Microsoft Warns of Zero-Day Attacks
wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."
Don't they already put that warning on the box?
I love the terminology. But what the hell? How does processing an image lead to code execution? And it affects software from a decade ago. Makes you wonder about what vulnerabilities might be out there. Makes you wonder about who knows, and uses them.
So when the summary says "the attacker would have to convince the user..." what they really mean is that it would happen automatically with no user interaction. I could send you an email, and just by clicking on it, it shows in the preview pane and BAM, you're owned. This sounds like it would be an XP thing, but since it applies to Office 2007 and 2010, presumably it applies to Windows 7 as well?
I bet NSA is pissed, because one of their favorite pwnage tools is now public :(
I'm getting awfully tired of exploits from MicroSquishy that I can't do anything to block. If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines.
Fortunately I don't *trust* Windows at all after the last time I got burned, so I do *all* my surfing with Linux/Debian. The *only* time I ever hit the internet from the Windows box is to download software updates or installs.
I do not fail; I succeed at finding out what does not work.
Office 2000 bitches! I knew being too cheap to upgrade would pay off!
Microsoft, Apple, and even our dear Linux have all had issues with previewing malcrafted images. If seeing this in patch notes shocks you, I'll assume you haven't read many patch notes. TIFF is surprising, as that hasn't been a huge attack vector, but I've seen in the hundreds of notes I've read as an IT peon that formats have been an issue. More often it is PDF, EMF or WMF, but TIFF isn't out of the question.
It is a file format that is pretty low on the level of requiring correct formatting and is more or less abandoned by its owner, Adobe. I bet there is a grip of EPS exploits out there for Microsoft's viewer, but very few people would open those. Everyone knows EPS is "an Adobe" and forwards them on to the graphics department.
Technically it's not zero day because they collaborate with NSA and give them the exploit before they warn the public.
I guess Linux has never and never will have any security exploits possible against it. So yeah, good luck with that. And to anyone else who thinks using Linux online is the end all and be all for security. No system is safe.
-- I ignore anonymous replies to my comments and postings.
They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?
Kudos. That's the laziest response to a vulnerability I've ever heard of.
I do not fail; I succeed at finding out what does not work.
I am glad I am moving our businesses away from proprietary software! Feel free to welcome us back into the fold... Cheers, phiber
Had this been a Linux bug, the patches would have been out tonight.
I do not fail; I succeed at finding out what does not work.
NSA agents were busy last month sending Word documents to the critical staff of major foreign companies.
Microsoft and zero-day attacks go together like .... 2 things that go together really well.
I want to delete my account but Slashdot doesn't allow it.
It's "Yet Another Back Door", which they might get around to disclosing if enough non-MS and non-Gov't exploits are published. It's no different from the DX9 kernel modules looking for MP3s with executable streams.
The crackers don't have to compromise MS products, they just have to find the existing back doors and use them.
Maybe so. The only thing I can tell you is that I have been heavily using Linux on the Internet since the late 90s, on several boxes connected to the Internet, and the number of times any of those boxes has been broken into is exactly 0. No system is safe, but some systems are a joke, when it comes to being exploited. Linux is not one of them.
Because they do not separate code and data.
I want to delete my account but Slashdot doesn't allow it.
The current versions of Microsoft Windows and Office are not affected by the issue (as I read on the BBC website).
Nice way to get all those IT managers to pay out for an expensive upgrade in a panic if they want to keep their jobs I guess.
Guess you didn't read the first link.
-- I ignore anonymous replies to my comments and postings.
With the shape of security in the IT industry right now, I expect the patch to address this will end up bricking 20% of the servers that apply it.
Maybe so. The only thing I can tell you is that I have been heavily using Linux on the Internet since the late 90s, on several boxes connected to the Internet, and the number of times any of those boxes has been broken into is exactly 0. No system is safe, but some systems are a joke, when it comes to being exploited. Linux is not one of them.
That's because as far as normal users go there are virtually no Linux users to target, adoption of Linux as a desktop operating system is a joke but malware runs rampant on Android.
Easy. You have something (like a header) that leads the image decoder to allocate a certain amount of memory on the stack (a buffer) for an expected piece of data. Then you have the decompressed data be larger than it was advertised or calculated, overflowing the buffer and so overwriting other items on the stack, like the return address. By changing the return address you can point it back at the buffer, and when the CPU tries to read those bytes as code instead of data, it turns out they do bad things.
Vulnerabilities in media decoders are a prime vector for infection since they are usually processed automatically. The only reason you are seeing it in software from 'a decade ago' is that hackers face so much competition from white hat researchers when it comes to browsers, fighting for vulnerabilities from a usually shrinking pool. With fewer opportunities some are turning to media decoders found in applications like Office. It's a less effective vector since it requires several actions from the user, but the upside is that these applications are often not as aggressively patched as browsers have become which means a single vulnerability might work for months.
For a comparison, it's been almost a year since the last arbitrary code vulnerability was reported in Firefox's GIF decoder, and 2 years since the JPEG decoder was last turned into an attack vector (to the best of my knowledge). IE, Chrome and Safari have experienced similar droughts, with all the major browsers only having 1 or 2 image-based vulnerabilities reported annually for the last few years, and usually by researchers who allow it to be patched quickly rather than as a zero day being exploited. Of course other types of media exist. CSS/HTML5 has rapidly become a media format in and of itself, and a little over a month ago Firefox was vulnerable to arbitrary code execution due to the way it decoded animations in CSS stylesheets (this was reported by Google and patched with the release of FF 24). TL;DR Researchers are hogging all the good browser vulnerabilities, so hackers are playing in the dusty old rooms nobody has visited in years.
"To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content."
Thankfully it's proven difficult over the years to get a Windows user to do any of those things....
Do you have ESP?
maybe it was a zero day, but no longer?
Just today I was telling someone you would have to pay me to go back to Windows.
Mint 15 and damn happy.
TIFF - Nuf sed.
If everyone used Linux, then malware would target Linux. And I find it hard to believe your Linux box has always worked perfectly. Never had to muck around in configs? Or found out your hardware isn't supported easily? Linux has its issues too. Not that Windows is perfect, but they each have their uses.
This morning I was browsing some porn during the morning fap and my mouse went fucking berserk. Even rebooting didn't fix it, switching mice didn't fix it. I was like WTF is happening, this made no sense. I got mad and slammed the keyboard and it fixed it. I have no idea what the fuck happened, but it was sketchy as fuck.
" If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines. "
Google "Digital River Windows 7 ISOs".
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
... and the number of times any of those boxes has been broken into is exactly 0.
That you know of.
Why is this modded down? People need to know what an NSA backdoor riddled piece of shit Linux really is!
That's because as far as normal users go there are virtually no Linux users to target
So it's the user and not the operating system then? Because Linux has a lot of installs.
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Summary
http://soylentnews.org/~tibman
"Microsoft released an advisory today warning users about a new zero-day flaw that we'll fix when we damn well feel like it. The digital holy war is targeting the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Some Failed Skype Imitation. The problem exists in our poorly written TIFF reader. To exploit the vulnerability, an attacker will email you and when you open it, you are fucked. It will download and install malware and there is nothing you can do about it. The vulnerability affects those new versions of Office that we insisted you needed to upgrade to and Shoddy Server 2008 and Windows 7 - 1. Right now, opening a Microsoft Word document could ruin your week or your month."
Anons need not reply. Questions end with a question mark.
TIFF gets scary as some of the JPEG header and EXIF structure is heavily "borrowed" from the TIFF spec and layout. Most people dealing with TIFF files would be publishing professionals, not Joe Average.
TIFF is a scary format in general because it's been extended in so many bizarre ways to support document management systems. For example, there's actually a standard for embedding PDFs inside of a TIFF (rather than vice versa).
Exactly how many engineered back doors have actually been found and exploited?
I'm wondering, considering the massive amounts of money Microsoft has, the army of developers they have, just the sheer size of the corporation, how the heck they can't write a single piece of software that does not have some exploitable vulnerability in it. With that massive amount of resources at its disposal, they still write crappy software... Almost like, hey, let's hide all these deliberate backdoors in all this software we ship...
It sounds like a typical stack buffer overflow bug. Why couldn't ASLR and NX nullify it?
Flaw in the image processing code.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
there's some merit to your argument, but the fact that Windows has images and fonts that can own your system is beyond absurd.
A compromise solution is that the preview pane shows text-only previews. That keeps the majority of the productivity, and should close these holes we speak of. Thoughts?
And I was not warned.. (But I use Unix all day)
Using EMET provides additional layers of protection against this kind of thing.
Use Linux.
Exactly how do you tell the difference between an accidentally introduced vulnerability facilitating a back door and a back door engineered to look like the former?
There's a phrase you should google: 'plausible deniability'.
Sure this is one? With the time MS normally takes to patch these things, a hundred-day attack would probably have been equally effective.
A compromise solution is that the preview pane shows text-only previews. That keeps the majority of the productivity, and should close these holes we speak of. Thoughts?
That has been a feature in every half-decent mail client for ages now. Surprisingly, a notable absence in Thunderbird, but then Thunderbird can at least be told never to open images directly in the preview or views and not to render any HTML. That people still accept/use HTML in email, after decades of exploits and scams, somehow shows to what extent safe communications are a lost battle.
Here's another compromise solution, at least for business communications: instead of those absolutely irrelevant 10 lines of pompous and pointless disclaimer that every company likes to include at the end of each and every email, they could write one that explicitly disallows any malicious parsing of embedded images, voilà. That surely would scare the shit out of those nasty exploiters!
That reminds me of the famous "Galician" virus that circulated a while ago. It was a text-only virus, which informed you that by reading it you had just been pwned, appealing to your honor for duly destroying your Windows registry after having manually resent the virus to your contacts.
It's not the first time it happens on Windows but similar issues have also affected Linux and most likely OSX too.
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
Guess you didn't read the first link.
Why all the sensationalism and mock dismay? This Linux vuln is nothing like as severe as the Windows one.
In fact, the perf exploit was just a local privilege escalation vulnerability that was patched in the Linux kernel when it was identified (back in May). In addition, any admin who was concerned about it could load a kernel module patch immediately.
In any event, I tested the supposed exploit on several 64 bit machines with various kernel versions here and got kernel oops but no root.
It's in response to someone once again making like Linux is invulnerable. It isn't. I'm not a Microsoft nor Linux nor Mac fanboy. I have used all three (and OS/2) at work and at home. I don't make any assumptions that any of them are bullet proof like many others here seem to. I think anyone who does is a fool. Especially moderator fanboys who mod me down for pointing out that Linux has its moments too. And I still use all three OSs. My laptop runs Kubuntu by the way... which broke touchpad functionality on its latest upgrade. Just saying that it isn't bullet proof yet again. But I didn't delete it off the laptop, I plugged in a mouse. Stop hating on people who point out the truth of things ... even if you don't want to believe it.
-- I ignore anonymous replies to my comments and postings.
TIFF isn't a huge vector because, for the most part, it's a "write-only" format, whereas attackers rely on files being read. The purpose of TIFF is for interchange, so you can have many programs that write TIFF files, but only a few that can read them and convert them to whatever other format suits your purposes.
I've been using Thunderbird for years now. The default behavior is to not show images or any other potentially harmful material. I'm not sure what you've done wrong but maybe you should reset your settings to default.
Or at least that's what would be the case if GDI+ didn't add TIFF reading for everything.
I would have expected, in this day and age, where computers are supposed to be much more powerful than needed for the majority of users, that C-style management of buffers would have been a thing of the past, especially in major software like Office and browsers.
But, judging from your post, it seems that is not the case. People still use raw buffers without bounds checking.
The principle "performance first, safety second" has not done any good. The majority of problems like this come from the programming language C, which does not mandate bounds-checked array access.
The differences are that 1) Linux actually tries to be secure and 2) Linux isn't running unnecessary services you don't need and 3) The patch comes out much more rapidly for Linux, as stated, this is a proven fact. Don't pretend that Windows has parity with Linux, because it doesn't.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
My Win8 laptop crashes hard with a KERNEL_SECURITY_CHECK_FAILURE when I plug in *any* mouse while it's running. Trade ya!
Ever notice that Cobra Commander sounds an awful lot like Star scream?
I'm not saying Linux is invulnerable to exploits. But it *is* more secure by design.
Were there a font rendering bug that could be picked up by my browser, the worst it could do is damage my user data and cause the browser or maybe even the desktop to crash (presuming the attack knew which desktop API to target.)
Font and image rendering does not occur in kernel space under Linux.
My bigger point, though, is that Linux vulnerabilities get patched and shipped a *lot* faster than they do for Windows or OS/X.
I do not fail; I succeed at finding out what does not work.
Mod parent "Informative".
Thanks. Downloading now. I've been half-panicked for almost a year that I don't have install media.
I do not fail; I succeed at finding out what does not work.
but the fact that Windows has images and fonts that can own your system is beyond absurd.
It is absurd, but let's not pick on Windows. Both OS X and *NIX systems have suffered from similar vulnerabilities in libtiff, libpng (lots!), libjpeg (almost as many) and FreeType (too many to count). The problem was that all of these were written with the assumption that you could trust the input data and that performance was the primary concern. Now, computers are so fast that no one would notice a 50% slowdown in most of these (although they would in an H.264 decoder, which is another popular vector), and people attack them with fuzzing tools to try to find exploits so the input can't be trusted at all.
I am TheRaven on Soylent News
Windoze exploits = linux exploits * 80,000 = OSX exploits * 10,000
Microsoft Warns of Zero Day-Attacks
Doesn't sound so bad.
If I recall correctly, certain byte value sequences can cause immediate processing of machine code level commands. I'm reminded of SQL injections. These command codes are CPU dependent. I don't think you'll find this in any HTML5 specification how-to's; yet?
"in targeted campaigns occurring in the Middle East and South Asia."
So they know it's targeted? How do they know that? Are they involved? Did they sell this exploit to some government and are waiting to release a patch because they are not done yet?
Considering that every time a Linux attack appears on Slashdot, it turns out that the user has to purposely install something with elevated privileges beforehand, I'm not too worried.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
There have been vulnerabilities like this discovered many times in the past. It goes all the way back to Windows 95. Windows is monolithic and closed source. Monolithic because attackers can assume certain software will be installed and used by default. Closed source means that MS is less likely to be warned of the vulnerabilities by white hats. These things are the chinks in the armor.
You can dodge these bullets most of the time by using non-MS programs as your default programs.
Thanks! I got a good laugh from that!
It doesn't help that the US government has access to the Windows source code and the ability to spoof Microsoft's CSA to sign any code they want (see Stuxnet, Duqu).
If you liked that, you'll like to know that you can remove the ei.cfg file from the ISO to convert it into a universal ISO. There are multiple tools for it, but I've just used rm in the past (granted, the media I used was a USB stick). Here's one such tool: http://code.kliu.org/misc/winisoutils/
Note that your license still has to match the type you select during installation. I have no idea why Microsoft insists on having so many different ISOs when they could just have one universal ISO...
A proud member of the Onion-in-Hand alliance
They've still had exploitable bugs in the HTML parser, which would need to run through the email to convert it into text if it was not a plaintext email.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
"Everybody be careful!"
-> Bug #3253368 fixed.
Yeah yeah, I hear you. Just don't say it is invulnerable and that is why you only use it for online stuff. Yes, it is more secure by design, just not invulnerable and people shouldn't treat it as such. But really, I have maybe had two viruses for sure on my Windows PCs since 1990, and one was at work (I didn't get hit by that one at home, but a lot of people did on their office computer). The one at home was in 1996. So unless you are someone who doesn't know better than to open things you don't expect to receive etc. Windows isn't as bad as people make out, especially if you have a good antivirus and firewall. That is my experience. I believe that if more people were using Linux, more issues would be found with viruses etc.
-- I ignore anonymous replies to my comments and postings.
I'm with you on all that. I just get pissed by people intimating stupid things like 'you will never get a virus or be compromised if you use Linux'. That's just plain dumb. All systems are vulnerable. Some maybe more than others. It is harmful to others to make such claims because someone is bound to believe it and not pay attention to suspicious sites, emails, etc. like they should. All because a bunch of asshats make erroneous claims. That is what sets me off.
-- I ignore anonymous replies to my comments and postings.
So what you are saying is nobody has actually uncovered one of these purposeful or accidental backdoors but you will continue to argue they do exist even though there is no evidence?
"plausible deniability" So even though no backdoor has been uncovered those supposedly responsible for these non-existent backdoors are planning to issue a denial for something that doesn't exist?
The first link describes a privilege escalation bug, where an *untrusted user* becomes root. That doesn't describe a linux user browsing the web on his own machine. You need an arbitrary code execution bug as well in order to give this bug teeth.
Also FatPhil on SoylentNews, id 863
Undoing a well deserved upmod here but I had to comment:
Easy. You have something (like a header) that leads the image decoder to allocate a certain amount of memory on the stack (a buffer) for an expected piece of data. Then you have the decompressed data be larger then it was advertised or calculated, overflowing the buffer and so overwriting other items on the stack, like the return address.
This is an extremely serious WTF. Okay fine, the header says to expect X amount of data. Okay fine, you allocate a buffer of X size. Why in god's name would you continue writing to the buffer after you reached X? No, really. There is no good reason or excuse for this. The person writing this should NEVER be allowed to write code that could be used in an elevated context.
Why do people accept this as normal or reasonable? For years the excuse was the software was so new and catching everything was so hard... but THIS. This is not hard. This is obvious. Glaringly so. Meh. People piss me off. Utterly unacceptable. No excuse for this.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
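The bug pattern the two comments above describe (a decoder sizing its buffer from the header and then writing whatever the compressed data expands to, and the reply asking why it keeps writing past X) in working C. This is an added example for this thread, not code from the thread, from Microsoft, or from any real TIFF decoder: the "image" format, the run-length encoding and the sample inputs are constructed for the demonstration. It shows the trusting decoder beside a checked one that rejects a file whose data does not match its header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy image format (NOT real TIFF): a 2-byte little-endian
 * header giving the decoded length, followed by run-length pairs
 * (count, value). The defect is the one described in the thread: the
 * decoder sizes its output from the header, then writes whatever the
 * compressed data actually expands to. */

/* Sample inputs, constructed for this demonstration. */
const uint8_t GOOD_IMG[] = { 0x06, 0x00, 3, 'A', 3, 'B' };  /* expands to exactly 6 bytes */
const uint8_t BAD_IMG[]  = { 0x06, 0x00, 3, 'A', 40, 'X' }; /* header says 6, data expands to 43 */

/* Decoded length the header promises (0 if the header is truncated). */
size_t declared_len(const uint8_t *img, size_t img_len) {
    if (img_len < 2) return 0;
    return (size_t)img[0] | ((size_t)img[1] << 8);
}

/* VULNERABLE pattern: trusts the header and never compares what it writes
 * against the capacity it was handed. With a buffer sized exactly to the
 * header, the 40-byte run in BAD_IMG runs off the end. Returns bytes written. */
size_t decode_trusting(const uint8_t *img, size_t img_len, uint8_t *out) {
    size_t written = 0;
    for (size_t i = 2; i + 1 < img_len; i += 2) {
        uint8_t run = img[i], val = img[i + 1];
        for (uint8_t r = 0; r < run; r++)
            out[written++] = val;          /* no check against the declared size */
    }
    return written;
}

/* HARDENED form: the header is checked against the caller's buffer, every
 * run is checked against the remaining capacity, and data that does not
 * match the header is rejected instead of partially decoded.
 * Returns 0 on success, -1 on malformed input. */
int decode_checked(const uint8_t *img, size_t img_len,
                   uint8_t *out, size_t out_cap, size_t *written_out) {
    size_t cap = declared_len(img, img_len);
    if (cap == 0 || cap > out_cap) return -1;   /* header claims more than we can hold */
    size_t written = 0;
    for (size_t i = 2; i + 1 < img_len; i += 2) {
        uint8_t run = img[i], val = img[i + 1];
        if (run > cap - written) return -1;     /* this run would overflow the buffer */
        memset(out + written, val, run);
        written += run;
    }
    if (written != cap) return -1;              /* short data is also malformed */
    *written_out = written;
    return 0;
}

/* Demo helper: runs the trusting decoder into a deliberately oversized
 * scratch buffer so the overrun can be measured rather than corrupting the
 * stack. Inputs that would expand past the scratch buffer are refused. */
size_t trusting_bytes_written(const uint8_t *img, size_t img_len) {
    static uint8_t scratch[4096];
    size_t need = 0;
    for (size_t i = 2; i + 1 < img_len; i += 2) need += img[i];
    if (need > sizeof scratch) return (size_t)-1;
    return decode_trusting(img, img_len, scratch);
}

/* Demo helper: result code of the checked decoder with a 64-byte buffer. */
int checked_result(const uint8_t *img, size_t img_len) {
    uint8_t out[64];
    size_t n = 0;
    return decode_checked(img, img_len, out, sizeof out, &n);
}

int main(void) {
    uint8_t out[64];
    size_t n = 0;
    printf("BAD_IMG header declares %zu bytes\n", declared_len(BAD_IMG, sizeof BAD_IMG));
    printf("trusting decoder wrote %zu bytes\n", trusting_bytes_written(BAD_IMG, sizeof BAD_IMG));
    printf("checked decoder on BAD_IMG: %d\n", decode_checked(BAD_IMG, sizeof BAD_IMG, out, sizeof out, &n));
    int rc = decode_checked(GOOD_IMG, sizeof GOOD_IMG, out, sizeof out, &n);
    printf("checked decoder on GOOD_IMG: %d (%zu bytes)\n", rc, n);
    return 0;
}
```

The checked decoder is the answer to "why would you continue writing after you reached X": the capacity is carried alongside the output pointer and compared on every write, and a mismatch between header and payload is treated as a malformed file rather than something to accommodate.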
After setting the DisableTIFFCodec DWORD and rebooting, it seems a Win7 machine continues to parse tiff files in Windows Photo Viewer. Anyone observe a different behavior? I'd assume the built in photo viewer would use the built in codec?!
Fairly sure I followed MS destructions properly..
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus]
"DisableTIFFCodec"=dword:00000001
I looked at this a couple of times, and I still don't know what your point is. I upgraded my Kubuntu to 13.10 on my laptop and my trackpad stopped working, is that what you wanted? So after a month and an update or two it looks like some of the functionality is back. But really... what??
-- I ignore anonymous replies to my comments and postings.