Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 0-Day Exploited In Ongoing Attacks

Posted by Soulskill on from the gift-that-keeps-on-giving dept.

An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

15 of 114 comments (clear)

  1. Re:Only for root users by fisted · · Score: 4, Insightful

    You do know the common way for users to deal with UAC prompts, right?

    --
    CLI paste? paste.pr0.tips!
  2. Re:Only for root users by afidel · · Score: 4, Insightful

    Yes, but in a well managed environment users won't get a UAC prompt because they won't be local admins, if the folks you've trusted enough to grant local admin to are still dumb enough to click ok to a UAC prompt when opening an Office file then there's literally no security system that will help you.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  3. Damn linux by ruir · · Score: 4, Funny

    Linux is not good, damn full of bugs, heartbleed, shellsock and now THIS!!! Crap, wait, I must have made some mistake ;)

    1. Re:Damn linux by 93+Escort+Wagon · · Score: 3, Insightful

      It's mildly funny that Server 2003 doesn't have this bug, and also was the last Windows Server that still used some Unix/BSD code.

      (No, I'm not claiming a causal relationship...)

      --
      #DeleteChrome
  4. Oh Microsoft Windows... by technomom · · Score: 3, Funny

    ....Don't ever change you magnificant bastard.

  5. Don't worry, I have a slideshow explaining this! by Grantbridge · · Score: 4, Funny

    Just download this handy powerpoint slideshow and I think you'll find it explains how this attacks works in perfect detail...

  6. Re:Definitely Users by CauseBy · · Score: 5, Interesting

    It's a problem of false negatives. I've never been confronted with a UAC warning for which it was appropriate to say no. Never.

    When 100% of past warnings were unnecessary people don't pay attention to warnings anymore. This isn't a problem with human behavior, this is a problem with the warnings. Warnings need to have a memorably high rate of indicating actual danger -- five or ten percent is enough. One in a million is not enough.

    Windows is like the crazy guy on the corner who says "the end is near!" Yeah, sure, maybe this time he's right, but we've heard that false message too many times to even bother listening to it.

  7. Windows = Job Security by __aaclcg7560 · · Score: 4, Insightful

    If you're a security remediation specialist for the I.T. department, Windows is job security as these problems will never go away.

  8. Re: Only for root users by parkinglot777 · · Score: 3, Insightful

    I think even most casual users will wake up and cancel the request

    This actually makes me laugh :P Sadly, a casual user is not as logical as you think.

  9. Re: Yikes by neilo_1701D · · Score: 4, Insightful

    ... and if the one rendering engine was used, the moment an exploit becomes available, all systems are vulnerable. Haven't we learned about the dangers of monocultures yet?

  10. Re:Wait one cotton pickin' minute by neilo_1701D · · Score: 4, Insightful

    Visio charts, Project Gantt charts, Excel charts... it's actually a very useful technology, especially if you're pulling data from a live source (eg. query data into Excel, which generates charts). Much easier than querying the data in Excel, updating the graph, exporting (or copying) the graph as PNG then updating the PowerPoint.

  11. Re:Definitely Users by Zalbik · · Score: 4, Funny

    It's a problem of false negatives. I've never been confronted with a UAC warning for which it was appropriate to say no. Never.

    Well, then you should take a look at the attached powerpoint presentation! It gives an in-depth analysis of exactly why you should be careful when answering "Yes" to UAC prompts.

  12. Re:Only for root users by Bacon+Bits · · Score: 3, Informative

    No, you just use the Application Compatibility Toolkit which allows you to run an application with the exact level of permissions it requires to get things done regardless of the permissions assigned to the current user. Does your application need to be able to write to it's own program folder, but you want to prevent everything else from doing that, too? Application Compatibility Toolkit.

    Is it easy to use? No, but it does work very well. The tools exist to get what you need done regardless of your environment. Granting users admin rights when they don't need them is just lazy.

    --
    The road to tyranny has always been paved with claims of necessity.
  13. Re:hum by TemporalBeing · · Score: 3, Informative

    The problem is MS never had a small tutorial during windows installation or during the first boot showing users how to create a Standard User account and have an administrative account for elevating your rights for doing administrative stuff. But now, with windows 8 during the install, you can create any type account you like, but again, no tutorial.

    The problem is one of history for Windows.

    Windows was originally a place where every user was an Administrator. This encouraged developers to not pay attention to APIs used, so then applications came to be reliant on running only under users that were Administrators. Even Microsoft Office did that for a long time.

    Then Microsoft split users up and now there was a special Administrator account and group. Except users wanted to continue using all the software they had from before that split. The solution? Make all users administrators. Developers kept designing software that required administrative access - even Microsoft Office.

    Then came Windows Vista and UAC. Microsoft Office got fixed up; but many developers did not listen to years of warning. So then UAC started prompting the hell out of everyone. Windows 7 came along and most developers had fixed their software so UAC could be scaled back in its prompting some (really, that's the only difference between Win7 and Vista - the default threshold setting for UAC - in this matter).

    Of course no where along the road did Microsoft make it easy to switch between users. Sure, there's "Run As..." but it's (a) not well known, (b) a PITA to use, and (c) doesn't solve every use case. UAC doesn't quite either. In neither case do either work like the priviledge escalation in Linux/Unix with "su" and "sudo" and their graphical equivalents. So everyone still must have the administrative access to do certain tasks.

    And of course people are still trained that their user needs to be the Admin user for the system.

    So there's still work to be done on Windows to bring a real "su"/"sudo" experience to Windows; but overall it's still very much a user issue since they're all trained to and expect that their Windows user will have admin rights whether they really need them or not.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  14. Libreoffice? by BellyJelly · · Score: 3, Interesting

    Well, we mostly use Libreoffice at work. Are we vulnerable if we open a powerpoint file in Impress?