Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft

In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines. The vulnerability, CVE-2021-40444, is described as a hole in MSHTML, Internet Explorer's browser engine. Miscreants are seemingly placing a malicious …
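Added example, not part of the article above: a PowerShell script that audits, and with -Apply sets, the registry workaround Microsoft's advisory for CVE-2021-40444 gave while no patch was available. The workaround disables the download of signed and unsigned ActiveX controls (URL actions 1001 and 1004, value 3 = Disable) in Internet Explorer zones 0 to 3 under the machine-wide policy key. The key path, action IDs and value are as published in that advisory; the script structure and the -Apply switch are my own.

```powershell
# Added example (not from the article): audit and optionally apply the
# "disable ActiveX controls in Internet Explorer" workaround from Microsoft's
# CVE-2021-40444 advisory. Sets URLACTION 1001 (download signed ActiveX
# controls) and 1004 (download unsigned ActiveX controls) to 3 (Disable)
# for zones 0-3. Run elevated. Without -Apply it only reports.
# Roll back by deleting the two values under each zone key once patched.
[CmdletBinding()]
param(
    [switch]$Apply
)

$zonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions   = @{ '1001' = 'Download signed ActiveX controls'
                '1004' = 'Download unsigned ActiveX controls' }
$Disable   = 3

$results = foreach ($zone in 0..3) {
    $key = Join-Path $zonesRoot "$zone"
    if ($Apply -and -not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($action in $actions.Keys) {
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        }
        if ($Apply -and $current -ne $Disable) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord -Value $Disable -Force | Out-Null
            $current = $Disable
        }
        [pscustomobject]@{
            Zone      = $zone
            Action    = "$action ($($actions[$action]))"
            Value     = $current
            Mitigated = ($current -eq $Disable)
        }
    }
}

# A row with Mitigated = False means that zone still permits the download.
$results | Format-Table -AutoSize
```

Two caveats a practitioner would want: the policy key applies to every user on the machine and will also break legitimate ActiveX-dependent intranet sites, and the workaround is a stop-gap, not a substitute for the patch. The same advisory noted that documents opened in Office Protected View (the default for files that arrived from the internet) are not exploitable, so check that users have not been trained to click "Enable Editing".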

  1. Anonymous Coward

    "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

    Why has Microsoft made it so easy (and sometimes necessary) to run as an administrator rather than as a user with limited permissions? This makes every exploit potentially more dangerous.

    1. Anonymous Coward

      Microsoft actively try to prevent users running as admin with UAC. It is the many crappy third-party apps that try to write places they shouldn't that lead people to run as administrator. Even then, it isn't usually required. You just need to identify which bits of the filesystem and registry they are trying to write to and adjust permissions as required. However, the vendor will just tell you to run as admin.

      An unfortunate side effect of UAC is applications like Chrome or Slack that by default download to and run from user profiles. Microsoft are guilty of this as well with things like Teams. There are machine-wide installers for most of these if you take the effort to find them. We normally just block executables from running from profiles.
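Added example, not from the thread: one way to implement the "block executables from running from profiles" control the comment above describes, as an AppLocker policy built and applied from PowerShell. It allows executables from Program Files and the Windows folder, lets Administrators run anything, and denies everything launched from under the user profiles, so the machine-wide installers the comment mentions keep working while per-user installs stop. The rule names, the probe file and the choice of AuditOnly as the default are my assumptions; AppLocker also requires an edition that supports it and the Application Identity service running.

```powershell
# Added example (not from the thread): AppLocker Exe rules that deny anything
# under %OSDRIVE%\Users\* while keeping the usual machine-wide locations allowed.
# The allow rules are essential: once a collection has any rule, AppLocker
# blocks everything that is not explicitly allowed. Defaults to AuditOnly; pass
# -Enforce only after reviewing the 8003 audit events in the AppLocker EXE and
# DLL event log. Run elevated on a box with the Application Identity service.
[CmdletBinding()]
param(
    [switch]$Enforce
)

$mode     = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }
$everyone = 'S-1-1-0'       # well-known SID: Everyone
$admins   = 'S-1-5-32-544'  # well-known SID: BUILTIN\Administrators

function New-PathRule([string]$Name, [string]$Path, [string]$Sid, [string]$Action) {
    # Emits one FilePathRule element; Id must be a fresh GUID per rule.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$(New-PathRule 'Allow Program Files'     '%PROGRAMFILES%\*'  $everyone 'Allow')
$(New-PathRule 'Allow Windows folder'    '%WINDIR%\*'        $everyone 'Allow')
$(New-PathRule 'Allow admins everywhere' '%OSDRIVE%\*'       $admins   'Allow')
$(New-PathRule 'Deny user profiles'      '%OSDRIVE%\Users\*' $everyone 'Deny')
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'block-profile-exe.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Constructed probe: an empty file under the profile (TEMP lives in AppData\Local)
# next to a system binary, to show the decision each path would get.
$probe = Join-Path $env:TEMP 'probe.exe'
New-Item -Path $probe -ItemType File -Force | Out-Null
$probePaths = @($probe, "$env:windir\System32\cmd.exe")

Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probePaths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy so the Script, MSI and DLL collections are untouched.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Deny rules win over allow rules, so the profile deny also catches an admin who is a member of Everyone; scope it to BUILTIN\Users (S-1-5-32-545) if that is not wanted. The allow rule for %WINDIR%\* is the known weak spot of the default rule set, since a few subfolders under Windows (Temp, Tasks) are user-writable; add exceptions for those in the same rule before enforcing.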

      1. Mobster

        I do not think Microsoft is off the hook when it comes to needing admin privileges for many everyday things in Windows. Just look at printing, especially after the latest printnightmare patch.

      2. Pascal Monett Silver badge

        "You just need to identify which bits of the filesystem and registry they are trying to write to and adjust permissions as required "

        Well yeah, sure, everyone knows how to do that, right ? What's the problem ?

        </sarc>

        The problem is that the vast majority of PC users are people whose job is not sysadmin, and their priorities are elsewhere. To them, the PC is a tool, and they just want to be able to do what it is they want to do.

        The Registry ? They might have heard the name, but they're not interested.

        So Admin access because otherwise either they go crazy, or the poor helpdesk guy (be it family or professional) is tied up over the phone all the damn day long.

        1. Anonymous Coward

          "You just need to identify which bits of the filesystem and registry they are trying to write to and adjust permissions as required "

          Well yeah, sure, everyone knows how to do that, right ? What's the problem ?

          -

          Not arguing with you. Most people don't know how to do this, so it is my job to fix it for them in a business environment. Other sysadmins should make the effort as well, but too many just grant admin access because that is what the app vendor tells them.

          Yes, for home users, this is a bigger problem.

          The main criticism is the app vendors who could easily put things in the correct place and this problem wouldn't exist.

          Windows has the toolset to be deployed securely and managed properly, if you take the effort to implement security policies, OS hardening templates and proper role-based administration. All of these are available and widely documented.

          Don't blame the OS for so called admins who are too lazy to do their job properly. If you find an application that needs deploying, analyse it properly and deploy as securely as possible. Don't just chuck it at machines and click next -> next -> next.
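Added example, not from the thread: the "analyse it properly and deploy as securely as possible" step above, in PowerShell. Instead of granting the app's users admin rights, it grants a group Modify on just the filesystem locations and write access on just the registry keys the app insists on writing to. The group name and the LegacyApp paths are placeholders for illustration; the real ones come from running the app as a standard user under Process Monitor (Sysinternals) filtered on Result = ACCESS DENIED.

```powershell
# Added example (not from the thread): narrow ACLs for a legacy app so that a
# standard user can run it. Paths, keys and the group are assumptions; replace
# them with what Process Monitor shows the app actually needs. Run elevated.
# Supports -WhatIf so you can review the changes before they are made.
using namespace System.Security.AccessControl

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $Group     = 'BUILTIN\Users',     # better: a dedicated "LegacyApp Users" group
    [string[]] $FilePaths = @("$env:ProgramFiles\LegacyApp\config",
                              "$env:ProgramFiles\LegacyApp\logs"),
    [string[]] $RegPaths  = @('HKLM:\SOFTWARE\LegacyApp',
                              'HKLM:\SOFTWARE\WOW6432Node\LegacyApp')
)

$inherit   = [InheritanceFlags]'ContainerInherit, ObjectInherit'   # apply to subfolders/subkeys and files/values
$propagate = [PropagationFlags]::None
$allow     = [AccessControlType]::Allow

foreach ($path in $FilePaths) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "skipping missing path $path"; continue }
    # Modify, not FullControl: the app can create, change and delete its own files
    # but cannot change permissions or take ownership of the folder.
    $rule = [FileSystemAccessRule]::new($Group, [FileSystemRights]::Modify, $inherit, $propagate, $allow)
    $acl  = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($path, "grant $Group Modify")) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

# Registry equivalent of Modify: FullControl minus the two rights that would let
# the app (or malware running as the user) widen its own permissions.
$regRights = [RegistryRights]::FullControl -band -bnot ([RegistryRights]::ChangePermissions -bor [RegistryRights]::TakeOwnership)

foreach ($path in $RegPaths) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "skipping missing key $path"; continue }
    $rule = [RegistryAccessRule]::new($Group, $regRights, $inherit, $propagate, $allow)
    $acl  = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($path, "grant $Group write")) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

# Verify: list the explicit (non-inherited) ACEs now held by the group on each location.
foreach ($path in ($FilePaths + $RegPaths)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference -eq $Group -and -not $_.IsInherited } |
        Select-Object @{n='Path'; e={ $path }},
                      IdentityReference,
                      @{n='Rights'; e={ if ($_.FileSystemRights) { $_.FileSystemRights } else { $_.RegistryRights } }},
                      AccessControlType
}
```

Run it once with -WhatIf to see every ACE it would add, then for real. The point of the Process Monitor step is to keep the list short: if the app only ever writes under its own Program Files subfolder and its own HKLM key, those are the only two places that need opening, and a standard user who is phished with a booby-trapped document still has no write access to anything else on the machine.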

      3. Anonymous Coward

        You're going very easy on MS here. They created this. UAC was their attempt to reverse the direction of their creation.

    2. hayzoos

      Incredible! It's even worse than I imagined.

      Not only did MS make it easy to run as admin and in some instances necessary, upon installation, the first account created for the primary user was an admin account. I know this could be altered with a custom install configuration, I did so. I, like many others wanted to blame lazy developers for requiring admin rights to run their software. But, MS actions encouraged this behavior in spite of the MS narrative discouraging it. I had a job where nobody's daily use account was allowed admin rights, even developers, gasp. It took a bit of work, but I never found admin rights required. System administration did not even require admin rights all the time. Unfortunately, the default became having admin rights and the "fix" UAC. Guess what, with admin rights a piece of malware could circumvent UAC. Funny how that works. I no longer do Windows regularly so I do not know if all is as it was, but knowing MS and Windows from the beginning, I bet it is largely as it was at the core.

  2. Paul Hovnanian Silver badge

    I think it is because there is too much stuff in Windows that has to be tweaked 'on the fly' to get work done. So Windows is set up not to treat 'admin' as a separate user (where you'd have to close your work, log off and then log on as admin) but an attribute you can attach to a normal user. Just to nudge the OS along as a normal part of your work flow.

    *NIXes encourage you to think things through and get everything properly configured as a separate process.

    1. Anonymous Coward

      "Windows is set up not to treat 'admin' as a separate user"

      Wrong. It was designed like this from day one (NT was anyway, forget about Windows 95/98/ME).

      The problem was people didn't want to run as a non admin user because they didn't want to have to log off and back on to change settings, so just ended up running as an admin user all the time. This led MS to implement UAC.

      1. Mobster

        Microsoft could have easily alleviated this by providing an easy admin role tool, some equivalent of sudo or su. runas did not exist back then.

        1. Doctor Syntax Silver badge

          And by asking for a password su and sudo act as a slight reminder that this is serious stuff. Somewhat diluted, of course, by the Ubuntu approach of the sudo password being your own instead of root's.

        2. Sandtitz Silver badge

          "Microsoft could have easily alleviated this by providing an easy admin role tool, some equivalent of sudo or su. runas did not exist back then."

          Windows 2000 already came with runas.

          NT4 had a separate Resource Kit, which included SU.EXE.

      2. Anonymous Coward

        "Wrong"

        NT prompted you for a password for the only account it created by default at setup - Administrator.

      3. John Brown (no body) Silver badge

        "The problem was people didn't want to run as a non admin user because they didn't want to have to log off and back on to change settings, so just ended up running as an admin user all the time. This led MS to implement UAC."

        Of course, if the settings the user needed to change only affected their own account and were stored in their own part of the registry or a settings directory off the users home directory, it would no longer be a problem and UAC would not be needed.

      4. Robert Carnegie Silver badge

        Don't forget about Windows 95/98/ME. That platform didn't have user security - but it did have the software that users wanted on a personal machine. And that software wouldn't install on Windows XP except for the Administrator, so the user had to be the Administrator.

    2. Primus Secundus Tertius Silver badge

      @Hovnanian

      "*NIXes encourage you to think things through and get everything properly configured as a separate process."

      Translation: unixes are so obstructive one is forced to resort to Windows, which is relatively easy to use.

      1. Doctor Syntax Silver badge

        Convenience beats security every time. Right up until the security fail turns out to be insurmountably inconvenient.

    3. Joe W Silver badge

      *cough*

      sudo

      *cough*

      enough "on-the-fly"? No need to log out and log in again. Attach the right to do that to the user account. In fact, many linux distros do allow the main user account to use sudo with basically everything, so people who are just now coming to linux have no clue about what "root" is...

      And on Windows I regularly use "run as", because the user I use to do certain things has no login shell (in *nix terms; I don't know what Windows calls it), as it should be.

      ok, the AC above covered that, and also that "runas" is a relatively new thing. Didn't know that (and how should I, have not been using windows privately for twenty or so years, and even in the last couple of jobs I could stick to Linux).

      1. Paul Hovnanian Silver badge

        'sudo'

        Not really needed if you plan ahead*. But unlike Windows UAC, I've never seen a 'sudo' popup magically appear in my daily work flow. UAC is, in my opinion, a sign that something is mis-configured or trying to gain access that it really shouldn't have. (No. I'm not installing your codec or viewer just to watch 'Hot Cheerleader Action'. Publish your porn with Flash like all the other sites do.) And that's where my claim of needing to tweak Windows on the fly so often comes from. I don't use Windows personally, but so many people I know that do spend more than insignificant amounts of time 'making the nasty popups go away'.

        *About the only thing I use sudo for is the occasional need to mount an NTFS drive to my Linux box (which requires root).

  3. steamnut

    unbelievable!

    You would have thought that, by now, the number of "holes" in Microsoft Office would be nil. Do they ever review and test their code? You get the impression that the, already bloated, code is just patched and tweaked to add features (that nobody asked for) and there is lots of redundant code and API calls just left in place.

    1. A random security guy

      Re: unbelievable!

      It is a structural issue. The most important person in any Microsoft team is the program manager. Their goal is to push through features. If you used any of their APIs you would realize that it is very easy to crash Office. They measure their success based on their ability to push through their particular feature.

      They are better than before but office is its own beast.

      1. Ken Moorhouse Silver badge

        Re: The most important person in any Microsoft team is the program manager.

        He/She was given his/her P45 with XP SP2, according to Wikipedia.

        "Microsoft removed Program Manager from Windows XP Service Pack 2. In Windows Vista, PROGMAN.EXE was removed entirely. "

    2. PRR Bronze badge

      Re: unbelievable!

      > You would have thought that, by now, the number of "holes" in Microsoft Office would be nil. Do they ever review and test their code?

      You and Everybody should read _Code_Complete_ by Steve McConnell, 1993.

      https://en.wikipedia.org/wiki/Code_Complete

      No, it's not old, because I don't see any evidence that Microsoft culture has changed one bit (so to speak). Aside from aggressive carelessness it documents utter stupidity. Re-naming all routines in a library without telling anybody.

    3. Sandtitz Silver badge

      Re: unbelievable! Indeed!

      "You would have thought that, by now, the number of "holes" in Microsoft Office would be nil."

      Office is 30 years old, just like Linux. Linux kernel has had 100+ vulnerabilities this year alone.

      If Microsoft and Torvalds had frozen all features back then, perhaps both would be safe to use now.

      Which free-of-defects software products are you using?

  4. A random security guy

    ActiveX still around?

    Shouldn't the presence of ActiveX be the reason for search engines to red flag these sites?

    1. Doctor Syntax Silver badge

      Re: ActiveX still around?

      When you've been using Unix and Linux for so long it comes as a shock to be reminded that it ever existed, let alone to discover that it still exists.

  5. Mike 137 Silver badge

    "a Microsoft Office document that hosts the browser rendering engine"

    Why on Earth would anyone want to do this? (Not a rhetorical question).

    1. Doctor Syntax Silver badge

      Re: "a Microsoft Office document that hosts the browser rendering engine"

      Because they can.

      All too often the explanation for all manner of stupidity.

    2. vtcodger Silver badge

      Re: "a Microsoft Office document that hosts the browser rendering engine"

      Why on Earth would anyone want to do this? (Not a rhetorical question).

      I've never been entirely clear on all the reasons for ActiveX, but when it was invented in the mid-1990s, it was a way to temporarily download capability from a website to do some job or other. It's still in use because some people/businesses see no reason to change something that is integrated into their processes, works just fine, and is either paid for, or is a known cost that is budgeted for.

      We don't actually need it nowadays because we have JavaScript which is even more capable/dangerous and has the advantage from the malware author POV of being likely to run under any OS, not just Windows.

  6. Ken Moorhouse Silver badge

    In other news...

    Bears...

    ah, forget it... yawn...

  7. Anonymous Coward

    I got one from "The Google Corpiration" (actual email display name in the message rip) that assured me it would explain all if only I opened the document, but I had been *selected* by The Google Corpiration to receive that document. *LOLOLOLOLOLOL*
