El Reg reports
The Sandworm vulnerability is being actively abused to attack Swiss banking customers, Danish security consultancy CSIS has warned. CSIS reports that the attacks are pushing the latest version of the Dyre banking trojan.
Attacks arrive as spam emails under the guise of information about unpaid invoices. In reality, the PowerPoint attachment to these messages is booby-trapped to exploit the Sandworm vulnerability and infect [unpatched] Windows PCs.
[...] Microsoft patched this (CVE-2014-4114) vulnerability as part of its regular Patch Tuesday update on 14 October.
Robert Pogson notes
Secunia estimates 12.6 per cent of UK users are running unpatched operating systems, up from 9.7 per cent the previous quarter. In addition, one in 10 third-party programs on the average PC are exposed due to failures in installing the latest security updates."
Of course, this damage could have been mitigated by promptly patching when M$ releases their "Patch Tuesday" updates or sooner in an emergency. That's the point. Consumers are not IT-people. They don't know about this stuff. They just know about the speed and convenience of PCs on the web. That other OS is supposed to be "easy to use" but that's just PR in the ads. It's also easy to lose all security, have the system slow to a halt or crash. Sometimes, M$ gets it wrong and the patches don't work.
So Soylentils, have you found MICROS~1's "fixes" to be less aggravating than the exploits?
Are your Windoze-using clients applying patches religiously?
(Score: 1, Offtopic) by aristarchus on Monday November 03 2014, @06:26AM
OK, editors, how dare you throw something like this out, when you know what foaming at the mouth and clashing of incisors (and canines!) it will cause?
So Soylentils, have you found MICROS~1's "fixes" to be less aggravating than the exploits?
Any Soylentil worth their silicon cannot be respond to that in the negative, which makes me suspect that this is not an actual question at all? Shall we take a poll? No, there is no need, since the outcome if predetermined. Powerpoint. I should have known. First, death by powerpoint, then infiltration by powerpoint. And finally, more death by powerpoint. Those whom the gods would destroy, they first force to use powerpoint. Now it looks like you do not even have to use it, to be driven mad.
(Score: 0) by Anonymous Coward on Monday November 03 2014, @06:28AM
.PPT is ok and hitler wasn't wrong
(Score: 0) by Anonymous Coward on Monday November 03 2014, @07:37AM
The title, as submitted, was
The Ultimate Cruelty: Sandworm Exploit Uses PowerPoint Attachment Against Swiss Bank Customers [soylentnews.org]
I added "Exploit" and "Attachment", but the rest is all the El Reg folks' effort.
Those whom the gods would destroy, they first force to use powerpoint
I'm liking that as a title as well.
My suggested dept. was
from the people-who-don't-trust-Redmond's-patches-get-bitten dept.
Raw meat? Yeah. The day MICROS~1's techniques impress me, I'll be sure to holler Bingo.
Don't hold your breath waiting for that.
-- gewg_
(Score: 1, Offtopic) by zocalo on Monday November 03 2014, @08:57AM
UNIX? They're not even circumcised! Savages!
(Score: 1, Insightful) by Anonymous Coward on Monday November 03 2014, @09:26AM
neither of which are likely to help foster a balanced discussion
Why are you concern trolling for MS?
As for the story, MS Office security failures are responsible for millions of infected PCs. I remember PR statements from MS dating back to the 90s blaming end users - even for zero day attacks with no fix from MS. MS Office, especially the automation features (scripting and VBA) have been security disasters unsuitable for use on Internet connected PCs. MS pays for PR folks to publicly blame their victims, and pays 'reputation' firms to astroturf in forums. Negative press and negative buzz in online discussion leading to decreased sales is the only thing that's ever motivated them to give a damn about security. Negative press when it's deserved *is* the balance.
So...
Why. isn't. Office. Sandboxed?
Clearly MS isn't going to fix it. We've got far more track record than we need to determine that.
(Score: 2) by zocalo on Monday November 03 2014, @10:51AM
It's a Microsoft story so I used the MS examples given, but I think the same principle should apply across the board, regardless of who/what is the topic. It makes things look more professional and improves the chances of someone reading further, instead of simply dismissing it as yet another FUD/propaganda piece and moving on. I've got no objection to being critical when mistakes are made, quite the opposite in fact as that's the best time to be posting articles since there is clearly something to discuss, but do we really need/want what is, in effect, childish name calling in Soylent stories? It doesn't add anything to the facts, but it will likely set the tone of the story and discussion so we end up with more noise than signal, which (other than Beta) was a big reason that a lot of us came here from the other site in the first place.
IMO Soylent's editors should post stories and aim to prompt a healthy discussion, but not try and push that discussion down the path of their personal viewpoint in the story itself unless it's specifically a Soylent editorial piece; that should be expressed and discussed in the comments, along with everyone else's.
UNIX? They're not even circumcised! Savages!
(Score: 1) by ibennetch on Monday November 03 2014, @12:22PM
I wish I had mod points to give you a well-deserved up vote. The comments are churlish and unprofessional — it has nothing to do with the subject being Microsoft; I'd feel the same way if the article was about Canonical or Mozilla or Linus himself. I like some humor from time to time, and I'm all about calling out a company that made a serious security mistake, but there is no need to use childish nicknames for no reason.
(Score: 2) by urza9814 on Tuesday November 04 2014, @06:54PM
"Some people say words like 'scum' and 'rotten' are wrong for objective journalism -- which is true, but they miss the point."
- Hunter S. Thompson
(Score: 2) by Hairyfeet on Monday November 03 2014, @12:50PM
Well you should know that when you quote Robert Pogson, who has been getting ragged for years for having Voldemort Syndrome [tmrepository.com] and also have the classic batshit FOSSie basement dweller scream of M$! [penny-arcade.com] (for full effect use The Shat "Khhhhaaaannn!" voice) there is nothing you can do, no other choice but to throw a Linux Party! [ytmnd.com]
The moral of the story? If you are gonna embody every negative stereotype of a group? Then expect to be the butt of jokes.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2, Interesting) by canopic jug on Monday November 03 2014, @03:20PM
You know very well that part of the custom of writing M$ also comes from how M$ paid (pays) astroturfers to show up in forums any time the string "microsoft" shows up. They had a search engine of their own for that, and probably still do, and would show up in just a few minutes of the first occurrence of the string. When the head of that programme moved on, he opened up a little about it. Anyway, the short of it is that by avoiding the string "microsoft" in comments, it was possible to have an actual discussion about the topic at hand. That safeguard worked remarkably well for more than a few years.
Money is not free speech. Elections should not be auctions.
(Score: 2) by Hairyfeet on Monday November 03 2014, @11:52PM
Oh bullshit, you are obviouly not old enough to remember that back in the days of DOS 3 MSFT programs would have the M$ string to seperate them from user written applications, which just shows how fucking OLD AND BACKWARDS ASS the FOSSie faction like old Poggie are, they still think in terms of Win9x and XP. Of course this is understandable as this was the last time their OS was actually comparible in quality to either MSFT or Apple products, and now the list of show stopping bugs grows ever wider [narod.ru] and goes back in many cases half a decade [narod.ru]. hell even the guys that champion Linux admit they can't do their show on Linux because Linux doesn't have functional audio/video editing tools [youtube.com] the likes of which Windows has had since XP, 15 bloody years ago!
If you wanna guzzle the koolaid go right ahead, but even the guys I know getting paid to admin Linux ended up going OSX because they got tired of the bulshit. Every defense of Linux? I can just copy and paste memes from TMRepo because THAT IS ALL YOU GET, excuses sooo fucking old and tired they are fucking MEMES, from "works for me" to "Linux friednly hardware" to "version +1 will fix it" its ALL MEMES all the way down. As a wise admin told me right before he switched to OSX "Linux isn't getting better, it just gets different" and that is a fact. Every time things start reaching any kind of stability some asshat rips out a major subsystem and sends it back half a decade, be it KDE 4 or GnomeShell or Pulse or SystemD, nobody in the inner circle will allow Linux to be anything but alpha quality at best...if I didn't know better I'd swear that somebody was pulling an Elop on Linux!
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 0) by Anonymous Coward on Tuesday November 04 2014, @12:35AM
Links to the M$ circle-jerk site tmrepository and to the FUD site narod and pretends that those are useful.
Goes ad hominem on Pogson.
-- gewg_
(Score: 2) by cafebabe on Monday November 03 2014, @06:04PM
I belive that the gewg_ collective has previously explained that "M$" is used to refer to the company and "MICROS~1" is used to refer to the product. Some people may find this immature but it is applied consistently. Anyhow, when a company with a nine character name releases software which can only cope with eight character filenames and maintains a software patent on the discovery and utility of an escape format, the gewg_ collective is merely using the format which Microsoft devised and uses internally.
1702845791×2
(Score: 0) by Anonymous Coward on Monday November 03 2014, @07:40AM
It's the lesser of two evils. Yeah things might break but generally you're a metric butt-tonne better off. Whether the debate is about MS, Apple, Android, Linux, BSD - It's irrelevant. These things are all made by fallible meat bags so unless that description doesn't apply to you I suggest you learn yourself some restraint.
(Score: 2) by choose another one on Monday November 03 2014, @10:35AM
Amen [mod parent up]
Not only that but these things are all _used_ by fallible meat bags, some apply patches religiously, some need handholding, some need beating with a cluebat and some should never be let near a computer of any sort.
The OS is irrelevant - I've needed to help clueless Windows users, Linux users, Mac users, iOS users, Android users [actually, thinking about it, I've never had to help a clueless OpenBSD user... infer from that what you will].
Personally in the last few weeks I've spent more time on ShellShock than on Windows updates - some of which time was spent trying to impart a clue to alarmingly numerous people who seemed to believe that they weren't vulnerable because they didn't write CGI using bash or didn't run CGI at all. Had to keep reminding myself that "[Linux] Consumers are not IT people. They don't know about this stuff." and "Sometimes M$ gets it wrong and the patches don't work" - except that time it wasn't M$ was it, it was GNU/FOSS that screwed up and got it wrong.
Fallible meat bags, damned right. Pogson should get out of his glass house while he still has some windows left in it, and come back when FOSS is written by perfect AIs.
(Score: 1, Insightful) by Anonymous Coward on Monday November 03 2014, @10:47AM
MS, Apple, Android, Linux, BSD - It's irrelevant
Only if you've gouged out your eyes because you don't want to see.
Of those you listed, only the first does -not- have UNIX roots.
Only the first is an outlier--not *starting* with security when doing things.
I've watched anti-virus apps at work on Windoze systems.
I've watched the exploitable holes scroll past by the thousands.
The 2 camps are NOT equal and the difference is NOT "irrelevant".
One giant reason people don't "update" their Windoze system is because they've learned that MSFT will sneak in stuff that has NOTHING to do with security and everything to do with MSFT maintaining its power over users.
...and that's assuming MICROS~1 doesn't SCREW IT UP and make you wait until the 2nd Tuesday of next month for another "fix".
...and the reason Shellshock and Heartbleed were such a big deal in the media was that outside of Redmond's stuff those sorts of things are **rare**.
In the same timespan, Windoze Update acknowledged DOZENS of vulnerabilities in their ecosystem.
None of those made headlines; people EXPECT that from MICROS~1.
.
...and damn is a verb; the adjective is damned.
-- gewg_
(Score: 3, Interesting) by choose another one on Monday November 03 2014, @01:13PM
> Only the first is an outlier--not *starting* with security when doing things.
Maybe it depends on your personal history and perspective, but I don't think _anything_ of that vintage _started_ with security.
In fact, my first impressions of Unix security were "wow that's primitive (is this bitfield all there is, where are the acls)" - but then my first non-toy OS was VMS. Guess what Windows (NT and XP onwards) is based on / copied from [you know DEC sued MS and won / settled out of court, right] ?
Windows at kernel and filesystem level betrays its VMS origins and in fact had more security baked in from the start than Unix. It's the pile of stuff on top of the kernel that almost always causes the problem. My second impression of Unix was "wow this is insecure", but in fairness, it wasn't Unix as such but rather (mostly) X - the windowing system that let you connect to a display as any user from anywhere else (keyloggers, check, fake login window password stealers, check, popping up dodgy pictures on other users' screens, check - way way more fun than VMS). Similarly in Windows it's the crap on top of the kernel that typically causes the problems - and often it's stuff that is still in there from 20+ yrs ago when the threat world was different (like ShellShock, Poodle), MS have a habit / policy of leaving old stuff in for backwards compatibility, which is great in one sense, but causes no end of security issues.
But a few more years down the line I've learned that it really isn't the OS, and Unix really isn't intrinsically inferior to VMS security model, it's just different. What really matters is how it is managed. The VMS systems I used were managed by commercial pros, with security in mind (handled classified info), while the Unix systems I first used were managed by enthusiastic amateurs, for students - and mainly they just trusted us not to f*** things up too badly. Many Windows systems are admin-ed by clueless end users - some Linux systems are too, but probably a smaller proportion and definitely a target several orders of magnitude smaller.
(Score: 0) by Anonymous Coward on Monday November 03 2014, @08:59PM
When a file hits my Linux box, it is simply an inert bunch of bits.
If there -is- executable content in that bunch of bits, it's up to ME whether that becomes executable.
As soon as a file hits a Windoze box[1], any executable content in that file is ready to be executed--whether that was the user's intent or not.
The 2 camps are NOT anything alike; UNIX and UNIX-like systems *start* with security.
.
it really isn't the OS
Robert Pogson, referenced in the summary, has a story he tells about replacing EULAware with Free Software.
He was a teacher who inherited an ecosystem meant to serve hundreds of users, where all the boxes were running Windoze--or at least trying to.
The downtime for his kids due to bugs that MSFT shipped and never patched as well as drive-by infections was unacceptable.
After replacing that software with Linux, the downtime was asymptotically zero.
There 2 camps are NOT equal and it is noticeable to the vast majority of folks who have tried both.
It absolutely *IS* the OS.
[1] I understand that if you are willing to give M$ yet more money for a -server- OS, those have a security mechanism that is similar to what ALL UNIX and UNIX-like OSes have out of the box.
Not interested. What I get with Linux for $0 is superior monetarily and technically from the start.
-- gewg_
(Score: 2) by choose another one on Tuesday November 04 2014, @10:08AM
Files are executed when something/someone decides to execute them. Period. On either OS. The execute bit/permission (which Windows has too, in the ACLs, in case you didn't know) is trivial to defeat if you can copy the file to a location where you can change the permission, then you can execute it - and therefore so can any user space application running as you, should it choose to do so as a "feature", or if a script or similar loaded is into its interpreter / host, as we saw with shellshock. At one point, .desktop files were effectively executed in Linux desktops _without_ +x required. and that was "well-known and expected behavior” (see http://www.geekzone.co.nz/foobar/6229) [geekzone.co.nz] - user space GUI crap subverts the OS security, film at 11 WinOrLin.
Oh, and by the way, as soon as a tarball hits a Unix box, what do you expect is done with it and what happens to executable content in that file ? What happens in contrast when you extract a .zip file from an untrusted origin on Windows ? [all contents inherit the execution block in the hidden file stream, and will not execute until unblocked explicitly by the user - but you knew that didn't you?].
I know who Pogson is and have read what he did. It's not dissimilar to something I did several years previous to him, re-purposing a lab full of PCs as XTerminals (using Linux). I didn't shout about it on the web because (a) I didn't think it was a particularly worthy or interesting thing to shout about and (b) there wasn't a web to shout about it on back then.
Of _course_ Pogson's client downtime went to zero - he moved to thin-client and moved all the complex variable software onto the server and out of user control. Simply another 180 in the endless IT cycle of devolving compute power and control out to the user to give them freedom and so they can manage it for you, and then centralising it again because actually most users can't.
Pogson's problem is that he has got so fixated with the software that he did this _with_ that he has lost sight of which gains came from _what_ he did (thin client and centralization) and which came from the software he _used_ to do it. I also tried DOS/Windows (3.1) X Servers (commercial) when I did it, technically there were advantages to that (no need to dual boot - which I required with Linux as some users unaccountably wanted to keep the DOS/Win3.1 option), financially there was an advantage to Linux. We used Linux for financial reasons only (and because trying to fit the boot image on 5.25 floppy was masochistic fun), technically we could have achieved the same result with other software on MS, and so could Pogson.
I've used (I think) every Windows workstation/server pair since NT 3.51 and I have _never_ seen a requirement to pay for server to get the security model - in fact in the early (NT 3/4) days changing from one to the other was actually just a registry key, the kernel and it's security model were identical. So, which windows server/workstation versions are you referring to - or do you not know of which you speak ?
(Score: 2) by choose another one on Monday November 03 2014, @02:59PM
Oh, and:
> One giant reason people don't "update" their Windoze system is because they've learned that MSFT will sneak in stuff that has NOTHING to do with security
From experience, MS is far far from the worst at this. Oracle are particularly evil - the only malware I've had in years came via a Java security update, that's right - a _security_ update installed malware (browser toolbar shite). Java is now blocked from auto-updating on every machine I run, because I can't trust it - which means I am open to Java security holes for longer than I should be. MS have never pulled a stunt like that on me. In fact, I am kind of hoping MS re-write Minecraft in .Net - purely because it will mean I can get rid of Java entirely from the kids' gaming machines.
Or there is stuff like this: http://www.theregister.co.uk/2014/07/24/oracle_in_memory_database_feature/?_ga=1.113561543.1340584157.1409696269 [theregister.co.uk] - Oracle again, what a surprise...
(Score: 2) by WizardFusion on Monday November 03 2014, @09:25AM
Can we stop with the "M$" and "MICROS~1" shortcuts. It's not professional, it's biased.
I am not a fanboy of any particular OS or company, but when you do this, it just shows how petty and small minded you are.
(Score: 2, Informative) by Anonymous Coward on Monday November 03 2014, @10:05AM
MICROS~1 is Redmond's own invention.
If you had followed the link, you would have seen that M$ was in the article, as indicated by the blockquote tag.
-- gewg_
(Score: 2) by choose another one on Monday November 03 2014, @10:42AM
You are aware that it is a patented invention, you have paid the licence fees to use it, right ? ;)
(Score: 0) by Anonymous Coward on Monday November 03 2014, @11:16AM
LOL.
-- gewg_
(Score: 0) by Anonymous Coward on Monday November 03 2014, @10:59AM
Seconded. Mocking a company for their filesystem conventions circa 1995 was cool for five minutes when I was 13 or so, but both 1995 and those five minutes were a very long time ago. It's time to grow up. We can criticize Microsoft for its current mistakes and practices without sounding like teenaged neckbeards.
(Score: 0) by Anonymous Coward on Monday November 03 2014, @01:37PM
"Can we stop with the "M$" and "MICROS~1" shortcuts."
nope.
(Score: 2) by bradley13 on Monday November 03 2014, @11:28AM
I only use Windows for gaming and certain Adobe products, but that does mean I keep it patched.
For me, the Microsoft patch process works transparently and reliably. The only problem I have with it, is the fact that Windows sometimes needs to reboot during the process. Since my default OS is Linux, this means that I actually have to sit here and watch the reboot process, or else I come back later and have to reboot manually.
That said, I agree with the objections to this article. Very unprofessionally formulated. If the poster has a problem with the MS update process, he should spell it out objectively and present it for discussion.
Everyone is somebody else's weirdo.
(Score: 1) by sjwt on Monday November 03 2014, @11:33AM
Who approved this dribble being posted..
My goodness, if i wanted to read stuff like this, Id go to 4chan.
(Score: 2) by VLM on Monday November 03 2014, @12:52PM
Am I the only one who glanced at the headline and hoped someone (ISIS?) found a dune style sandworm?
There's a critical MS security bug every day for decades, its not even news that stuff is junk and not fit for the enterprise or the home. But a giant sandworm would be cool. I'd even tolerate a story about a giant robotic sandworm.
If I ever get a billion bucks, and a lot of sand (although the former would help with the latter) then I'm building a giant hydraulic sandworm. I looked into the engineering some time ago and it's perfectly feasible although it would be expensive. It would be more of a stunt than a serious transportation system. I was looking at making each ring mechanically autonomous. Which would also be kind of cool, here's maybe 200-300 diesel engines roaring as the thing moves around. Keeping the diesels running and the hydraulic oil in the cylinders not leaking out in the dusty sand is a serious problem and the labor cost of hydraulic seals alone would make riding sandworms a bit expensive per hour. None the less, the FIRST guy to build one might run a net profit off tourism. Maybe.
But no, its booooooring M$ vulnerability number 123456789. MS security is like those old roadrunner cartoons on TV, you know they're always going to fail, the only interesting part is seeing how they repeatedly fail at everything they do. F that go build a giant sandworm instead.
(Score: 0) by Anonymous Coward on Monday November 03 2014, @02:24PM
You guys should go circle jerk to the other site.