Slashdot Mirror
Duqu Installer Exploits Windows Kernel Zero Day
Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."
Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER
"When information is power, privacy is freedom" - Jah-Wren Ryel
I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?
With a name like "game boy" and a comment about "SMB shares", I think for half a second about this kind of SMB share.
Why / How can a *Word Document* exploit a kernel vulnerability?
I mean really.
I'm impressed Microsoft even acknowledged it. Years ago they would have buried this news, claiming anyone reporting on it was aiding terrorists. I'm looking forward to the fix, when they roll it out in a couple of months.
A feeling of having made the same mistake before: Deja Foobar
I'm sorry, but anyone that lets their Windows / internal servers be contacted by arbitrary packets from the Internet, or their systems allow execution by ordinary users of (at the very minimum, unscanned) email attachments, deserves everything they get.
This isn't news now and wasn't back 20 years ago. If you have to do more than just in a "just-in-case" firewall rule into your network equipment that automatically blocks this particular attack from local users (and which should be impossible to execute directly against the server remotely anyway), then you weren't really doing your job in the first place.
Next you'll be telling me that I shouldn't let filesharing ports open to the world.
But how do you reverse such a hole? Like this.
This kind of advice is classic. Its also pointless.
This kind of attack 'comes' from people or sources you know (Most users are not going to check full headers) - and its spear fishing in nature - so its documents that look viable and realistic.
This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but thats nothing unusual today in infrastructure that is too lose/insecure).
The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.
And thats before you really face up to stux and its game change nature. Now its not just PCs/windows that you have to watch. And thats a whole new ballgame.
so explain to me how Apple doesn't do any of these things? you realize that for a long time now the main method of Jailbreaking their phones has been a PDF exploit that allows you to root the device.. not only is it documented and in actvice use, but it has been there for years now, and they still have not fixed it.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
Get a clue. You don't know what a "kernel vulnerability" is, judging by your rhetoric you seem to think only silly OS's like Windows have them and allow user-land processes to exploit them. Not true.
Hey! Where is Borg Bill? Put it back right now!
>Once again, don't open email attachments from unknown senders.
>unknown senders
If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.
For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.
The "From:" header can be anything, Anon, and it can be trivially set.
Go ahead, blame the victim. It doesn't make you any less of a douche.
--
BMO
There are already OSX Trojans that are effective because Mac users feel invincible because they aren't running Windows. The fact that those exist is a warning to Apple that their market share is getting large enough to be targeted, but nobody seems to care about educating their users.
To offset political mods, replace Flamebait with Insightful.
"A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution." It's an exploit embedded inside a Word document. You can't get more local then that.
do you have a kernel security bug in a word processor?
Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.
I work for the Department of Redundancy Department.
"Duqu consists of a driver file, a DLL (that contains many embedded files), and a
configuration file. These files must be installed by another executable—the installer. The installer registers the
driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe.
From here, the main DLL begins extracting other components and these components are injected into other pro-
cesses. This process injection hides Duqu’s activities and may allow certain behaviors to bypass some security
products."
wipe your disk and reinstall Windows.
I'm Not Antisocial, I'm Just Not User Friendly
Right, So evolution will decide if my servers are going to get hacked or not ? No thanks. I'm so glad i'm running Novell OES right now.
"Duqu consists of a driver file, a DLL (that contains many embedded files), and a
configuration file. These files must be installed by another executableâ"the installer. The installer registers the
driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe.
From here, the main DLL begins extracting other components and these components are injected into other pro-
cesses. This process injection hides Duquâ(TM)s activities and may allow certain behaviors to bypass some security
products."
Apple has fixed the PDF exploits, over and over again. People just keep finding new ones.
And if Appletards believe these exploits are only used for good (jailbreaking) and not evil (spearfishing attacks), they are kidding themselves.
Instead of using email attachments, make it company policy to drop the attachments on a network drive, and instead share intranet links.
Anyone who spear phishes with attachments will fail. Now they will need intranet access, which can be significantly harder to acquire.
:(){
Someone should mod you into oblivion for posting a PCWorld ad for Symantec, because that's all that article is. It even tells people to not only just install anti-malware, but to install Norton, and does not mention any other security companies at all.
--
BMO
Plus, God knows, news from higher-ups never comes in an email itself. Instead, we get emails from the CEO's secretary that say "Please read the attached message from the CEO." I've gotten plenty, so yeah, if I got one, I'd open it. I might know it's a fake if there were grammatical errors or if the secretary's name (which I happen to know) wasn't on there, but otherwise, yeah, it wouldn't be unusual at all.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Once again, don't open email attachments from unknown senders.
Since many web browsers are so helpful nowadays, you don't need to run any executables or open any attachments anymore. Browsers will usually help you by opening malware-ridden PDFs, Flash objects, as well as DOC files. You will not even know they were opened, since malware does not want to be loaded in the open and gets executed in a hidden windows or javascript objects.
>Once again, don't open email attachments from unknown senders.
>unknown senders
If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.
For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.
The "From:" header can be anything, Anon, and it can be trivially set.
Go ahead, blame the victim. It doesn't make you any less of a douche.
-- BMO
The "victim" who runs an insecure and widely-targeted system and then won't learn the most basic things about how to secure it?
Yeah. Totally absurd to think anyone would mess with them. Hey I know. Let's tell them they are total victims. Let's tell them the decisions they make have absolutely no bearing on what they experience. They are merely giant leaves carried by the wind with zero control over their lives. Let's embrace total fatalism just because there are bad people! Nope, no free will here, we rejected that because it might mean telling somebody to wise up and quit being such a wide-open target in the face of well-known threats.
Let's do it in an irritable emotional way that can't resist doing some name-calling, you douche, because disagreement with me is the definition of being a douche. People who approach it that way are always the ones with the truth, dontcha know that from their impeccable logic?
if it infected ds roms, that would be friggin brilliant.
world was created 5 seconds before this post as it is.
The most secure operating system in the world is no match for a user with the root password.
You can't protect an operating system 100% against trojans because you can't fix stupid*.
* and you can't fix lack of knowledge because joe public doesn't care as long as his computer keeps doing what he needs.
There are those who say that the reason OS X has so much less malware is simply because it has a smaller market share. I'm sorry, that's not the reason at all. The reason is because of crap like this where a word processor document can exploit a kernel vulnerability.
so explain to me how Apple doesn't do any of these things?
The previous poster overstates it a bit, but does have a point. When your OS vendor is also your word processor vendor and when the two are coupled tightly using undocumented APIs without regard for security concerns... you have a big problem. Apple also makes a word processor, but does not use undocumented APIs and does not have the same level of exposure area to an exploit (although Apple's application security practices are hit and miss based on the project).
...you realize that for a long time now the main method of Jailbreaking their phones has been a PDF exploit that allows you to root the device..
This is interesting, but sort of proves the point. On the iPhone Apple makes both the PDF rendering libraries, the reader, and the OS and they are tightly coupled (since PDF is used for all the UI elements of the OS as well).
Wait, what does the OS have to do with the mail client, or with what you can embed into what documents? I mean, if you want to discuss awful clients, we could talk about Mac Mail, or I could simply remind you that Outlook and Word are both available for OSX too and hardly count as MS OS features.
As for "random native code on the internet", Im pretty sure Safari et al support NPAPI plugins, which are essentially the same thing, and perhaps a little easier to install than an ActiveX program in IE9.
The reason is because of crap that listens to undocumented TCP/IP ports, onto which an single UDP packet can take over and start spewing itself all over the internet.
If you want to deserve an informative mod, you might want to cite a source on that. Pics, or it didnt happen.
Also, if OSX is so much better, how come at Pwn2Own Every Single Year, OSX / Safari falls first?
(2010 MIGHT have been a tie, or someone else first, but OSX was done on day 1 regardless-- couldnt find the exact order). You will also note that this is DESPITE Apple's attempt to slip in last-minute fixes prior to the contest.
Listen, if you want to rely on your OS to provide "Security" and "Hacker Prevention", go right ahead. The more folks you convince to use your platform, the more quickly the playing field is leveled, and the quicker we see the reality of the situation with regard to OS security. Hope you have your bootkit removal tools ready.
You don't have a kernel security bug in the word processor, you have it in the kernel.
The word processor makes kernel calls all the time; usually wrapped in crt.dll and cpp.dll calls but it's kernel calls in the end.
Opening a file and locking a file requires a kernel call.
blog.sam.liddicott.com
If all you people would stop demanding that word processing files have any networking capabilities, this would stop happening.
Microsoft just provided a way to work easier.
Ok, maybe not, but I'm hard pressed to blame MS for many of these features. They just gave us what we demanded as customers.
I guess the old adage to **never** trust anything that a user can enter wasn't part of this code in MS-Office.
The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions. If this was some undocumented API call in Word, then the exploited function might not validate inputs very well.
:(){
I might know it's a fake if there were grammatical errors
In most companies, you'd know it was bogus if it came from the CEO and *didn't* contain grammatical errors...
So your company lost all its marketing, production & engineering documents for your trade secret widgets & it was due to a Microsoft bug.
Is Microsoft responsible for allowing a Word condition allowing executables in or the Windows OS for having holes?
Or is your company responsible for the total loss of its trade secret intellectual property?
Now who do the aggrieved shareholders sue?
#666 Fall prey to exploit like docx
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
SOPHOS
Free Trials Security News/Trends
Stopping Fake Antivirus
How to keep scareware off your network
Download now.
I found that in my inbox a short while ago. At the time, the irony hit me like a sledgehammer - Sophos wants to make me aware of fake AV, Sophos should be warning me against downloading and installing random shit from the internet - so they invite me to download some random shit from the internet which may or may not be a legitimate random shit. Hmmmm. Yeah - I'll save my clicks, thank you . . . .
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I think you should take your uptight ass for a nice long walk, off of a very short pier. Some of you people seem to have learned nothing in school, except spelling and grammar. It was the only place where you ever earned any praise. Since you are in no way superior to anyone else in any other field, you feel the need to make your inane grammar nazi posts here, there, everywhere.
Sux2bU, huh?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
AHHHH-HAA-HAAA!
I don't read much of anything in my inbasket. I guess that makes me a high level employee?
COO: Did you read my email?
Me: Well, hell no! I'm to busy to read mail.
COO: Well, it said you'd be fired if you didn't read it.
Me: Cool. Six months paid vacation, courtesy of the Employment Commission!
COO: To hell with that, I have some shit jobs that need to be done before you go anywhere.
Me: Well, Fuck you very much, Sir!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I saw this next to the story:
It is important to note that probably no large operating system using current
design technology can withstand a determined and well-coordinated attack,
and that most such documented penetrations have been remarkably easy.
-- B. Hebbard, "A Penetration Analysis of the Michigan Terminal System",
Operating Systems Review, Vol. 14, No. 1, June 1980, pp. 7-20
This works well, right up until the point where you need an attachment from someone outside the company.
Say... the latest revision to a requirements doc being sent back and forth between a client and a vendor...
Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
Give the outside consultant VPN access to a restricted share.
:(){
I haven't seen any mention of whether the document attack vector affects OpenOffice and LibreOffice users as well.
I do not fail; I succeed at finding out what does not work.
Much to learn you still have
The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.
The only good answer (today) to rootkits is host-based scanning. Do everything on VMs, and do your AV from the host. Eventually that too will fall, but so far there aren't any credible "VM escape" attacks (there are some interesting beginnings), so you can keep the host safe, and a rootkit on the guest should present no real obstacle to the host. Sadly, there's not much to choose from to scan from a thin hypervisor yet.
Eventually, the only good answer will be to cryptographically lock down the host/hypevisor with something like TC/TPM - if we can ever get such a thing that's not totallly corrputed for DRM purposes!
Socialism: a lie told by totalitarians and believed by fools.
Or use the company's website or intranet to access docs. You could send/phone the remote person an ID to get in.
It would be glorious if that were a phishing attack.
"Your OC has spyware, click here"
Becomes
"Your network has users vulnerable to spyware phishing, click here"
And of course people would fall for it.
Socialism: a lie told by totalitarians and believed by fools.
Lol, my bad I wanted to find an article of viruses that do more shit than this one from attachments, didn't read it too closely, oh well still too lazy to find another one.
The most secure operating system in the world is no match for a user with the root password.
SE Linux does a good job of addressing this - of course it's not perfect, and chance are this particular strategy would work even in SE Linux. Note that the user doesn't need the root password for this one. Yuck.
Socialism: a lie told by totalitarians and believed by fools.
If I understood you correctly, since Word Macros as VBA (VB for applications scripting), said macros can use the AddressOf method for external lib calling (which allows for callback functions correct address pointer retrieval for data coming out of said methods) -> http://msdn.microsoft.com/en-us/library/aa165194(v=office.10).aspx
"The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions.." - by DeadCatX2 (950953) on Wednesday November 02, @01:05PM (#37922290)
Now, using what you stated - some of which I am NOT SURE what you meant (see next quote below)? You're correct that many Win32 API calls are just "fronts" to Native NtAPI calls (many in NTDLL.DLL in fact). That's where what I wrote above can help (for callback functions).
"If this was some undocumented API call in Word, then the exploited function might not validate inputs very well." - by DeadCatX2 (950953) on Wednesday November 02, @01:05PM (#37922290)
Uhm... MOST of the time, exploits done from MS' compound OLE doc structures (Excel, Word, etc.) use VBA to generate macros (bogus ones too)... so, as far as "validating inputs" (which is easy enough to do in VB for various datatypes filtering, on say/for example, keypress events), & especially from callback methods that go thru the Win32 API and even into the native NtAPI layer API??
The AddressOf method, helps...
APK
P.S.=> This has been true since OfficeXP in fact... but, do you mind being a BIT MORE SPECIFIC on your "validating inputs" portion I quoted above though? apk
To "trim off" excessive whitespace (even in null terminated strings) via those methods in VB/VBA. I doubt this uses input fields though (like text boxes for example), so using keypress events (as I noted last post as where I usually perform data input validations in programs @ least typically) is out... & so is using length limits on said inputs in textbox built in methods. Trim/LTrim/RTrim are all that's left for that much.
AddressOf can handle LPSTR (Long pointer to string) - but, as you said, if the dorks who created this are out to exploit a buffer overflow possible in a system lib?
You may be right! Why? Well, lol, they're NOT out to "create good code that does constructive things", but rather, to "f'up" the OS into doing buffer overflow & then privelege escalations would be my guess!
* Anyhow/anyways: We'd have to see the code (source, not assembly dumps) to even BEGIN to make "educated guesses" though (takes too long to go thru asm statements in debuggers - I've always hated that about them)...
APK
P.S.=>
"I'll be the first to admit, I don't really know much about Duqu in particular or what kernel exploit it used." - by DeadCatX2 (950953) on Wednesday November 02, @04:02PM (#37924804)
Well, I'm no "expert" on its EXACT mechanics either (& the articles the past few days have been pretty "substandard" on those details imo), but, I *think* I have a way to "knock the chocolate" out of this thing, easily enough, & with tools you already own (IF you're a "Windows man", & sounds like you are):
http://it.slashdot.org/comments.pl?sid=2505686&cid=37921376
It worked on "the indestructible rootkit" (from around a month or so back), it SHOULD work on this too (provided its multiple drivers aren't functioning to protect one another, but more importantly, their registry init areas)...
... apk
Based on its contents, that article was written sometime late 2001, but nowhere does PCW show any indication of its original publication date! Now that is true bogosity in action.
For every problem there is a solution that is simple, obvious and wrong.
You know, I'm a linux fanatic and a security freak, but you, sir, are an asshole.
--
BMO
Which was from another posting in this thread exchange here can kill it MOST likely:
"Exploits themselves are not terribly complicated, it's the rest of the Duqu architecture that layers the tricks on thick." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)
It's not that bad, seriously (provided the registry init areas for the drivers are NOT protected for, this is what made killing "the indestructible rootkit" easy to do in fact - it's lone driver, hello_tt.sys, wasn't protecting that registry load area for its bogus bootsector protecting driver!)
---
"But the exploit itself is probably not encrypted." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)
I agree - it's probably more or less, "configuration information" for what C&C to talk to, etc./et al...
---
"I doubt they'd be using text input or keypress events." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)
As did I (per my last reply)... I was looking @ this from the perspective of writing GOOD code that actually does decent things (from a GUI) - I just gave a validation example using those is all.
---
"More likely, it's probably some innocuous call, e.g. GetVersionOfWord(LPSTR path). Except that the path variable is strcopied into a stack variable which was only MAX_PATH+1 in length, or something tragic like that." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)
That's where I was thinking that Trim type commands in VBA would help, but again: I am talking about writing GOOD code...
LOL, not like these guys who made this malware (well, for them it's "good", hehe, causing a buffer overflow priv. esc. error - depends on your definitions of "good" vs. "evil" here, & who's doing the judging).
* Good "geek speak" here, by the way...
APK
P.S.=> I cannot wait until MS or others release WHAT EXACT API/LIB/DLL houses the error, & which API call it is that's being abused here... it would help discussions of this a GREAT deal! Yes, they keep it "undercover" to stop more dorks from doing malware exploits using it, but this is the downside for those of us that combat these things!
... apk
NETP191.PNF DLL (this is per Symantec's updated notes on it here http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf )
Ha - the malware makers use a technique of internal containment for it INSIDE other executables!
(I've done stuff like this in screensavers - housing video they playback as an internal resource that's extracted out to disk or memory & loaded for playback - makes for "1 piece/1 moving part" installations & runs, no installer needed type apps: However, in this case, in a malware? Heh - VERY sneaky!).
* This "update" of mine's per my last post, & using ProcessExplorer.exe to destroy the libs this malware uses -> http://it.slashdot.org/comments.pl?sid=2505686&cid=37921376
APK
P.S.=> In real essence though, this lib (that I assume, hopefully correctly) loads ONLY in usermode (correct me IF I am wrong/off guys, I only skimmed the updated docs on it from Symantec) - so, that said?
ProcessExplorer.exe MIGHT NOT EVEN BE NECESSARY! You can use Recovery Console's DEL command instead to destroy the DLL while in usermode IF it is still on disk, & doesn't just "extract" for injection in usermode only...
... apk
You know, I'm a linux fanatic and a security freak, but you, sir, are an asshole.
-- BMO
So more childish name-calling then? Is that your substitute for explaining why you think the idea of personal responsibility is unsound and can't work? That's ... disappointing.
Anyway, if wanting to do whatever is necessary to actually solve a problem that continues to grow in scope with no end in sight makes me an asshole, then okay, an asshole I am! We've tried everything except: hardening the targets through education and an expectation of due diligence. To date no serious effort has been put into that. Time to try something that might work. I like that better than telling people they are at the mercy of every bad actor who wants to screw with their computers. But I am the asshole. Okay then.
What you call "blaming the victim" I call "empowering the victim" so they no longer need to be so easily victimized. Yes part of that includes expecting them to take basic steps to safeguard their own interests. I see that as an option because I don't view serious security issues in terms of puerile blame games. I think that kind of drama is better reserved for soap operas. Got anything to say about that, perhaps a few more names to call me? I'm all ears.
Joe Employee does not maintain his workstation and is not responsible for it. Blaming Joe Employee for opening an attachment with a zero-day exploit from "The COO" is being an asshole.
It's not ad-hominem if the person really is an asshole.
You're an asshole. Deal with it.
--
BMO
Joe Employee does not maintain his workstation and is not responsible for it. Blaming Joe Employee for opening an attachment with a zero-day exploit from "The COO" is being an asshole.
It's not ad-hominem if the person really is an asshole.
You're an asshole. Deal with it.
-- BMO
Well at least you made a weak attempt at making an actual point. Unfortunately it's only one-fifth of those five sentences but at least it's an improvement.
Joe Employee can be expected (by the IT department) to do a few things. One, to not configure Word to auto-execute any scripting or other code in a Word document, nor to defeat IT's attempts to make sure it is not configured this way. Two, the extended headers of an SMTP message are not difficult to read. You can tell at a glance whether that e-mail actually originated from within the company. That's a training issue, and since all employees who handle these workstations must be part of following security procedures, it would apply to both IT and Joe Employee. IT can't do a whole lot if other employees continually undermine its policies and fail to be on board.
As for the asshole comment, take a look in this little thread of yours and mine. See who is actually constructing a viewpoint and putting it forth versus who is spending the majority of time resorting to childish ad-hominem name-calling. Yeah. You read that the same way I do? You know you do, even if you don't care to admit it.
It's a shame you don't know the difference between a real asshole and me. See, a real asshole deliberately constructs things designed to cause anger and emotional distress (sort of like name-callers, imagine that) with no regard for truth or falsehood. Me, I say what I believe to be true. I am not trying to offend anyone, but I don't think it's my problem if honestly saying what I believe to be true and backing it up with reason happens to cause offense. In fact, I say anyone who gets offended over that has a lot of growing up to do no matter their age. I am what you would call neutral here. I am trying to keep the discussion about host security and computing. You, on the other hand, are trying to make it personal. You can figure out for yourself which is the high road.
I have a hard time anyway believing that such a big-hearted concern for "the victims" comes from someone who is so eager to insult and make ad-hominem attacks and make impersonal matters into personal contests. Your concern for anyone wronged by cybercriminals is questionable and I do not believe it is genuine. Otherwise your first priority would be equipping them to no longer be wronged by criminals, not calling people names because they suggest maybe "changing nothing and learning nothing new" is not the best advice for those likely to be victimized. I suppose next you will tell people not to put locks on their doors since it's all the thieves' fault if anything gets stolen. As to me, I never felt any obligation to make a thief's job easy.
You expect Joe Employee to be an expert in IT.
Right off the bat "Should be smart enough to configure Word to not execute attachments"
No, this is the IT department's responsibility.
I'm not going to read any more because your argument is full not doing your job if you are an actual IT support person.
Have a great day.
--
BMO
So expecting Joe Employee to follow the security policies set out by IT is the same thing as expecting him to be an IT expert?
I know when someone is as wrong as you are they have to distort the truth and pretend to misunderstand or conflate things in order to keep going. I mean hell, what's your alternative, to admit I have a point? I seriously doubt your ego can handle that, nor could that of any name-caller. But c'mon, man. Who do you think you're fooling?
Oh and the "not going to read anymore" thing is cute. That's just like the way the Church authorities refused to look through Galileo's telescope. You see, if they had done that, they'd have seen with their own eyes that Galileo was right about the heavenly bodies not being perfectly smooth spheres. But that contradicted their dogma. So they refuse to look just as you refuse to read. Some closed minds are happy to be shown how to open. Then there are closed minds like yours that want very badly to stay that way, within their little comfort zone.
Enjoy that, if somehow you can. I don't envy you for one moment.
This has been demonstrated years and years ago and *nothing* has been done to fix it. Any single local exploit on any version of Windows can be priviledge-escalated to "admin" / root / you-name-it.
There's apparently nothing they can do about it: they're fighting that for years and still cannot fix it.
So everytime an exploit is found in any software : IE, Word, Excel, whatever that gives local access, they can escalate it to admin.
It's not the escalation that is zero day: escalation has been known to work since forever. It's the Word exploit giving local that is zero day.
Does Open/Libra Office have the same problem?
How do you infect that which you can not write?