Windows 0-Day Exploited In Ongoing Attacks
An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals; however, most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.
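A triage sketch for the file type the summary describes, added here as an example and not part of the original post or of any vendor tooling: it flags Office files that carry embedded or linked OLE objects so they can be held for review before anyone opens them. The function names and the sample file are constructed for illustration; the check looks only at OOXML relationship parts and the compound-file magic bytes.

```python
import io
import re
import zipfile

# Compound File Binary magic: the container format OLE objects are stored in.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# OOXML relationship type that ties a slide to an embedded or linked OLE object.
OLE_REL = re.compile(rb'<Relationship\b[^>]*Type="[^"]*/relationships/oleObject"[^>]*>')
TARGET = re.compile(rb'Target="([^"]*)"')


def find_ole_objects(data: bytes) -> list[tuple[str, str]]:
    """Return (part_name, reason) for every OLE indicator found in the file."""
    if data.startswith(OLE_MAGIC):
        # Legacy .ppt/.doc/.xls: the whole file is an OLE container.
        return [("<file>", "legacy OLE compound document")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # neither OOXML nor legacy OLE; nothing to report
    findings = []
    with archive:
        for name in archive.namelist():
            body = archive.read(name)
            if body.startswith(OLE_MAGIC):
                findings.append((name, "embedded OLE payload"))
            elif name.endswith(".rels"):
                for rel in OLE_REL.findall(body):
                    target = TARGET.search(rel)
                    where = target.group(1).decode() if target else "?"
                    findings.append((name, "oleObject relationship -> " + where))
    return findings


def build_sample(with_ole: bool) -> bytes:
    """Constructed, harmless stand-in for a .pptx (not a real presentation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if with_ole:
            z.writestr("ppt/slides/_rels/slide1.xml.rels",
                       '<Relationships><Relationship Id="rId2" Type="http://schemas.'
                       'openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                       'Target="../embeddings/oleObject1.bin"/></Relationships>')
            z.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for part, reason in find_ole_objects(build_sample(with_ole=True)):
        print(f"{part}: {reason}")
```

A hit means only that the file contains an OLE object, which many legitimate presentations do; it is a reason to route the file for inspection, not a verdict.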
You do know the common way for users to deal with UAC prompts, right?
Yes, but in a well-managed environment users won't get a UAC prompt because they won't be local admins. If the folks you've trusted enough to grant local admin to are still dumb enough to click OK to a UAC prompt when opening an Office file, then there's literally no security system that will help you.
Linux is not good, damn full of bugs, Heartbleed, Shellshock and now THIS!!! Crap, wait, I must have made some mistake ;)
Just download this handy PowerPoint slideshow and I think you'll find it explains how this attack works in perfect detail...
It's a problem of false negatives. I've never been confronted with a UAC warning for which it was appropriate to say no. Never.
When 100% of past warnings were unnecessary, people don't pay attention to warnings anymore. This isn't a problem with human behavior, this is a problem with the warnings. Warnings need to have a memorably high rate of indicating actual danger -- five or ten percent is enough. One in a million is not enough.
Windows is like the crazy guy on the corner who says "the end is near!" Yeah, sure, maybe this time he's right, but we've heard that false message too many times to even bother listening to it.
If you're a security remediation specialist for the I.T. department, Windows is job security as these problems will never go away.
... and if the one rendering engine was used, the moment an exploit becomes available, all systems are vulnerable. Haven't we learned about the dangers of monocultures yet?
Visio charts, Project Gantt charts, Excel charts... it's actually a very useful technology, especially if you're pulling data from a live source (e.g. query data into Excel, which generates charts). Much easier than querying the data in Excel, updating the graph, exporting (or copying) the graph as PNG, then updating the PowerPoint.
Well, then you should take a look at the attached PowerPoint presentation! It gives an in-depth analysis of exactly why you should be careful when answering "Yes" to UAC prompts.