In 1992: "You know what would be great? If we could embed executable code in a Word document."
'Fully undetectable' Windows backdoor gets detected
SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming. More significantly, the malware may backdoor your Windows system by masquerading as part of the update process. Tomer Bar, director of security research at SafeBreach, explains in …
COMMENTS
Tuesday 18th October 2022 20:44 GMT J. Cook
And the wheel of reincarnation strikes again...
And mainly because using the OLE Automation hooks is hard and requires additional time and effort to build to.
And as we can all see, no one at Adobe looked at Microsoft's problem with it and said "hey, let's embed a scripting engine into our PDF viewer which will let miscreants do the same exact thing!!!"
Tuesday 18th October 2022 21:01 GMT DS999
To be fair
Windows didn't support networking back then, so the only attack vector was sneakernet.
The real crime wasn't adding that functionality 30 years ago, it was maintaining their support for it once it became known what a big problem it was. They could have and should have deprecated it long ago.
Wednesday 19th October 2022 09:16 GMT Blazde
Re: To be fair
Almost the first time I used Windows was to print a WordBasic laden Word doc over the Netware network to a shared printer.
Typically you'd also want to surreptitiously delete a few big print-jobs belonging to others ahead of you in the queue, so it is fair to say security wasn't THE top priority back then.
Tuesday 18th October 2022 22:35 GMT jake
Re: To be fair
"Windows didn't support networking back then"
DOS had internal networking ability starting with PC-DOS 3.1, released in March of '85. The DOS shell called "Windows 1.0" was released to manufacturing in November of '95. DOS networking worked just fine while Windows was running from the year dot (not that anybody cared in the early days).
"They could have and should have deprecated it (executables embedded in documents) long ago."
I'd say it should never have been done in the first place. The obvious security headache is obvious.
Tuesday 18th October 2022 21:10 GMT Jou (Mxyzptlk)
Actually, as those scripts are written, the actual powershell code could be hidden in any file. .PNG, .JPEG, .ODF and so on. And since many file formats are actually renamed zip files (hello ODF DOCX JAR etc etc) you can include whatever in such a zip file.
The Word document is just the easiest way since you cannot fix dumb. Including dumb implementation from M$, making the "activate script" button huge, but the safe "don't" button small. But what to expect from the UI designers of Windows 8.0 and Windows 11...
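The point above that a DOCX is just a renamed zip can be checked directly from the defender's side. The following is an added example, not code from any commenter or from the article: it opens an OOXML package in memory, flags a VBA project part (vbaProject.bin or the matching content type) and lists any part whose extension is not normally found in such a package. The sample documents are constructed inside the script; the file names and the expected-extension list are my own assumptions for illustration.

```python
import io
import zipfile
from typing import List, Optional

# OOXML part names that hold a VBA macro project.
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
# Content type that [Content_Types].xml assigns to a VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions normally seen inside an OOXML package (assumed list); anything else deserves a look.
EXPECTED_SUFFIXES = (".xml", ".rels", ".png", ".jpeg", ".jpg", ".gif", ".emf", ".wmf", ".bin")


def inspect_ooxml(data: bytes) -> List[str]:
    """Return findings for a zip-based Office document supplied as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip container"]
    names = zf.namelist()
    lower = {n.lower(): n for n in names}  # part names are case-insensitive in practice
    for part in sorted(MACRO_PARTS):
        if part in lower:
            findings.append(f"macro project present: {lower[part]}")
    ct = lower.get("[content_types].xml")
    if ct and VBA_CONTENT_TYPE.encode() in zf.read(ct):
        findings.append("content types declare a VBA project")
    for n in names:
        if not n.lower().endswith(EXPECTED_SUFFIXES):
            findings.append(f"unexpected part: {n}")
    return findings


def build_sample(with_macro: bool, stray: Optional[str] = None) -> bytes:
    """Construct a minimal docx-shaped zip in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE header stub
        if stray:
            zf.writestr(stray, "constructed stray part, not a document part")
    return buf.getvalue()
```

A clean sample yields no findings; a sample built with `build_sample(True, "word/media/notes.ps1")` reports the macro part, the content-type declaration and the stray part.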
Thursday 20th October 2022 13:07 GMT John Brown (no body)
"The word document is just the easiest way since you cannot fix dumb. Including dumb implementation from M$, making the "activate script" button huge, but the save "don't" button small. But what to expect from the UI designers of Windows 8.0 and Windows 11..."
Yep, and the easiest way to get a "mark" to activate the script is to make the script do something "useful", e.g. to make the relevant text actually display. A bit like those websites that show a blank screen if you have scripting blocked and may show some plain text stating "please enable scripting to view this site".
Wednesday 19th October 2022 07:22 GMT amanfromMars 1
Totally Deluded'R'Us are in AI a Busted Flush*
In 1992: "You know what would be great? If we could embed executable code in a Word document." ..... Steve Graham
Eric Arthur Blair, aka George Orwell of 1984 and Animal Farm fame, had that well sussed in 1948, Steve, and provides to even this day the premium primary ace tablet/platform/methodology to mimic and champion if an illuminating Order out of CHAOS and/or Thirty-third Degree Ordo ab Chao Aficionado or Acolyte, Disciple or Fanatic, Follower or Leader which easily identifies all of those terrifying and terrorising third parties and their financing leaderships in direct opposition to and active competition against changes which don't leave current running present traditional and past supporting historical conventional Status Quo administrations in their advantageous positions rendering them believing themselves immune from the consequences of their actions claiming impunity.
It is why Status Quo Systems' Media Controlling Machines do not permit and provide for free viewer and captive listener input/output suggesting an alternative view with novel solutions for ancient problems/future radical changes to entrenched ignorant difficult positions/troubling persistent activities.
Heaven forbid that the world and his dog have a common leading voice to be heard and realised which doesn’t agree with that of just a catastrophically psychotic few appears to be their mantra and Casus Belli.
And if that is not changed as quick as a flash, as it can be nowadays with that which is available to that and those so enabled by machines controlled by loving fingertips, there be Immaculately Resourced Assets and Universal Virtual Force type Troubles ahead for such Status Quo Systems’ Machine Commanders and Controllers, for more of the same is no longer acceptable when enough is enough is not heeded and turns toxic and destructive.
If you find anything there ambiguous, please share your anxiety here so that any misunderstandings you might have can be addressed and qualitatively eased and shared further afield for greater enlightenment and education elsewhere too.
* ... A potential flush which ultimately was not filled. Anything which ends up worthless despite great potential.
Wednesday 19th October 2022 08:28 GMT Anonymous Coward
Spotted in the wild!
I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning. They have zero-trust and Ringfencing (I won't mention the name of it for fear of shill accusations) so although the Macro ran, it didn't make it outside of Excel.
A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this folks!
Wednesday 19th October 2022 09:54 GMT Anonymous Coward
Programs add value by allowing users/business to customize. The issue is with the user/business and protection offered by the environment.
Else: Let's kill all functionality for everyone.
The whole point of IT is to enable productivity. Just need to secure the environment
Idea: Stop letting users access the general internet, restrict to trusted business partners.
Just use some control!!!!!!!
I ride a motorcycle. If I don't wear the gear and maintain the bike, I can expect to get hurt.
Wednesday 19th October 2022 12:30 GMT amanfromMars 1
And what an absolutely ridiculous idea for IT too.
Idea: Stop letting users access the general internet, restrict to trusted business partners.
Just use some control!!!!!!! ...... Anonymous Coward
The only business partners one can trust are those one can control absolutely ..... therefore there can be no trusted business partners to restrict, AC.
Thursday 20th October 2022 20:03 GMT Jou (Mxyzptlk)
Re: would the intrusion work if you ran libre office instead?
> Just curious if using Libre Office generically protects you
Only if you install the latest update. They just fixed a security hole which allowed a very Very VERY easy exploit. A simple <iframe src='macro:Shell("whatever")'></iframe> was enough. Including Linux and Mac.
Saturday 22nd October 2022 10:54 GMT IGotOut
Re: Not windows use here
Normally you have to get past the prompts along the lines of "this is from an untrusted source and could be dangerous" and THEN you have to allow macros.
But these are the same people that enter credit card details to aamazzonn.com and wonder what those strange transactions are.