Personal computing discussed

Moderators: renee, Flying Fox, Ryu Connor

 
CScottG
Graphmaster Gerbil
Topic Author
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 5:03 pm

..*email, etc. where files like this can start-into their exploit.

https://www.engadget.com/2017/06/11/mal ... use-click/



*I should note that I think of email as a portion of "browsing"..
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 5:18 pm

Or a LiveDVD. You know if I did online banking, I think I would do it this way.
 
ozzuneoj
Gerbil Elite
Posts: 542
Joined: Tue Jan 21, 2014 1:27 pm

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 5:25 pm

I haven't even seen anyone use PowerPoint since I was in high school 13 years ago.
Fractal Design Define R6 - Ryzen 5 3600 - Gigabyte Aorus X570 Elite - 16GB DDR4-3000 - PNY GTX 970
IBM 5150 - Intel 8088 4.77Mhz + TinyTurbo 286 7.16Mhz - 256K onboard + AST SixPakPlus 384K - 20MB Miniscribe MFM - Everex EV-659 EGA + Parallel
 
DreadCthulhu
Graphmaster Gerbil
Posts: 1022
Joined: Mon Apr 21, 2003 12:43 am
Location: R'lyeh

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 5:45 pm

ozzuneoj wrote:
I haven't even seen anyone use PowerPoint since I was in high school 13 years ago.


Sounds like you need to get out and synergize more. :lol:
Violence is the last refuge of the incompetent. The competent use violence well before last resorts are necessary.

If violence isn't solving your problems, then you aren't using enough of it.
 
LostCat
Minister of Gerbil Affairs
Posts: 2107
Joined: Thu Aug 26, 2004 6:18 am
Location: Earth

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 5:50 pm

So, unclear on which Office suites are actually vulnerable without disabling security features.

Worth noting I'm fairly sure Office 2010 and earlier are unsupported at this point, though I still don't know if 2010 is vulnerable either.

So sure, if your software is insecure to begin with and the users like to open **** from spam emails...you might be infected. OK.
Meow.
 
CScottG
Graphmaster Gerbil
Topic Author
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 6:07 pm

ozzuneoj wrote:
I haven't even seen anyone use PowerPoint since I was in high school 13 years ago.



I'm thinking about it more in terms of it being a PowerShell script - which could be wide-ranging. And it might not be long before some b@astard codes-in some sort of "auto" download "feature"..maybe with a fast-timing pop-up/DOWN so that you barely see any sort of notice that you've "accepted" the download.
 
TwistedKestrel
Gerbil Elite
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 6:14 pm

LostCat wrote:
So, unclear on which Office suites are actually vulnerable without disabling security features.

Worth noting I'm fairly sure Office 2010 and earlier are unsupported at this point, though I still don't know if 2010 is vulnerable either.

So sure, if your software is insecure to begin with and the users like to open **** from spam emails...you might be infected. OK.


2010 is under extended support, anything before that is 100% EOL'ed.
 
LostCat
Minister of Gerbil Affairs
Posts: 2107
Joined: Thu Aug 26, 2004 6:18 am
Location: Earth

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 6:19 pm

TwistedKestrel wrote:
2010 is under extended support, anything before that is 100% EOL'ed.

Ahh, misread it heh :)

This thread just makes me wonder how vulnerable an equally poorly secured Linux install is.
Meow.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 8:54 pm

The headline on the linked article is rather misleading. Yeah, the malware launches with just a mouse hover, but only after you've already opened the attached PowerPoint file. So you still had to be dumb enough to open a PowerPoint attachment from an unknown sender. If you're in the habit of opening random attachments, your system is probably pwned already anyway.

whm1974 wrote:
Or a LiveDVD. You know if I did online banking, I think I would do it this way.

That's rather inconvenient, since you need to reboot the machine twice (once to launch the live image, and once to get back to your native OS). It's also less safe than a VM, since the live image has direct access to the real hardware (and therefore can see the files on your native OS install, unless you've used full drive encryption).

LostCat wrote:
TwistedKestrel wrote:
2010 is under extended support, anything before that is 100% EOL'ed.

Ahh, misread it heh :)

This thread just makes me wonder how vulnerable an equally poorly secured Linux install is.

Well, LibreOffice's support for PowerPoint files sucks so badly that even if there was a version of this exploit that used bash (instead of PowerShell), this particular exploit would probably have zero chance of working, at least. :wink:
Nostalgia isn't what it used to be.
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 9:42 pm

just brew it! wrote:
whm1974 wrote:
Or a LiveDVD. You know if I did online banking, I think I would do it this way.

That's rather inconvenient, since you need to reboot the machine twice (once to launch the live image, and once to get back to your native OS). It's also less safe than a VM, since the live image has direct access to the real hardware (and therefore can see the files on your native OS install, unless you've used full drive encryption).

Second machine with only the DVD drive for storage and boot off that. Can also use it as a guest machine as well.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 9:47 pm

whm1974 wrote:
just brew it! wrote:
whm1974 wrote:
Or a LiveDVD. You know if I did online banking, I think I would do it this way.

That's rather inconvenient, since you need to reboot the machine twice (once to launch the live image, and once to get back to your native OS). It's also less safe than a VM, since the live image has direct access to the real hardware (and therefore can see the files on your native OS install, unless you've used full drive encryption).

Second machine with only the DVD drive for storage and boot off that. Can also use it as a guest machine as well.

Not a viable solution for mobile users. Carrying a 2nd laptop is a PITA!

I'd also hazard a guess that most non-mobile users aren't going to want to set aside space for a 2nd desktop system just to do their online banking.
Nostalgia isn't what it used to be.
 
CScottG
Graphmaster Gerbil
Topic Author
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 9:48 pm

just brew it! wrote:

whm1974 wrote:
Or a LiveDVD. You know if I did online banking, I think I would do it this way.


That's rather inconvenient, since you need to reboot the machine twice (once to launch the live image, and once to get back to your native OS). It's also less safe than a VM, since the live image has direct access to the real hardware (and therefore can see the files on your native OS install, unless you've used full drive encryption).



QubesOS is almost perfect for this - Xen on bare-metal and specialized Linux VMs, though yes: inconvenient.
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 9:57 pm

just brew it! wrote:
whm1974 wrote:
just brew it! wrote:
That's rather inconvenient, since you need to reboot the machine twice (once to launch the live image, and once to get back to your native OS). It's also less safe than a VM, since the live image has direct access to the real hardware (and therefore can see the files on your native OS install, unless you've used full drive encryption).

Second machine with only the DVD drive for storage and boot off that. Can also use it as a guest machine as well.

Not a viable solution for mobile users. Carrying a 2nd laptop is a PITA!

I'd also hazard a guess that most non-mobile users aren't going to want to set aside space for a 2nd desktop system just to do their online banking.

Get a refurbished notebook with DVD drive and remove the HDD. Use that for online banking at home.
 
bfg-9000
Gerbil Team Leader
Posts: 242
Joined: Tue Mar 01, 2016 9:17 pm

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 10:30 pm

Sheesh, what happened to all the laptops you could easily slide the SSD out the side of? Though many of the lightest Live DVDs do not mount your disk anyway.

ozzuneoj wrote:
I haven't even seen anyone use PowerPoint since I was in high school 13 years ago.

14 years ago Colin Powell was using PowerPoint to convince the UN Security Council there were WMDs to justify war.
 
DrCR
Gerbil XP
Posts: 350
Joined: Tue May 10, 2005 7:18 am

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 10:55 pm

That's because the more modern versions of the suite has Protected View, which will show a prompt warning you about a "potential security concern" when the script starts running. Just click Disable, and you'll be fine. However, older versions of the suite don't have that extra layer of security.

By older versions, isn't that going back to Office 2003? iirc, 2007 and newer have Protected View.

Re Linux live CD thumbdrive, use a distro that requires root/sudo to mount, and it becomes irrelevant that it has direct access to the real hardware (unless of course the exploit even manages to do a user account escalation attack). Running software updates every time may be less than ideal if on a slow pipe, but it's not a bad route if traveling with just a work laptop or the like.

Rebooting to a Linux install for limited-scope browsing with NoScript, et al. is not inconvenient to me, since reboots are so fast in today's era (even without systemd...).
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 11:16 pm

DrCR wrote:
Re Linux live CD thumbdrive, use a distro that requires root/sudo to mount, and it becomes irrelevant that it has direct access to the real hardware (unless of course the exploit even manages to do a user account escalation attack).

Ubuntu live images (at least... haven't checked how other distros handle this lately) allow sudo elevation without a password, so the escalation "attack" is trivial. If use of live images for secure browsing ever becomes common, you know malware authors will start exploiting things like this.

DrCR wrote:
Running software updates every time may be less than ideal if on a slow pipe, but it's not a bad route if traveling with just a work laptop or the like.

Yeah, that's somewhat problematic, especially given that your pipe may not only be slow, but metered as well if you're on a mobile connection.

DrCR wrote:
Rebooting to a Linux install for limited-scope browsing with NoScript, et al. is not inconvenient to me, since reboots are so fast in today's era (even without systemd...).

For some people it's not just the OS reboot time though; there's also all the applications you may have open. I tend to have various bits of work-in-progress scattered across multiple virtual desktops. Even if the OS reboots quickly, it's still a PITA to get everything back to the way it was.

I guess I'm just not getting why a VM isn't a better solution. If you're worried about an infection persisting from one session to the next, use VM snapshots or run a live image in the VM.
Nostalgia isn't what it used to be.
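
Added example, not part of any post in this thread: a defender-side check for the two live-image exposures raised above, namely internal volumes that sit unencrypted on disk and sudo that needs no password. The function names and the sample `lsblk` output are constructed for illustration; only `disk` and `part` devices are examined (LVM and RAID layouts are not covered).

```shell
#!/bin/sh
# Audit, from inside a live session, which internal volumes are readable
# without a key, and whether sudo asks for a password at all.

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,RM` output (not real data).
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" RM="0"
NAME="sda1" TYPE="part" FSTYPE="vfat" RM="0"
NAME="sda2" TYPE="part" FSTYPE="ntfs" RM="0"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" RM="0"
NAME="sdb" TYPE="disk" FSTYPE="iso9660" RM="1"
NAME="loop0" TYPE="loop" FSTYPE="squashfs" RM="0"'

# Read lsblk key="value" pairs on stdin and print "name fstype" for every
# internal (RM=0) disk or partition holding a plain filesystem, i.e. one
# that root in the live session could mount and read.
exposed_volumes() {
    awk '
    # Extract the value of one KEY="value" pair; the leading space keeps
    # TYPE from matching inside FSTYPE whatever the column order is.
    function val(key,    line) {
        line = " " $0
        if (match(line, " " key "=\"[^\"]*\""))
            return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return ""
    }
    {
        type = val("TYPE"); fs = val("FSTYPE")
        if (type != "disk" && type != "part") next    # skip loop, rom, crypt
        if (val("RM") != "0") next                    # skip removable media (the live USB)
        if (fs == "" || fs == "swap") next            # nothing mountable
        if (fs == "crypto_LUKS" || fs == "BitLocker") next   # encrypted at rest
        print val("NAME"), fs
    }'
}

# Succeeds when sudo works without a password; `sudo -n` fails rather
# than prompting when one is required.
sudo_is_passwordless() {
    command -v sudo >/dev/null 2>&1 && sudo -n true 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    # Real check on the running system.
    lsblk -P -o NAME,TYPE,FSTYPE,RM | exposed_volumes
    if sudo_is_passwordless; then
        echo "sudo: no password required, so the volumes above are mountable"
    fi
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_LSBLK" | exposed_volumes
fi
```

Run with `--live` inside the booted live image to check the real machine; without arguments it only processes the constructed sample.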
 
LostCat
Minister of Gerbil Affairs
Posts: 2107
Joined: Thu Aug 26, 2004 6:18 am
Location: Earth

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 11:23 pm

just brew it! wrote:
I guess I'm just not getting why a VM isn't a better solution. If you're worried about an infection persisting from one session to the next, use VM snapshots or run a live image in the VM.

Well, there have been vulnerabilities in some VM tech allowing code to jump out the VM IIRC. So it MIGHT be safer, but that depends on the system.

In the end I just don't see the benefit of keeping an extra system maintained just for a few websites when the browser makers do a pretty damn good job of it already.
Meow.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 11:33 pm

LostCat wrote:
just brew it! wrote:
I guess I'm just not getting why a VM isn't a better solution. If you're worried about an infection persisting from one session to the next, use VM snapshots or run a live image in the VM.

Well, there have been vulnerabilities in some VM tech allowing code to jump out the VM IIRC. So it MIGHT be safer, but that depends on the system.

Agreed. But as discussed above, a live image running on the bare metal has potential vulnerabilities as well since it has unfettered access to the hardware (by design).

OTOH, a VM can still be vulnerable to a keylogger installed in the host OS... so I guess that's one area where the live image is superior.

LostCat wrote:
In the end I just don't see the benefit of keeping an extra system maintained just for a few websites when the browser makers do a pretty damn good job of it already.

TBH I don't take it to that level of paranoia either. But I tend to do all of my web access from Linux systems, which (AFAIK) are still less of a target due to their low market share. When I'm mobile I also use a remote SOCKS proxy, to obfuscate all of my network traffic from the viewpoint of the local WiFi AP and service provider.
Nostalgia isn't what it used to be.
 
bfg-9000
Gerbil Team Leader
Posts: 242
Joined: Tue Mar 01, 2016 9:17 pm

Re: Yet another reason to "browse" from a Linux VM..

Sun Jun 11, 2017 11:41 pm

just brew it! wrote:
DrCR wrote:
For some people it's not just the OS reboot time though; there's also all the applications you may have open. I tend to have various bits of work-in-progress scattered across multiple virtual desktops. Even if the OS reboots quickly, it's still a PITA to get everything back to the way it was.

Doesn't hibernate work just fine with virtual desktops? Hibernate is the default power option on laptops because the desktop default of hybrid sleep (which is S3 sleep and hibernate) would completely drain the battery before restoring more slowly from a hibernated drive anyway.

I never did understand Windows 10 fast start--it is just hibernate except it logs you off first so you lose all of your windows.
 
CScottG
Graphmaster Gerbil
Topic Author
Posts: 1252
Joined: Fri Dec 01, 2006 9:53 pm

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 1:47 am

Joanna (QubesOS) goes into some of the problems of a "defensive" system in this video:

https://www.youtube.com/watch?v=CqONg8w5nkw


-got to love that thick Slavic accent (..she's from Poland). :D
 
LostCat
Minister of Gerbil Affairs
Posts: 2107
Joined: Thu Aug 26, 2004 6:18 am
Location: Earth

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 2:30 am

bfg-9000 wrote:
I never did understand Windows 10 fast start--it is just hibernate except it logs you off first so you lose all of your windows.

Sounds like a fast start to me.
Meow.
 
NoOne ButMe
Gerbil Elite
Posts: 707
Joined: Fri May 15, 2015 9:31 pm

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 2:59 am

I use Windows 8.1 exclusively for all my emails.
(Windows Phone 8.1 that is)
 
jihadjoe
Gerbil Elite
Posts: 835
Joined: Mon Dec 06, 2010 11:34 am

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 4:32 am

As mentioned before, the exploit requires that:

1) You've already downloaded the PowerPoint file
2) Your version of Office is old enough not to have protected mode, which IIRC means 2003 or older

Gmail normally wouldn't even download the file unless you explicitly click a download button. Otherwise it will just open it up in Google Docs.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 5:38 am

bfg-9000 wrote:
Doesn't hibernate work just fine with virtual desktops? Hibernate is the default power option on laptops because the desktop default of hybrid sleep (which is S3 sleep and hibernate) would completely drain the battery before restoring more slowly from a hibernated drive anyway.

Yes, it does. With 32GB of RAM hibernate/wake isn't exactly speedy though; it takes substantially longer than a full shutdown/reboot cycle! So while it does preserve your state, it's still annoying.
Nostalgia isn't what it used to be.
 
derFunkenstein
Gerbil God
Posts: 25427
Joined: Fri Feb 21, 2003 9:13 pm
Location: Comin' to you directly from the Mothership

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 6:34 am

ozzuneoj wrote:
I haven't even seen anyone use PowerPoint since I was in high school 13 years ago.

I have to use it about 5 times a year. :cry:

NoOne ButMe wrote:
I use Windows 8.1 exclusively for all my emails.
(Windows Phone 8.1 that is)

Now THAT is security through obscurity!
I do not understand what I do. For what I want to do I do not do, but what I hate I do.
Twittering away the day at @TVsBen
 
blahsaysblah
Gerbil Elite
Posts: 581
Joined: Mon Oct 19, 2015 7:35 pm

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 8:00 am

This lists quite a few recent CVEs I had not heard of for escaping from virtual machines.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 8:08 am

derFunkenstein wrote:
ozzuneoj wrote:
I haven't even seen anyone use PowerPoint since I was in high school 13 years ago.

I have to use it about 5 times a year. :cry:

Same. Slides for project reviews. Yuck.
Nostalgia isn't what it used to be.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 9:24 am

just brew it! wrote:
Same. Slides for project reviews. Yuck.

It's what I work from when teaching at FRB-Chicago. Gov't just loves it some PowerPoint.
What we have today is way too much pluribus and not enough unum.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 9:30 am

At least I'm not high up enough on the food chain here to require use of MS Project!
Nostalgia isn't what it used to be.
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: Yet another reason to "browse" from a Linux VM..

Mon Jun 12, 2017 11:07 pm

I'm kind of curious to know more about this strange alternate dimension where the locals don't use PowerPoint. Corporations love it, academia loves it, governments love it, and the military *really* loves it. What am I overlooking here?

Anyway, this seems like one of those "if you get this far you're already pwned" sort of things. As JBI alluded to, all bets are off when it comes to loading binary files of dubious origin regardless of the OS in question.
