the OS.
2. The web browser's integration with the OS. Not only has it been ruled illegal by various nations antitrust courts, but any exploit of the browser also exploits the OS by extension.
kill bits by HTH+NE1 · 2009-07-14 11:20 · Score: 5, Informative

A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.
Well, Computer World (and CWmike in particular), perhaps more users would take advantage of the protection if you would provide them a link telling them how when you first mention it rather than wait until the end of the article where they may not associate it as being the aforementioned solution.

--
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
My solution for ActiveX (no, not installing Linux) by istartedi · 2009-07-14 11:25 · Score: 5, Informative

I use the IE security settings. Yes. It works. The only real problem with it, is that they are a bit convoluted for ActiveX. I had to slow down and think before I got what I wanted, which is essentially to have any web site that wants to run ActiveX prompt me, and then I can choose to accept (but virtually never do).
Notice to web developers: If your site requires ActiveX, and it's not an absolutely essential service from a company that I can yell at, I will go someplace else. IIRC, I have one online financial service that fits that category.
Otherwise, I DON'T NEED ACTIVEX. NOBODY REALLY DOES. ANYTHING WORTH DOING CAN BE DONE WITHOUT IT.
And yes, that's shouting. It needs to be shouted loud enough for these people to hear it. It needs to be shouted again, and again. ActiveX belongs with IE6. Actually, it should have been killed off many revs before that. It should have been shot down by somebody who countered the suggestion at the very first meeting where it was discussed. Maybe somebody had the flu that day.

--
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Only 9 posts? by Culture20 · 2009-07-14 11:29 · Score: 5, Funny

Apparently everyone using IE or FF 3.5 is waiting for updates before posting.
Active X again? by Midnight+Thunder · 2009-07-14 11:30 · Score: 3, Funny

With the number of ActiveX related security issues you would have thought they would simply drop it or at least sandbox it?

--
Jumpstart the tartan drive.
1. Re:Active X again? by mkavanagh2 · 2009-07-14 11:42 · Score: 4, Insightful
  
  I believe Microsoft thinks ActiveX is sandboxing.
2. Re:Active X again? by Penguinshit · 2009-07-14 12:00 · Score: 4, Insightful
  
  Sandbox?
  
  What ActiveX needs is a pine box
  
  --
  I have something in common with Stephen Hawking...
3. Re:Active X again? by causality · 2009-07-14 18:44 · Score: 3, Informative
  
  Whores only exist to lure married men from their wives, right? Kill 'em all, right? Just like ActiveX controls, whores have a purpose... not necessarily in line with their intended nature. What should we do with them?
  I think I see the part you're missing that would explain to you why some (including me) think ActiveX is fundamentally flawed.
  
  In terms of security, I think we can agree that the Internet including the Web is rightly regarded as a hostile network. We can also probably agree that good security is done in overlapping layers in order to minimize single points of failure. That's important for many reasons, not the least of which is that a glaring, single point of failure increases both the severity of exploits and the ease with which they may be carried out.
  
  The problem with ActiveX is the lack of sandboxing. A control has the full privileges of the user running the browser. With XP machines that user tends to be an Administrator, compounding the problem. Trusting this environment to reliably and securely handle remote code on a hostile network is just begging for trouble. The idea is fundamentally flawed and tinkering with it may mitigate the problem but will not fix it. It needs to be abandoned and replaced.
  
  Java is more suitable for this kind of task. That is, the needed sandboxing capabilities are an integral part of its design, which is not the case with the Windows DLL-type ActiveX controls. If you really want a Microsoft solution, Silverlight can run applications (both remotely and downloaded for local off-line use) and has its own sandbox. Even Flash apps are a better idea than ActiveX, which is saying something considering Flash's security history.
  
  A solution with a good sandbox combined with running as an unprivileged user is a hell of an improvement. This means that an attacker who wants to own the machine has multiple hurdles. The more this is the case, the more difficult it is for an automated script to pull off a successful exploit. The fact that the malware is fully automated and can rapidly spread is part of why there are so many botnets and other problems. Think of it as something like a captcha: the more a successful exploit requires a determined human being, the fewer massive botnets there are. Fewer botnets mean less spam and fewer DDoS attacks and the like. Nowhere does the low-hanging fruit of ActiveX (and similarly flawed ideas) fit into that picture.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
They have by Sycraft-fu · 2009-07-14 11:53 · Score: 5, Informative

If you go read the notice, you find out that Vista and Server 2008 aren't affected. Reason is that IE has a sandbox mode on those OSes (Windows 7 too) for things like that. However, it relies on changes to the OS so it hasn't been backported to XP and I don't know that it could be easily.
So yes, they have sandboxed ActiveX, but it applies to newer versions of Windows only.
1. Re:They have by Dunbal · 2009-07-14 14:05 · Score: 3, Interesting
  
  Good thing everyone's bashing Vista like it has no features of value
  No, we bashed it because it didn't have features of $200+ value.
  
  --
  Seven puppies were harmed during the making of this post.
Hear Hear, and let me add.... by wowbagger · 2009-07-14 11:57 · Score: 3, Interesting

Hear hear on your ActiveX rant, and let me add "What you have said about ActiveX also applies to Javascript."
I see too many sites that will have almost every link be of the form <a href="#" onclick="follow_link(some_damn_link.html)"> - in other words the only way to follow the link is to use Javascript. This is just sloppy and stupid-lazy - such pages are usually machine generated, and there is NO REASON why the tool couldn't have filled in an appropriate href.
Yes, there are good uses for Javascript - but do we really want to be allowing J. Random Website to run code in a Turing-complete[*] language on every potential page load? I don't - and that is why I have NoScript installed, and no web site gets to run Javascript by default on MY browser - and since the Securina exploit against Firefox is Javascript based, that reduces (but does not eliminate) my exposure.
([*] - Javascript is as Turing complete as C/C++/Java or whatnot - the only thing that makes it NOT truly Turing-complete is the absence of infinite storage, just like C/C++/Java or whatnot).

--
www.eFax.com are spammers
Re:Ohh noes.... by sc0ob5 · 2009-07-14 12:04 · Score: 4, Informative

You'd be surprised how many people do it. In fact so many people do it where I work that I put a reghack in the logon script to make it so that all XLS files are opened with excel and not IE.
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags",00000008,"REG_DWORD"
I didn't put it in place for this vulnerability though, just because a lot of people use macros and don't know how to save as.
More than multiplying, I'm afraid by Curate · 2009-07-14 12:35 · Score: 3, Funny

These attacks are exploiting a flaw in an ActiveX control for displaying Excel worksheets. Right now they are just multiplying. You just know that they will eventually start adding. What happens if they start subtracting? Let's not even mention dividing at this point. God help us all...
Re:Ohh noes.... by sc0ob5 · 2009-07-14 13:11 · Score: 3, Informative

My users don't have admin rights, elevated privileges via the logon script.
You are totally correct in saying that Office Web components won't be affected, I was just replying to the previous poster. Still anyone worth their weight as an admin wouldn't install Office Web components on anything.
Exploit (FX3.5) by t0y · 2009-07-14 14:15 · Score: 3, Informative

Here's the exploit code for firefox.
Apparently, it should crash and open up calc.exe. On my machine (win7 RC1) it crashes bringing up the error report thingy.
No calc.exe for me. :(

Does this mean I'm "safe"?
Re:Ohh noes.... by OverZealous.com · 2009-07-14 14:20 · Score: 5, Funny

Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.
My head didn't stay unexploded while I wasn't unreading this unstatement.