Microsoft Confirms Excel Zero-Day Attack 199
Guglio writes "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business. The latest zero-day attack comes just two days after Patch Tuesday (coincidence?) and less than a month after a very similar, 'super, super targeted attack' against business interests overseas. The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."
unnamed business (Score:1, Insightful)
Why read the article? (Score:5, Insightful)
I don't need to RTFA, I can just wait for the movie.
NOT TO FEAR! (Score:4, Insightful)
Oh wait, didn't they say that when they released Windows 98, Windows ME, Windows 2000, Windows XP, Windows 2003 Server, Office XP, & Office 2003? HMMMMMMM. This could be a pattern forming.
It's part of Microsoft's plan (Score:4, Insightful)
Microsoft lets these exploits run free to keep the cattle in line. They need to keep people upgrading and buying the latest versions of their products to keep the cash flowing. If they released a well-written, stable, secure piece of software, what reason would people have to upgrade?
Re:Hackers can't do it? (Score:5, Insightful)
Zero-day exploits do tend to suggest someone with specific goals, who has the resources to sit and come up with zero day exploits, and the foresight to target deployment to achieve a goal. It's not behaviour that we stereotypically associate with hackers, but there is no reason it couldn't be one person (or ten or a hundred).
Not a popularity problem (Score:5, Insightful)
News? (Score:5, Insightful)
Yes, OpenOffice will be full of holes as well.
Not news.
As for attacking just after the patch cycle, it's unlikely to mean anything. If I wanted to take advantage of a vulnerability for as long as possible, I would attack two or three days before the patch cycle. That will give people a couple of days to work out what happened and report the issue to Microsoft. After some initial analysis and prioritisation, a developer will be assigned to fix it. By that time it will have missed the boat for this month's patch day. Not that I would do this though.
Typically, the difficulty in prosecuting crackers (Score:3, Insightful)
In this instance, however, it is being hypothesized that an organized group is responsible. That's a centralized target; likely to yield more than one guy in his basement wearing shorts and a coffee-stained t-shirt, drinking coffee and jolt and living off old pizza.
So, to CERT (and their international counterparts) I say - "Go get 'em, boys!"
Presumably they could but... (Score:5, Insightful)
Re:news? (Score:5, Insightful)
There is no reason why it should have to be that way. In other operating systems and offices, you can open documents to see what's in them without handing over control of the OS to someone. Why should we accept a world in which unsolicited communication is banned ? Why can't we allows businesses to expand my making contacts with new, previously unknown people ?
Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.
No, actually it is not. The most damaging things money wise that can happen to your computer are all available as the user, because if the data is important, the user obviously has to be able to read it. Trashing C:\Windows can always be fixed with a re-install. Uploading outlook.pst and *.xls to some site in Hong Kong can never be undone.
If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.
No, that is not the solution. Having to spend more on IT is the PROBLEM THIS BUG CREATED, not the solution.
Like many computer users, windows or linux or mac, you have internalized your work-arounds and broken-system survival strategies to the point that you actually think that's the way things are supposed to work.
Just in time (Score:5, Insightful)
I don't want to call the responsible people at MS retards, who thought that patching at one very predetermined day every month is a good idea, but my English is not good enough to come up with a better name for this kind of idea.
Re:Hackers can't do it? (Score:2, Insightful)
Re:Hackers can't do it? (Score:3, Insightful)
Re:stupid (Score:1, Insightful)
Ever heard of Osirusoft? How about Blue Security more recently? A targeted spamming attack can be pretty damn effective.
Very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mail.
This could not be the e-mail users I am used to working with. They'll open anything.
Re:unnamed business (Score:2, Insightful)
I'm just waiting... waiting for a virus, attack or whatever you will which will simply turn all the threes into eights in every .xls file...
Until something like that happens, no-one will bother learning about security... really learning.
Re:Another reason to have an open file format (Score:2, Insightful)
So you expect the "malicious code" to be well labeled in the XML stream?
Seriously you can only trap a narrow set of possible exploits this way (ones dealing with XML parser exploits generally). Scripts/macros/etc. would need to be interpreted to understand if was utilizing an exploit in the target product (assuming the vulnerability was known). Also the document can be a valid document but the organization and composition of elements in the document could be used to exploit a vulnerability.
I don't think it would net you as much of a benefit as you believe it would.
Comment removed (Score:3, Insightful)
Re:Another reason to have an open file format (Score:1, Insightful)
The closest already widespread format was PDF documents (multiple writers) and there have been plenty of exploits associated with that format, though not as many as Word, Excel, etc.
Re:Presumably they could but... (Score:2, Insightful)
All the cracker has to do is come up with a reasonable way that they could have plausibly sold it without criminal intent (ie they get the actual criminal to agree that the cracker sold it for security testing purposes, not for cracking purposes or something like that).
Re:news? (Score:1, Insightful)
After having to live through dozens of MS Office macro viruses before MS finally turned them off by default, I can tell you, that's exactly what MS developers thought. Fools.
Re:Hackers can't do it? (Score:2, Insightful)
That's how it's done (Score:3, Insightful)
Microsoft's fuckup is not in choosing to release their patches on a scheduled basis. They really had no choice in the matter. Their fuckup is in letting their security situation get so bad, they had to produce a large number of patches every month.
Re:It's part of Microsoft's plan (Score:2, Insightful)
Re:That's how it's done (Score:3, Insightful)
No, that's BILL'S excuse - "It doesn't make me any money, so we're not doing it."
If you think about it, it doesn't matter if the number of patches per month is large or small. It's just a matter of having enough people to deal with ALL of them, on a pipeline where it ends up in a security patch download on Microsoft Update.
The problem for BILL is the number of people he has to pull off his "upgrade" and "new" products like Vista - which DO make him money - to the problem of security which does NOT make him any money.
It's that simple. It always has been and always will be - which is why Microsoft Windows will NEVER be secure.
Note that most other companies do what's necessary to issue patches when the fix is done. Microsoft doesn't solely and entirely because of Bill Gate's attitudes about money.
Re:NOT TO FEAR! (Score:2, Insightful)
There's a simple formula to determine how secure and relaible any software is (OS or application). As you add to the total lines of code, regardless of who is writing the code, the opportunities for unexpected errors and security issues grows at a logorythmic scale. I loaded my VISTA DVD and the friggin OS takes 12 GIGs of HDD space. Office 2007 beta is out and it's install footprint is larger than Office 2003. As you add complexity and features, you add to the error rate on software, hardware, cars, etc.
I'm probably showing my age here, but the thing that was bashed into my head when I started programming was that the next version of software should be SMALLER and MORE RELIABLE than the last version. If Microsoft (and plenty of other folks including some of the current LINUX projects) embraced making what they've already tried to build and provide better instead of pushing for something new, we'd be in a hell-of-a-lot-better-shape than we are today.
As long as we live in the "bigger is better" and "people only buy the next version if there's more features" era of computing, then security and bugs are a fact of life we have to accept. Nobody's saying Microsoft won't try or isn't getting better, but the plain truth is they will never get rid of these issues if the driving force in their organization is to innovate and expand the feature set.
IMHO, we didn't need to get anything else into MSOffice after 4.1 was released. You could copy & paste, put an excel spreadsheet in a powerpoint presentation, and write a letter. Any Office 4.1 exploits released...ever?
Re:Long term, that is a losing strategy (Score:2, Insightful)
Of course, such a thing will never happen. Sooner or later the OSS community is going to catch up, they are going to come up with an Exchange killer, and they are going to come up with an accounting package to rival the likes of Platinum / Sage / AccPac for the SMB market, and then Microsoft is going to be in serious trouble. However until the OSS world gets the necessary applications to slay the dragon with, we're stuck with Microsoft for the forseeable future.