Slashdot Mirror
Windows 0-Day Exploited In Ongoing Attacks
An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.
UAC will display a warning, this exploit only touches users who run as admin.
I don't think any still supported version of Windows defaults to admin.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Linux is not good, damn full of bugs, heartbleed, shellsock and now THIS!!! Crap, wait, I must have made some mistake ;)
....Don't ever change you magnificant bastard.
Yeah, you defflinitely have "allow" it. But most people don't read half the messages excel or powerpoint throw at them. Just accept, accept, open, enable, install, install. Why do we even make botnets... I'm sure the users would do it on their own if they were prompted.
Just download this handy powerpoint slideshow and I think you'll find it explains how this attacks works in perfect detail...
Dont ask...we had a fantastic team of System administrators here that fortunately when one left the other had the good sense of leaving too, that installed EVERYTHING they could into the servers. The Windows servers had Office, and Linux servers had 30-40GB of software.
If you're a security remediation specialist for the I.T. department, Windows is job security as these problems will never go away.
... and if the one rendering engine was used, the moment an exploit becomes available, all systems are vulnerable. Haven't we learned about the dangers of monocultures yet?
Visio charts, Project Gantt charts, Excel charts... it's actually a very useful technology, especially if you're pulling data from a live source (eg. query data into Excel, which generates charts). Much easier than querying the data in Excel, updating the graph, exporting (or copying) the graph as PNG then updating the PowerPoint.
The problem is MS never had a small tutorial during windows installation or during the first boot showing users how to create a Standard User account and have an administrative account for elevating your rights for doing administrative stuff.
The actual problem is that unlike Linux, doing this doesn't help you do a lot of the "administrative stuff" you need to do in Windows.
In Linux, a normal user with sudo permission can run "sudo su -" and everything run from that terminal will have admin privileges. You can do the same thing in Windows with "RunAs" either from a command prompt or from the Start Menu with Shift+RightClick. The problems then start. First, you have to figure out what command to enter to do something that is normally only done with the GUI. Then, you have to remember that everything is being done as the admin user, so any changes don't get put into the normal user's profile. This causes problems for some programs that don't have the "install for all users" functionality set up correctly.
In addition, there are some things that stupidly require elevated privileges but affect only the current account (like Control Panel->System->Advanced System Settings->Performance), which are thus impossible to change if your account isn't a member of "Administrators". There are also some things that even "Administrators" don't have permission to do, but "Administrator" does. And, there are some things that can't be done because you can't actually become the account that you need to be in order to do them (like "TrustedInstaller").
The problem is MS never had a small tutorial during windows installation or during the first boot showing users how to create a Standard User account and have an administrative account for elevating your rights for doing administrative stuff. But now, with windows 8 during the install, you can create any type account you like, but again, no tutorial.
The problem is one of history for Windows.
Windows was originally a place where every user was an Administrator. This encouraged developers to not pay attention to APIs used, so then applications came to be reliant on running only under users that were Administrators. Even Microsoft Office did that for a long time.
Then Microsoft split users up and now there was a special Administrator account and group. Except users wanted to continue using all the software they had from before that split. The solution? Make all users administrators. Developers kept designing software that required administrative access - even Microsoft Office.
Then came Windows Vista and UAC. Microsoft Office got fixed up; but many developers did not listen to years of warning. So then UAC started prompting the hell out of everyone. Windows 7 came along and most developers had fixed their software so UAC could be scaled back in its prompting some (really, that's the only difference between Win7 and Vista - the default threshold setting for UAC - in this matter).
Of course no where along the road did Microsoft make it easy to switch between users. Sure, there's "Run As..." but it's (a) not well known, (b) a PITA to use, and (c) doesn't solve every use case. UAC doesn't quite either. In neither case do either work like the priviledge escalation in Linux/Unix with "su" and "sudo" and their graphical equivalents. So everyone still must have the administrative access to do certain tasks.
And of course people are still trained that their user needs to be the Admin user for the system.
So there's still work to be done on Windows to bring a real "su"/"sudo" experience to Windows; but overall it's still very much a user issue since they're all trained to and expect that their Windows user will have admin rights whether they really need them or not.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Well, we mostly use Libreoffice at work. Are we vulnerable if we open a powerpoint file in Impress?
If your process involves generating Office, documents, it's generally the easiest way. The server automation tools for generation of Office documents are basically scripts and wrappers around.... Office. So if you want to generate some report that spits out an Excel file at the end, you can bet it was generated in Excel the first time around because the reporting tool actually called Excel to fill in the fields.
This may have been correct 5 to 10 years ago, but you should never do this in a modern installation if you can possibly help it. Microsoft's official position is that "Microsoft does not recommend or support server-side Automation of Office."
You should be using the Open XML SDK to create Office documents in your web application. The default classes and methods are somewhat opaque, but fortunately, there are a lot of helper toolkits that run on top of OOXML SDK to make things much easier. I used Simple OOXML, which hasn't been updated for a while and has limited documentation, but works pretty well, and is free. These solutions are not only much more robust in a server-side situation, but you don't have to devote an Office license to the server.