Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw. Security shortcomings in the Windows shortcut (.lnk files) are being exploited by the Stuxnet rootlet, an …
LINUX should not laugh
Usually I like to point out yet another reason to deride MS' security history, and this is quite a good example.
However, the LINUX case is almost as dumb! While UNIX has the 'execute' permission that limits a lot of simple attacks, why do LINUX distributions insist on mounting non-UNIX file systems (e.g. USB drive with FAT format) with '777' permission (i.e. everything is executable by default)?
There is no excuse for this in most cases, even a CD with software should be in a .deb file or similar. If someone dose not know how to copy to the appropriate place and chmod, they have no business installing/running stuff from an external drive!
For internal drives (such as my Windows partition) it is easy to add options to /etc/fstab so directories are 775 and files 664 so why can't they do it for automounted systems?
Re : LINUX should not laugh
At least with Linux/Unix an executable will NOT automatically run merely on browsing a directory containing links
LINUX should not laugh - too much
@Chemist: While it is true that fully automatic running is not the LINUX norm, Ubuntu has an option which is on by default to offer to run software when you double click on it. For example a text file with 777 permissions gives you this sort of prompt:
'Do you want to run "rxlist.txt", or display its contents?'
At least the default action is 'Cancel' in this case, but I do worry about a dumbing-down of LINUX to meet the Windows users' low expectations. Hopefully we will not go any further down that path...
LINUX doesn't need to be shouted, folks
It's not an acronym, so it's just Linux.
Same goes for Unix.
And actually, I'm laughing pretty hard. Note the dialog we're discussing doesn't have a 'run as root' button.
Re : LINUX should not laugh - too much
Sorry I don't understand - surely the point is that if a user choses to run a suspect executable, however they launch it - that's their problem and they deserve all they get. But the system will NOT automatically run an executable by merely browsing the directory.
Where'd that come from?
Did you even read the article or were you just try to get a jab in on Linux and derail the usual comments about Windows' crap security?
LINUX users can laugh..
Ubuntu at least (and probably others) mount them all noexec so even though it _looks_ executable it isn't.
This is the Linux distro at fault, not the kernel.
Every Unix or Linux geek has his own preference on how to set up a system. Hence so many distros.
While I see your point, as FAT does not support proper file permissions, it's not unreasonable to assume all files have 777 permissions. If it was anything else then you wouldn't be able to execute from the filesystem at all, and that would be unacceptable; it's not acceptable to have to copy an executable to some other file system to execute it. It's just not.
If you WANT the filesystem to be non-executable then you can mount it as such (at least you can with BSD - it's sometimes done for /tmp and /var etc for security reasons - I'm not sure about linux).
As for the Windows problem, only MS could manage to introduce a code-injection flaw into a file shortcut [shakes head ....yet again].
Also, "For systems that have AutoPlay disabled..." - What - you can do this now???
power plant control systems??
power plant control systems on windows?
Doesn't the packet specifically tell you not to use it for this sort of thing?
We need another icon!
Power plant control software written in Windows!!! Yikes!!!! But, it reveals that there is no Homer Simpson icon, which should be corrected posthaste.
This one seems quite adequate:
Tooltip text says it quite eloquently, I'd say. Say NO to Icon Creep!
not supposed to be used for life support either
Of course, most T&C's have these, as well as life-support restrictions. It's all about product liability...
Isn't there a law
against using Windwoes for anything more important the FaceSpace?
If not, there should be.
Keep it simple
This is why applications should not be deeply tethered to the operating system. Bundling IE/Explorer so deep into the OS was mistake #1 since now every standard windows deployment is vulnerable due to bugs in non-optional components.
Are You Serious?
"For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited."
Seriously? Seriously? When someone has just inserted a DVD or USB into a computer it is pretty much guaranteed they are going to browse to the root directory of the drive they just inserted. Pretty much the only way they won't is if they are a full-on console mode geek and there aren't many of us left.
I really do find it coincidental that this was revealed days after Win2K was end-of-lifed. I know a lot of people intend to keep running Win2K in non Internet facing systems and this reeks of MS spreading FUD to force upgrades. I suggest people replace Explorer with something properly designed instead.
If I may add a "yeah, but"
The systems that run SCADA control software are not the sort of systems that allow the insertion of any sort of external media, they are typically highly secured and not connected to public networks, even via a firewall.
We don't use SCADA at my workplace, but we have similarly sensitive systems, they run in their own firewalled off areas within physically secure datacentres/comms rooms and access is via remote desktop/Citrix.
This problem, while serious, shouldn't be affecting SCADA users who have set their systems up properly. Setting systems up properly being another issue, mind. Noone should ever be able to insert media into a secure system, beit Linux, UNIX or Windows.
Yes, it IS a big deal.
It must be nice to work in an environment that takes security so seriously. Unfortunately, things are a lot messier in the real world. We design SCADA products, and many of our customers -- multinational energy firms included -- route SCADA over the public Internet. Worse, Windows-based SCADA control systems are ubiquitous in these unsophisticated IT communities. So, yeah, it IS a big deal.
"targets industrial and power plant control systems"?
"executes automatically if an infected USB stick is accessed in Windows Explorer."??
Why the HELL would anyone be putting USB sticks into machines that run these sort of system in the first place???
more to the point
what kind of admin would allow users the facility to even be able to use the usb ports of such a machine. allowing removable storage on a critical system is just asking for trouble.
if its not needed for it to work, why the heck is it enabled?
Why the hell....
They don't. SCADA systems are very high level control of overall plant, the big knob that you crank from 0 to 11 depending on how many widgets you want your factory to produce today. This is passed on to a DCS system which will be completely proprietary, interprets the human controllers input and controls the detail of motor speeds, pipe presssures etc. Then for the big plants there will be another system watching the plant to make sure everything the DCS does is safe and to take over and make the plant safe if anything approaches safe boundary limits.
The SCADA will report all of the actions of the DCS and safety systems back to the operator, it'll show him where the motors are running hot and how full the vessels are. But thats all, just show in detail and control loosely.
The detailed daily run data is what someone it trying to mine I would suspect. If they are looking for something that can control to make it go bang then they are pissing in the wind.
Poor choice of quotes
"malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut"
Well that wouldn't be much of an exploit, would it?
The user does not have to CLICK the icon, merely view the folder containing the shortcut (or have the icon loaded in many other ways Windows loads icons). Apparently if the shortcut gets its icon from a resource within a DLL, it is possible to have Windows automatically run initialization code of that DLL.
The FAILs here are incredible...
"an information stealing threat that targets industrial and power plant control systems"
1. Using Windows, an operating system that is fairly heavy weight and not known for ultimate reliability, controlling some aspect of a power plant. [for an example of reliable, look at your VCR, mine has been 'up' since the last power cut and hasn't crashed, once, in nearly ten years of use]
2. Failing to read the Microsoft supplied licence that specifically states that the product should not be used in a critical or life-dependant capacity. If the original vendor is not willing to make the claim, how can any reseller?
3. An environment like that... anybody caught inserting USB flash drives into the work computers is just asking for a dismissal with extreme prejudice.
At my place of work, the office girls use Windows (and do web/yahoo mail on their work machines - ooooh, the changes there'd be if I was head of IT) and some of the diagnostic tools run under Windows with a serial port. But the actual equipment itself is controlled by PLCs, dedicated embedded systems, and ridiculously over-complicated rack-mounted things that looks like a fuseboard stuffed with RCBs gone mad. There isn't the slightest whiff of "traditional PC" in the production area. But, then, nobody would want to hear that it's all ground to a half because blah.dll is corrupt, or confiker is tickling the insides, or any of the excuses we're so used to with our desktop machines...
SCADA = Supervisory Control And Data Aquisition. Supervisory Control.... SUPERVISORY Control.
SCADAs are a pretty graphical front end to your production area PLC. The SCADA tells the PLC what to do in terms of 'Run recipie A today please' for a chem plant or print 10,000 copies today please for a press. The PLC (or DCS, same thing effectively) runs the motors & pumps NOT the SCADA.
A SCADA cannot attempt to make a pump push too much fuel into a furnace. The PLC will control fuel pump speed based on fuel line pressure, boiler temp, flue gas quality and many other factors. In fact a BMS (Burner Management System) will not a PLC but a BMS is just a high speed DCS dedicated to, yep burners.
A SCADA cannot lie to a PLC, it can't feed false data to try to make the PLC do something wrong because the instrumentation is connected to the PLC not to the SCADA.
All the SCADA does is listen to the PLC and display all those temperatures, pressures, pump bearing temp and speed and vessel levels on pretty graphics for the humans to go oooh and ahhh over.
On the plant I am at right now there are 16 operator stations which each have 10 TFT screens to look at that can call up thousands of pages of graphics. Is this outside line connected to the SCADA? Er, no. What would happen if the SCADA failed? A whole load of humans would flap while the clever ones tut and get on with putting the breaker back. Meanwhile the plant got on with its job absolutely under safe control of the DCS which in turn is monitored by the ESD (IPS in modern meeja friendly parlance).
What if a pump overheated while the humans can't see the warnings on their now dead SCADA? The DCS switches to the standby. But what if that overheats? The DCS shuts down that section of plant and the product is buffered in vessels or the whole train stops. But what if the DCS malfunctions? The ESD shuts down the plant. But horror maybe the ESD malfunctions too? (it won't in 99.99999 of cases, we laugh at your 5 9's in your oh so reliable data centres). If the ESD command to shut down in a graceful fashion is not executed within the plant safety time then all power is automatically dropped from the entire plant in a most ungraceful fashion. The plant in engineered to withstand many thousands of tonnes of moving fluid stopping all at once without anything escaping but you try not to do it too often or you maintenance rates go up.
This attack is probably espionage, the SCADA can SEE everything. The chinese might quite like to know the new catalyst in a proprietary petrochem cracker or similar. Or maybe its a l33t h@ck0rz who jump to the same conclusion so many commentards have when they read that 'Windows controls power plants'.
@ Gotno iShit Wantno iShit
Nice user name. :-)
Thanks for the description.
However... I have seen elevators operating with switches, relays, and discrete logic boards. And I have seen elevators offering the same functionality operating running a version of Windows. Who is to say that somewhere there isn't a power station (or other industrial plant) running on systems less designed for it.
But, the question is - if the plant has all this fancy fail-safe hardware, is it a big deal if a Windows box gets pwned? I've seen "virus found" popups on the administration computers, and I know Confiker is in the LAN somewhere. It might stress payroll and it might throw a spanner in the works of planning, R&D, traceability, or stock control (all of which use LAN'd Windows machines). However it won't do a single tiny thing to the production area, the pick'n'pack, or the unreliable clunker that folds boxes, stuffs things in them, then glues the ends together. If management has enough brains to be able to work up the production planning manually, and stock control learns how to use a clipboard and a phone, life could carry on without any IT support whatsoever (the machine that prints barcoded labels runs independently). That's how it should be. Generic computer support for the soft-seat people, and custom equipment for production, where reliability is essential.
Chances are, the CD you have does not maintain separate permission information on its files, and Linux can't read the mind of whoever burnt the CD to determine what their intent was. On such disks, you have to decide if you want all the files to have execute permission, or none of them. If you want to execute any file on the CD, you'll have to mount it with exec permissions, and you get the 777 permission on all files as you have observed.
The alternative is to not have execute permission on ANY of the files on the CD (since all files will be treated the same if the CD filesystem on the disk does not support file-by-file permissions)-- and guess what, that's what happens if you don't specify execute permission when its mounted. If the mount is specified in /etc/fstab, remove the "exec", or set the option -o noexec when doing the mount command...
This is different than Windows, which keeps a crude method of file permission based on the filename itself-- if it ends in ".exe" or ".bat" or various other things, than it has "exec" permission, etc. Linux doesn't normally treat filenames as being special in this regard-- I suppose it could map permissions based on such logic, but it wouldn't want to to that by default because what if a typical shell script that either ends in .sh or perhaps has no extent at all, is stored on such a CD-- you won't be able to execute it from Linux. And if it does have an .exe extension, it's probably not a Linux executable, but a Windows executable, which you probably don't want to execute on Linux anyway, so that kind of logic wouldn't really apply in Linux...
Apologies to all for hijacking the comments on the design flaw in Windows, but I was just wanting to make the point that some of Unix/Linux's built-in protection is also being compromised, so not to laugh too loud.
I understand that CD and FAT/NTFS file systems just don't support the *nix security model, but I object to the "default unsafe" approach of allowing execution. This is the slippery slope to the problems of Windows being easy to run things unexpectedly.
With CDs you can edit the fstab entry to add 'noexec', but that still leaves them executable if copied. Also not so easy for USB sticks. But how often do you really need to execute from a CD, as opposed to installing a .deb file using the package manager?
And while it is true that you can't run a surprise as root so easily, but remember if the operational account is compromised on what is essentially a single-user system, it is not that far from being rooted.
So to return to the article, yes its piss-poor that loading an icon for a short-cut screws the system over, but as other have pointed out, that is one of the delights of having explorer built-in low down, and it seems not properly audited for holes. Again.
Not sure why people are harping on about execute permissions. The glaring problem to me is why Windows Explorer is using a library to parse links and render icons that should be able to run just fine with user level permissions? Even if it is due to some system-wide resource optimisation, I can't see how the performance of a user-wide one would be hugely different. Especially given most Windows machines only have one user logged in at a time.
And it's not even 2012 yet
If they don't get a patch out very quickly, this is going to be a disaster...
So how did they target scada systems? How did they get this into the hands of the people who operate this stuff?
The only thing I can think of is: They handed out usb sticks and CDs at some scada trade show, that had usefull utilities on it.
Between the targeting and the use of a legit cert to sign the drivers, it's not your average botnet.
Plant USB sticks on the parking lot, one at a time, until one phones home. I saw a report once on an experiment with that. 20 sticks were dropped, one at a time, outside a large company. 19 of the 20 phoned home when the users inserted them into their machines to see what was on them, the last one was turned in at the reception. For added value, have the company logo printed on the sticks.
@heyrick: where do you work, are you recruiting?
I could do with an employer with a clue.
There are a *lot* of SCADA (and other embdedded-class) systems out there running on Windows. A *lot* of them are in places where people aren't (allowed to be) as fussy as they should be about the OS of choice, or about removable media, or about what gets connected to the network, or whatever.
It's all very well to say "who's letting these things connect" but even for the folks who understand the difference, when the choice is between doing the right thing or getting paid next month, a lot of people suddenly and understandably choose to get paid next month, and so Windows gets rolled out and the USB sticks etc get plugged in, because the PHBs think it's cheaper that way. And cheaper is always better, right, if you're a PHB?
Meanwhile, ... in a Sunny Embankmented Legoland.
Self Employed Rules OK ....... and Self Employed Rules UK too, although quite exactly what they would be doing, and much more importantly, how it is done successfully, is way beyond Top Secret and National Security Interest classifications ........ and any pay grade levels of employment and servitude, no matter how grand and elevated.
"But, then, nobody would want to hear that it's all ground to a half because blah.dll is corrupt, or confiker is tickling the insides, or any of the excuses we're so used to with our desktop machines..." ..... heyrick Posted Monday 19th July 2010 14:42 GMT
By all accounts, heyrick, would one never feel a conficker tickle, which must make it quite a sublime touch.
Although all of the above may be just convenient myths to disguise the True State of Matters and be Masks for the Nature of Matter.
A Lot of People ...
... simply do their various jobs with the resources given to them in the manner prescribed. In almost all corporate/industrial/governmental/etc. settings, people are told to simply do the tasks they're assigned and get "x" project completed in "y" time. The truth is, the general worker is beaten into submission, one way or another, to be the perfect little soldier and do as they're told. Initiative is most often NOT rewarded because it upsets the applecart and causes changes and, for the most part, people resist change. That's why companies have vatious departments: work segregation. I had many opportunities over nearly 45 years of worklife to offer beneficial change. But after a while you come to realize you're not in the "Change" derpartment, you're in the "Producrion" department and if you want to change, get another job.
It's for that very reason (do your job with what you have) that worms and such have such great success in the corporate world. You simply can't be a top level IT guy, a top secretary, a top accountant, a top mechanic, and etc. all at the same time. You have to specialize, i.e. have a job description and job title. When those are the circumstances, "IT Shit" happens among the non IT workers. The vast majority of computer users outside the IT world just don't give a damn which OS, or which kernel, or which office suite or which anything they use so long as they can get their job done, go home at the normal quitting time and have their real life.
My last ten work years I came to realize my job enabled my real life and that was the only reason to continue. When I retired I kept my life because my life had no been my job for many years. And having been e good little corporate soldier, I retired well. More and more people are coming to the same conclusion I did. There are even books that attempt to tell what I discovered. But, one side effect is the general worker is no longer committed to their job and no longer as loyal as they once were. Why should they be when their bosses have proven they'll terminate anybody for the slightest cause? If companies want the workers to "look out for them", then the companies better be caught doing a better job of "looking out" for the workers and that just ain't happening today.
@ Doug Glass
Why the hell should a company look after its workers? Why should it pay extra or do anything beyond the bare legal minimum? You want loyalty? Bend over and kiss ass for you *have* a job. Don't like it? Sod off, for every ONE of you, there are twenty crying out to do this work.
Before you all hit the downvote, I think this situation sucks to hell and back, but sadly for a lot of people it is reality. Do I like my job? Not really. Do I feel a loyal employee? Not really. Once I clock out, do I give a damn? Not really. It has, as Doug has said, been made perfectly clear that my job has narrow confines. It irks me no end when, practically, to plug something in you have to call a guy in a blue outfit to come and do what any primary school child could do correctly. Such things are NOT my job, unless management decrees otherwise by osmosis. The day to day activities of the company, not my job, and none of my business. Future plans, projections, ditto previous. I am here to do a specific task (within the caprices of management) and basically STFU otherwise. It's a shame, I like the products but I never really feel a "part" of the company, more like "just another crappy employee".
I believe that a company should do things to make their employees feel wanted and special. You cannot just "demand" loyalty, especially when everything we are asked comes with the automatic expectation that the answer will be yes, while most of the things we ask are asked on the understanding that the answer will be no (or, better, "we'll look into it" which means no). But management obviously have different ideas as to what to do with their profit.
My job pays the bills. That is how I see it. I work X hours for the cat food. I work Y hours for broadband. I work Z hours to spend online. And so on. It is necessity, not loyalty. It works for me, it works for them. But it is wrong in practically every way imaginable.
...AC as while it is obvious who I am from the writing style, if them-in-charge come across this and give enough of a damn, there's plausible deniability built in. :-)
"At least with Linux/Unix an executable will NOT automatically run merely on browsing a directory containing links"
This particular vulnerability is a drive-by attack, it works when you open the folder (and possibly you have to click on the icon - reports vary). A more apt analogy would be a bug in the Nautilus file manager that executed code when merely viewing a folder.
"I suggest people replace Explorer with something properly designed instead."
If the replacement uses the Windows APIs to view embedded icon data then it will probably have the same issues.
"why Windows Explorer is using a library to parse links and render icons that should be able to run just fine with user level permissions?"
It does run with user-level permissions; exploiting this bug doesn't automatically allow privilege escalation. Running as a non-Admin user will mitigate this threat. However, there are exploits in the wild using this, plus a stolen(?) private key to sign device drivers that install rootkits.
Even without the ability to run with administrator permissions, the fact that this allows the execution of arbitrary machine code just by opening a folder means that this is an extremely serious vulnerability.
Re : Drive-by attack
SANS have upgraded Infocon to yellow due to this flaw
The most serious aspect is that it seems to work browsing shares
I don't understand how your paragraph "This particular vulnerability........" is a more apt analogy than my ( rather briefer) comment. Admittedly a bug in one of the Linux file managers might possibly launch an executable but the mechanism in the case of Windows seems to be extracting the icon from a dll AND initializing the dll as far as I can tell all without user action
SCADA, DCS, PLC (@6:28 stuff)
Well it's nice to hear that some places still understand the importance of levels of hierarchy in the control picture. Unfortunately my experience working with suppliers to this market tells me that you are in a tiny tiny tiny minority, and that most architectural decisions have for a long time been dictated by PHBs whose primary consideration in choosing an implementation is "Is it Windows?" (because they think Windows is cheap and they think Windows implies interoperability of a sort). Reality is that Windows is not cheap at all, but in apps like this it is very definitely nasty, whatever National Instruments and the other MS-boosters may claim to the contrary (yes I do realise they're not classical SCADA but they're one of the biggest offenders).
[Sorry if you're reading this, Lorenzo, but hopefully by now you've moved on]
Target: Siemens WinCC SCADA/HMI software
There's another article in this series . It seems Siemens' WinCC SCADA/HMI systems are among those "specifically targeted". Afaik that software is quite popular as a standalone, without the PLC/DCS hierarchy written about earlier today, at least according to Siemens:
This bit of Siemens bought the Factorylink company a few years ago. Factorylink was one of the last OS/2 SCADA systems on the market. They had good reason for sticking with OS/2, but the rug was pulled from underneath them somewhat.
Re AC@09:37 and AC@10:52
I too have seen erosions of what an old fart like me would call good engineering principle. Where once you could see 6 feet of clear daylight between DCS and ESD now there are manufacturers pushing converged systems. It is a worry.
As to the current alert it does look rather worse than I earlier understood. Siemens could be in a spot of bother here. As stated above by others Microsoft don't rate their stuff for life safety. Siemens do and if the password out in the wild has write access to the hardware then it could get messy if other layers of protection have not been used. The Microsoft attack vector is irrelevant.
The one with a copy of IEC61508 in the pocket please, I'm off to control.com for a while...
"6 feet of clear daylight "
Even with 6 feet of clear daylight air gap between networks, sooner or later someone will want some data transferred across the air gap. USB sticks are ubiqui... everywhere, and that's the entry vector for the malware.
The Microsoft-only attack vector is *entirely* relevant, this kind of thing didn't happen (and largely couldn't happen) with OS/2 or Unix or VMS or practically anyone else's OS except Saint Bill's.
The title is required, and must contain letters and/or digits.
Don't know OS/2 ... :-\
But VMS would be my OS of choice, however, just like in Sex Pistol's song ..... noooooo future, nooooooo future .... shows HP's level of intellect!
Let's imagine, the program copies itself onto the Desktop folder of every workstation. Imagine it is on a network share ... network admin checks something (like permissions) on the share, instantly every twat in the company has a new "iexplore" (eg ie) icon on his desktop ... instantly, every single logged-on PC on the LAN is infected ... what a mess! Excellent!
Windows is really for those who deserve it! Solaris, the only real, true, enterprise OS that really is reliable ....