Duqu Installer Exploits Windows Kernel Zero Day

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."

First post

[GameboyRMH]

Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER

Re:First post

[LordLimecat]

Well, its a good thing the network protocol sanitizes the files you share with it. Its very reassuring that the virus cant simply place that infected document onto NFS and spread that way.

Seriously, do you really think that has any relevance to the issue?

Word document for a remote exploit?

[kervin]

I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?

Re:Word document for a remote exploit?

[denis-The-menace]

to access undocumented APIs.

MS has been known to used them.

Re:Word document for a remote exploit?

[0100010001010011]

1) Word document exploits hole.
2) Exploited hole now allows remote code execution.
[3) Pictures of exploited hole now show up constantly on new website "Slashdot"]

Re:Word document for a remote exploit?

[The+MAZZTer]

It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.

Re:Word document for a remote exploit?

[billcopc]

What, you don't open ports to your passwordless MS terminal server ?

It's a Word document, which means it exploits a weakness in MS word to deliver the payload.

But seriously, what is this, Digg ? Who is this "Unknown Lamer" and why doesn't he go fuck himself ? We used to have standards around here...

Re:Word document for a remote exploit?

That's OK, Slashdot won't become a vector for the exploit, because Slashdotters instinctively avoid pictures of exploited holes.

Yeah. You know exactly what picture I mean.

Re:Word document for a remote exploit?

[ArhcAngel]

How long until this is used to create a script to jailbreak windows so we can install what we want on it?

Re:Word document for a remote exploit?

That would be the most stupid definition of "remote code execution" ever.

Re:Word document for a remote exploit?

Been coming here since 5digit users, and have yet to see said hole. I plan to keep it that way too!

Re:Word document for a remote exploit?

[hesaigo999ca]

Depends what type of hole you are talking about, I have been here since you have, and seen plenty of Aholes!

Re:Word document for a remote exploit?

I need to sign up for this /. thing so I can upvote your answer.

Re:Word document for a remote exploit?

Done. This will even let you install Linux on it.

Re:Word document for a remote exploit?

[rb12345]

It could be another WMF-style exploit, too.

Re:Word document for a remote exploit?

um, duqu has already done it...

Re:Word document for a remote exploit?

[AftanGustur]

I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?

From the FA:
"The installer, discovered by researchers at the Hungarian lab that first found Duqu, is a Word document that, once opened, exploits the kernel flaw and then installs the Duqu code on the machine. "

The answer, my dear Watson, is that it is much easier to get people to click on a .doc email attachment, than it is to get them to click on a .exe

Word document?!

[masternerdguy]

Once again, don't open email attachments from unknown senders.

Re:Word document?!

This kind of advice is classic. Its also pointless.
This kind of attack 'comes' from people or sources you know (Most users are not going to check full headers) - and its spear fishing in nature - so its documents that look viable and realistic.

This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but thats nothing unusual today in infrastructure that is too lose/insecure).

The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.

And thats before you really face up to stux and its game change nature. Now its not just PCs/windows that you have to watch. And thats a whole new ballgame.

Re:Word document?!

[bmo]

>Once again, don't open email attachments from unknown senders.

>unknown senders

If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

The "From:" header can be anything, Anon, and it can be trivially set.

Go ahead, blame the victim. It doesn't make you any less of a douche.

--
BMO

Re:Word document?!

[Synerg1y]

Worse things exist in opening attachments from remote senders than malware, http://www.pcworld.com/article/103992/the_worlds_worst_viruses.html

On that note, people need to stop telling others to not open attachments from unknown senders, let natural selection separate the users who know how to use computers (aka maintain their machine in a working state) and those who do not, it's just not fair to have to fix some dumbshit's machine cause s/he is too dumb to apply common sense.

Re:Word document?!

[Darkinspiration]

Right, So evolution will decide if my servers are going to get hacked or not ? No thanks. I'm so glad i'm running Novell OES right now.

Re:Word document?!

that is too lose/insecure

Lose vs. Loose. You dumb motherfuckers just can't get this right, can you? Oh no, they look a little similar so now you have to constantly confuse them.

At least this was one where "loose" finally would have been the correct word. Normally you functionally illiterate types write "loose" where you should have written "lose" but not you!

Re:Word document?!

[bmo]

Someone should mod you into oblivion for posting a PCWorld ad for Symantec, because that's all that article is. It even tells people to not only just install anti-malware, but to install Norton, and does not mention any other security companies at all.

--
BMO

Re:Word document?!

[sootman]

Plus, God knows, news from higher-ups never comes in an email itself. Instead, we get emails from the CEO's secretary that say "Please read the attached message from the CEO." I've gotten plenty, so yeah, if I got one, I'd open it. I might know it's a fake if there were grammatical errors or if the secretary's name (which I happen to know) wasn't on there, but otherwise, yeah, it wouldn't be unusual at all.

Re:Word document?!

[Vicarius]

Once again, don't open email attachments from unknown senders.

Since many web browsers are so helpful nowadays, you don't need to run any executables or open any attachments anymore. Browsers will usually help you by opening malware-ridden PDFs, Flash objects, as well as DOC files. You will not even know they were opened, since malware does not want to be loaded in the open and gets executed in a hidden windows or javascript objects.

Re:Word document?!

>Once again, don't open email attachments from unknown senders.

>unknown senders

If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

The "From:" header can be anything, Anon, and it can be trivially set.

Go ahead, blame the victim. It doesn't make you any less of a douche.

-- BMO

The "victim" who runs an insecure and widely-targeted system and then won't learn the most basic things about how to secure it?

Yeah. Totally absurd to think anyone would mess with them. Hey I know. Let's tell them they are total victims. Let's tell them the decisions they make have absolutely no bearing on what they experience. They are merely giant leaves carried by the wind with zero control over their lives. Let's embrace total fatalism just because there are bad people! Nope, no free will here, we rejected that because it might mean telling somebody to wise up and quit being such a wide-open target in the face of well-known threats.

Let's do it in an irritable emotional way that can't resist doing some name-calling, you douche, because disagreement with me is the definition of being a douche. People who approach it that way are always the ones with the truth, dontcha know that from their impeccable logic?

Re:Word document?!

[mikechant]

I might know it's a fake if there were grammatical errors

In most companies, you'd know it was bogus if it came from the CEO and *didn't* contain grammatical errors...

Re:Word document?!

[Runaway1956]

SOPHOS
        Free Trials Security News/Trends

Stopping Fake Antivirus
How to keep scareware off your network
Download now.

I found that in my inbox a short while ago. At the time, the irony hit me like a sledgehammer - Sophos wants to make me aware of fake AV, Sophos should be warning me against downloading and installing random shit from the internet - so they invite me to download some random shit from the internet which may or may not be a legitimate random shit. Hmmmm. Yeah - I'll save my clicks, thank you . . . .

Re:Word document?!

[Runaway1956]

I think you should take your uptight ass for a nice long walk, off of a very short pier. Some of you people seem to have learned nothing in school, except spelling and grammar. It was the only place where you ever earned any praise. Since you are in no way superior to anyone else in any other field, you feel the need to make your inane grammar nazi posts here, there, everywhere.

Sux2bU, huh?

Re:Word document?!

[Runaway1956]

AHHHH-HAA-HAAA!

I don't read much of anything in my inbasket. I guess that makes me a high level employee?

COO: Did you read my email?
Me: Well, hell no! I'm to busy to read mail.
COO: Well, it said you'd be fired if you didn't read it.
Me: Cool. Six months paid vacation, courtesy of the Employment Commission!
COO: To hell with that, I have some shit jobs that need to be done before you go anywhere.
Me: Well, Fuck you very much, Sir!

Re:Word document?!

[lgw]

The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.

The only good answer (today) to rootkits is host-based scanning. Do everything on VMs, and do your AV from the host. Eventually that too will fall, but so far there aren't any credible "VM escape" attacks (there are some interesting beginnings), so you can keep the host safe, and a rootkit on the guest should present no real obstacle to the host. Sadly, there's not much to choose from to scan from a thin hypervisor yet.

Eventually, the only good answer will be to cryptographically lock down the host/hypevisor with something like TC/TPM - if we can ever get such a thing that's not totallly corrputed for DRM purposes!

Re:Word document?!

[lgw]

It would be glorious if that were a phishing attack.

"Your OC has spyware, click here"

Becomes

"Your network has users vulnerable to spyware phishing, click here"

And of course people would fall for it.

Re:Word document?!

[Synerg1y]

Lol, my bad I wanted to find an article of viruses that do more shit than this one from attachments, didn't read it too closely, oh well still too lazy to find another one.

Re:Word document?!

[bmo]

You know, I'm a linux fanatic and a security freak, but you, sir, are an asshole.

--
BMO

Re:Word document?!

You know, I'm a linux fanatic and a security freak, but you, sir, are an asshole.

-- BMO

So more childish name-calling then? Is that your substitute for explaining why you think the idea of personal responsibility is unsound and can't work? That's ... disappointing.

Anyway, if wanting to do whatever is necessary to actually solve a problem that continues to grow in scope with no end in sight makes me an asshole, then okay, an asshole I am! We've tried everything except: hardening the targets through education and an expectation of due diligence. To date no serious effort has been put into that. Time to try something that might work. I like that better than telling people they are at the mercy of every bad actor who wants to screw with their computers. But I am the asshole. Okay then.

What you call "blaming the victim" I call "empowering the victim" so they no longer need to be so easily victimized. Yes part of that includes expecting them to take basic steps to safeguard their own interests. I see that as an option because I don't view serious security issues in terms of puerile blame games. I think that kind of drama is better reserved for soap operas. Got anything to say about that, perhaps a few more names to call me? I'm all ears.

Re:Word document?!

[bmo]

Joe Employee does not maintain his workstation and is not responsible for it. Blaming Joe Employee for opening an attachment with a zero-day exploit from "The COO" is being an asshole.

It's not ad-hominem if the person really is an asshole.

You're an asshole. Deal with it.

--
BMO

Re:Word document?!

Joe Employee does not maintain his workstation and is not responsible for it. Blaming Joe Employee for opening an attachment with a zero-day exploit from "The COO" is being an asshole.

It's not ad-hominem if the person really is an asshole.

You're an asshole. Deal with it.

-- BMO

Well at least you made a weak attempt at making an actual point. Unfortunately it's only one-fifth of those five sentences but at least it's an improvement.

Joe Employee can be expected (by the IT department) to do a few things. One, to not configure Word to auto-execute any scripting or other code in a Word document, nor to defeat IT's attempts to make sure it is not configured this way. Two, the extended headers of an SMTP message are not difficult to read. You can tell at a glance whether that e-mail actually originated from within the company. That's a training issue, and since all employees who handle these workstations must be part of following security procedures, it would apply to both IT and Joe Employee. IT can't do a whole lot if other employees continually undermine its policies and fail to be on board.

As for the asshole comment, take a look in this little thread of yours and mine. See who is actually constructing a viewpoint and putting it forth versus who is spending the majority of time resorting to childish ad-hominem name-calling. Yeah. You read that the same way I do? You know you do, even if you don't care to admit it.

It's a shame you don't know the difference between a real asshole and me. See, a real asshole deliberately constructs things designed to cause anger and emotional distress (sort of like name-callers, imagine that) with no regard for truth or falsehood. Me, I say what I believe to be true. I am not trying to offend anyone, but I don't think it's my problem if honestly saying what I believe to be true and backing it up with reason happens to cause offense. In fact, I say anyone who gets offended over that has a lot of growing up to do no matter their age. I am what you would call neutral here. I am trying to keep the discussion about host security and computing. You, on the other hand, are trying to make it personal. You can figure out for yourself which is the high road.

I have a hard time anyway believing that such a big-hearted concern for "the victims" comes from someone who is so eager to insult and make ad-hominem attacks and make impersonal matters into personal contests. Your concern for anyone wronged by cybercriminals is questionable and I do not believe it is genuine. Otherwise your first priority would be equipping them to no longer be wronged by criminals, not calling people names because they suggest maybe "changing nothing and learning nothing new" is not the best advice for those likely to be victimized. I suppose next you will tell people not to put locks on their doors since it's all the thieves' fault if anything gets stolen. As to me, I never felt any obligation to make a thief's job easy.

Re:Word document?!

[bmo]

You expect Joe Employee to be an expert in IT.

Right off the bat "Should be smart enough to configure Word to not execute attachments"

No, this is the IT department's responsibility.

I'm not going to read any more because your argument is full not doing your job if you are an actual IT support person.

Have a great day.

--
BMO

Re:Word document?!

So expecting Joe Employee to follow the security policies set out by IT is the same thing as expecting him to be an IT expert?

I know when someone is as wrong as you are they have to distort the truth and pretend to misunderstand or conflate things in order to keep going. I mean hell, what's your alternative, to admit I have a point? I seriously doubt your ego can handle that, nor could that of any name-caller. But c'mon, man. Who do you think you're fooling?

Oh and the "not going to read anymore" thing is cute. That's just like the way the Church authorities refused to look through Galileo's telescope. You see, if they had done that, they'd have seen with their own eyes that Galileo was right about the heavenly bodies not being perfectly smooth spheres. But that contradicted their dogma. So they refuse to look just as you refuse to read. Some closed minds are happy to be shown how to open. Then there are closed minds like yours that want very badly to stay that way, within their little comfort zone.

Enjoy that, if somehow you can. I don't envy you for one moment.

How would a Windows virus infect a Nintendo game?

[tepples]

With a name like "game boy" and a comment about "SMB shares", I think for half a second about this kind of SMB share.

Why / How?

Why / How can a *Word Document* exploit a kernel vulnerability?

I mean really.

Re:Why / How?

[Megane]

It's Windows. Why should you be surprised?

Re:Why / How?

[RightSaidFred99]

You guys don't know much about computers, do you? You laughably seem to think only privileged processes have access to kernel calls and can exploit bugs in them.

Re:Why / How?

[bsDaemon]

Because of binary file formats, binary fonts, etc. All data is just data, including code. A is the same as \x41 which is the op code for INC EAX, for example. That's effectively a NOP as far as shell code is concerned, though. Others do other things, of course. It's the same reason you can do exploits in PDF or other file format attacks.

Re:Why / How?

If you don't know, just say so.

Re:Why / How?

[X0563511]

I hope that was sarcasm.

Re:Why / How?

[h4rr4r]

I think the better question is why does it have to be word, as opposed to any other user space unprivileged process. My guess would be because of all the macros/scripting and other bad ideas in word.

Re:Why / How?

[masternerdguy]

If you don't know, just say so.

The anonymous coward computer security experts are coming out of the woodwork for this one.

Re:Why / How?

[228e2]

^what he said . . . . geez . . . .

Re:Why / How?

[RightSaidFred99]

Probably because it's easier to get someone to open a Word document than e.g. an executable, and yes because Word has limited code execution capabilities.

Re:Why / How?

[RightSaidFred99]

It wasn't. Go take an OS course, please.

Re:Why / How?

[ConceptJunkie]

This is old news. Microsoft Office was probably the largest vector for computer virus infections in the mid 90s. VBA means that opening your document can pretty much do anything since it can hook into Win32 and 99% of users ran as administrators.

Nowadays, Windows users aren't admins by default, and there are some protections to prevent macros from being run without your permission, but all that stuff is still in there. Office has always been a de facto part of the OS because the only way Microsoft could ever compete was to build secret doors into Windows that would allow their apps to do things their competitors couldn't.

Although MS has gotten better about these sorts of criminally incompetent things, they were all built in from the ground floor, so they'll never be completely eliminated until we get Windows "NTNT".

Re:Why / How?

[lgw]

Fortuantelty, all that scripting stuff is off by default in Office now. Unfortunatly, there are still companies that use the scripting nonsense (especially in Excel), so those users are used to clicking OK on the "enable scripting" pop-up.

Must say...

[ackthpt]

I'm impressed Microsoft even acknowledged it. Years ago they would have buried this news, claiming anyone reporting on it was aiding terrorists. I'm looking forward to the fix, when they roll it out in a couple of months.

Re:Must say...

[hedwards]

Well, that can mean anything except one thing. Today isn't opposite day.

Re:Must say...

[johnthorensen]

I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.

Re:Must say...

[Riceballsan]

More like they actually have competition making them sweat a bit (no I'm not talking about the hypothetical year of the linux desktop, I'm talking about the actually approaching significant decline in use of the home PC). I still have to say I'm a bit nervous on them going after botnets directly, not because I don't want those scumbags shut down and/or put behind bars, but because corporations playing vigilantes in general is a bit nerve-wracking. What we approve for one company in one circumstance, is approved for all companies in all circumstances. It is hypocritical to cheer microsoft for shutting down a botnet, and then boo apple for raiding gizmodo, or the RIAA for raiding a teenagers house.

Re:Must say...

[Caesar+Tjalbo]

I think someone in Redmond made a calculation of just how big the rug needed to be in order to sweep everything under. Fairly soon after that we saw the "Microsoft (R) Trusted Responsible Vulnerability Admission Program (TM)".

Re:Must say...

>It is hypocritical to cheer microsoft for shutting down a botnet, and then boo apple for raiding gizmodo, or the RIAA for raiding a teenagers house.

The teenager downloads music to listen to. Gizmodo publishes data about a lost smartphone. Botnets steal people's credit card information and DDoS sites critical of oppressive governments.

One of these things is not like the others.

And?

[ledow]

I'm sorry, but anyone that lets their Windows / internal servers be contacted by arbitrary packets from the Internet, or their systems allow execution by ordinary users of (at the very minimum, unscanned) email attachments, deserves everything they get.

This isn't news now and wasn't back 20 years ago. If you have to do more than just in a "just-in-case" firewall rule into your network equipment that automatically blocks this particular attack from local users (and which should be impossible to execute directly against the server remotely anyway), then you weren't really doing your job in the first place.

Next you'll be telling me that I shouldn't let filesharing ports open to the world.

Re:And?

You go girl, if the traffic isn't scrutinized from, at least, layer 3 on then you're a zombie waiting to happen.

Re:And?

You had windows computers on the internet in 1991? Very cool. I couldnt manage that feat until about 1993 and even then in a very round about way.

The internet of 1991 is *VERY* different from 2011. People believe it or not want people to use their file shares... They even wrote indexers to help you find their files.

Firewalls didnt become vogue until about 1997. *Most* people would plug raw right into the internet. But guess what. There wasnt that many worms out there... Most of those were actual flaws in the TCP stacks (more important to fix right away). It wasnt until some bright spark started putting the drop by default into the minds of most users.

Would I plug my computer today into the 'raw' internet. No thank you. Back then? Didnt think twice about it.

Re:And?

You did read the story correctly - right?
You realise its an 0-day unknown exploit. (The user level is right, absolutly - users should be user class, not admins - but its a kernel vuln, thats the point sometimes.)
You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - depsite masses of evidence you need to rethink how you see this.
When the word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.

STOP thinking you have this all covered. You don't. The game has changed, and its tick - tock in the security area.

Re:And?

If you *need* a firewall for security on your border you are doing it wrong.

Re:And?

[X0563511]

You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!

Re:And?

[couchslug]

"Next you'll be telling me that I shouldn't let filesharing ports open to the world."

You shouldn't let filesharing ports open to the world.

HTH!

Re:And?

[doctorcisco]

Clearly, you didn't read the article. The document attachment won't trigger your scanner, because it exploits an unpublicized kernel vulnerability. Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you. So unless you forbid people to get any and all .doc/.docx files from any source, you are vulnerable to something like this.

So ... you do block all possible access to .docx files, right? Or maybe you need to realize that your 20 year old security rules that aren't 20 years old are also already out of date. The game has changed.

doc

Re:And?

I'm pretty sure his main point is about firewall rules, not scanning attachments. If the firewall doesn't allow a network connection, the remote exploit is more or less useless.

Re:And?

[adonoman]

Does this apply to docx files, or just doc/docm files? The newer word version have removed macro functionality from the docx files, and require you to use docm files for any of that. 2007/2010 also refuse to run macros on any kind of files from non-trusted locations. Or is this an old-fashioned exploit that relies on a buffer overflow or such in a non-macro document?

Re:And?

i have only ever seen one zombie, and it happened after a 136 days of uptime on my firewall/server at the time. i rebooted, the machine kept on plugging until i tried to give it a new hdd. which 6 months later was the kiss of death for that server. my point? don't have 15 amps worth of computers just to chat, game, and read news.

Re:And?

Irrelevant to his point. If you don't have ACL's and firewalls setup to block any kinds of connections (ie. remote exploits) you don't want, you aren't really doing your job.

Re:And?

[DarkOx]

If you don't think you need a firewall on your boarder and you don't have one any way you are doing it wrong. Defense in depth is the only thing that works, think about security at every layer.

Re:And?

[LordLimecat]

Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you.

Im not seeing why it follows that kernel vulns do not require root to do their worst. The kernel interacts with userland as much as anything else, right?

Re:And?

[X0563511]

Yea, and firewalling SMTP is a good way to stop you getting any mail.

Re:And?

[Gilmoure]

* golf clap *

Re:And?

You should get a clue. Firewalls and ACLs are irrelevant to this malware/problem.

Unless by "block any kinds of connections you don't want" you mean blocking email access entirely.

FWIW word documents can also be transferred via usb drives.

Re:And?

[Dr.+Spork]

Yeah, I'm afraid you're right and I don't like it. Antivirus programs now are an incredible PITA already - in many cases, they degrade the system more than do viruses. If this really is tick-tock in the security area, I dread to contemplate what "tock" the security companies will come up with in answer to this kind of thing.

Re:And?

Well yes... and no..

If people are willing to rethink things from a different way, at least in an initial 'tick' you might get a level of control back. The downside is it really is 'control' and by that I mean so controlling it immediatly hits a level of 'impractical' that means giving it to people, persuading people, and cajolling people is painfully required.
And that is white listing.

Allowing a very short list of executables/processes or access changes the game. Its a list of 20-100 items (or whatever) that *are allowed to run*. And not a very deep and wide and stupid list of 890,000 you have to scan over each file with a quantity of guestimation, HIPS, and 'have we seen' this sig/type before CPU munching horrors.

Now, this won't stop the exploit via word. Word would be in the whitelist in probability. And it won't likely stop the exploit at all. But whatever mechaniscs are used to bring a new executable into the play will bump into 'nope'. Whitelisting seems to offer more hope than blacklisting does at this time. blacklisting simply isn't working at all and its sinking fast..

However, kernel exploits mean you might be able to just close/shutdown the whilelist product like they shut off AV software today, so no silver bullet, just a tick or tock in the long war thats raging..

Re:And?

[dskzero]

I like how the AC security expers come out, spit something that sounds almighty, and don't offer any explanation.

Re:And?

Does this apply to docx files, or just doc/docm files? The newer word version have removed macro functionality from the docx files, and require you to use docm files for any of that. 2007/2010 also refuse to run macros on any kind of files from non-trusted locations. Or is this an old-fashioned exploit that relies on a buffer overflow or such in a non-macro document?

considering the joys of OLE it might be anything

Re:And?

[lgw]

I'm probably wrong, but I'd just assume that any modern malware would reach out from the infected machine to hit port 80 on some botnet controller machine. If your goal is to infect vast quantities of end-user PCs, you can bet almost all of them get through to port 80, even if just about everything else is blocked.

Is it really about market share?

There are those who say that the reason OS X has so much less malware is simply because it has a smaller market share.

I'm sorry, that's not the reason at all. The reason is because of crap like this where a word processor document can exploit a kernel vulnerability. The reason is because of crap like Outlook, which is not only happy to execute code for any data type it sees, but does it in the preview pane. (And IE and Excel doing the same thing.) The reason is because it will happily embed crap like Flash into documents, opening up a whole new world of vulnerabilities. The reason is because of crap like ActiveX, where random native code on the internet can be executed on the main CPU, with full access to the API. The reason is because of crap that listens to undocumented TCP/IP ports, onto which an single UDP packet can take over and start spewing itself all over the internet.

Etc.

Re:Is it really about market share?

[Amouth]

so explain to me how Apple doesn't do any of these things? you realize that for a long time now the main method of Jailbreaking their phones has been a PDF exploit that allows you to root the device.. not only is it documented and in actvice use, but it has been there for years now, and they still have not fixed it.

Re:Is it really about market share?

[RightSaidFred99]

Get a clue. You don't know what a "kernel vulnerability" is, judging by your rhetoric you seem to think only silly OS's like Windows have them and allow user-land processes to exploit them. Not true.

Re:Is it really about market share?

[masternerdguy]

There are already OSX Trojans that are effective because Mac users feel invincible because they aren't running Windows. The fact that those exist is a warning to Apple that their market share is getting large enough to be targeted, but nobody seems to care about educating their users.

Re:Is it really about market share?

Apple has fixed the PDF exploits, over and over again. People just keep finding new ones.

And if Appletards believe these exploits are only used for good (jailbreaking) and not evil (spearfishing attacks), they are kidding themselves.

Re:Is it really about market share?

The most secure operating system in the world is no match for a user with the root password.

You can't protect an operating system 100% against trojans because you can't fix stupid*.

* and you can't fix lack of knowledge because joe public doesn't care as long as his computer keeps doing what he needs.

Re:Is it really about market share?

There are those who say that the reason OS X has so much less malware is simply because it has a smaller market share. I'm sorry, that's not the reason at all. The reason is because of crap like this where a word processor document can exploit a kernel vulnerability.

so explain to me how Apple doesn't do any of these things?

The previous poster overstates it a bit, but does have a point. When your OS vendor is also your word processor vendor and when the two are coupled tightly using undocumented APIs without regard for security concerns... you have a big problem. Apple also makes a word processor, but does not use undocumented APIs and does not have the same level of exposure area to an exploit (although Apple's application security practices are hit and miss based on the project).

...you realize that for a long time now the main method of Jailbreaking their phones has been a PDF exploit that allows you to root the device..

This is interesting, but sort of proves the point. On the iPhone Apple makes both the PDF rendering libraries, the reader, and the OS and they are tightly coupled (since PDF is used for all the UI elements of the OS as well).

Re:Is it really about market share?

[LordLimecat]

Wait, what does the OS have to do with the mail client, or with what you can embed into what documents? I mean, if you want to discuss awful clients, we could talk about Mac Mail, or I could simply remind you that Outlook and Word are both available for OSX too and hardly count as MS OS features.

As for "random native code on the internet", Im pretty sure Safari et al support NPAPI plugins, which are essentially the same thing, and perhaps a little easier to install than an ActiveX program in IE9.

The reason is because of crap that listens to undocumented TCP/IP ports, onto which an single UDP packet can take over and start spewing itself all over the internet.

If you want to deserve an informative mod, you might want to cite a source on that. Pics, or it didnt happen.

Also, if OSX is so much better, how come at Pwn2Own Every Single Year, OSX / Safari falls first?
(2010 MIGHT have been a tie, or someone else first, but OSX was done on day 1 regardless-- couldnt find the exact order). You will also note that this is DESPITE Apple's attempt to slip in last-minute fixes prior to the contest.

Listen, if you want to rely on your OS to provide "Security" and "Hacker Prevention", go right ahead. The more folks you convince to use your platform, the more quickly the playing field is leveled, and the quicker we see the reality of the situation with regard to OS security. Hope you have your bootkit removal tools ready.

Re:Is it really about market share?

[lgw]

The most secure operating system in the world is no match for a user with the root password.

SE Linux does a good job of addressing this - of course it's not perfect, and chance are this particular strategy would work even in SE Linux. Note that the user doesn't need the root password for this one. Yuck.

Reverse the exploited hole

[tepples]

But how do you reverse such a hole? Like this.

Re:Reverse the exploited hole

[hedwards]

lol reverse goatse.

Borg Bill is gone!

Hey! Where is Borg Bill? Put it back right now!

Re:Borg Bill is gone!

[Jeng]

No, Borg Bill should have been retired long long ago, but I disagree with what has replaced it.

Instead what I would like to see is a dancing monkey throwing chairs.

Re:Borg Bill is gone!

Bill Borg was perfect for Slashdot because most posters here are still living in the 1990s.

Re:Borg Bill is gone!

[lgw]

Never have I agreed more with a /. comment. Give me chair throwing monkey now!

MOD PARENT UP

That is all

remote code execution?

[SirDice]

"A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution." It's an exploit embedded inside a Word document. You can't get more local then that.

HOW the HELL

[v1]

do you have a kernel security bug in a word processor?

Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.

Re:HOW the HELL

The same way iPhones keep getting jailbroken through PDF viewer vulnerabilities.

The article is short on details, but likely, the exploit is limited to older versions of word that would still actually run macro code on internet-sourced documents. Either that, or someone's given the malware authors a code-signing certificate, which I suppose is possible, but makes the fix as easy as revoking the certificate.

Once you are running a Word macro, it's not that hard to find some exploit that will let you run arbitrary code. Once you're running arbitrary code, any old kernel-privilege escalation exploit will work as a vector for root-kitting an OS.

The article also doesn't comment on whether this applies to Windows 7 / Vista with ASLR and DEP, or whether it requires running as admin.

Re:HOW the HELL

do you have a kernel security bug in a word processor?

It's called "innovation". Microsoft has it, other companies and groups don't. While Microsoft has been busily advancing the security flaw sciences over the life of the company, the Linux and *BSD teams still consider it a major breakthrough worth front-page news whenever they develop a rare, very-special-case privilege escalation bug under certain kernel options (and only if you made stupid decisions in your other programs). And while Apple is still struggling to come up with ways to relinquish root on their systems to catch up with the state-of-the-art from ten years ago, Microsoft is blazing forward, creating new and innovative violations such as drive-by downloads in IE, invisible trojans from downloads, and now even their lowly word processor can cause a complete rooting at the kernel level.

Microsoft. They still lead innovation.

Re:HOW the HELL

[Dr_Barnowl]

Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

The selection of Word as an attack vector was probably influenced by a combination of...

• Word is probably the number 1 application that most professionals open after the browser.
• Word has the extra advantage that it's not received as much hardening as the browser.
• Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.
• The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.

Re:HOW the HELL

[BitZtream]

You simply do not have any idea how software works, which is ironic considering you're calling them stupid. Please realize that ALL IO, be it console, gui or file goes through the kernel right?

Your super leet little Linux box works the same way.

All apps access the kernel API in order to function. Just starting a process is an API call. To actually do anything useful on a computer, you're talking to the kernel, its what arbitrates between all of your apps. Yes, you may have a window manager doing the lifting, but in the end, the video drivers are in the kernel space, and to make any changes to the display, you gotta talk to the kernel.

The kernel delivers your keystrokes to the application.

The kernel plays sound that the application asks it too.

The kernel displays whats on your monitor.

The kernel is the only things that talks to ANY hardware on your machine directly, everything else in useland talks to it via the kernel.

All most all 'kernel exploits' are done via user land code. There are extremely rare exceptions like exploiting kernel netcode and such like the old winnuke, teardrop and all those did. Those directly exploit bugs in the kernel because the kernel is the first thing that handles all network activity in and out of the machine. Otherwise, your two options for exploiting the kernel are userland applications and kernel loadable modules. Well, if you can load a klm, you own the machine anyway, thats a feature, not an exploit.

So basically the only way any exploit happens (or the vast majority of them really) is by using a userland application to make a kernel API call that can be exploited due to a bug. The kernels job is to play police officer and make sure nothing like this happens, but, its not perfect, regardless of what OS you're running, and those bugs get found, someone crafts an exploit and figures out a good vector for delivery. That may be through a network connection via Apache or IIS (these are both userland applications) or in this case, I get you to open a word doc that materializes the exploit. It doesn't even have to be a word problem, could be an image with bad data that gets loaded by the default libraries and something weird happens there, Word is just a way to start the process.

Re:HOW the HELL

[ticktickboom]

at least they stopped bundling their browser with the os....back with windows 98 you could get web bugs and never turn IE on...oh, wait, they started that again n/m this post

Re:HOW the HELL

[tlhIngan]

In Linux, a kernel exploit from an application is also known as a "priviledge escalation" bug. Basically, a non-root user exploits the kernel in some way and gets root priviledges.

And yes, there have been many of those - usually some combination of oddball flags and little used options leading to an overflow.

And no, forcing the user to do the escalation for you don't count.

Re:HOW the HELL

Sigh, do you really think that they run word in ring0?
The kernel bug can probably be triggered any usermode application where the attacker controls the respective syscall parameter(s).

Re:HOW the HELL

[LordLimecat]

So those WinNuke etc network-based attacks are known as "privilege escalation"? In school we were taught that those were categorized as DoS, not escalation.

Re:HOW the HELL

[DeadCatX2]

Another attack vector is plug-and-play drivers. For instance, the PS3 jailbreak exploited the USB driver. That's not coming from userland.

Re:HOW the HELL

[Megane]

at least they stopped bundling their browser with the os

oh, wait, they started that again

Yep.

Re:HOW the HELL

[Megane]

Sigh, do you really think that they run word in ring0?

If only the Beatles had kept Pete Best as their drummer, this wouldn't have been a problem.

Re:HOW the HELL

Because there are things you can do in VBA still that could possibly exploit bad behavior in undocumented WinAPI calls? Or maybe there's lingering bad behavior in some of the really really obscure format codes still waiting to be discovered (sort of like using the {print} format code to change the printer messages on HP printers, send raw postscript, etc)?

Re:HOW the HELL

[ticktickboom]

well, at least its not as bad as the stuxnet flaw http://it.slashdot.org/story/10/07/18/1950210/microsoft-has-no-plans-to-patch-new-flaw

Re:HOW the HELL

WinNuke etc are a type of DoS attack, DoS stand for Denial of Service, AKA interrupting what is currently happening. In the case of WinNuke the goal is to blue screen of death (reboot) or possible even lockup the target machine. Also sometimes it would just make the network stack choke and die (causing internet connection issues).

Now what the person you replied to was talking about are "priviledge escalation" bugs. Something like qpopper as an example of a popular exploit. These attacks try not to actually harm the target system, rather they give you higher access than you previously had. In the case of qpopper you went from having basic mail service access to root access. Most of the exploits are generally also referred to as root exploits. As the goal of the exploit it to give a regular user root access. Root access basically gives you control over the system. So you can either gather all the information available, or use the machine to further exploit other machines, or say have the machine launch the nuclear missile without any launch codes.

Re:HOW the HELL

[yuhong]

Yea, during year 2006, Office in fact was a big target of zero-day attacks, forcing MS to released Office 2003 SP3 in Sept 2007, and also MOICE around the same time which converts files to OOXML in a sandbox before opening it. Later MS introduced Office File Protection in Office 2010 and later backported this to 2003/2007 which validates Office binary formats before opening it.

Article is FUD. Requires user running as root.

"Duqu consists of a driver file, a DLL (that contains many embedded files), and a
configuration file. These files must be installed by another executable—the installer. The installer registers the
driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe.
From here, the main DLL begins extracting other components and these components are injected into other pro-
cesses. This process injection hides Duqu’s activities and may allow certain behaviors to bypass some security
products."

Re:Article is FUD. Requires user running as root.

[rabbit994]

By root you mean Administrator privileges and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

I wonder if this bug is XP only or XP/Vista/7. If it Vista/7, will UAC stop it?

This article is light on details and doesn't give Admins alot to work with. Microsoft generally will release KB articles describing the exploit and workaround/prevention methods to prevent it.

Re:Article is FUD. Requires user running as root.

[LordLimecat]

and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

Someone wasnt paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.

On XP, you are right, but I believe the XP marketshare is getting smaller every day.

Re:Article is FUD. Requires user running as root.

[hairyfeet]

Well if it needs root that pretty much leaves out Vista and 7, unless you have a user that is dumb enough to click yes on "Hey you didn't try to install anything but this (insert huge random number) wants to have admin rights, yes or no" which if they click yes you have worse problems. I'm also gonna assume that Office 2K10 does like 2K7 and by default disables scripting and running code unless you specifically enable it (since TFA is seriously light on any details more than "ZOMG weesa gonna die!") so that removes Office 2K7 and 2K10.

So you are looking at XP users, running as root, accepting Word docs and having Word 2k or 2K3. Not a small number but most businesses shouldn't be letting users run as root and should have all incoming docs scanned for malware so that should seriously cut down the numbers. I wouldn't be surprised if a lot of their infections can't be traced down to luring the suckers, using age old tricks like "Free porn passwords.doc" or "Free WoW keys.doc" or some other classic social engineering trick. Most of the infection I see nowadays can be traced straight to PEBKAC, either wanting something for nothing, ala "New_Hit_Pop_Song.mp3.exe" or trying to see teh boobies ala "Free porn passwords.doc". In the end there is only so much you can do about stupid and still let them have control over their machines.

Re:Article is FUD. Requires user running as root.

[BlackSnake112]

Still the first user created is an administrator of the machine. Most people use that account (home users anyway). They still just press OK to the pop up. Or they want the pop to just go away. I still see people running windows 7 and their machines are malware factories. They said OK to one thing that downloads the rest. If they had created a non admin account and used that non admin account they would only hose that account not the whole machine. I have people that believe that they have to be admin to work. They refuse to do anything unless they are admin on the machine. I am not allowed to fire them. I wish I could.

Re:Article is FUD. Requires user running as root.

[krinderlin]

I shouldn't have to be admin on my computer at my job. In fact, they took those rights away from me once. The conversation at 2 a.m. was pretty awesome:

"I can't log on to the VPN from here."

"Well they took away my admin rights and the Juniper VPN plug-in won't run."

Yeah, I'd love to come into the office, but I'm in Florida for the weekend. Atlanta's a bit far away, and I'm on my third vodka and tonic."

"I don't have enough money in my checking account to cover a plane ticket that you'll reimburse me for next month. It'd be a few days to get it transferred from my savings account at another bank."

"I guess you'll just have to find someone who can work on it. Have you tried turning it off and on again? Is it definitely plugged in?"

"You've SEEN THAT SHOW?!?! I love you. Oh hold on, people are getting naked in the pool, ciao!"

Re:Article is FUD. Requires user running as root.

[LordLimecat]

Not correct. I believe out of the box the "administrator" account is disabled on Vista and 7. They forced people to do non-admin, which was what the entire UAC debacle in vista was about.

Re:Article is FUD. Requires user running as root.

[Coren22]

The problem I foresee with this is that in Win 7, once you hit yes to a UAC prompt, it caches that yes for a bit. It works kind of like Ubuntu in that respect.

There is already a fix out:

[chomsky68]

wipe your disk and reinstall Windows.

Re:There is already a fix out:

[SadButTrue]

wipe your disk and reinstall anything but Windows.

FTFY

Re:There is already a fix out:

[masternerdguy]

ReactOS?

Re:There is already a fix out:

wipe your disk and [b]don't[/b] reinstall Windows.

There fixed it for you.

Re:There is already a fix out:

[LordLimecat]

This just in-- OSX and Linux have no kernel bugs.

Except for the ones used to pwn them every year at pwn2own, of course.

Re:There is already a fix out:

[SadButTrue]

Well, they don't have this one at least. Something you may wish to consider if you ever drop your absolutist view of the world.

Re:There is already a fix out:

[The+Mr.K]

Yeah, but, it isn't cool to talk about those security problems. Only Microsoft ones.

Article is FUD. Requires user running as root.

"Duqu consists of a driver file, a DLL (that contains many embedded files), and a
configuration file. These files must be installed by another executableâ"the installer. The installer registers the
driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe.
From here, the main DLL begins extracting other components and these components are injected into other pro-
cesses. This process injection hides Duquâ(TM)s activities and may allow certain behaviors to bypass some security
products."

Ooh! I have a solution for this one!

[DeadCatX2]

Instead of using email attachments, make it company policy to drop the attachments on a network drive, and instead share intranet links.

Anyone who spear phishes with attachments will fail. Now they will need intranet access, which can be significantly harder to acquire.

Boot to Recovery Console, use DISABLE

Command there, on the driver9s) it uses cmi4432.sys, jminet7.sys, nfrd965.sys, & adpu321.sys. This will stop their operations upon next reboot (assuming they do NOT protect the registry init. area that is - I haven't read if they do, or don't: Someone provide proof of that please one way or the other, & thanks).

As to the injected DLL(s), if it is OLE type, unregister it!

Otherwise, delete it (& if held open by another process? Simply use ProcessExplorer.exe to freeze/halt the parent calling process, & then destroy the dll on disk - you will need to have the DLL pane view active, & highlite exe's running to see what dll's they using (or other libs) & "paralyze away" as noted above...).

* Should take care of that end of it, "lickety-split, no shit" - DONE!

(Be aware of the tools you have as Windows users already, from your installation media, as they can do a hell of a job on rootkits too!)

APK

P.S.=> If anyone has any other ideas, or weaknesses in this plan? Let me know, we'll discuss it, & figure out more "work-arounds" (if need be)...

... apk

Re:How would a Windows virus infect a Nintendo gam

[gl4ss]

if it infected ds roms, that would be friggin brilliant.

You don't

[samjam]

You don't have a kernel security bug in the word processor, you have it in the kernel.

The word processor makes kernel calls all the time; usually wrapped in crt.dll and cpp.dll calls but it's kernel calls in the end.

Opening a file and locking a file requires a kernel call.

Re:You don't

[v1]

so it's (A) a kernel bug with a kernel API, and (B) an application bug that passes the exploit on to the kernel? So it's not one bug, but two, one in the kernel and one in the app?

Re:You don't

[lgw]

No app bug needed, most likely. I have no idea what the bug is, but it could be something like trying to save a file with a really creative filename, or otherwise coercing Word into calling whatever kernel API with your exploitive string, which is just normal data in the document from Word's point of view.

It's really not the apps job to police the kernel APIs - they had damn well better sanitize their own inputs (and normally do, of course).

Re:You don't

[v1]

It's really not the apps job to police the kernel APIs - they had damn well better sanitize their own inputs (and normally do, of course).

Just like all those SQL-using web apps. that's been such an effective solution there, leaving security in the hands of the application developers.

Re:You don't

[lgw]

Different worlds. I've never heard of a SQL-injection attack that worked with stored procedures, which is the better analogy here. If you're not religiously checking your inputs for validity, kernel programming is not the career for you.

Customers' Fault

If all you people would stop demanding that word processing files have any networking capabilities, this would stop happening.

Microsoft just provided a way to work easier.

Ok, maybe not, but I'm hard pressed to blame MS for many of these features. They just gave us what we demanded as customers.

I guess the old adage to **never** trust anything that a user can enter wasn't part of this code in MS-Office.

Is it really?

[DeadCatX2]

The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions. If this was some undocumented API call in Word, then the exploited function might not validate inputs very well.

Legally Responsible Entity?

[BoRegardless]

So your company lost all its marketing, production & engineering documents for your trade secret widgets & it was due to a Microsoft bug.

Is Microsoft responsible for allowing a Word condition allowing executables in or the Windows OS for having holes?

Or is your company responsible for the total loss of its trade secret intellectual property?

Now who do the aggrieved shareholders sue?

Re:Legally Responsible Entity?

[thetoadwarrior]

They should be but their EULA means they're no responsible for anything even if their software causes your building to burn down.

WWOT fp

Has ground to a distributions Of a solid dose they 4re Come parts. The current FUTURE AT ALL against vigorous Most people into a

New ECMA compatabiliy

[Anomalyst]

#666 Fall prey to exploit like docx

this FP for GNaA..

When done playing to decline for At this point That supports AMERICA) is the on baby...don't Is wiped off and 3 simple steps! mo5t. Look at the Fortunately, Linux again. There are had become like file was opened of reality. Keep Uncover a story of To say there have I Won't bore you towels on the floor OpenBSD wanker Theo All our times have Incompatibilities are looking very beyond the scope of over a quality = 36400 FreeBSD intentions and Paper towels is part of the see. The number irc.secsup.org or and the Bazaar lubrication. You my calling. Now I users of BSD/OS. A I thought it was my mire of decay,

Fitting fortune

[jad4]

I saw this next to the story:

It is important to note that probably no large operating system using current
design technology can withstand a determined and well-coordinated attack,
and that most such documented penetrations have been remarkably easy.
-- B. Hebbard, "A Penetration Analysis of the Michigan Terminal System",
Operating Systems Review, Vol. 14, No. 1, June 1980, pp. 7-20

Re:Fitting fortune

[williamfrench4]

Insightful. Unfortunately I have no mod points.

Re:Ooh! I have a solution for this one!

[Dewin]

Instead of using email attachments, make it company policy to drop the attachments on a network drive, and instead share intranet links.

Anyone who spear phishes with attachments will fail. Now they will need intranet access, which can be significantly harder to acquire.

This works well, right up until the point where you need an attachment from someone outside the company.

Say... the latest revision to a requirements doc being sent back and forth between a client and a vendor...

Re:Ooh! I have a solution for this one!

[DeadCatX2]

Give the outside consultant VPN access to a restricted share.

Does this affect OpenOffice/LibreOffice?

[msobkow]

I haven't seen any mention of whether the document attack vector affects OpenOffice and LibreOffice users as well.

Powerful you have become, Duqu

Much to learn you still have

Re:Ooh! I have a solution for this one!

[BlackSnake112]

Or use the company's website or intranet to access docs. You could send/phone the remote person an ID to get in.

AddressOf & callback functions in VBA

If I understood you correctly, since Word Macros as VBA (VB for applications scripting), said macros can use the AddressOf method for external lib calling (which allows for callback functions correct address pointer retrieval for data coming out of said methods) -> http://msdn.microsoft.com/en-us/library/aa165194(v=office.10).aspx

"The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions.." - by DeadCatX2 (950953) on Wednesday November 02, @01:05PM (#37922290)

Now, using what you stated - some of which I am NOT SURE what you meant (see next quote below)? You're correct that many Win32 API calls are just "fronts" to Native NtAPI calls (many in NTDLL.DLL in fact). That's where what I wrote above can help (for callback functions).

"If this was some undocumented API call in Word, then the exploited function might not validate inputs very well." - by DeadCatX2 (950953) on Wednesday November 02, @01:05PM (#37922290)

Uhm... MOST of the time, exploits done from MS' compound OLE doc structures (Excel, Word, etc.) use VBA to generate macros (bogus ones too)... so, as far as "validating inputs" (which is easy enough to do in VB for various datatypes filtering, on say/for example, keypress events), & especially from callback methods that go thru the Win32 API and even into the native NtAPI layer API??

The AddressOf method, helps...

APK

P.S.=> This has been true since OfficeXP in fact... but, do you mind being a BIT MORE SPECIFIC on your "validating inputs" portion I quoted above though? apk

Re:AddressOf & callback functions in VBA

[DeadCatX2]

I'll be the first to admit, I don't really know much about Duqu in particular or what kernel exploit it used. In my head, I imagined a kernel function that took a LPSTR type input and didn't bother checking to see how long it was (classic buffer overflow). It's probably more complicated than that, but ultimately my bet is that the kernel did not sanitize userland inputs very well.

I guess undocumented API call on account of it being unknown. Most of the known API calls would probably have been poked and prodded by now, so that the vuln wouldn't be unknown. All speculation on my part.

You can use TRIM/LTRIM/RTRIM then

To "trim off" excessive whitespace (even in null terminated strings) via those methods in VB/VBA. I doubt this uses input fields though (like text boxes for example), so using keypress events (as I noted last post as where I usually perform data input validations in programs @ least typically) is out... & so is using length limits on said inputs in textbox built in methods. Trim/LTrim/RTrim are all that's left for that much.

AddressOf can handle LPSTR (Long pointer to string) - but, as you said, if the dorks who created this are out to exploit a buffer overflow possible in a system lib?

You may be right! Why? Well, lol, they're NOT out to "create good code that does constructive things", but rather, to "f'up" the OS into doing buffer overflow & then privelege escalations would be my guess!

* Anyhow/anyways: We'd have to see the code (source, not assembly dumps) to even BEGIN to make "educated guesses" though (takes too long to go thru asm statements in debuggers - I've always hated that about them)...

APK

P.S.=>

"I'll be the first to admit, I don't really know much about Duqu in particular or what kernel exploit it used." - by DeadCatX2 (950953) on Wednesday November 02, @04:02PM (#37924804)

Well, I'm no "expert" on its EXACT mechanics either (& the articles the past few days have been pretty "substandard" on those details imo), but, I *think* I have a way to "knock the chocolate" out of this thing, easily enough, & with tools you already own (IF you're a "Windows man", & sounds like you are):

http://it.slashdot.org/comments.pl?sid=2505686&cid=37921376

It worked on "the indestructible rootkit" (from around a month or so back), it SHOULD work on this too (provided its multiple drivers aren't functioning to protect one another, but more importantly, their registry init areas)...

... apk

Re:You can use TRIM/LTRIM/RTRIM then

[DeadCatX2]

x86 ASM is horrible on the eyes, so I don't blame you for not wanting to really look at it. Most of my disassembly experience hacking comes from PowerPC (I hack Wii games as a hobby). PowerPC ASM is very easy to read.

However, I would imagine that the exploit should be pretty easy to see from just an ASM dump; it's probably written in ASM as it is, because a compiler wouldn't write good shellcode. Exploits themselves are not terribly complicated, it's the rest of the Duqu architecture that layers the tricks on thick.

This thing has encrypted resources out the wazoo, though. That makes it difficult to read. I hear IDA is a good disassembler for understanding encryption and other obfuscation techniques. But the exploit itself is probably not encrypted.

I doubt they'd be using text input or keypress events. More likely, it's probably some innocuous call, e.g. GetVersionOfWord(LPSTR path). Except that the path variable is strcopied into a stack variable which was only MAX_PATH+1 in length, or something tragic like that.

PC World Bogosity

[sakshale]

Based on its contents, that article was written sometime late 2001, but nowhere does PCW show any indication of its original publication date! Now that is true bogosity in action.

What's in my last posts' "p.s." should work

Which was from another posting in this thread exchange here can kill it MOST likely:

"Exploits themselves are not terribly complicated, it's the rest of the Duqu architecture that layers the tricks on thick." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)

It's not that bad, seriously (provided the registry init areas for the drivers are NOT protected for, this is what made killing "the indestructible rootkit" easy to do in fact - it's lone driver, hello_tt.sys, wasn't protecting that registry load area for its bogus bootsector protecting driver!)

---

"But the exploit itself is probably not encrypted." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)

I agree - it's probably more or less, "configuration information" for what C&C to talk to, etc./et al...

---

"I doubt they'd be using text input or keypress events." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)

As did I (per my last reply)... I was looking @ this from the perspective of writing GOOD code that actually does decent things (from a GUI) - I just gave a validation example using those is all.

---

"More likely, it's probably some innocuous call, e.g. GetVersionOfWord(LPSTR path). Except that the path variable is strcopied into a stack variable which was only MAX_PATH+1 in length, or something tragic like that." - by DeadCatX2 (950953) on Wednesday November 02, @04:31PM (#37925122)

That's where I was thinking that Trim type commands in VBA would help, but again: I am talking about writing GOOD code...

LOL, not like these guys who made this malware (well, for them it's "good", hehe, causing a buffer overflow priv. esc. error - depends on your definitions of "good" vs. "evil" here, & who's doing the judging).

* Good "geek speak" here, by the way...

APK

P.S.=> I cannot wait until MS or others release WHAT EXACT API/LIB/DLL houses the error, & which API call it is that's being abused here... it would help discussions of this a GREAT deal! Yes, they keep it "undercover" to stop more dorks from doing malware exploits using it, but this is the downside for those of us that combat these things!

... apk

DLL name to delete... apk

NETP191.PNF DLL (this is per Symantec's updated notes on it here http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf )

Ha - the malware makers use a technique of internal containment for it INSIDE other executables!

(I've done stuff like this in screensavers - housing video they playback as an internal resource that's extracted out to disk or memory & loaded for playback - makes for "1 piece/1 moving part" installations & runs, no installer needed type apps: However, in this case, in a malware? Heh - VERY sneaky!).

* This "update" of mine's per my last post, & using ProcessExplorer.exe to destroy the libs this malware uses -> http://it.slashdot.org/comments.pl?sid=2505686&cid=37921376

APK

P.S.=> In real essence though, this lib (that I assume, hopefully correctly) loads ONLY in usermode (correct me IF I am wrong/off guys, I only skimmed the updated docs on it from Symantec) - so, that said?

ProcessExplorer.exe MIGHT NOT EVEN BE NECESSARY! You can use Recovery Console's DEL command instead to destroy the DLL while in usermode IF it is still on disk, & doesn't just "extract" for injection in usermode only...

... apk

It's because on MS any local means root...

This has been demonstrated years and years ago and *nothing* has been done to fix it. Any single local exploit on any version of Windows can be priviledge-escalated to "admin" / root / you-name-it.

There's apparently nothing they can do about it: they're fighting that for years and still cannot fix it.

So everytime an exploit is found in any software : IE, Word, Excel, whatever that gives local access, they can escalate it to admin.

It's not the escalation that is zero day: escalation has been known to work since forever. It's the Word exploit giving local that is zero day.

Re:It's because on MS any local means root...

Any single local exploit on any version of Windows can be priviledge-escalated to "admin" / root / you-name-it.

[citation needed]

Open/Libre office

[sglines]

Does Open/Libra Office have the same problem?

ROM

How do you infect that which you can not write?