Slashdot Mirror


Black Hat Talk Demonstrates New Document Exploits

darthcamaro writes "Remember the days of the viruses embedded in email attachments? They're coming back, according to a pair of researchers talking at Black Hat this week: '"If you have installed all Microsoft Office patches and there are no 0 day vulnerabilities, will it be safe to open a Word or Excel document?" TT asked the audience. "The answer is no."'"

14 of 60 comments

  1. Is this really news? by Anonymous Coward · · Score: 3, Insightful

    Anybody worth their salt knows that any attachment can be dangerous. You can hide all sorts of things in them. Especially for files that allow arbitrary things to be embedded in them, like Word documents.

  2. Well duh... by Oxford_Comma_Lover · · Score: 3, Funny

    Of course it's not safe to open the document. It could be a "Starbuck should be a dude" rant.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Well duh... by girlintraining · · Score: 3, Funny

      "Starbuck should be a dude"

      Sir, we're going to have to ask you to leave. Turn in your man card at the front office. You can pick it up on Monday at the Men's Rules Enforcement Department off 7th Street. You'll need to explain to them why you, as a heterosexual male, asked to replace a hot female actress with a pudgy male one. Depending on your answer, there may be a fine.

      Thank You,

      The Internetz

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:Well duh... by cynyr · · Score: 2

      The AC forgot to turn that into an Ubuntu-style tip...

      sudo cat /dev/urandom > /dev/sda

      That should do it for the Ubuntu people.

      For the rest of everybody, clearly this needs to run as root.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    3. Re:Well duh... by stderr_dk · · Score: 2

      sudo cat /dev/urandom > /dev/sda

      I don't have an Ubuntu box (or other "sudo"-using box) at hand, so I can't test it myself, but doesn't the shell try to open /dev/sda before trying to execute sudo? In other words: before you have root permission.

      I.e. the same reason sort foo > foo gives you an empty file.

      Maybe something like
      cat /dev/urandom | sudo tee /dev/sda >/dev/null
      would work. I think I used something like that last time I had to work around the shell opening std{in,out,err} before executing commands.

      --
      alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
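The point stderr_dk makes, that the shell opens the redirection target before the command (and therefore before sudo) ever runs, can be shown without going anywhere near a block device. The script below is an added example, not something posted in the thread: it stands in for the unopenable /dev/sda with a path inside a directory that does not exist, works entirely inside a throwaway mktemp directory, and uses a marker file to record whether the command on the left of the `>` or `|` actually executed. The function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): in `cmd > target` the *shell* opens
# `target` before `cmd` is exec'd. A path under a nonexistent directory
# stands in for a file the unprivileged shell may not open (like /dev/sda).
# Everything happens in a throwaway mktemp directory; no devices involved.

redirect_opened_before_command() {
    d=$(mktemp -d)
    marker="$d/ran"
    # The shell's open() of the target fails, so `touch` is never exec'd
    # and the marker file is never created. `sudo cmd > target` fails the
    # same way: the open happens in the caller's shell, not as root.
    touch "$marker" > "$d/missing/out" 2>/dev/null || true
    if [ -e "$marker" ]; then
        rm -rf "$d"
        return 1   # command ran: not what happens with a redirect
    fi
    rm -rf "$d"
    return 0       # command never ran: the shell failed first
}

tee_opens_target_itself() {
    d=$(mktemp -d)
    marker="$d/ran"
    # In `cmd | tee target`, the shell only sets up the pipe; `tee` is the
    # process that opens `target`. So `touch` runs (marker is created) even
    # though tee's own open() of the bad path fails. Run as `sudo tee`,
    # tee would be the privileged process, which is why the pipe form works.
    touch "$marker" | tee "$d/missing/out" >/dev/null 2>&1 || true
    if [ -e "$marker" ]; then
        rm -rf "$d"
        return 0   # command ran: the target was opened by tee, not the shell
    fi
    rm -rf "$d"
    return 1
}

# Stand-alone run: report what each check observed.
redirect_opened_before_command && echo "redirect: command never ran (shell opened target first)"
tee_opens_target_itself        && echo "pipe to tee: command ran, tee opened the target"
```

One caveat for regular files rather than devices: `tee` truncates its target when it opens it, so `cat foo | sudo tee foo` races the reader against the truncation just as `sort foo > foo` does. For a regular file, write to a temporary file and move it into place instead.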
  3. Re:At least I'm safe by Lord+Juan · · Score: 2

    Now that is the definition of a self-defeating post.

  4. Re:At least I'm safe by Sulphur · · Score: 2

    I'm not connected to the internet. Workaround that!

    If you did, then others can.

  5. Flash? by unkaggregate · · Score: 2, Insightful

    The reason why the answer is no is because of hybrid document attack techniques. TT explained that in the hybrid document exploit a Flash file is embedded in Excel or Word document.

    Ok Microsoft... why the hell are you allowing Flash inside Word and Excel documents in the first place?!?

  6. Re:Did someone say Blackhat, retard, and Microsoft by kvvbassboy · · Score: 2

    NSFW image! Mod down!

  7. Re:In other news... by networkzombie · · Score: 4, Interesting

    Your argument restricting executable code covers a variety of technologies from OLE to html email. The same reason these technologies suck is also why they are so popular. On one hand you can embed stuff and do more! On the other hand they can embed stuff and do more.

  8. Re:In other news... by SuricouRaven · · Score: 4, Interesting

    A lot of the time that executable code is to do shiny stuff, like embed fancy animated charts in documents. One of the worst cases of all is in Windows Media, which will happily run scripts (exploitable scripts) in media files without prompting or informing the user - and will do this based on magic bytes to identify filetype rather than extension. This led to the proliferation of fake-mp3 malware on p2p networks. The purpose of the scripts is to allow for updating of the DRM technology and to allow unauthorised media files to automatically direct the player to a website to purchase a licence.

  9. "and there are no 0 day vulnerabilities" by Anonymous Coward · · Score: 2, Insightful

    Yes... THAT YOU KNOW ABOUT - of course, if you know about them, they're not zero-day vulnerabilities.

    What a load of crap. YES there are, probably, vulnerabilities that you don't know about (I.E. zero-day vulnerabilities). NO you can't EVER say "there are no 0 day vulnerabilities", because if there are, you won't know about them until you find them! Who the fuck wrote that, anyway? A 0-day vulnerability is a vulnerability that you DON'T KNOW EXISTS.

    Anyone who THINKS that there are no zero-day vulnerabilities is, statistically speaking, WRONG. There are. And therefore, yes:

    If you have installed all Microsoft Office patches ... will it be safe to open a Word or Excel document? ... The answer is no.

    Because a Word or Excel document could always exploit a vulnerability that you DON'T KNOW ABOUT.

    That's sort of the whole fucking point, right?

  10. Re:In other news... by abigsmurf · · Score: 2

    I've seen a lot of fake media files that require you to purchase a licence: you get a "this requires a licence, do you want to retrieve it" type yes/no dialogue, and they only take you to a website on a yes click.

    I'm calling BS on your claim that it does anything more than this. If MP3s were exploitable beyond encouraging you to visit a questionable site, you'd see a whole lot more malware-infected MP3s sent as email attachments. It's not unthinkable this could be exploited, but I doubt it's any easier exploiting that than just generally finding a vulnerability in a common codec. Especially with DEP and ASLR.

  11. Re:In other news... by inglorion_on_the_net · · Score: 2

    The line between code and data is rather fuzzy. In the end, both are big lumps of bytes that will be processed by some software, which will then cause your computer to take certain actions. The problem is that the software processing the bytes will often happily allow things to happen that would generally be considered undesirable (e.g. sending spam).

    In my view, the problem of malware is so persistent because the vast majority of software vendors have an insecure-by-default approach. Software is developed in unsafe languages (allowing exploits like buffer overruns), runs on operating systems that will happily run any code they are told to run, and we are trying to secure this mess by patching the holes after they are found.

    If we wrote software in languages that were memory-safe, this would prevent attacks such as embedding executable code in data files, and getting it to run through buffer overruns. If we used whitelists for software that is allowed to run (I imagine this like the repositories in Debian/Ubuntu/..., where you can choose your own trusted providers), this would stop untrusted code from running.

    This would bring us closer to secure by default, where you would have to do extra work to make your system insecure, instead of having to constantly fight an uphill battle to keep up some semblance of security.

    --
    Please correct me if I got my facts wrong.