Feeds

back to article Trojan smuggles out nicked blueprints as Windows Update data

Security watchers have uncovered a new highly targeted email-borne attack that uses a supposed conference invitation as a lure - and disguises extracted data as Microsoft Update traffic. The spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed …

COMMENTS

This topic is closed for new posts.
Gold badge
WTF?

"...alleged security flaws in Adobe software..."

What's "alleged" about security flaws in Adobe software?

7
0
Bronze badge

"Alleged' zero day exploits

The claim is that unknown, unpatched faults have been used in this hack. (One of them is enough.)

However, it only requires that the victim hasn't installed the latest patches for the Reader.

(Since usually this obliges them to reboot the PC, they may hesitate.)

I've seen office computers still using Adobe Reader 8. That's pretty dumb. It isn't even supported any more. The latest bugs will -never- be fixed on version 8.

0
0

This post has been deleted by its author

Bronze badge

@Robert Carnegie

>>(Since usually this obliges them to reboot the PC, they may hesitate.)

What a flawed piece of software both the Adobe Crap and Microsoft Windows are!!!

Are you guys serious? You have to reboot your machine for every PDF viewer update? !!

1
1
Anonymous Coward

Security flaws in Adobe Reader...

How does a document viewer contain security flaws?

"Industry-leading security Take advantage of the security of Protected Mode in Reader, which helps safeguard your computer software and data from malicious code".

Why do you need to put 'security` in the Document Viewer?

http://www.adobe.com/products/reader.html

0
1
Anonymous Coward

Adobe 8 you say?

Hell we have users running version 7. Granted it's the Pro product, but I doubt that helps any, in fact, I expect it makes it worse. :(

0
0
Silver badge

Alleged?

"...try to use alleged security flaws in Adobe software..."

Really, is it not riddled with them?

0
0
Anonymous Coward

Steve Jobs Reaches from beyond the grave

Contacts us via Ouija board and say's "I told you so about Adobe"

1
1
Silver badge
Joke

See, this is why one should use GNU/Linux!

>Get me those files!

You do not have permission.

>sudo Get me those files!

Your are not in sudoers. This incident has been reported.

>ln -s /usr/bin/sudo ./%s

>./%s -D9

>Get me those files!

Why certainly, all my base are belong to you.

See how much more secure than Windows that was?

More info here.

3
5
Vic
Silver badge

> ./%s -D9

./%s: invalid option -- 'D'

> See how much more secure than Windows that was?

Indeed I do. Thanks.

Vic.

3
1
Silver badge

@Vic

Same here

OpenSUSE 11.4

sudo version 1.7.6p2

0
1
Silver badge

FFS

Did the "joke alert" pass you guys by and did you bother to read the link?

v1.7.6sp2 is not affected. Yeesh.

2
0
Silver badge

Sorry BigYin

It didn't read like a joke

0
1
Silver badge

@Chemist

Maybe not the best joke in the known Universe, no; but I figured some frothing-at-the-mouth fanboi would be along and I was trying to get in first and head them off.

This does a much better job (based on this).

1
0
Vic
Silver badge

> did you bother to read the link?

Yes, I did.

> v1.7.6sp2 is not affected.

I know. That's why I posted my output.

I wanted to get that in before someone who had not read the link went around telling the whole universe that G/L was forever hopelessly borked...

Vic.

1
1
Bronze badge

And your alleged exploit will not work for even the version 1.8 of sudo.

And GNU/Linux or *BSD iare much more secure than Windows in view of the commented accident:

1) no one would need a p. of crap like Adobe Reader, people use use evince, kpdf, xpdf or gv

2) file extension do not determine files permission contrary to windows.

3) security updates are more quicker to arrive than for MS, where sometimes they might fail to reach the users, the yum/aptitude/dpckg or such are non-existent on MS Windows.

1
1
Vic
Silver badge

> And your alleged exploit will not work for even the version 1.8 of sudo.

Errr - yes, it will. There are a number of versions where this exploit is real.

There shouldn't be any still in the wild, though. Many distros aren't using a 1.8 version at all, and those that are should have patched it by now (Fedora certainly has; I haven't checked the rest) because I'm not that interested.

Vic.

0
0
Bronze badge

Yes, mine is a different version too:~$ sudo -V

Sudo version 1.7.4p4

I heard that it is possible to create an exploit not that it already exists. Can you please point me to such link or tell how to get from ~$ to root#, say, with "sudo -i". Thanks

0
1
Anonymous Coward

Why one should use GNU/Linux!

$ ln -s /usr/bin/sudo ./%s

$ ./%s -D9

$ ./%s: invalid option -- 'D'

0
0
Silver badge

Disguised as Windows/Microsoft Update traffic

Extremely hard to do unless the destination is microsoft.com, Shirley?

2
0
Silver badge
Joke

@Disguised

Maybe it was MS doing the spying?

1
1
FAIL

@Dan 55: Nope !

Windows update uses cheapo servers to pull the updates from. Just perfom an update and then repeatedly do

netstat -a

in a cmd.exe window.

You will see that the update servers' name does typically NOT end in microsoft.com. Instead (I assume) they use a cheap content distribution service, so that the actual name is something like

msft08712.cheaperhosting.com.

Of course, they change these servers every month, so have big fun to maintain a proper firewall whitelist or to even automatically check for malicious traffic. As always, MS cares about $$ revenue, and gives the middle finger when it comes to security. Even humans will be challenged to indentifiy the windows update content distribution server names as being legitimate.

Big-fat MS security FAIL, I would say.

4
3
WTF?

OK how is this Microsoft's fault, really?

"[msft08712.cheaperhosting.com] Of course, they change these servers every month, so have big fun to maintain a proper firewall whitelist or to even automatically check for malicious traffic."

They use Akamai, but that's beside the point. The domain is the same (windowsupdate.microsoft.com) even if this is an alias that points to a distribution network. Or they'd have a hard time updating PCs with updated Windows Update software to point it to new servers.

"OH NO IT USES ADOBE EXPLOITS AND DISGUISES ITSELF AS WINDOWS UPDATE IT HAS TO BE MICROSOFT'S FAULT!!!!!111!!1ONEONE"

0
1
FAIL

@OK how is this Microsoft's fault, really?

If the IP of the content distribution server does not reverse-resolve to XXXX.microsoft.com, firewall administrators will have a hard time discriminating the traffic of a virus infection from that of windows update.

If Microsoft were serious about security, they would not use a plain Akamai (or any other content distribution service), but use a service which would reverse-resolve to a proper microsoft domain. Maybe that would imply that MS itself would do the content distribution, but that is the price of proper security...

As a security-conscious firewall admin, I always must assume anyone with a valid credit card number can buy webspace with Akamai or similar companies.

At least, Microsoft could use the same set of Akamai addresses for all of their update traffic, but apparently it changes all the time. So I stand to my characterization of a big MS FAIL here.

3
2
Thumb Down

So you blame MS for you not doing your job?

"At least, Microsoft could use the same set of Akamai addresses for all of their update traffic, but apparently it changes all the time. So I stand to my characterization of a big MS FAIL here."

Or maybe you, the supposedly security-conscious admin, could restrict WU traffic to a single WSUS server and use that to deploy updates, then block the domain from other clients at your proxy level or whatever device you have for managing web traffic. WSUS is free with Windows Server.

Take some ownership already. Or are you going to blame MS for not teaching you how to use your non-MS firewall or web filter or whatever?

But no matter, you and the rest of the crowd here will find some way to pin this on them no matter what rational solutions I could possibly come up with.

1
3
Bronze badge

never been an admin, have you.

If i set up WSUS to point to a single (currently valid) microsoft update server, and they change it, what are the chances they'll send me a note before they do this? zero, absolutely zero.

Regarding your MS firewall, what DNS does it rely on to insure that your connection to windowsupdate.micrsoft.com ACTUALLY goes to a microsoft server and not any other server?

So far, you haven't come up with any rational solutions, and its not you, I don't think there are any rational solutions.

0
0
WTF?

Sixteen years admining NT and variants; don't tell me I haven't earned my BS.

"If i set up WSUS to point to a single (currently valid) microsoft update server, and they change it, what are the chances they'll send me a note before they do this? zero, absolutely zero."

I don't seem to have such issues. I do run WSUS on a 200+ client multi-site network. Don't dare tell me I've never been an admin.

"Regarding your MS firewall, what DNS does it rely on to insure that your connection to windowsupdate.micrsoft.com ACTUALLY goes to a microsoft server and not any other server?"

WSUS packages are digitally signed.

I only have the DNS root servers to rely on, along with the stability of DNS itself, just like you. DNS is soooooo flawed and subject to hacking, etc etc yet we keep using it. It's certainly not a MS product. Then again, digital signatures are also soooooo flawed and easily forged. We're doomed, I tell you, doomed!!!!!11!one

"So far, you haven't come up with any rational solutions, and its not you, I don't think there are any rational solutions."

You saying LA-LA-LA-LA-I-CAN'T-HEAR-YOU doesn't mean the solution doesn't work. Or is the inline web proxy that does filtering by category, by application, by name, and so on not good enough, working in concert with a firewall router blocking un-proxied HTTP? Not mentioning brands but it's non-MS.

If there are no rational solutions then we're all doomed, pack it in, disconnect from the internet, dismantle the internet as an abject failure. And it's all Microsoft's fault that all of these non-MS services, systems, and so on are a failure.

Take. Some. Ownership. Blaming the biggest target is a coward's way out and doesn't solve the real problem. The internet itself is the real problem.

http://vmyths.com/column/1/2001/4/4/

But that's digressing. Take some ownership.

0
0
Gold badge
FAIL

"malware also cunningly attempts to escape detection".. "Windows Update utility. "

Windows Genuine Advantage?

I wonder how many people switched off auto update as a result of that PoS.

3
1
Anonymous Coward

Ahh

Windows - ever so secure!

2
1
FAIL

Windows is so floored that any PC that has information on it that is likely to be of use to the enemy should not use windows.

0
1
WTF?

Eh? What does that mean in english?

0
0
Anonymous Coward

Re: English

I think he wants to say "do not use Windows for confidential data processing".

2
0
Anonymous Coward

Methinks he confuses "floored" with "flawed". A problem I've noticed affects many English folks; as they don't pronounce their "R"s, they are often unaware that there are any, in certain words. Hence all the people who seem to think they have a chest of "draws" beside their bed.

0
0
Silver badge

Huh. Over he we have people who put extra 'R's into words:

"Get me a glass of warter.'"

"Have you done the warsh?"

Maybe we need to get the two groups together.

0
0
This topic is closed for new posts.