Slashdot Mirror


Microsoft Warns of Zero-Day Attacks

wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."

26 of 165 comments

  1. Already there by suso · · Score: 4, Funny

    Don't they already put that warning on the box?

    1. Re:Already there by GoodNewsJimDotCom · · Score: 2, Insightful

      It is like Microsoft Windows doesn't even try to be secure. It isn't too incredibly hard for executables to be unable to hammer system files if a modicum of sandboxing was involved. An example would be if applications couldn't touch things outside their installed directory. There would be a specific protocol for communication between different installed apps. This should have been done back in the win98 era. Because applications are not secure, everyone is paranoid about downloading an untrusted .exe. If Windows was made for the Internet, you should be able to download any application and it be harmless.

    2. Re:Already there by mstefanro · · Score: 3, Interesting

      I have been saying this for ages. It is embarrassing that the concept of "antivirus" still exists.
      Its main purpose is to enforce a huge blacklist of .exe files that can harm you. Instead
      of keeping track of millions of apps that are evil, why not just apply some least privilege
      principles and sandboxing already so that we can run an application without granting it
      access to all our resources?

      It comes as no surprise that everything gets moved to the web nowadays. One can safely
      open a website without worrying that all his personal data can be accessed (such as Firefox
      stored passwords). On the other hand, opening an application requires complete trust in the author,
      which is simply too much to ask most of the time. Look how well "apps" have evolved in mobile
      platforms. It is quite natural to prefer apps to websites, because it can be easier to have something run on startup
      and be easily accessible whenever you want, as opposed to having to go through a browser. They
      generally have less overhead and are more powerful. If Windows had a decent package manager
      and proper privilege separation we would probably be living in a different world today.

      For anyone who claims stuff like "but Windows has UAC", obligatory xkcd: http://xkcd.com/1200/

    3. Re:Already there by recoiledsnake · · Score: 5, Informative

      You just described Windows RT.

      --
      This space for rent.
    4. Re:Already there by ArsonSmith · · Score: 2

      Windows is fine if you don't read emails or browse the web.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    5. Re:Already there by smash · · Score: 2

      It's called code-signing, and every time someone suggests it, the /. crowd are up in arms about how you're not free to run what you want on your own computer, conveniently disregarding the idea that you can sign code yourself.

      And yes, it's the only real solution.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    6. Re:Already there by stooo · · Score: 2

      Code signing? This does not remove exploitable holes in that cleanly signed (but shitty) code.

      --
      aaaaaaa
    7. Re:Already there by TheP4st · · Score: 3, Informative

      Why only pick on Windows? http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

      Because we picked on Apple for that one on August 29th and to those of us that are capable of thinking clearly it makes very little sense to pick on Apple when the topic clearly is a Windows vulnerability.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    8. Re:Already there by fuzzyf · · Score: 2

      The real problem is with the x86 architecture. As long as it's possible to hijack threads and inject code to running processes it doesn't matter what the filesystem allows or not.

      Creating a secure system would need a different architecture to begin with. The way the stack is handled in x86 is just asking for buffer overflow exploits.

    9. Re:Already there by mstefanro · · Score: 2

      Antiviruses are blacklisting, code signing is whitelisting. Both bad solutions in a world
      where we have so many apps that keeping track of all of them is very difficult.
      Besides, code signing does not solve the problem of too relaxed permissions. In the
      situation presented in the article, MS Office is a signed piece of software.

    10. Re:Already there by mcgrew · · Score: 2

      It's funny, just yesterday I was having a slashdot conversation with someone who was talking about Microsoft's "superior QA", a day after the slashdot story about W8.1 breaking mice and other stuff.

      I clicked on the story expecting to see a Windows problem (I still have W7 on this notebook, too lazy to install kubuntu) and it turns out I'm safe; I don't use IE or MS Office (I'm using Oo to write my books).

  2. WOW by noh8rz10 · · Score: 3, Insightful

    So when the summary says "the attacker would have to convince the user..." what they really mean is that it would happen automatically with no user interaction. I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned. This sounds like it would be an XP thing, but since it applies to Office 2007 and 2010, presumably it applies to Windows 7 as well?

    I bet NSA is pissed, because one of their favorite pwnage tools is now public :(

    1. Re:WOW by ljw1004 · · Score: 2

      No, the advisory said that it affects Vista and Server2008.

      It explicitly says that Win7, Win8, Win8.1, WinRT, Server2008-R2 and Server2012 are unaffected.

      Caveat: although I work at Microsoft, I know nothing about this alert other than what I read in TFA.

    2. Re:WOW by smash · · Score: 2

      Additionally, to delete a message within outlook you must click on it first. Which means if you have the preview window displayed, it will be parsed and displayed in the preview window.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:WOW by Anonymous Coward · · Score: 2, Informative

      So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?

      You are not affected, you are not software. Your OS, Windows 7, is not affected, as explicitly stated. One of your programs, Office 2010, is affected, as explicitly stated.

  3. Re:New Attack? 0 Day? by tbuddy · · Score: 5, Informative

    Microsoft, Apple, and even our dear Linux all have had issues with previewing malcrafted images. If seeing this in patch notes shocks you I'll assume you haven't read many patch notes. TIFF is surprising as that hasn't been a huge attack vector, but I've seen in the hundreds of notes I've read as an IT peon where formats have been an issue. More often it is PDF, EMF, WMF, but TIFF isn't out of the question.
    It is a file format that is pretty low on the level of requiring correct formatting and is more or less abandoned by its owner, Adobe. I bet there is a grip of EPS exploits out there for Microsoft's viewer, but very few people would open those. Everyone knows EPS is "an Adobe" and forwards them on to the graphics department.

  4. Re:I got burned by the font rendering bug last tim by theshowmecanuck · · Score: 2, Informative

    I guess Linux has never and never will have any security exploits possible against it. So yeah, good luck with that. And to anyone else who thinks using Linux online is the end all and be all for security. No system is safe.

    --
    -- I ignore anonymous replies to my comments and postings.
  5. So... by msobkow · · Score: 3, Insightful

    They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?

    Kudos. That's the laziest response to a vulnerability I've ever heard of.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:So... by Bite+The+Pillow · · Score: 2

      I'm much more concerned that to disable a codec, you have to create a new registry key for GDIPlus, then add "DisableTIFFCodec" specifically to disable Windows-wide the built-in TIFF rendering.

      There's not a whitelist so that you can search for what's enabled - there's a hidden key that is queried every time a Microsoft application *starts* so that if it is already running making the change has no effect.

      That it is called "DisableTIFFCodec" - I'm not even sure what the words are to properly object to that. If someone wants to disable TIFF, they have to know what it's called. And a registry watcher is going to note the GDIPlus failure, and it won't even try to check the actual values so you will never know they exist unless you create a key for every failure and see what else is queried.

      I'm sure this is a short circuit optimization to test fewer keys. I'm just as sure there is a better solution. With dynamic linking, couldn't I just remove a file and let the loader eat the error? System files which are properly protected sound like the obvious answer to these sorts of enable/disable toggles.

      To actually have a workaround, I have two choices. One, let some binary from Microsoft run. They have never had problems with patches, right? Wrong. Or to view the details, I have to have JavaScript enabled because the page loads as display:hidden which sucks. Or of course view source which is always slightly painful.

      It's obscure and arcane and just dirty.

      And at this point, the attack surface is so huge and ingrained, they have an officially supported "Enhanced Mitigation Experience Toolkit" which, I assume, adds precautions that cause degraded performance or incompatibility in some applications. So you have to choose between things working and being insecure.

      It's like a reverse Metasploit. But even that requires a commandline:
      "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\Office application filename.exe"

      The decisions that were made were probably reasonable independently. In fact I can probably argue for each one without knowing specifics. But someone has to answer to the monstrosity this has become.

      I'm not worried about the amount of time the patch will take, because I would rather it work, and testing the various combinations and ensuring it works right takes time. The amount of third party software that might rely on this is probably a huge impact - they can't break Adobe or Mozilla or Google products, and the huge amount of business-critical COTS software that does strange things has to be a headache. I saw a list years ago of all the titles that Windows specifically has hacks to support, and I'm sure it has only grown, even with throwing old titles off the list. But even without that, this should be disturbing.

  6. Re:New Attack? 0 Day? by Michalson · · Score: 4, Insightful

    Easy. You have something (like a header) that leads the image decoder to allocate a certain amount of memory on the stack (a buffer) for an expected piece of data. Then you have the decompressed data be larger than it was advertised or calculated, overflowing the buffer and so overwriting other items on the stack, like the return address. By changing the return address you can point it back at the buffer, which when the CPU tries to read those bytes as code instead of data it turns out they do bad things.

    Vulnerabilities in media decoders are a prime vector for infection since they are usually processed automatically. The only reason you are seeing it in software from 'a decade ago' is that hackers face so much competition from white hat researchers when it comes to browsers, fighting for vulnerabilities from a usually shrinking pool. With fewer opportunities some are turning to media decoders found in applications like Office. It's a less effective vector since it requires several actions from the user, but the upside is that these applications are often not as aggressively patched as browsers have become which means a single vulnerability might work for months.

    For a comparison it's been almost a year since the last arbitrary code vulnerability was reported in Firefox's GIF decoder, and 2 years since the JPEG decoder was last turned into an attack vector (to the best of my knowledge). IE, Chrome and Safari have experienced similar droughts, with all the major browsers only having 1 or 2 image based vulnerabilities reported annually for the last few years, and usually by researchers who allow it to be patched quickly rather than as a zero day being exploited. Of course other types of media exist. CSS/HTML5 has rapidly become a media format in and of itself and a little over a month ago Firefox was vulnerable to arbitrary code execution due to the way it decoded animations in CSS stylesheets (this was reported by Google and patched with the release of FF 24). TL;DR Researchers are hogging all the good browser vulnerabilities, so hackers are playing in the dusty old rooms nobody has visited in years.
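The decoder defect described in the comment above, as an added example that is not part of the original thread: a constructed toy run-length "strip" format (not real TIFF) whose header advertises a decoded length, decoded once the unchecked way and once with the checks a decoder needs so that what the runs actually produce can never exceed what the header promised or the buffer holds.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy "strip" format modelled on the comment's scenario (not real
 * TIFF): in[0] advertises the decoded length, then (count, value) run pairs
 * follow. Both decoders expand runs into a fixed stack buffer. */
#define STRIP_BUF 32

/* Unchecked shape: the header is taken as a hint and nothing compares what the
 * runs really produce with it, so one long run writes past buf on the stack. */
int rle_decode_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    uint8_t buf[STRIP_BUF];
    size_t pos = 0;
    if (in_len < 1 || in[0] > STRIP_BUF) return -1;
    for (size_t i = 1; i + 1 < in_len; i += 2)
        for (size_t k = 0; k < in[i]; k++)
            buf[pos++] = in[i + 1];          /* no bound on pos */
    for (size_t i = 0; i < pos; i++) out[i] = buf[i];
    return (int)pos;
}

/* Checked shape: the advertised length is a claim to verify, not a bound to
 * trust. Every run is tested against remaining capacity before it is written,
 * and a strip whose runs do not add up to the header is rejected. */
int rle_decode_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint8_t buf[STRIP_BUF];
    size_t pos = 0, declared;
    if (in_len < 1) return -1;
    declared = in[0];
    if (declared > STRIP_BUF || declared > out_cap) return -2; /* header too large */
    for (size_t i = 1; i + 1 < in_len; i += 2) {
        size_t n = in[i];
        if (n > declared - pos) return -3;   /* run would exceed advertised size */
        for (size_t k = 0; k < n; k++) buf[pos++] = in[i + 1];
    }
    if (pos != declared) return -4;          /* header and payload disagree */
    for (size_t i = 0; i < pos; i++) out[i] = buf[i];
    return (int)pos;
}

/* Constructed sample strips: one honest, three malformed. */
static const uint8_t GOOD[]  = { 5, 3, 'A', 2, 'B' };  /* 3 A + 2 B = 5 as advertised */
static const uint8_t LIE[]   = { 4, 200, 'A' };        /* advertises 4, run yields 200 */
static const uint8_t TRUNC[] = { 5, 3, 'A' };          /* advertises 5, runs yield 3 */
static const uint8_t BIG[]   = { 40, 1, 'A' };         /* header larger than STRIP_BUF */
int run_checked(const uint8_t *in, size_t n) { uint8_t out[STRIP_BUF]; return rle_decode_checked(in, n, out, sizeof out); }
int run_unchecked(const uint8_t *in, size_t n) { uint8_t out[STRIP_BUF]; return rle_decode_unchecked(in, n, out); }
```

Only the honest strip is ever passed to the unchecked decoder here; the point of the malformed samples is that the checked decoder refuses each of them with a distinct error before any byte is written out of bounds.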

  7. No problem, then by Trailer+Trash · · Score: 2

    "To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content."

    Thankfully it's proven difficult over the years to get a Windows user to do any of those things....

  8. Translated summary by Gravis+Zero · · Score: 4, Funny

    "Microsoft released an advisory today warning users about a new zero-day flaw that we'll fix when we damn well feel like it. The digital holy war is targeting the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Some Failed Skype Imitation. The problem exists in our poorly written TIFF reader. To exploit the vulnerability, an attacker will email you and when you open it, you are fucked. It will download and install malware and there is nothing you can do about it. The vulnerability affects those new versions of Office that we insisted you needed to upgrade to and Shoddy Server 2008 and Windows 7 - 1. Right now, opening a Microsoft Word document could ruin your week or your month."

    --
    Anons need not reply. Questions end with a question mark.
  9. Re:New Attack? 0 Day? by Anonymous Coward · · Score: 5, Interesting

    TIFF is a scary format in general because it's been extended in so many bizarre ways to support document management systems. For ex, there's actually a standard for embedding PDFs inside of a TIFF (rather than vice versa).

  10. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  11. Re:TIFF by smash · · Score: 2

    Problem is, most email to fax gateways use either TIFF or PDF, and most of them are TIFF. Though PDF isn't any better (in fact, historically it is much worse, security wise) given that most people seem to use Adobe Reader to open them.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  12. Use Linux. by stooo · · Score: 2

    Microsoft Warns of Zero-Day Attacks
    Use Linux.

    --
    aaaaaaa