Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Warns of Zero-Day Attacks

Posted by Soulskill on from the welcome-to-tuesday dept.

wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."

10 of 165 comments (clear)

  1. Already there by suso · · Score: 4, Funny

    Don't they already put that warning on the box?

    1. Re:Already there by mstefanro · · Score: 3, Interesting

      I have been saying this for ages. It is embarassing that the concept of "antivirus" still exists.
      Its main purpose is to enforce a huge blacklist of .exe files that can harm you. Instead
      of keeping track of million of apps that are evil, why not just apply some least privilege
      principles and sandboxing already so that we can run an application without granting it
      access to all our resources?

      It comes as no surprise that everything gets moved to the web nowadays. One can safely
      open a website without worrying that all his personal data can be accessed (such as Firefox
      stored passwords). On the other hand, opening an application requires complete trust in the author,
      which is simply too much to ask most of the time. Look how well "apps" have evolved in mobile
      platforms. It is quite natural to prefer apps to websites, because it can be easier to have something run on startup
      and be easily accessible whenever you want, as opposed to having to go through a browser. They
      generally have less overhead and are more powerful. If Windows had a decent package manager
      and proper privilege separation we would probably be living in a different world today.

      For anyone who claims stuff like "but Windows has UAC", obligatory xkcd: http://xkcd.com/1200/

    2. Re:Already there by recoiledsnake · · Score: 5, Informative

      You just described Windows RT.

      --
      This space for rent.
    3. Re:Already there by TheP4st · · Score: 3, Informative

      Why only pick on Windows? http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

      Because we picked on apple for that one on August 29th and to those of us that are capable of thinking clearly it make very little sense to pick on apple when the topic clearly is a windows vulnerability.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  2. WOW by noh8rz10 · · Score: 3, Insightful

    so when the summary says "the attacker would have to convince the user..." what they really mean is that it would happen automatically with no user interaction. I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned. This sounds like it would be an XP thing, but since it applies to office 2007 and 2010, presumably it applies to windows 7 as well?

    I bet NSA is pissed, because one of their favorite pwnage tools is now public :(

  3. Re:New Attack? 0 Day? by tbuddy · · Score: 5, Informative

    Microsoft, Apple, and even our dear Linux all have had issues with previewing malcrafted images. If seeing this on a patch notes shocks you I'll assume you haven't read many patch notes. TIFF is surprising as that hasn't been a huge attack vector, but I've seen in the hundreds of notes I've read as an IT peon where formats have been an issue. More often it is PDF, EMF, WMF, but TIFF isn't out of the question
    It is a file format that is pretty low on the level of requiring correct formatting and is more or less abandoned by its owner, Adobe. I bet their is a grip of EPS exploits out there for Microsoft's viewer, but very few people would open those. Everyone know EPS is "an Adobe" and forward them on to the graphics department.

  4. So... by msobkow · · Score: 3, Insightful

    They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?

    Kudos. That's the laziest response to a vulnerability I've ever heard of.

    --
    I do not fail; I succeed at finding out what does not work.
  5. Re:New Attack? 0 Day? by Michalson · · Score: 4, Insightful

    Easy. You have something (like a header) that leads the image decoder to allocate a certain amount of memory on the stack (a buffer) for an expected piece of data. Then you have the decompressed data be larger then it was advertised or calculated, overflowing the buffer and so overwriting other items on the stack, like the return address. By changing the return address you can point it back at the buffer, which when the CPU tries to read those bytes as code instead of data it turns out they do bad things.

    Vulnerabilities in media decoders are a prime vector for infection since they are usually processed automatically. The only reason you are seeing it in software from 'a decade ago' is that hackers face so much competition from white hat researchers when it comes to browsers, fighting for vulnerabilities from a usually shrinking pool. With fewer opportunities some are turning to media decoders found in applications like Office. It's a less effective vector since it requires several actions from the user, but the upside is that these applications are often not as aggressively patched as browsers have become which means a single vulnerability might work for months.

    For a comparison it's been almost a year since the last arbitrary code vulnerability was reported in FireFox's GIF decoder, and 2 years since the JPEG decoder was last turned into an attack vector (to the best of my knowledge). IE, Chrome and Safari have experienced similar droughts, with all the major browsers only having 1 or 2 image based vulnerabilities reported annually for the last few years, and usually by researchers who allow it to be patched quickly rather then as a zero day being exploited. Of course other types of media exist. CSS/HTML5 has rapidly become a media format in of itself and a little over a month ago FireFox was vulnerable to arbitrary code execution due to the way it decoded animations in CSS stylesheets (this was reported by Google and patched with the release of FF 24). TL;DR Researchers are hogging all the good browser vulnerabilities, so hackers are playing in the dusty old rooms nobody has visited in years.

  6. Translated summary by Gravis+Zero · · Score: 4, Funny

    "Microsoft released an advisory today warning users about a new zero-day flaw that we'll fix when we damn well feel like it. The digital holy war is targeting the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Some Failed Skype Imitation. The problem exists in our poorly written TIFF reader. To exploit the vulnerability, an attacker will email you and when you open it, you are fucked. It will download and install malware and there is nothing you can do about it. The vulnerability affects those new versions of Office that we insisted you needed to upgrade to and Shoddy Server 2008 and Windows 7 - 1. Right now, opening a Microsoft Word document could ruin your week or your month."

    --
    Anons need not reply. Questions end with a question mark.
  7. Re:New Attack? 0 Day? by Anonymous Coward · · Score: 5, Interesting

    TIFF is a scary format in general because it's been extended in so many bizarre ways to support document mangagement systems. For ex, there's actually a standard for embedding PDFs inside of a TIFF (rather than visa-versa).