Comments

Fuck One Microsoft Way June 1, 2022 1:37 PM

People should stop reporting on Windows/Microsoft and just give them the finger and eventually they will fade away into history.

But no, people just keep talking about them!

Vesselin Bontchev June 1, 2022 2:08 PM

This is a nasty one. Besides the obvious way to exploit it via a booby-trapped DOCX file, you can use it in an RTF file. If you do, and if the victim has the preview pane of Outlook enabled, they’ll get pwned just by looking at the e-mail message that contains this RTF file as an attachment. Turn off that preview pane!

Also, the wget command of PowerShell (not to be confused with the wget program for Linux or Windows) will run the payload if you just try to fetch a booby-trapped remote web page. Yikes!

And we’re probably just opening the can of worms. Who knows how many other protocol handlers are installed on the average Windows machine and what other LOLBins (Live Off-the-Land BINaries – non-malicious programs commonly installed that can be abused to run malicious code) they run that can be abused for RCEs…

Ted June 1, 2022 4:33 PM

Of course, just disable the Microsoft Support Diagnostic Tool (MSDT) URL protocol by backing up the registry key and then running the command: “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

Nice simple little zero-day splint.
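A scripted form of the registry splint described above, added here as an example and not taken from any comment on the thread: it exports the key before deleting it, checks each step actually succeeded, and keeps a restore path for after the vendor fix lands. The function names and the default backup location are my own choices; it assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the comment thread. Requires an elevated prompt.
# Default backup location is an assumption; pick whatever suits your fleet.
function Disable-MsdtHandler {
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")

    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if (-not (Test-Path $key)) {
        Write-Output 'ms-msdt handler not present; nothing to do.'
        return
    }
    # Back up first so the handler can be put back once a patch is applied.
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw 'Backup failed; refusing to delete the key without one.'
    }
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    if (Test-Path $key) {
        throw 'reg delete returned but the key is still present.'
    }
    Write-Output "ms-msdt handler removed; backup written to $BackupPath"
}

function Restore-MsdtHandler {
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed; handler not restored.' }
    Write-Output 'ms-msdt handler restored from backup.'
}

# Returns $true while the handler is still registered; useful as a
# compliance check across machines after rolling the splint out.
function Test-MsdtHandlerPresent {
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}
```

Run `Disable-MsdtHandler` to apply the splint and `Test-MsdtHandlerPresent` afterwards to confirm it took; `Restore-MsdtHandler` reverses it from the exported file.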

Mike D. June 1, 2022 4:47 PM

“No one ever got fired for buying Microsoft,” as the saying has gone for decades (and it was IBM before Microsoft).

Maybe we ought to start.

Clive Robinson June 2, 2022 3:12 AM

@ ALL,

My first question,

What is the business case for this computer to be connected to a public network?

As I said just a short while ago about cyber weapons[1],

“All we currently know is that to be effective current information weapons require as a minimum,

1, Access.
2, Fragility or nonresilience.

If neither exists then current information weapons fail.”

You “give access”; in this case Microsoft “gives fragility and nonresilience”.

The lesson is whilst you can control “access” at any time from now onwards, you can not control Microsoft and others’ “past failings” that are getting exploited today, and will continue to do so tomorrow, and the day after, and with many other failings until hell gets colder than cold.

The only viable solution you have is,

1, To disconnect your systems from public networks.
2, Work out what is really needed “business case” wise.
3, What “data” from a public network is needed.
4, How to “sanitize” that data.
5, How to get only that data and not any other to your computer.

It sounds easy, but it’s not, as how do you sanitize against attacks you have no knowledge of?

Back some years ago, when “Rootkits” were the up and coming thing, looking for attempted ingress of executable code was possible as it needed byte values that fell outside of the 7-bit ASCII printable values. So attackers developed “shellcode” that, due to the redundancy in the 8086 instruction set, made it possible to use only op-codes that would get past such simple countermeasure filters. But software builders decided complexity was required, and more and more “redundancy” was added in one way or another, thus more hiding places than any single person can grasp…

So we have built our own “Red Queen Race” or as others call it “The hamster-wheel of pain”, where you have to run as hard as you possibly can to just try and stay where you are, and can never hope to survive let alone win. Back in the early 1980s a film[2] got cult status and a line from the end of it tells you your best stratagem,

“Strange game. The only way to win is not to play.”

For most of us the way “not to play” is “pull the plug” on direct and even most indirect connectivity to public networks.

For the few, it’s building systems based around the idea of “Diversity Vigor”, where you build a system that reduces the “data redundancy” and “filters the data” using systems built from different software eco-systems where commonality is very very small. One such would be to use a different OS, a further step would be to use a different CPU architecture, right down to a custom ground up build.

But the one part many many software developers do not appear to sufficiently grasp is that there is a difference between “filtering data” and “processing data” and it’s the thorny issue of “interpreting data” / “acting on data”.

At its simplest it is the notion of applying modifications to the data, but the data can not influence the process. The generalized advice to do this is “use state machine design principles” with “all states qualified” or similar.

The real issue though is the “kitchen sink” design of data formats. Eventually you get to the point where to handle the data it needs to be “interpreted” by a “Turing Complete” engine, at which point it’s “game over” and you are most certainly not the “winner”…

[1] https://www.schneier.com/blog/archives/2022/05/the-limits-of-cyber-operations-in-wartime.html/#comment-405581

[2] The film was “War Games” released in 1983.
