Slashdot Mirror


Microsoft Patches OLE Zero-Day Vulnerability

msm1267 writes: Microsoft today released a patch for a zero-day vulnerability under active exploit in the wild. The vulnerability in OLE, or Microsoft Windows Object Linking and Embedding, enables a hacker to remotely execute code on an infected machine, and has been linked to attacks by the Sandworm APT group against government agencies and energy utilities. Microsoft also issued a massive Internet Explorer patch, but warned organizations that have deployed version 5.0 of its Enhanced Mitigation Experience Toolkit (EMET) to upgrade to version 5.1 before applying the IE patches. Version 5.1 resolves some compatibility issues, in addition to several mitigation enhancements.

37 comments

  1. why is it red? by Anonymous Coward · · Score: 0

    why is it red?

    1. Re:why is it red? by The+New+Guy+2.0 · · Score: 1

      Red headlines indicate the story's not ready yet for comments, but queued up ready to run next. Subscribers see it, and occasionally they open it up to everybody to promote subscriptions, and prove there's a breaking story worth extra attention coming. In this case, if you just checked slashdot expecting a slow news day story, you got this must-upgrade-or-else Patch Tuesday release.

    2. Re:why is it red? by _merlin · · Score: 1

      Stories only visible to subscribers have the red background. All stories are initially only visible to subscribers before being made available to everyone, but there's some delay between the story being made available to everyone and the colour being changed to the standard green.

    3. Re:why is it red? by Anonymous Coward · · Score: 4, Funny

      why is it red?

      Comments are disabled to allow Microsoft time to assemble a team of Social Media Manglers (SMMs). Their job is to ensure discussion of yet another failure is framed so as to minimize the harm to their client's reputation.

      It's part of Microsoft's TOS with the very dicey new Slashdot.

  2. Re:Good job MS by Anonymous Coward · · Score: 3, Funny

    This anonymous guy is right, at least with Microsoft you're paying for top vulnerabilities versus with Linux, you just get the vulns which people half-heartedly create... I know where my money is going!

  3. Is There A Fix for XP? by Anonymous Coward · · Score: 0

    Or can I disable OLE?

    1. Re:Is There A Fix for XP? by The+New+Guy+2.0 · · Score: 3, Insightful

      This is the knockout blow to XP... an announced unpatched flaw!

    2. Re:Is There A Fix for XP? by Anonymous Coward · · Score: 0

      Assuming XP has the dllhost.exe, use ASR in EMET 5.x to block the packager.dll for the process and for every other protected application using the library. EMET 4.1 Update 1 supports XP still but doesn't have ASR, so if the 5.x doesn't install or work, another blocking method is needed.

    3. Re:Is There A Fix for XP? by Anonymous Coward · · Score: 0

      Don't be ridiculous. Nobody running XP outside the business world (and none in the business world with a competent administrator) has used any OLE since the late 90s. This is a total non-issue.

  4. Happy Patch Tuesday everybody! by The+New+Guy+2.0 · · Score: 3, Interesting

    It's Patch Tuesday falling on Veterans Day this year... so this may catch some IT staff sleeping. Everybody checking Slashdot at home who maintains one of these things... log in and apply the update!

  5. Re:Good job MS by The+New+Guy+2.0 · · Score: 0

    "Zero day" means the first exploit hasn't been spotted... Microsoft announced the patch and the problem at the same time, and did so on its designated day of the month (2nd Tuesday) so it looks like they had it right.

  6. Re:Good job MS by The+New+Guy+2.0 · · Score: 0

    Yep, you pay for Microsoft because it comes with the promise they're paying people to set mistakes right... you can't get that with Linux unless you pay somebody like Red Hat.

  7. Re:Good job MS by pushing-robot · · Score: 3, Insightful

    "Zero day" means the first exploit hasn't been spotted

    What?

    Microsoft announced the patch and the problem at the same time

    Did you even read the summary?

    --
    How can I believe you when you tell me what I don't want to hear?
  8. Re:Good job MS by The+New+Guy+2.0 · · Score: 1

    Good catch... the summary has wrong use of the term "zero-day"... please count the number of days this has been out!

  9. XP vulnerabilities are exaggerated. by Futurepower(R) · · Score: 1, Interesting

    In many cases, XP vulnerabilities are minimal. Don't use Internet Explorer. Every user should have limited rights. Users should be trained not to open files that haven't been arranged in advance. Use a software firewall that monitors outgoing traffic.

    Most writers for technical publications have limited technical knowledge. What is not said in the article linked by Slashdot is that computers that run software firewalls that monitor outgoing traffic are far more protected.

    Quoting from the article: "For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object."

    Another quote: "A successful exploitation could lead to the attacker gaining same user rights as the current user, and if that means administrative user rights, the attacker can install programs; access, modify, or delete data; or create new accounts with full user rights."

    This article explains some of the issues: Microsoft Windows XP "end of life": Conflict of interest.

    1. Re:XP vulnerabilities are exaggerated. by The+New+Guy+2.0 · · Score: 3

      This amounts to "Don't run Office" on XP. If XP can't run IE or Office, better switch to the open source Firefox and OpenOffice... but if you're going to do that, why not bring in Linux?

    2. Re:XP vulnerabilities are exaggerated. by MachineShedFred · · Score: 1

      For several use cases, it similarly won't work just like newer versions of Windows.

      For example - you support a logistics center that has a several million dollar pallet stacking machine that saves shloads of money. The computer that runs it uses Windows XP, and the software that runs it will *only* work on Windows XP. The manufacturer of the device is not going to update the software because that particular piece of equipment is 10 years old, so to get rid of Windows XP, you need to get rid of the perfectly functional stacker, which will cost several million dollars.

      Linux does nothing to fix this problem, unless you spin up a team of developers to reverse engineer the software and redevelop it for Linux, which won't fix the prompt issue of Windows XP being attached to the network to run a pallet stacker; and it will still cost a shload of money.

      The only options here are to lock that box down as hard as possible, and figure out if you can get it onto a private network with an air gap. And this isn't a specific case - when you have an operating system that was supported and ubiquitous for 13 years, there are lots of very expensive and very nitpicky things developed to work on it.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    3. Re:XP vulnerabilities are exaggerated. by sound+vision · · Score: 1

      I have a netbook ca. 2009 that shipped with XP. It has 1 GB of memory and an Atom N270 - 32-bit, single core, single thread. Linux isn't an option due to the wireless drivers being horribly broken in Linux. Vista and Win 7 aren't options since the hardware would choke under the weight.
      Eventually what I did was turn the thing into a low-powered, headless Debian server - I can run that off Ethernet. It should be noted that it was somewhat difficult to even find a distro for it - I was going with Ubuntu Server first, then found out it's only available in 64-bit.

    4. Re:XP vulnerabilities are exaggerated. by Anonymous Coward · · Score: 0

      better switch to the open source Firefox and OpenOffice... but if you're going to do that, why not bring in Linux?

      Probably because when compared to IE, MS Office, and Windows: Firefox, *especially* the execrable OpenOffice, and Linux are all horrible to use, not as compatible as their developers pretend, and (in the case of Firefox) slow?

  10. 0 Day???? ROFLLLLLLLLLULzx by Anonymous Coward · · Score: 0, Interesting

    how is this zero day.. the summary says -> released a patch for a zero-day vulnerability under active exploit in the wild. - how the heck is that a zero day ploit? more like shudda beeen paytched looooong time ago.

    1. Re:0 Day???? ROFLLLLLLLLLULzx by The+New+Guy+2.0 · · Score: 1

      Score that zero-day mention as worth zero!

    2. Re:0 Day???? ROFLLLLLLLLLULzx by Kythe · · Score: 1

      It would appear it's actually a "zero day [plus 18 years]".

      --

      Kythe
  11. Re:Good job MS by Bite+The+Pillow · · Score: 2

    In opposition, OLE has been a zero-day since at least two years after it was introduced.

    Anything using OLE, or any of the later labels for OLE, should have assumed that it, somehow, was infected.

    It could have been done securely, I assume, but I can't tell you how. I can say that every OLE book has told me, indirectly, how to fuck up a dude's 'puter.

  12. Re:Good job MS by Anonymous Coward · · Score: 0

    Not really. The summary says it was an ole one.

  13. Re:Good job MS by Anonymous Coward · · Score: 0

    Are you really this stupid?

  14. Doh! by Anonymous Coward · · Score: 0

    At first glance, the headline read "Microsoft Patents OLE Zero-Day Vulnerability". My bad.

  15. no dice, not zero day. by Gravis+Zero · · Score: 2

    this was a zero day vulnerability... THREE WEEKS AGO.

    --
    Anons need not reply. Questions end with a question mark.
  16. Re:Good job MS by gweihir · · Score: 1

    You seem to have missed the "under active exploit in the wild" part...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Re:Good job MS by Anonymous Coward · · Score: 0

    Newsflash: bug fixing is work too, and is greatly accelerated by paid developers.

  18. "Enables a hacker" by Anonymous Coward · · Score: 0

    But only a hacker. So just round up all those cyberbogeymen, lock'em away, and the world is safe again.

    No? That's not how it works? Why do you keep saying it like that, then?

  19. ... an infected machine by megaronic · · Score: 1

    That's a refreshingly honest description of a Windows computer.

  20. First Poop!!!!!!! by Anonymous Coward · · Score: 0

    #1 #1 #1 #1 #1

  21. NOT a remote exploit. by MrL0G1C · · Score: 1

    From the summary

    The vulnerability in OLE, or Microsoft Windows Object Linking and Embedding, enables a hacker to remotely execute code on an infected machine,

    100% wrong, the exploit is of the trojan type and needs either code to be run by a user or an MS Office document to be opened locally before the machine is pwned.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  22. Right, or it'd be DCOM (not just COM/OLE)... apk by Anonymous Coward · · Score: 0

    See subject-line: For OLE to be actually REMOTELY marshallable, it's got to be DCOM (vs. COM/OLE)... correct?

    APK

    P.S.=> IIRC, That's the MAIN DIFFERENCE between straight (interchangeable terms in OLE/COM) COM-OLE & DCOM (distributed COM)... apk

  23. Re:Good job MS by Kythe · · Score: 1

    "IBM corp's cybersecurity research team discovered the bug in May, describing it as a 'significant vulnerability' in the operating system.

    "'The buggy code is at least 19 years old and has been remotely exploitable for the last 18 years,' IBM X-Force research team said in its blog on Tuesday."

    http://www.nbcnews.com/tech/se...

    I know you guys recently made a big deal out of attacking free software projects, and tried to exploit a couple of recent bugs in them to evangelize for paid development, so this reminder of how bad bugs frequently are in paid development software is pretty embarrassing. But in context, pretending this somehow demonstrates how good paid development models are just looks silly.

    --

    Kythe
  24. Re:Good job MS by Kythe · · Score: 1

    If you're talking about the IE vulnerability: according to IBM: 6,935.

    Of course, if you want to count from the time IBM found the bug and reported it: roughly 180.

    --

    Kythe