Re: Microsoft warns of new attack on Word in Security

Re: Microsoft warns of new attack on Word in Security http://www.dslreports.com/forum/r20211036 en Sun, 20 Jul 2008 04:57:43 EDT Sun, 20 Jul 2008 04:57:43 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20264041 SilverSurfer :

said by caffeinator

:

Yet those MSJet files are still there. Why? I have no idea.

you might want to get a processor identifier like the free kind from winternal or whatever it's name is, I can't recall at the moment. it may help you ID whatever MSJ is doing.

the only other thing I can see the MSJ file coming into play for is if you attempt to download from MS any kind of template. I did that the other day because I couldn't find any decent 28 line pleading paper templates for OO. MS had one, but it first had to check my system before it would even think about letting me look at it. When it couldn't find Word, it brought me to a manual download screen for the template and then I just modified it to writer. Works great now. :D]]> http://www.dslreports.com/forum/remark,20264041 Tue, 01 Apr 2008 13:42:55 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20260288 caffeinator : I agree with you and jouno53

, but when I bought this used machine I did remove Office from this computer.

Yet those MSJet files are still there. Why? I have no idea.

Is something still needing them? If so, then why like most any Installer since 1998, did it not ask if I wanted them still as they may be in use?

Apparently, since it was used at 2am yesterday.

[att=1]

I was asleep so what app used it? WinDefender? MSupdate?

I have yet to find any way of removing Jet on it's own except just deleting the files, which obviously is a bad plan. Manual removal you say? Nope..check this: »support.microsoft.com/kb/q124902/

The computer came with no disks, no restore partition, nada. So, how?

More to my point, since I'd removed Office, naturally MS won't see fit to offer an update for the leftovers.

I don't see a real risk to me, as I don't even use a mail client on the PC, nor am I click-happy. Fact is, exe/doc/xls/etc. are blocked by my mailserver unless you Zip them.

BUT, I resent having this trail of acknowledged insecure crap left on this otherwise perfectly functional computer. You'd think the almighty Microsoft could create a un-installer that worked.

Since the workaround does nothing here, according to MS, I should just let it be...or upgrade to Vista. Ha!

With a P3-1Ghz/512Mb RAM Optiplex GX-150, that'd work really swell.

I swear, if I didn't need a windows PC for some things, I'd DBAN the ****** and install anything else.

Bleh. :hmm:

-CaFF
--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages

]]> http://www.dslreports.com/forum/remark,20260288 Mon, 31 Mar 2008 20:25:35 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20260100 SilverSurfer : That's why I use OO "Writer." None of this kind of BS. ]]> http://www.dslreports.com/forum/remark,20260100 Mon, 31 Mar 2008 19:42:46 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20260068 jouno53 : Thanks for the info.

But that's why I use OpenOffice]]> http://www.dslreports.com/forum/remark,20260068 Mon, 31 Mar 2008 19:37:56 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20259601 mysec : Someone else will have to help you deal with cleaning up an infected machine.

(For myself, if I ever suspected an infection, I would reformat and start over)

Once you are sure it's clean, there is no reason why she can't resume on-line banking. You might review security measures with her.

----
rich]]> http://www.dslreports.com/forum/remark,20259601 Mon, 31 Mar 2008 18:10:52 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20259532 lotusracer :

said by mysec

said by lotusracer

:

How can I determine if the file was 'infected',

Since most of these exploits drop an executable, run the file in a test environment to see what happens.

I've not been able to get the PoC examples to work, so I would like to see the file you have.
----
rich

Thank you for your assist... checked with her and she must have completely deleted the file. Looked around for it myself and found nothing.

Like caffeinator said in his case, I tried the workaround and got the same error message saying it can't find echo.

What would be your suggestions on dealing with this potentially compromised machine? Should I suggest she no longer do on-line banking, or suggest a complete re-format of this XP system?

Or is there some program in particular that can tell me if she has indeed 'oops'ed' her machine.]]> http://www.dslreports.com/forum/remark,20259532 Mon, 31 Mar 2008 17:59:30 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20257468 mysec :

said by lotusracer

:

How can I determine if the file was 'infected',

Since most of these exploits drop an executable, run the file in a test environment to see what happens.

I've not been able to get the PoC examples to work, so I would like to see the file you have.

said by lotusracer

:

Seems to be a lot of discussion on the possible danger, but none on how to deal with it. Thanks for sharing any thoughts.

1) Be wary of Word files received unsolicited.

2) If sender is unknown, delete. If received from a known sender (as in your sister's case) open the file in a text editor, such as WordPad, which will not run code

3) Have White List protection which will prevent the installing of any unauthorized executable (see my first post above).

I estimate that in the past few years I've opened hundreds of Word files submitted by students, and from sites on the internet, with no worries.

----
rich
]]> http://www.dslreports.com/forum/remark,20257468 Mon, 31 Mar 2008 12:00:21 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20256215 lotusracer :

said by caffeinator

:

Interesting. Oh, and the workaround just throws an error saying it can't find echo. Do I even need this stuff, and how can it be removed if I don't? I don't need all this detritus lying around waiting to be exploited.
-CaFF

I've got a similar question.... my Sister, although being warned did open a Word file she received in an e-mail. She "thought" she knew the person that sent it. I may be able to upload the file from her computer if necessary.

How can I determine if the file was 'infected', and how best should I deal with this?

Seems to be a lot of discussion on the possible danger, but none on how to deal with it. Thanks for sharing any thoughts.]]> http://www.dslreports.com/forum/remark,20256215 Mon, 31 Mar 2008 06:46:46 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20232994 daveinpoway : Somewhat scary:

No matter what kind of patch it produces or when it pushes a fix to users, Microsoft can't change the .mdb file format to make it less dangerous, according to Reavey. "Jet database files (file type .mdb) will remain on the unsafe file type list because they can run code by design," he noted. "Even if we tried to, we could not secure this file format, it will always present attackers an opportunity to run code."]]> http://www.dslreports.com/forum/remark,20232994 Thu, 27 Mar 2008 06:15:23 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20228849 caffeinator : Interesting.

I had Office on this computer when first I got it, but later removed it since I never used it. However, I still have all the Jet files leftover. Argh.

Oh, and the workaround just throws an error saying it can't find echo.

Do I even need this stuff, and how can it be removed if I don't? I don't need all this detritus lying around waiting to be exploited.

-CaFF
--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages]]> http://www.dslreports.com/forum/remark,20228849 Wed, 26 Mar 2008 14:03:07 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20228761 jaykaykay : "Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources," Microsoft said in a security advisory posted to its Web site late in the day."

"It thought users were safe, but is now scrambling for a solution"

This, of course, is so obvious but still so open to any hole in any program from MS or anyone else. Social engineering has programmed humans to be all too much like Lemmings and we still, even knowing not to, open that which we shouldn't. Not that that gives MS any excuse for not patching this hole which should have been done years ago, but since they've put what not to do in writing, they're played at CYA and exonerated themselves. I wish my mistakes wee that easy to solve! :(
--
JKK:-)

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay

]]> http://www.dslreports.com/forum/remark,20228761 Wed, 26 Mar 2008 13:43:34 EDT Microsoft admits it knew about, didn't patch, bugs http://www.dslreports.com/forum/remark,20227932 SUMware : From your link:

said by CW :
Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors.

A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago.

In a post to the Microsoft Security Research Center (MSRC) blog late Monday afternoon, Mike Reavey, the MSRC's operations manager, admitted that outside researchers had notified Microsoft in 2005 and 2007 of separate bugs in Jet, a Windows component that provides data access to applications such as Microsoft Access and Visual Basic.

In both cases, Microsoft told the researchers that it would not fix the flaw because it considered users safe.

Wrong.]]> http://www.dslreports.com/forum/remark,20227932 Wed, 26 Mar 2008 11:11:12 EDT Re: Update http://www.dslreports.com/forum/remark,20227855 daveinpoway : Some new info regarding the problem: »www.computerworld.com/action/art···&nlid=37]]> http://www.dslreports.com/forum/remark,20227855 Wed, 26 Mar 2008 10:57:22 EDT Update http://www.dslreports.com/forum/remark,20218793 mysec : Maarten Van Horenbeeck of sans.org has updated the diary I referred to:

Overview of cyber attacks against Tibetan communities
»isc.sans.org/diary.html?storyid=4177

You don't often find thorough analyses of attacks, so it's worth a careful reading.

This particular attack is described as "targeted."

The term Targeted has been used in a couple of ways in the security community:

1) attacks aimed at a particular group of people, such as the organization described in the diary; or, a company or corporation

2) those aimed at specific people in an organization. This requires compromising an email list.

This example uses both types of targeting.

While targeting has been used in the past, this example shows a sophistication in technique often missing:

==> A good command of the English language;

==> thoroughly researched details of the subject of world condition (Tibet in this case) which make the "social engineering" part of the exploit more convincing - here, including published articles in different formats (.doc, .pdf, .ppt) which embed the packed trojan.

Note that some victims have been home users.

Note again that use of a msjet40.dll exploit first surfaced in 2005.

----
rich]]> http://www.dslreports.com/forum/remark,20218793 Mon, 24 Mar 2008 18:47:12 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20212915 anon : Thanks for the additional info.]]> http://www.dslreports.com/forum/remark,20212915 Sun, 23 Mar 2008 15:34:29 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20211036 mysec : This isn't the first time we've seen msjet40.dll exploited:

»ww3.ps-sp.gc.ca/opsprods/advisor···20_e.asp
Advisory Number: AV05-020
Microsoft Jet DB engine vulnerabilities
15 April 2005

said by article :

The purpose of this advisory is to bring attention a report of a vulnerability in Microsoft Jet Database Engine.

Microsoft Jet database is a lightweight database widely used by MS Office applications. The main component of the Microsoft Jet database engine is msjet40.dll,... Sufficient data validation is not performed when msjet40.dll parses the database file.

Also, from 2007:

»Zero-Day Microsoft Access Exploit

Quick: What does this exploit do?

From the code of the PoC:

For calc.exe, substitute the latest and greatest trojan.

Evidently a patch has not been forthcoming. Microsoft's solution:

»www.microsoft.com/technet/securi···627.mspx

said by article :

Suggested Actions

Protect Your PC

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing antivirus software.

(Question: Why isn't White Listing ever suggested?

Possible answer: because MS pushes AV solutions?)

For some insights in these types of exploits:

»isc.sans.org/diary.html?storyid=4177

said by diary :

The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community.

The messages contain an attachment which exploits a client side vulnerability. Generally these are:

CHM Help files with embedded objects;
Acrobat Reader PDF exploits;
Microsoft Office exploits;

The handler who wrote this diary presented a paper (.pdf file linked in the diary) in which he analyzes the actions of the exploit:

said by paper :

Application document
Exploitation Shellcode
Shellcode
Embedded executable Installs trojan code
or executesmalicious action

See page 10 of his .pdf paper for a nice diagram.

Often I can substitute a trojan file (not-white listed on my machine) to really test the exploit. This PoC, however, does not work on my Win2K machine. Here is an old one, a document with embedded trojan attempting to drop a .dll file:

___________________________________________________________________________

Essentially, this is nothing more than a remote code execution exploit packaged in a different wrapper, easily blocked by White Listing.

The MS Security Bulletin offers a workaround to disable the offending jet.dll file. But what about the next exploit using another vulnerable file? And the next?

As suggested some years ago, White Listing removes the need for such workaround patching:

An Ounce of Prevention
»www.infosec.co.uk/ExhibitorLibra···tion.pdf

said by article :

This approach can effectively eliminate the need to patch in emergency mode. Malicious code by default is not on the white list which means that enterprises can rest assured that their exposed software vulnerabilities are safe from potential exploitation, enabling their IT staff to work proactively to develop scheduled patch deployments rather than being in a constant state of emergency.

I've seen this approach used effectively in education institutions. Today, there are many home solutions available in the various security products providing execution protection, thus completely neutralizing this particular common exploit.

---------------------------------------------

Other references:

Microsoft Office Security, part one
Overview of recent MS Office vulnerabilities
»www.securityfocus.com/infocus/1874

»www.f-secure.com/weblog/archives···406.html
PDF file exploit:

said by article :

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a
keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org.

»www.avertlabs.com/research/blog/···victims/
CHM (MS Help File) exploit

said by article :

As the two cases looked similar (both drop a file named music.exe... drops and loads zipfldr.dl

Cyber Attacks Target Pro-Tibet Groups
»www.washingtonpost.com/wp-dyn/co···605.html

said by article :

attached Microsoft Word document... included a Trojan horse program that opened a "backdoor" on any computer used to open the file, giving the senders remote access over the system.

Van Horenbeeck [of sans.org] said the danger with the e-mail viruses involved in the attacks is that they are so hand-crafted and new that they usually go undetected by dozens of commercial anti-virus scanners on the market today.

"Last week, I had two of these samples that were detected by two out of 32 different anti-virus scanners, and another that was completely undetected," he said.

----
rich]]> http://www.dslreports.com/forum/remark,20211036 Sun, 23 Mar 2008 05:24:44 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20208963 anon : Correction:
The following exploit caused my SAVCE(updated today) to quarantine"Trojan Horse"]]> http://www.dslreports.com/forum/remark,20208963 Sat, 22 Mar 2008 18:43:59 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20208520 NICK ADSL UK : As posted here
»Microsoft Security Advisory (950627)]]> http://www.dslreports.com/forum/remark,20208520 Sat, 22 Mar 2008 17:12:00 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20208483 anon : Microsoft Jet DataBase Engine MDB File Parsing Remote Buffer Overflow Vulnerability

To exploit this issue, an attacker must entice a user into opening a malicious file.

*Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Restrict the Microsoft Jet Database Engine from running.

To implement the workaround, enter the following command at a command prompt:

echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N

*To undo the workaround, enter the following command at a command prompt:

echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /R everyone

Impact of Workaround: Any application requiring the use of the Microsoft Jet Database Engine to make data access calls will not function.
Microsoft Security Advisory (950627)
Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution
Published: March 21, 2008:
»www.microsoft.com/technet/securi···627.mspx

The following exploit caused my SAVCE(updated today) to quarantine "Trogen.Horse"...

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product.

The following exploit is available. Symantec has not verified this exploit.

* /data/vulnerabilities/exploits/26468.mdb
»www.securityfocus.com/bid/26468/exploit]]> http://www.dslreports.com/forum/remark,20208483 Sat, 22 Mar 2008 17:07:10 EDT Re: Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20208138 SUMware : Thanks for the heads-up.

From »www.pcworld.com/article/id,14374···l_d:xnws

"At this time, we are aware only of targeted attacks that attempt to use this vulnerability," the company [Microsoft] said. "Current attacks require customers to take multiple steps in order to be successful; we believe the risk to be limited."

Following its usual policy, Microsoft didn't say when -- or if -- it planned to patch the bug. But in a statement sent to the press, the company did not rule out the possibility of an emergency patch, released ahead of its next set of security updates, which are expected on April 8.

Users of many versions of Word, including Word 2007, 2003, 2002 and 2000 are at risk, unless they are running Windows Vista or Windows Server 2003, Service Pack 2. Those two operating systems include a newer version of the Jet Database Engine that does not have the bug, Microsoft said.

For the technically savvy: this means that PCs with a version of the Msjet40.dll that is lower than 4.0.9505.0 are vulnerable.

[Above pic from »support.microsoft.com/kb/239114 ]

]]> http://www.dslreports.com/forum/remark,20208138 Sat, 22 Mar 2008 15:49:19 EDT Microsoft warns of new attack on Word http://www.dslreports.com/forum/remark,20208015 daveinpoway : Read about it here: »www.pcworld.com/article/id,14374···l_dnxnws]]> http://www.dslreports.com/forum/remark,20208015 Sat, 22 Mar 2008 15:23:12 EDT