Slashdot Mirror


Black Hat Talk Demonstrates New Document Exploits

darthcamaro writes "Remember the days of the viruses embedded in email attachments? They're coming back, according to a pair of researchers talking at Black Hat this week: '"If you have installed all Microsoft Office patches and there are no 0 day vulnerabilities, will it be safe to open a Word or Excel document?" TT asked the audience. "The answer is no."'"

35 of 60 comments

  1. Is this really news? by Anonymous Coward · · Score: 3, Insightful

    Anybody worth their salt knows that any attachment can be dangerous. You can hide all sorts of things in them. Especially for files that allow arbitrary things to be embedded in them, like Word documents.

  2. Well duh... by Oxford_Comma_Lover · · Score: 3, Funny

    Of course it's not safe to open the document. It could be a "Starbuck should be a dude" rant.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Well duh... by girlintraining · · Score: 3, Funny

      "Starbuck should be a dude"

      Sir, we're going to have to ask you to leave. Turn in your man card at the front office. You can pick it up on Monday at the Men's Rules Enforcement Department off 7th street. You'll need to explain to them why you, as a heterosexual male, asked to replace a hot female actress with a pudgy male one. Depending on your answer, there may be a fine.

      Thank You,

      The Internetz

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:Well duh... by Ethanol-fueled · · Score: 1, Funny

      Of course it's not safe to open a document when running Windows. My Ubuntu desktop Linux operating system never gets viruses no matter what I open, because it uses a robust security model with actual file permissions. For example, instead of simply clicking "yes" to everything, I also have to enter my password so I know I give things a second thought before executing them.

      Of course, even if Linux just had a Yes/No dialog, I could click "yes" until I'm blue in the face and my system would never get a single virus because it's Linux and Linux doesn't get viruses. UNIX doesn't get viruses either. Even Macs get viruses because they're based on a phone operating system (I/OS) and phone operating systems are made easy to exploit because AT&T have to spy on people for the government.

      Be safe. Be sensible. Be Linux.

    3. Re:Well duh... by Oxford_Comma_Lover · · Score: 1

      Dear Internetz,

      I promise to make it up with lots of Kara/Lee fanfic.

      Kisses,

      OCL

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    4. Re:Well duh... by John+Bresnahan · · Score: 1

      When I tried this, it just said "Permission denied".

      I must be doing it wrong.

    5. Re:Well duh... by cynyr · · Score: 2

      the AC forgot to turn that into an Ubuntu-style tip...

      sudo cat /dev/urandom > /dev/sda

      That should do it for the Ubuntu people.

      For the rest of everybody, clearly this needs to run as root.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    6. Re:Well duh... by PopeRatzo · · Score: 1

      asked to replace a hot female actress with a pudgy male one.

      Why he gotta be pudgy? Can't he be a hot Jack Harkness-style Starbuck?

      Some of us long for the days when the only women in science fiction were the ones with three breasts on the cover of Del Ray paperbacks.

      Three nicely-shaped breasts.

      --
      You are welcome on my lawn.
    7. Re:Well duh... by JAlexoi · · Score: 1

      Are you calling a comma-phile a heterosexual? (Oxford_Comma_Lover)
      ...you insensitive clod!

    8. Re:Well duh... by stderr_dk · · Score: 2

      sudo cat /dev/urandom > /dev/sda

      I don't have an Ubuntu-box (or other "sudo"-using box) at hand, so I can't test it myself, but doesn't the shell try to open /dev/sda before trying to execute sudo? In other words: Before you got root permission.

      I.e. the same reason sort foo >foo gives you an empty file.

      Maybe something like
      cat /dev/urandom | sudo tee /dev/sda >/dev/null
      would work. I think I used something like that last time I had to work around the shell opening std{in,out,err} before executing commands.

      --
      alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
    9. Re:Well duh... by hairyfeet · · Score: 1

      Because having a hot babe you want to bang be your wingman in a bar is just.....well weird? The reason Apollo and Starbuck worked well together was Apollo could be kind of a stick in the mud so Starbuck would come and bail his ass out with the jokes, as a good wingman should. Hot babe? Not only will hot babe make it worse but it will make dude in trouble look even MORE lame, not less.

      As for TFA... attachments are bad mmmkay? What sucks is how many years have we been trying to drum this into users' heads? I know I have since the days of Win 95 and Outhouse Excrement. I have actually sat beside a user and said "DO NOT open that password protected zip, are you nuts? It's a virus!" only to get told "Awww you worry too much! It's from my BFF Kim see? She wouldn't do that" and damned if she didn't do EXACTLY what the email told her to with me practically trying to throw myself in front of the keyboard. That is why as a PC repairman I have this face as my standard face every. single. day.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:Well duh... by Derek+Pomery · · Score: 1

      sudo sh -c "cat /dev/urandom > /dev/sda"

      There you go.
      That's also necessary in Ubuntu 11.04 if you need to attach gdb to a running process...

      sudo sh -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
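The redirection-order point raised in the two comments above (the `sort foo >foo` observation and the `sh -c` / `tee` forms), as an added example that is not from any commenter. It uses temporary directories instead of a disk device and a child `sh -c` in place of sudo: the child's working directory stands in for the context (here, the user identity) that sudo would change, so nothing privileged is touched.

```sh
#!/bin/sh
# Added example: which process opens the target of a redirection?
# mktemp directories stand in for /dev/sda; a child "sh -c" stands in for sudo.
set -u

# 1. The invoking shell opens (and truncates) the target before the command
#    runs, so `sort foo > foo` reads an already-empty file.
truncate_demo() {
    d=$(mktemp -d)
    printf 'b\na\n' > "$d/foo"
    sort "$d/foo" > "$d/foo"
    n=$(wc -c < "$d/foo" | tr -d ' ')
    rm -rf "$d"
    echo "$n"        # 0: the file was emptied before sort ever read it
}

# 2. Redirection written outside the child (`sudo cmd > target` shape):
#    the OUTER shell creates "out" in its own context, before the child runs.
outer_redirect_demo() {
    d=$(mktemp -d); mkdir "$d/outer" "$d/inner"
    ( cd "$d/outer" && sh -c "cd '$d/inner' && echo hi" > out )
    [ -e "$d/outer/out" ] && [ ! -e "$d/inner/out" ] && r=outer || r=inner
    rm -rf "$d"; echo "$r"
}

# 3. Redirection written inside the child (`sudo sh -c "cmd > target"` shape):
#    the child opens "out", so it lands in the child's context.
inner_redirect_demo() {
    d=$(mktemp -d); mkdir "$d/outer" "$d/inner"
    ( cd "$d/outer" && sh -c "cd '$d/inner' && echo hi > out" )
    [ -e "$d/inner/out" ] && [ ! -e "$d/outer/out" ] && r=inner || r=outer
    rm -rf "$d"; echo "$r"
}

# 4. Pipe into tee running in the child (`cmd | sudo tee target` shape):
#    tee, not the outer shell, opens the file.
tee_demo() {
    d=$(mktemp -d); mkdir "$d/outer" "$d/inner"
    ( cd "$d/outer" && echo hi | sh -c "cd '$d/inner' && tee out >/dev/null" )
    [ -e "$d/inner/out" ] && [ ! -e "$d/outer/out" ] && r=inner || r=outer
    rm -rf "$d"; echo "$r"
}

truncate_demo; outer_redirect_demo; inner_redirect_demo; tee_demo
```

The same ordering is why `sudo cmd > file` fails with "Permission denied" on a root-only path: the unprivileged shell opens the file before sudo runs.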
    11. Re:Well duh... by Yamioni · · Score: 1

      Point of all this silliness is that you can hose your 'puter no matter what the OS is; it's just one heck of a lot easier to reinstall a Linux distro than to install Windows, or Mac OS for that matter.

      Lacking experience with Mac OS I do not speak for it. However regarding optimized installs (Silent installs using scripts to select all options beforehand and remove user interaction) Windows 7 will install on my home machine in about 20 minutes and Random Linux Distro in 15-20. If you really need that 5 minutes, you probably should have made images and restored from those instead of reinstalling in the first place. I'll concede that Windows played 2nd fiddle to other OSes with regard to install time for pretty much all of recent history, but Microsoft has made great strides in making it much much much faster than it used to be. Saying that Linux is "a heck of a lot easier" to reinstall now simply isn't true.

      Yami

      --
      Cool post bro, highfive \o
  3. Re:At least I'm safe by Lord+Juan · · Score: 2

    Now that is the definition of a self-defeating post.

  4. Re:At least I'm safe by Sulphur · · Score: 2

    I'm not connected to the internet. Workaround that!

    If you did, then others can.

  5. Re:At least I'm safe by Anonymous Coward · · Score: 1

    I'm not connected to the internet. Workaround that!

    USB stick? Do you install software? Play music from CD? Video from DVD? Send posts to /.?

    At least you THINK you're safe! :-)

  6. In other news... by girlintraining · · Score: 1, Insightful

    In other news, embedding executable code into data files still considered stupid. Researchers continue to emphasize that executable code should only exist in (wait for it) -- executable files!

    Now, we all understand that Intel and Microsoft had drunken money sex one evening and out of that relationship DOS was born... a retarded child that couldn't tell the difference between its food (the data) and the plate (executable code), and regularly ate both.

    I'm just wondering why we're still entertaining this 'precious snowflake' and it's plate-eating habits twenty years on. Didn't we learn from the retarded kid that isolating data from executable code from the hardware level up was the Right Thing?

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:In other news... by networkzombie · · Score: 4, Interesting

      Your argument restricting executable code covers a variety of technologies from OLE to html email. The same reason these technologies suck is also why they are so popular. On one hand you can embed stuff and do more! On the other hand they can embed stuff and do more.

    2. Re:In other news... by SuricouRaven · · Score: 4, Interesting

      A lot of the time that executable code is to do shinystuff, like embed fancy animated charts in documents. One of the worst cases of all is in Windows Media, which will happily run scripts (Exploitable scripts) in media files without prompting or informing the user - and will do this based on magic bytes to identify filetype rather than extension. This led to the proliferation of fake-mp3 malware on p2p networks. The purpose of the scripts is to allow for updating of the DRM technology and to allow for unauthorised media files to automatically direct the player to a website to purchase a licence.

    3. Re:In other news... by Anonymous Coward · · Score: 1

      In other news, embedding executable code into data files still considered stupid.

      Nobody designing data file formats is actually putting in official ways to run executable code. The ability to do that comes entirely from implementation bugs. And no, embedded scripting languages don't count - they're not intended to be able to affect anything outside the document; when they can, it's again always the result of an implementation bug.

    4. Re:In other news... by sjames · · Score: 1

      Embedded scripts certainly DO count! You can RUN them can't you? When you do, they do what the writer wanted, don't they?

      Of course they're not INTENDED to be able to affect anything outside, but in over 10 years, nobody has yet been able to stop them. That's called a failure. Perhaps it's time to rip that 'feature' out.

    5. Re:In other news... by abigsmurf · · Score: 2

      I've seen a lot of fake media files that require you to purchase a licence: you get a "this requires a licence, do you want to retrieve it" type yes/no dialogue and it only takes you to a website on a yes click.

      I'm calling BS on your claim it does anything more than this. If MP3s were exploitable outside of encouraging you to visit a questionable site, you'd see a whole lot more malware infected MP3s sent as email attachments. It's not unthinkable this could be exploited but I doubt it's any easier exploiting that than just generally finding a vulnerability in a common codec. Especially with DEP and ASLR.

    6. Re:In other news... by inglorion_on_the_net · · Score: 2

      The line between code and data is rather fuzzy. In the end, both are big lumps of bytes that will be processed by some software, which will then cause your computer to take certain actions. The problem is that the software processing the bytes will often happily allow things to happen that would generally be considered undesirable (e.g. sending spam).

      In my view, the problem of malware is so persistent because the vast majority of software vendors have an insecure-by-default approach. Software is developed in unsafe languages (allowing exploits like buffer overruns), runs on operating systems that will happily run any code they are told to run, and we are trying to secure this mess by patching the holes after they are found.

      If we wrote software in languages that were memory-safe, this would prevent attacks such as embedding executable code in data files, and getting it to run through buffer overruns. If we used whitelists for software that is allowed to run (I imagine this like the repositories in Debian/Ubuntu/..., where you can choose your own trusted providers), this would stop untrusted code from running.

      This would bring us closer to secure by default, where you would have to do extra work to make your system insecure, instead of having to constantly fight an uphill battle to keep up some semblance of security.

      --
      Please correct me if I got my facts wrong.
    7. Re:In other news... by SuricouRaven · · Score: 1

      I do confess to never having encountered such a file myself, but I have heard from others who have claimed that the file infected them with some form of malware. A likely explanation would be that the website is the true location of the exploit - I imagine WMP would open IE to get the license, which means any scammer not only has a way to lure in visitors but also knows what browser they'll be using and thus what exploits to use.

      MP3 files are not the problem ones. It's WMA/WMV/ASF (all the same internally). The extension is merely changed to make the file look more tempting, as most pirates are looking for mp3 files. WMP doesn't use extension to identify files, so it doesn't care.

      As for the scripts, I think I can answer that. I actually wrote an ASF header study tool years ago, and I believe I recall it... I shall just find the specification from MS.

      http://download.microsoft.com/download/7/9/0/790fecaa-f64a-4a5e-a430-0bccdab3f1b4/ASF_Specification.doc

      That's completely useless, by the way. Microsoft has the format patented, and has threatened to sue at least one independent developer (of Virtualdub) for implementing it without agreeing to their very restrictive (You can read it, note that it specifically prohibits releasing the source of any implementation) license. If you go to section 3.6, script command object... there it is. Scripting support, of a very limited form. The actual script commands available are not defined by the ASF specification, but left to the specific implementation. WMP includes at least the 'open URL' and 'open a specified media file' commands, as those are given as examples, but I don't know just how powerful ASF scripting is.

      Note that ASF, WMA and WMV are identical formats. The extension is merely a convenience to allow video files to be more easily told from purely audio.

    8. Re:In other news... by Carnildo · · Score: 1

      Nobody designing data file formats is actually putting in official ways to run executable code.

      Nobody?

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  7. Re:At least I'm safe by girlintraining · · Score: 1

    If you did, then others can.

    Well yeah, but it's unlikely others will be able to match the level of stupidity displayed by making a statement on a website stating they don't have internet. I mean, certain customer service representatives, perhaps... like the kind that e-mail you your new password after you tell them you're locked out of your e-mail account. But it's unlikely they'd be able to find slashdot if you gave them the name and set google as their homepage, so YMMV.

    --
    #fuckbeta #iamslashdot #dicemustdie
  8. Flash? by unkaggregate · · Score: 2, Insightful

    The reason why the answer is no is because of hybrid document attack techniques. TT explained that in the hybrid document exploit a Flash file is embedded in an Excel or Word document.

    Ok Microsoft... why the hell are you allowing Flash inside Word and Excel documents in the first place?!?

    1. Re:Flash? by game+kid · · Score: 1

      How else do you want Microsoft to support future printable YouTube videos that play right on the paper when you touch them with a pen?

      --
      You can hold down the "B" button for continuous firing.
    2. Re:Flash? by WrongSizeGlass · · Score: 1

      Ok Microsoft... why the hell are you allowing Flash inside Word and Excel documents in the first place?!?

      Because exploits, um, I mean macros via JavaScript & HTML5 won't be available until Office 15.

  9. Re:Did someone say Blackhat, retard, and Microsoft by kvvbassboy · · Score: 2

    NSFW image! Mod down!

  10. Re:Safe to open Word documents in gmail by SuricouRaven · · Score: 1

    I work in IT support. The smarter users are able to figure out the abstract concept of a file. Most of them just know that if they go to 'recent documents' all their stuff is in there. Except when it isn't. Then they call me.

  11. Re:It's not a virus, and require user approval by nonades · · Score: 1

    Will some click ok and run the trojan? Most probably, but that is a different kind of problem for all platforms. If I open a Word document and suddenly IE9 pops up with an access request to run something, the answer *should* be no thanks.

    FTFY

  12. Re:It's not a virus, and require user approval by man_of_mr_e · · Score: 1

    That's why IE8 and 9 (in Vista and 7) have protected mode. It runs the browser in a sandbox that doesn't let the user get attacked in the way you mention (by the way, the phrase "user-mode rootkitting" is an oxymoron. A rootkit requires root access by definition).

  13. "and there are no 0 day vulnerabilities" by Anonymous Coward · · Score: 2, Insightful

    Yes... THAT YOU KNOW ABOUT - of course, if you know about them, they're not zero-day vulnerabilities.

    What a load of crap. YES there are, probably, vulnerabilities that you don't know about (i.e. zero-day vulnerabilities). NO you can't EVER say "there are no 0 day vulnerabilities", because if there are, you won't know about them until you find them! Who the fuck wrote that, anyway? A 0-day vulnerability is a vulnerability that you DON'T KNOW EXISTS.

    Anyone who THINKS that there are no zero-day vulnerabilities is, statistically speaking, WRONG. There are. And therefore, yes:

    If you have installed all Microsoft Office patches ... will it be safe to open a Word or Excel document? ... The answer is no.

    Because a Word or Excel document could always exploit a vulnerability that you DON'T KNOW ABOUT.

    That's sort of the whole fucking point, right?

  14. Re:It's not a virus, and require user approval by Anonymous Coward · · Score: 1

    I remember working in a developer support team for a software component company
    So we were all programmers, and thus computer literate ...
    Strange mails started popping up, so we knew something was wrong ...
    Like someone in the non-technical departments was infected opening a mail from an infected friend lol
    A guy from the IT help desk comes and says: do not click on the attachments!
    Almost everyone answered something like: is it a virus? who got it? and so on ...
    Except one guy, who asked with a feeble voice: we should not click on what?
    lol
    He just got a stern look from everybody else, and an "unplug your machine from the network and wait!"
    lol
    He just had the habit of clicking on everything indiscriminately, like a noob
    Nobody's perfect I guess
    lol