Windows 0-Day Exploited In Ongoing Attacks

An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

Re:Only for root users

[Bacon+Bits]

No, you just use the Application Compatibility Toolkit which allows you to run an application with the exact level of permissions it requires to get things done regardless of the permissions assigned to the current user. Does your application need to be able to write to it's own program folder, but you want to prevent everything else from doing that, too? Application Compatibility Toolkit.

Is it easy to use? No, but it does work very well. The tools exist to get what you need done regardless of your environment. Granting users admin rights when they don't need them is just lazy.

Re:hum

[TemporalBeing]

The problem is MS never had a small tutorial during windows installation or during the first boot showing users how to create a Standard User account and have an administrative account for elevating your rights for doing administrative stuff. But now, with windows 8 during the install, you can create any type account you like, but again, no tutorial.

The problem is one of history for Windows.

Windows was originally a place where every user was an Administrator. This encouraged developers to not pay attention to APIs used, so then applications came to be reliant on running only under users that were Administrators. Even Microsoft Office did that for a long time.

Then Microsoft split users up and now there was a special Administrator account and group. Except users wanted to continue using all the software they had from before that split. The solution? Make all users administrators. Developers kept designing software that required administrative access - even Microsoft Office.

Then came Windows Vista and UAC. Microsoft Office got fixed up; but many developers did not listen to years of warning. So then UAC started prompting the hell out of everyone. Windows 7 came along and most developers had fixed their software so UAC could be scaled back in its prompting some (really, that's the only difference between Win7 and Vista - the default threshold setting for UAC - in this matter).

Of course no where along the road did Microsoft make it easy to switch between users. Sure, there's "Run As..." but it's (a) not well known, (b) a PITA to use, and (c) doesn't solve every use case. UAC doesn't quite either. In neither case do either work like the priviledge escalation in Linux/Unix with "su" and "sudo" and their graphical equivalents. So everyone still must have the administrative access to do certain tasks.

And of course people are still trained that their user needs to be the Admin user for the system.

So there's still work to be done on Windows to bring a real "su"/"sudo" experience to Windows; but overall it's still very much a user issue since they're all trained to and expect that their Windows user will have admin rights whether they really need them or not.