Microsoft Office – OLE Packager allows code execution in all Office versions (seclists.org)
96 points by tomtoise on July 2, 2015 | 81 comments



For those of you worried about this, I tested it at work and it was blocked by our Software Restriction Policy that I put in place just a few weeks ago.

The execution of %TEMP%\PAYLOAD.EXE was blocked.

I highly urge everyone to deploy a strong Software Restriction Policy in whitelist mode. It catches everything we've thrown at it so far.



Hi, I wrote the advisory. Here's some PoC I just published: http://owned.lab6.com/~gossi/research/public/packager/

The SalesOrder.rtf file is safe to try at work. All it does is lock your workstation. It should work behind Software Restriction Policy and Microsoft AppLocker (and Citrix Application thingy).


The RTF opened a zip folder with a .js file in it.

Attempting to open it with the default Windows Based Script Host results in a dialog box from Software Restriction Policy stating that execution was blocked.


I didn't know this was available until now. Another tool for the toolbox!


Would someone renaming the payload to a filename of something that's whitelisted defeat the whitelist?


It depends how the whitelisting is done. We just have C:\Windows, C:\Program Files, and C:\Program Files (x86) whitelisted.

This means that any exe (or scr, bat, vbs, etc.), run from any other location, will not run at all.

This of course caused problems with GoToMeeting and Google Chrome (and other programs that install to AppData), but the fix was to track down the msi installer for corporate deployments to have it install to Program Files.
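To make the allow-list behaviour described in this comment concrete (and the question above about renaming the payload to a whitelisted name), here is an added example that is not code from the thread or from Microsoft's Software Restriction Policy itself. It models a directory-based allow-list over the three directories named above: paths are expanded, normalized and compared by directory prefix, so `%TEMP%\PAYLOAD.EXE`, an AppData-installed program, a `..` traversal that starts under `C:\Windows`, and a renamed `notepad.exe` in Temp are all blocked, while anything actually under the allowed directories runs. The environment values, the process-start log lines and the `key="value"` log format are constructed for the example; the extension list is an assumption based on the types mentioned in the thread, and real SRP also supports hash and certificate rules that this model leaves out.

```python
"""
Model of the directory allow-list described in the thread: only images under
C:\\Windows, C:\\Program Files and C:\\Program Files (x86) may run; everything
else, including %TEMP%\\PAYLOAD.EXE, is blocked. Added example; it does not
read or write real Software Restriction Policy settings.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Allow-listed directories, the three named in the comment above (constructed policy).
ALLOWED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# File types the policy treats as executable (assumption based on the thread:
# exe, scr, bat, vbs are named; js and ps1 are added because the PoC and
# discussion mention them).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".vbs", ".js", ".ps1"}

# Constructed environment so %TEMP% expands deterministically offline.
ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}


@dataclass(frozen=True)
class Decision:
    path: str       # normalized path that was evaluated
    allowed: bool   # True if the policy would let it run
    reason: str


def normalize(path: str) -> str:
    """Expand %VAR% references, collapse '..' segments and lower-case the result
    (Windows paths are case-insensitive), so prefix checks cannot be fooled by
    traversal or casing tricks."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)
    return ntpath.normpath(expanded).lower()


def _under(path: str, directory: str) -> bool:
    # Compare with a trailing separator so C:\Windows does not match C:\WindowsEvil.
    return path.startswith(ntpath.normpath(directory).lower() + "\\")


def evaluate(path: str) -> Decision:
    """Decide whether launching `path` is permitted under the allow-list policy.
    Non-executable types are outside the policy's scope and are reported as allowed."""
    norm = normalize(path)
    ext = ntpath.splitext(norm)[1]
    if ext not in EXECUTABLE_EXTS:
        return Decision(norm, True, "not an executable type; policy does not apply")
    for directory in ALLOWED_DIRS:
        if _under(norm, directory):
            return Decision(norm, True, f"under allow-listed directory {directory}")
    return Decision(norm, False, "outside every allow-listed directory")


# Constructed process-start records in a key="value" format (not real logs).
SAMPLE_LOG = r'''
time="2015-07-02T10:01:03" user="alice" parent="WINWORD.EXE" image="%TEMP%\PAYLOAD.EXE"
time="2015-07-02T10:01:09" user="alice" parent="explorer.exe" image="C:\Windows\System32\notepad.exe"
time="2015-07-02T10:02:15" user="alice" parent="WINWORD.EXE" image="C:\Windows\..\Users\alice\Downloads\invoice.js"
time="2015-07-02T10:03:40" user="alice" parent="explorer.exe" image="C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"
time="2015-07-02T10:04:02" user="alice" parent="explorer.exe" image="C:\Program Files (x86)\Vendor\report.exe"
time="2015-07-02T10:04:30" user="alice" parent="WINWORD.EXE" image="%TEMP%\notepad.exe"
'''


def parse_log(text: str) -> list[dict]:
    """Turn each non-empty key="value" line into a dict."""
    return [dict(re.findall(r'(\w+)="([^"]*)"', line))
            for line in text.strip().splitlines() if line.strip()]


def blocked_images(text: str) -> list[str]:
    """Return the normalized images the policy would block, in log order."""
    return [d.path for d in (evaluate(rec["image"]) for rec in parse_log(text))
            if not d.allowed]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        d = evaluate(rec["image"])
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict:5} {rec['parent']:13} {d.path}  ({d.reason})")
```

Running the block prints one verdict per constructed record. The two details worth carrying over to a real deployment are the normalization before the prefix check (a `..` segment or mixed case must not let a path outside the allowed tree match) and the trailing separator in the comparison, without which a sibling directory whose name merely begins with `C:\Windows` would pass.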


> The DLL file hasn't been kept up to date. For example, you can use .PS1 (PowerShell) embeds without any security warning. There's a lot of file types now you can execute code with without warning, basically.

That's a poor example. Powershell scripts won't execute by default at all, and a lot of enterprise customers will only execute scripts signed by the internal CA.

Off the top of my head I cannot think of too many new ways of running executable code. Microsoft has only been removing them, not adding new ones. Powershell is one of the few new ones and is designed from the ground up expressly not to allow this type of thing.


Originally, Powershell did NOT have execution policy. And even in versions that do, it's also at the mercy of the invoking process, as I recall.

Which is why he specifically said "powershell embeds without any security warning", I suspect. :|

https://blog.netspi.com/15-ways-to-bypass-the-powershell-exe...


> Originally, Powershell did NOT have execution policy.

Yes it did. It always had default execution policy to not allow scripts to execute. Not sure how it was set in the Monad days before PowerShell 1.0 was released, but for as long as it has been called PowerShell, execution policy has been part of it.

On top of that, the .ps1 file extension is associated with notepad - not the PowerShell interpreter. When you "invoke" a ps1 file (like double-clicking it or having some program like Outlook take the default action), Windows will open notepad unless you explicitly associate .ps1 with another program.


Yeah, this is my mistake when writing the advisory. For info, I did test it (with the right extension) and it DOES work at some corps, who turn off signing (I know, I know). Additionally, you can use .js or .vbs to spawn the Powershell command line with a switch to turn off checking.


On an OS that is still under Microsoft support, all of those "bypasses" require:

A) An argument to powershell.exe which Office will not supply when executing the ps1 file or

B) Interacting with the powershell window after it's opened (which you can't do without already having some sort of code execution) or

C) The execution policy being set to something that allows unsigned code.

A and B are impossible, and C can be locked down with group policy to the point that local administrator rights can't bypass.

Executing a ps1 with the appropriate parameters after executing something else may be possible, but also redundant.


PowerShell execution policy is not a security layer/boundary. It's just a simple mechanism to stop people unintentionally shooting themselves in the foot; it won't stop other people intentionally shooting you in the foot.


It depends on the system. I've had installs where I had to enable execution, remote execution, and unsigned execution. Other systems run network-based scripts without any complaint.


I'd love to know a scenario where OLE is actually used today. It might have made sense in the early 90's pre-Internet & HTML computer world but really has no use today and is just a massive security hole. Seems like it should have just been completely removed (see also Vista's desktop gadgets, which were actually removed and disabled after realizing they were a huge security issue too).


The basic idea was great - copy some cells out of Excel and paste them into Word. You can put your sales statistics into your end-of-quarter report.

Then they added linking, so when the spreadsheet was updated, your report would update too. So you could make the report early, let Accounting update the spreadsheet, then just let the report auto-update.

I'm pretty sure Outlook uses the Word rendering engine. And dragging documents into Outlook is one of the ways to attach/embed a file into the email. So I'm pretty sure this still leverages that code.

I'm actually guessing this is almost everywhere. Maybe it didn't get put into Vista (where a number of security enhancements like the 2-level model aka UAC elevation got made) but it's still all over Office. I wonder if IE is impacted.


> Then they added linking

And that's great, until someone inserts a couple of rows into the range you've linked. Or moves the file. Or any one of another hundred things could happen to upset the OLE Gods.

Do not go anywhere near OLE linking... that way lies madness.


Or link to the latest covers to make sure they are always up to date. No longer need to worry about those memos, wouldn't that be great?


In the past I've used OLE regularly for Excel spreadsheets in AutoCAD drawings. Nothing else came close in terms of ease and reliability or standardization. OLE is a powerful technology and the complaint tastes a bit like "no one should use JavaScript because of XSS" on the palate. I mean just think what malicious input can do if passed to python in the shell.


Specific to the Microsoft Office suite, or in general?

I spent some time trying to automate Powerpoint and Excel creation via Python, which is based vaguely on the capability: http://clebio.github.io/pythonOfficePresentation.html

Unrelated to Microsoft Office, I wrote a Perl utility that would run QXDM (telecom call testing software) via OLE in order to automate the initiation and answering of cellphone calls (think drive-testing or load-testing a cellular network). It was quite useful. Qualcomm, who licenses QXDM, had a fairly good reference document for the OLE interface to the program.


I don't know how much it shares w/ OLE compound documents, but OLE for Process Control (OPC, now retroactively renamed to "Open Platform Communications") is very common in multi-vendor SCADA environments.


It has a common ancestry, but OPC moved on. They are now using OPC-UA. And the usage is totally different. In OPC you do not embed one app in another; it is a standardised protocol to get data from DCS/SCADA. But they did use DCOM up until OPC V 3.


Why do you consider it a huge security hole? Just because of the OLE Packager bug?

COM/DCOM, where OLE rests, can be very secure if they are properly used.

By the way, OLE is used widely mainly in Microsoft products.


I read the post and I don't see any "bugs" pointed out per-se.


I'm asking about the security issues. Although they usually imply bugs, the only one I mentioned is the OLE packager one that generated a big security problem.


Might be misremembering, but I think there's a variant of it used heavily in industrial automation (eg factories). It was a standard that you had to buy for a significant sum of money. The friend in embedded design that told me didn't like it but many groups used it. Can't remember what it's called...

Past that, it's probably just there to make legacy software work like so many other problem-causing, Windows features. :)


    I'd love to know a scenario where OLE is actually used today.
Does it play no part in all of the [Clojure/Python/other language]-in-Excel posts that tend to get a decent number of upvotes here?

Maybe I'm mistaken about that - but it could have powered the kind of uber-notebook-in-Emacs packages that seem to be gaining popularity lately - twenty years ago.


OLE the technology is rather fundamental to custom controls and a whole load of other things. You could probably remove all OLE embedding from Word documents and not break too many use cases, but in other applications it may be more important.


If this is true then it's a huge mess:

- They used a static list of file extensions to blacklist

- This hasn't been kept up to date, powershell scripts are automatically executed

- There is no way to disable it

- Embedded files are executed within a trusted directory

I'm guessing Microsoft has to tread very lightly when messing with OLE, I bet a lot of legacy software from large Microsoft customers uses it.


I didn't see anything in that post to give me the feeling that code is being executed automatically. While I would concede that requiring the user to click on something inside the "payload" document isn't a high bar to achieve it is different than automatic code execution upon opening the document.


It needs user interaction. POC Samples here: http://owned.lab6.com/~gossi/research/public/packager/ (made by me, safe to try).


> This hasn't been kept up to date, powershell scripts are automatically executed

Powershell won't execute AT ALL by default. You have to enable execution. And it certainly won't execute automatically, the user has to click to run.


Legacy software and installations should be no excuse to be bug compatible to this level for recent versions and patches.


Someone still needs to click the thing to execute it. Clicking any executable in windows will launch it. I really can't see the difference that makes this so bad.

User clicks executable in office it launches....

vs

User clicks executable in explorer(or other software) it launches....


So there is no way to get the executable to auto-execute when you open the document that embeds it?


Does the same exploit work on Wine? It has its own implementation of packager.dll, which doesn't seem to have any blacklist. What happens if for instance Wine is being used to run Microsoft Office?


But the old versions of Office won't get patched only 2007 and above, right?

All the more reason to use OpenOffice.Org or LibreOffice.


Apple stopped patching Leopard (released in 2007) by 2011 and stopped supporting iOS 5 (released in 2011) just this year. Google is just starting to ditch support for Ice Cream Sandwich (released in 2011).

Why should Microsoft continue to support office below 2007?


"From great power comes great responsibility."

- Benjamin "Ben" Parker, 1962


"Computers give the user great power, so it's the user's responsibility to keep software up to date instead of relying on ancient packages."

- Me, applying that logic to this situation, 1435872794 seconds since Jan 01 1970


Some companies cannot afford to upgrade their hardware to run the latest versions.

They are stuck on older Windows versions that cannot run the latest Office versions.

I noticed a lot of companies still stick with XP. I watched the Terminator Genisys movie and had a display in the hallway with a pop-up that said XP support has ended. A lot of Movie Theaters use XP still. The US Navy still uses XP and an old version of Office.


"We can't afford it" is the mating call of the business owner/MBA. I've worked for ten companies over the course of my life (small business to mid size), none of them could ever afford anything (unless it was a vacation or a luxury vehicle). The fact is they don't want to spend any money and expect Microsoft to honor their $120 office purchase with free updates for the next few centuries. Fuck em, they can pay or get their data stolen by Chinese teenagers.


Some are small businesses that cannot afford to upgrade their PCs and are barely getting by.

I've done tech support for people still on XP, 2000, and Vista. I think if they run Vista they've got a good chance to buy Windows 10 Pro for $164 but it will break compatibility with their Office Software and force them to do a fresh install.

A lot of business software is written for older versions of Office.

I tried to make a Virtual Machine creating service if a company has the licenses I can make a Virtual Box or QEMU virtual machine with the old version of Windows and Office in it if they give me their license keys and pay me for their labor. But nobody wants to do that yet.

I plan on running Linux on my main box at home and run Windows in virtual machines if Windows 10 ends up being buggy as all heck.


They will go out of business in a few years because they failed to adapt, and we won't really miss them. If they 'can't afford' $164 once a decade what are they paying their employees? Certainly not a living wage. So they have high churn and nobody working there really cares about the business, it's just another low paying job and unemployment is falling. These companies are mismanaged, they didn't budget when times were good for when things go south. I feel no pity when someone has to adjust their standard of living to a level that the majority of the planet would die for. Don't fall for the sob stories, it's there so they take home more of the profits that you generated. Instead build a start up and blow their antiquated business model out of the water.

Related Protip: If you go to a bank/doctors office or anywhere else that wants a large amount of personal data from you, don't give it to them if they are still running XP. (If enough people did this all of the sudden it would become affordable)


Sometimes the hardware won't support it.

I always had a plan of staying behind one current version on everything and buying it used. A Windows 7 Pro PC used would cost $150 and an Office 2010 Pro license disk would cost $100 used. If they went with that plan, they'd get the free Windows 10 upgrade.

A used Windows 8 PC costs $300 and there are cheap Windows 8 tablets for $100 but limited to 32 bits.

I'm trying to convince people on XP to switch to Linux and use WINE to run their old legacy Windows apps on it. But nobody wants to do that for some reason.


They find WINE inconvenient/difficult to use, so basically they want the convenience of being a paid in full customer of Microsoft without paying for it. Again, no pity from me.


I used to run a PC Repair shop.

Most people want something for nothing. Will write bad checks and do chargebacks on their credit card to get free PCs and free repairs. Then we get forced to cash only, and then they go to the Big Box stores that are open Sundays and take in store credit cards.

I got a lot of friends and family members running an old Pentium 4 with XP and some upgraded to Windows 7 somehow. From time to time I fix their systems for free or a low cost.

PC Repair Shop had a deal, we'd install Linux for free but tech support was extra. A few took us up on the offer and had a good time using FOSS alternatives. We even set up Linux with SAMBA on Windows PC networks to share files and printers. But there was no money in it because 99% of the people and businesses wanted Windows.

Geeksquad refuses to support old Windows versions, so I get people with Windows 98 etc from time to time. You'd be amazed at the number of people out there still running old Windows and Office versions. Some even use old versions of Wordperfect. My wife volunteers and sometimes someone emails her a Wordperfect file and I use Libreoffice to open them.

I found in doing charity work, that a lot of charities still use old hardware and software that is no longer supported. Some of the old stuff is donated to third world nations where they still use it instead of recycling the materials for scrap.


I think you've got it all wrong.

If they can't keep up with the Microsoft treadmill, they couldn't afford Microsoft software in the first place - and yet they did it, and it's biting them now.

Working in the Microsoft or Apple ecosystems mean that you are committing to keep spending money in their direction for as long as you are in that ecosystem. It might be worth your while, or it might not - as these business you talk about are finding out.

And if you say "oh, but these businesses must run Office because of their customers/providers/governments/contracts" - well then, those businesses are not making enough money, and are thus unsustainable -- not any different than doing anything else at a loss.


If a business cannot afford $2000 every 3 years per machine they have running, they either have too many useless machines running, or they should not exist. It's akin to relying on a car, but complaining that it requires maintenance.


2000? Try sub 300. (you won't be running autocad on this but for someone answering email and writing up reports in excel this is decent enough) Microsoft products are really affordable if you break it down to a per day usage.

    Inspiron 3646 - $259.00 [1]

    Microsoft Office 365 small business (5 machines/1 year) - $97.98 / 5 = $19.60 (5 cents a day) [2]

    Total: $278.6 per machine

1: http://outlet.us.dell.com/ARBOnlineSales/Online/SecondaryInv...

2: http://www.mychoicesoftware.com/products/microsoft-office-36...


That is.... far less than expected. Does that include a monitor and peripherals as well?


Or they could migrate to Linux, or if that's a massive stretch just get LibreOffice. Sure, it has downsides, but they are already running on the smell of an oily rag, at least this way they save costs in totality, not just because they have hopped off the software upgrade treadmill.


You have to spend far more time keeping a Linux machine running, especially when something breaks - I have yet to experience otherwise. A business that seriously runs Linux usually runs one of the paid versions anyway.


I didn't say it would be easier, only cheaper.


Ease of use is a main factor in any business trying to buy software for their employees. Most employees are not computer savvy and could not figure out Linux. Even if they learned the GUI, if it had a problem and dropped down to the shell, they would be lost.

Most System Administrators and Technicians know only Windows and don't know how to support Linux.

Some companies use Linux as a server to save money, but not as a desktop.


    If a business cannot afford $2000 every 3 years per machine they have running, they either have too many useless machines running, or they should not exist. It's akin to relying on a car, but complaining that it requires maintenance.

That's the original post I was responding to. In the context of the discussion, I was referring to a business that made so little money they couldn't afford to buy software licenses. The original poster said one option was that they shouldn't exist as a business. I merely said that one possible option for a business in this situation is to use Linux on the desktop. Apparently the alternative is that, much like a dead parrot, they cease to exist.

Obviously, I wasn't referring to an ordinary business, nor am I advocating this approach normally.


I do understand your logic, but my statement was akin to a mechanic buying the cheapest tools, slightly out of tolerance, and a diagnostics tool that doesn't quite give them all the correct error codes.

In the long run that decision will cost them more than buying the correct tools in the first place - so if they cannot afford it, it's hard to justify the existence of that business. Perhaps it's a telling sign of a manager that doesn't understand the implication of that decision, or a dying business.


     buy Windows 10 Pro for $164 but it will break compatibility with their Office Software
How so?


Office 2003 and under won't run on Windows 10, they'd have to buy a new copy of Office. It won't work on 8.1 so 10 is out of the question:

http://www.keynotesupport.com/windows/microsoft-windows-offi...


It actually does work, though not officially supported and there is no way to get the Office Assistant working properly for example.


That sounds more like an added feature than a problem.


It's 12 years old! Isn't it reasonable that support is phased out?


Or, for a more human use case, users with a 10yo PC with 256MB running XP. We all know these people.

Fortunately, LO sees 'em right.

(... now that the pre-SSE2 bug is fixed, hampered by no dev running such a box.)


The new Raspberry Pi 2 which is $35 can run Windows 10 IoT. It has 1 GB of RAM, a quad-core 900 MHz CPU, and typically consumes around 0.3 watts (0.9W on a heavy load). And Microsoft's giving away Windows IoT for free.

Considering that most desktop boxes consume 200 to 400 watts typically, the cost of Pi could be recovered fairly quickly in the saved electric costs.


You can get a reasonable Windows 8 desktop for 300 dollars. If it increased productivity even by a small margin (less than a dollar's worth a day) it's paid for itself before the end of the year.


I think it's nice that microsoft is lowering their OS's price to the same rate that Raspbian charges.

Sadly, Office on the Pi2 will cost money. Luckily, Raspbian and LibreOffice are still 100% free.


As we say in my home country, one gets what he pays for.


Your home country doesn't have free software? What a magical place. I assume your country's DNS servers are running on Windows Server, and the main webservers are running Microsoft IIS?

Sad thing is, with Windows Licensing v.7, you barely get what you paid for, and only if you use Free Software as leverage to get a low enough price.


Most companies use MSDN subscriptions.

Home users don't give a damn about source code and just pirate what they cannot buy.

They see little value in using less functional software (in their eyes) vs what the commercial products offer.


The new rPi runs LO in Linux out of the box, of course.


Does LibreOffice give security patches for eight-year-old versions of LibreOffice?


No, but I can.

I say this as an unapologetic user of all software closed source, Windows, Office, et al. I send files in .docx without asking if my peers even have Windows. I use Google Maps and closed source everything everywhere always.

But, even I cannot deny: if this were open source, many of the points leading up to this bug could be addressed without any help from the vendor.


>No, but I can.

I'm not sure that's fair. Yes you can, but I'm guessing you aren't the type of person to be caught running software 7 years after its EOL.

Or put it this way, Office 2003 was discontinued in 2007. That's like running Debian 3.1 today (Sarge, 5 stable releases ago), and complaining about continued support. RHEL 2.1 was EOL'd in 2008 (RHEL 6 is the "old guard" now).

If you wouldn't expect continued support for Debian 3.1 or RHEL 2.1 in 2015, I don't see why it's a problem for Microsoft or how it makes open source any better. Sure, yes you could patch Debian 3.1 yourself, but ultimately how fruitful is this effort, and how many people can be expected to write kernel patches? Even if Microsoft said tomorrow Office 2003 was open source, how many individuals could you expect to have the know-how to patch their installations?


Yes, a whole new version free ;-p


That runs on the same old hardware


Pretty much yes. My mom runs up-to-date Ubuntu on an IBM desktop that's older than Windows Vista.


If it's Windows or Linux, then probably (hardware reqs haven't changed since 2010). Mac you're probably out of luck unless you use Wine.

Or pay a vendor to maintain it for you - I know Collabora will maintain versions of any age if you pay them to do so. May be cheaper to run a newer version for free and upgrade hardware/OS as needed, if you're insisting on the Mac version anyway.

You're not doing well on the rhetorical questions here ...


All pre-2007 versions have been end of life/support for a while now. So yes.


Ha, I didn't know this still existed. I 'hacked' our school PCs running Windows 3.11 using this technique.

The sysadmin locked down every possible way to run executables apart from those he exposed in Program Manager. Of course, everyone had Word. Simply embedding an OLE object let me run any exe.


Wow, this takes me back. I remember getting in trouble at school as a kid for using this to attach executable code to e-mails and bypass all the warnings and filters. That must've been, ooh, about a decade and a half ago now. I'm shocked it still works in our modern security-aware age.


This is how I used to get around Novell NetWare in high-school to run compilers and learn programming. Funny to see it still exists.

