back to article Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft

In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines. The vulnerability, CVE-2021-40444, is described as a hole in MSHTML, Internet Explorer's browser engine. Miscreants are seemingly placing a malicious …

  1. Anonymous Coward
    Anonymous Coward

    "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

    Why has Microsoft made it so easy (and sometimes necessary) to run as an administrator rather than as a user with limited permissions? This makes every exploit potentially more dangerous.

    1. Anonymous Coward
      Anonymous Coward

      Microsoft actively try to prevent users running as admin with UAC. It is the many crappy 3rd party apps that try to write places they shouldn't that lead people to run as administrator. Even then, it isn't usually required. You just need to identify which bits of the filesystem and registry they are trying to write to and adjust permissions as required. However, the vendor will just tell you to run as admin.

      An unfortunate side effect of UAC are applications like Chrome or Slack that by default download and run from user profiles. Microsoft are guilty of this as well with things like Teams. There are machine wide installers for most of these if you take the effort to find them. We normally just block executables from running from profiles.

      1. Mobster

        I do not think Microsoft is off the hook when it comes to needing admin privileges for many everyday things in Windows. Just look at printing, especially after the latest printnightmare patch.

      2. Pascal Monett Silver badge

        "You just need to identify which bits of the filesystem and registry they are trying to write to and adjust permissions as required "

        Well yeah, sure, everyone knows how to do that, right ? What's the problem ?

        </sarc>

        The problem is that the vast majority of PC users are people who's job is not sysadmin, and their priorities are elsewhere. To them, the PC is a tool, and they just want to be able to do what it is they want to do.

        The Registry ? They might have heard the name, but they're not interested.

        So Admin access because otherwise either they go crazy, or the poor helpdesk guy (be it family or professional) is tied up over the phone all the damn day long.

        1. Anonymous Coward
          Anonymous Coward

          "You just need to identify which bits of the filesystem and registry they are trying to write to and adjust permissions as required "

          Well yeah, sure, everyone knows how to do that, right ? What's the problem ?

          -

          Not arguing with you. Most people don't know how to do this, so it is my job to fix it for them in a business environment. Other sysadmins should make the effort as well, but too many just grant admin access because that is what the app vendor tells them.

          Yes, for home users, this is a bigger problem.

          The main criticism is the app vendors who could easily put things in the correct place and this problem wouldn't exist.

          Windows has the toolset to be deployed securely and managed properly. If you take the effort to implement security policies, OS hardening templates and proper role based administration. All of these are available and widely documented.

          Don't blame the OS for so called admins who are too lazy to do their job properly. If you find an application that needs deploying, analyse it properly and deploy as securely as possible. Don't just chuck it at machines and click next -> next -> next.

      3. Anonymous Coward
        Anonymous Coward

        You're going very easy on MS here. They created this. UAC was their attempt to reverse the direction of their creation.

    2. hayzoos

      Incredible! It's even worst than I imagined.

      Not only did MS make it easy to to run as admin and in some instances necessary, upon installation, the first account created for the primary user was an admin account. I know this could be altered with a custom install configuration, I did so. I, like many others wanted to blame lazy developers for requiring admin rights to run their software. But, MS actions encouraged this behavior in spite of the MS narrative discouraging it. I had a job where nobody's daily use account was allowed admin rights, even developers, gasp. It took a bit of work, but I never found admin rights required. System administration did not even require admin rights all the time. Unfortunately, the default became having admin rights and the "fix" UAC. Guess what, having admin rights a piece of malware could circumvent UAC. Funny how that works. I no longer do Windows regularly so I do not know if all is as it was, but knowing MS and Windows from the beginning, I bet it is largely as it was at the core.

  2. Paul Hovnanian Silver badge

    It think it is because there is too much stuff in Windows that has to be tweaked 'on the fly' to get work done. So Windows is set up not to treat 'admin' as a separate user (where you'd have to close your work, log off and then log on as admin) but an attribute you can attach to a normal user. Just to nudge the OS along as a normal part of your work flow.

    *NIXes encourage you to think things through and get everything properly configured as a separate process.

    1. Anonymous Coward
      Anonymous Coward

      "Windows is set up not to treat 'admin' as a separate user"

      Wrong. It was designed like this from day one (NT was anyway, forget about Windows 95/98/ME).

      The problem was people didn't want to run as a non admin user because they didn't want to have to log off and back on to change settings, so just ended up running as an admin user all the time. This led MS to implement UAC.

      1. Mobster

        Microsoft could have easily alleviated this by providing an easy admin role tool, some equivalent of sudo or su. runas did not exist back then.

        1. Doctor Syntax Silver badge

          And by asking for a password su and sudo act as a slight reminder that this is serious stuff. Somewhat diluted, of course, by the Ubuntu approach of the sudo password being your own instead of root's.

        2. Sandtitz Silver badge
          Holmes

          "Microsoft could have easily alleviated this by providing an easy admin role tool, some equivalent of sudo or su. runas did not exist back then."

          Windows 2000 already came with runas.

          NT4 had a separate Resource Kit, which included SU.EXE.

      2. gerdesj Silver badge
        Windows

        "Wrong"

        NT prompted you for a password for the only account it created by default at setup - Administrator.

      3. John Brown (no body) Silver badge

        "The problem was people didn't want to run as a non admin user because they didn't want to have to log off and back on to change settings, so just ended up running as an admin user all the time. This led MS to implement UAC."

        Of course, if the settings the user needed to change only affected their own account and were stored in their own part of the registry or a settings directory off the users home directory, it would no longer be a problem and UAC would not be needed.

      4. Robert Carnegie Silver badge

        Don't forget about Windows 95/98/ME. That platform didn't have user security - but it did have the software that users wanted on a personal machine. And that software wouldn't install on Windows XP except for the Administrator, so the user had to be the Administrator.

    2. Primus Secundus Tertius Silver badge

      @Hovnanian

      "*NIXes encourage you to think things through and get everything properly configured as a separate process."

      Translation: unixes are so obstructive one is forced to resort to Windows, which is relatively easy to use.

      1. Doctor Syntax Silver badge

        Convenience beats security every time. Right up until the security fail turns out to be insurmountably inconvenient.

    3. Joe W Silver badge

      *cogh*

      sudo

      *cough*

      enough "on-the-fly"? No need to log out and log in again. Attach the right to do that to the user account. In fact, many linux distros do allow the main user account to use sudo with basically everything, so people who are just now coming to linux have no clue about what "root" is...

      And on windows I regularly use "run as", because the user I use to do certain things has no login shell (in *nix-terms, don't know how windows calls it, ) - as it should be.

      ok, the AC above covered that, and also that "runas" is a relatively new thing. Didn't know that (and how should I, have not been using windows privately for twenty or so years, and even in the last couple of jobs I could stick to Linux).

      1. Paul Hovnanian Silver badge

        'sudo'

        Not really needed if you plan ahead*. But unlike Windows UAC, I've never seen a 'sudo' popup magically appear in my daily work flow. UAC is, in my opinion, a sign that something is mis-configured or trying to gain access that it really shouldn't have. (No. I'm not installing your codec or viewer just to watch 'Hot Cheerleader Action'. Publish your porn with Flash like all the other sites do.) And that's where my claim of needing to tweak Windows on the fly so often comes from. I don't use Windows personally, but so many people I know that do spend more than insignificant amounts of time 'making the nasty popups go away'.

        *About the only thing I use sudo for is the occasional need to mount an NTFS drive to my Linux box (which requires root).

  3. steamnut

    unbelievable!

    You would have thought that, by now, the number of "holes" in Microsoft Office would be nil. Do they ever review and test their code? You get the impression that the, already bloated, code is just patch and tweaked to add features (that nobody asked for) and there is lots redundant code and API calls just left in place.

    1. A random security guy

      Re: unbelievable!

      It is a structural issue. The most important person in any Microsoft team is the program manager. Their goal is to push through features. If you used any of their API’s you would realize that it be is very easy to crash office. They measure their success based on their ability to push through their particular feature.

      They are better than before but office is its own beast.

      1. Ken Moorhouse Silver badge

        Re: The most important person in any Microsoft team is the program manager.

        He/She was given his/her P45 with XP SP2, according to Wikipedia.

        "Microsoft removed Program Manager from Windows XP Service Pack 2. In Windows Vista, PROGMAN.EXE was removed entirely. "

    2. PRR
      Facepalm

      Re: unbelievable!

      > You would have thought that, by now, the number of "holes" in Microsoft Office would be nil. Do they ever review and test their code?

      You and Everybody should read _Code_Complete_ by Steve McConnell, 1993.

      https://en.wikipedia.org/wiki/Code_Complete

      No, it's not old, because I don't see any evidence that Microsoft culture has changed one bit (so to speak). Aside from aggressive carelessness it documents utter stupidity. Re-naming all routines in a library without telling anybody.

    3. Sandtitz Silver badge
      Facepalm

      Re: unbelievable! Indeed!

      "You would have thought that, by now, the number of "holes" in Microsoft Office would be nil."

      Office is 30 years old, just like Linux. Linux kernel has had 100+ vulnerabilities this year alone.

      If Microsoft and Torvalds had frozen all features back then, perhaps both would be safe to use now.

      Which free-of-defects software products are you using?

  4. A random security guy

    ActiveX still around?

    Shouldn’t the presence of activex be the reason for search engines to red flag these sites?

    1. Doctor Syntax Silver badge

      Re: ActiveX still around?

      When you've been using Unix and Linux for so long it comes as a shock to be reminded that it ever existed, let alone to discover that it still exists.

  5. Mike 137 Silver badge

    "a Microsoft Office document that hosts the browser rendering engine"

    Why on Earth would anyone want to do this? (Not a rhetorical question).

    1. Doctor Syntax Silver badge

      Re: "a Microsoft Office document that hosts the browser rendering engine"

      Because they can.

      All too often the explanation for all manner of stupidity.

    2. vtcodger Silver badge

      Re: "a Microsoft Office document that hosts the browser rendering engine"

      Why on Earth would anyone want to do this? (Not a rhetorical question).

      I've never been entirely clear on all the reasons for ActiveX, but when it was invented in the mid-1990s, it was a way to temporarily download capability from a website to do some job or other. It's still in use because some people/businesses see no reason to change something that is integrated into their processes, works just fine, and is either paid for, or is a known cost that is budgeted for.

      We don't actually need it nowadays because we have have Javascript which is even more capable/dangerous and has the advantage from the malware author POV of being likely to run under any OS, not just Windows.

  6. Ken Moorhouse Silver badge

    In other news...

    Bears...

    ah, forget it... yawn...

  7. msobkow Silver badge

    I got one from "The Google Corpiration" (actual email display name in the message rip) that assured me it would explain all if only I opened the document, but I had been *selected* by The Google Corpiration to receive that document. *LOLOLOLOLOLOL*

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022