Microsoft confirms PDF attacks, urges caution
Summary: In the wake of this week's malware attacks using rigged PDF files, Microsoft has updated its security advisory to stress that the underlying flaw -- in the Windows operating system -- is still not fixed.
The advisory, first issued on October 10, points to an unpatched code execution hole in Windows XP and Windows Server 2003 (with Windows Internet Explorer 7 installed). While applications like Adobe Reader/Acrobat are currently being used as the vector for attack, Microsoft is making it clear that patches from third-party vendors aren't a cure-all for this bug.
"[B]ecause the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third party updates do not resolve the vulnerability - they just close an attack vector," says Bill Sisk, a member of Redmond's security response communications team.
Following the PDF-borne attacks, which use a combination of Trojan downloaders and rootkits to steal data from infected computers, Sisk said Microsoft triggered its Software Security Incident Response Plan (SSIRP), a process that handles all aspects of response to a computer/Internet attack.
As part of our SSIRP process we currently have teams worldwide who are working around the clock to develop an update of appropriate quality for broad distribution. Because ShellExecute is a core part of Windows, our development and testing teams are taking extra care to minimize application compatibility issues.
To help protect yourself during the interim we continue to recommend that you should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources and/or visiting untrusted websites. This is absolutely one of the most effective ways to help protect yourself from a variety of threats on the Internet today.
Sisk described the PDF exploit as "active" but "fairly limited" and said Microsoft is working around the clock to monitor the situation and get a patch out the door.
Microsoft's next scheduled patch release date is Tuesday November 13, 2007 -- a full 18 days away. An out-of-cycle patch could be forthcoming but this is unlikely unless the attacks intensify.
[ UPDATE: October 26, 2007 @ 12:30 PM ] Anti-virus vendor F-Secure is warning that malicious PDFs are currently being "massively spammed."
Talkback
Oh no, say it isn't so
No news here. Everyone knows the Windows OS has more holes than a chunk of Swiss cheese. Redmond needs to dump all the old code, give the middle finger to all legacy users and start from scratch. Until then, Windows will be nothing but crap.
Once again...
Once again... but so true
Once again... but so true - PS
PS
My old XP machine? I still have it, running Ubuntu 7.04, and doing very well, thank you. I haven't yet upgraded it to 7.10, but will have that happy task soon. I would also happily consider OSX, if only I didn't have to run it on Apple's overpriced and limited hardware. I prefer to build my own systems, something that you Mac fans would not understand.
I ask a favor
I'll take a look
you are so right!
More zealots skipping the true topic.
So true.
I do sympathize with you, having paid so much for that old Mac that it will be another 3 years before you can afford to upgrade. On the PC side, since our computers can be bought (or built, my personal choice) for a reasonable price, we can afford to upgrade our hardware more often. Hardware also improves with time, and my new system, with modern processor, video card, RAM, and storage, runs like a sports car with Vista, and will blow the doors off of your old clunker. And, yes, it is very easy to use, very fast, very stable, and WORKS with far more hardware and software than your Mac ever will.
By the way, since you have been "a Windows boy" most of your working life, did you try to run Win98 on that old 386 with 16 MB of RAM? How about XP when it came out on your old 98 machine with 128 MB? Perhaps you haven't quite figured this out yet, but new OSs are designed for new hardware. I suppose that I could have installed Vista on my old XP machine, but I was ready to move up, and I have not been disappointed. I expect that Mac users, and Linux users, also can benefit from advances in hardware as well.
Holes?
Do you really believe there's a large amount of security holes in a current patched Windows operating system that "everyone" knows about? I'm genuinely curious.
Yes, and so do the hackers
Economies of scale
3% what?
3% is 3 years ago...
3% is today...
Interestingly, even with the recent surge in Mac sales, Macs have not managed to increase market share, and have even lost some ground, according to the New York Times. Perhaps those recent sales have really been nothing more than users of older Macs upgrading, rather than any trend of "switching".
You are right that there have been some offers of Macs and cash for any hacker who could break OSX. One recent test resulted in both Macs and cash being "owned" in only a few hours. The only thing protecting Macs now is their minuscule market share. Vista, on the other hand, has been under constant attack, and has been quite secure so far. Even XP, with over half a billion users, has had a decent track record since SP2 (which was free, by the way, unlike your OSX upgrades).
Have to Agree
For anyone to argue about the *strength of Mac defenses* in the face of prolonged cracking attempts would be smug to say the least.
MS OSs have been the consistent target of countless attacks for a number of years - and it seems clear that Vista will now take the mantle as *most targeted* for new concerted attack vectors against an OS kernel.
The simple fact is Windows OSs will always be disproportionately represented in the numbers of *holes* in the OS/OS kernel argument - and it's simply for the fact the majority of crackers in the business of OS cracking are targeting MS OSs. This is so patently obvious and yet is almost strangely omitted in most Mac fan posts boasting about the (so called) *rock-solid* security of Mac systems.
I imagine if Apple had the majority slice of the OS market and became the new focus of major kernel hacking - somehow I get the feeling Mac OSs wouldn't fare any better (if not a hell of a lot worse) than their MS counterparts. I also firmly believe the volume of attacks would grow 'somewhat' proportionately with Apple's market share.
I say be careful what you wish for Mac people ... because you might get exactly what you want.
Do they have oxygen on your planet?
and learn basic reading comprehension. Apple's market share "other than US" is about 3%. That's not all users, but all non-US users. Big difference. HUGE difference. Truth in point, Mac sales outside the US are growing faster than in the US. The only source I can find that says Apple's "installed base" is 6% is Net Applications, Inc, which is an unscientific survey, based on visitors to sites that used their software. More than two years ago an "agnostic" survey estimated Apple's installed base at 16%. Five years ago it was at 11%. Your 6% is, uh, "specious?"
And you're just smokin' dope when you say "Macs have not managed to increase market share, and have even lost some ground, according to the New York Times." Okay, maybe you don't smoke dope. Maybe you're just lying. From the NYT, October 22, 2007: "Driven in part by what analysts call a halo effect from the iPod and the iPhone, the market share of the company's personal computers is surging." Not just sales, but "MARKET SHARE." Further, the article shows that not only are more and more buyers choosing Macs, they're paying nearly twice as much for the privilege.
As for market indicators, as goes the US, so goes the world. Apple's market share is over 8%. Apple is the third best-selling computer maker. Apple's sales grew twice as fast as the next closest competitor. Apple's sales grew more than six times faster than the market as a whole. More than half of incoming freshmen at Princeton University use Apples. More than 40% of all Princeton students and faculty use Apples. Growth of Apple users at other Ivy schools is similar.
And please don't keep bogarting that joint. Your cited "hack" of OS X was "achieved" after three reductions in basic (default) security, after connecting directly through the local server, and didn't actually hack OS X, but a separate piece of software. No one, that's NO ONE, has yet to hack into and control/change the OS X operating system. No one got the cash, and there's never been any confirmation that anybody even got the promised notebooks - from c|net, no less!
Don't look now, but your beloved Microsoft has admitted to two (2!) MAJOR security flaws in Vista in the past week, but won't issue a patch for at least another 14 days! According to Microsoft's own security response team "the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function." Windows security is, has been, and seems forever will be riddled with security flaws. And MS knows it but doesn't make changes faster than their regular (hah!) monthly schedule.
Perhaps you're too young to remember, but you sound a lot like those who denied the reality of the Japanese car manufacturers in the late 70's. Toyota, Honda, et al, knew they had a better product, and all they needed to do was continue to make a better product and the market would come to them. GM, Ford, Chrysler, and AMC (remember AMC?) believed that all they had to do was keep cranking out the same old marginal product and sheer inertia would protect them. Everyone was shocked when Toyota passed Chrysler for #3 a few years ago. Few were surprised that they passed Ford for #2 this year. Most are saying it's inevitable that Toyota will be #1. I'll bet you're shocked Apple just passed Gateway for #3.
Dear Joe Bob
As for the hacked Macs, they were standard machines, with the latest patches of OSX installed. The "separate piece of software" you refer to was Quicktime, which is a bundled part of OSX, not separate. Quicktime has also been a security risk for Windows (one of the two that you mentioned), and has been ordered removed from enterprise systems around the world. Quicktime and Safari are two good examples of Apple's complete lack of understanding about designing secure software. While it is true that there is a lack of exploits for OSX in the wild, you can thank that minuscule market share for that, not the software design.
Apple did have a surge in sales over the summer, but then saw a huge drop last month. I expect that Leopard will cause another surge, followed by another drop. This has been Apple's trend for years. Most of those new sales are users of older Macs upgrading, a trend that will continue for a while, as non-Intel Macs still outnumber the newer machines. You rave about Apple's growth, yet HP has outpaced them in both the US and World markets. HP and Dell still dwarf Apple, and with Acer's acquisition of Gateway, Apple has dropped back to a distant fourth place again.
I not only remember when the Japanese cars began to take over in the 70s, but owned one, a Datsun, at the time. The American car companies got caught with their pants down with the oil embargo, and had nothing to offer except large gas guzzlers. The Japanese companies offered not only fuel efficiency, but very reasonable prices to entice drivers to look at their vehicles. Compare this to today's computer market, where Apple continues to offer only "premium" computers (translation: expensive). While these systems appeal to some, for most they are simply out of their price range. As long as OSX remains tied to Apple's overpriced hardware, it will remain a niche player. Why do you think that Linux is gaining so rapidly in the world market? Many people, even in the US, have a hard enough time affording a $500 computer, not to mention a $1500 iMac. Your examples of Ivy League students imply that you are out of touch with the mainstream. I have attended college classes recently, and saw no Macs, either among students or in the school's computer labs. Primary and secondary education is the same, virtually all Windows PCs.
Is Vista totally secure? Of course not, no software is, including OSX and Linux. Windows, due to its 90% market share, has seen extreme levels of attack, and Microsoft has done a decent job of offering patches in a timely fashion. Most are released on a monthly cycle, but critical fixes are pushed out sooner, if needed. Since XP SP2, viruses have become uncommon on properly updated systems. I am responsible for a large number of users, and I haven't seen a virus at home or on our network in years. My experience is not unusual. The only ones ranting about Windows viruses are generally Mac and Linux fans, not those of us supporting systems. Keeping Windows machines secure is rather simple these days, thanks in no small part to Microsoft's efforts.
Now, then, perhaps you will notice that I was able to reply to your post without insults and degrading comments. Your frequent drug references might explain your failure to notice that the "ShellExecute function" mentioned in the security advisory was for XP, not Vista, which is unaffected, even for those foolish enough to install Quicktime on their systems.
@itpro_z
have a surge in sales over the summer, but then saw a huge drop last month?" Just curious, because I've never seen monthly sales broken out.
Also, I'm wondering how you read "the market share of the company's personal computers is surging" in the Times, and understood that to mean Apple was losing market share. Just so you know, 'surging' means gaining, not losing.
Also, since you don't seem to know the facts, the Mac that was "'owned' in a few hours" was actually untouchable for the first 24 hours. Three hours after the security was lowered, and physical access to the machine was allowed, someone managed to get user, not root access.