Microsoft: Hackers Exploiting Unpatched Office Flaw

Microsoft today issued stopgap instructions for plugging a previously unknown security hole that hackers are currently using to break into Windows computers via the Internet Explorer (IE) Web browser.

The problem, once again, is with a faulty ActiveX control. ActiveX is a Windows technology that works through IE and allows Web sites to add software to the user's computer or interact with components in the Windows operating system. In this case, the insecure component is an ActiveX control called "Snapshot Viewer," which ships with all versions of Microsoft Office 2000, Office 2002, and Office 2003. The flawed ActiveX control is also shipped with the standalone Snapshot Viewer.

Microsoft warns that merely browsing with IE to a malicious (or hacked) Web site that exploits this vulnerability could be enough to compromise your system. So far, Redmond says it is seeing only "limited, targeted attacks" leveraging the vulnerability.

But, of course, that situation could change at any time. One way to avoid worrying about these attacks is to use an alternative browser, such as Firefox or Opera. For those who wish to continue browsing with IE, Microsoft suggests a couple of workarounds.

One approach involves changing the default security level of IE's Internet Zone to "high," and/or disabling active scripting in the browser. This approach will likely disable JavaScript on many Web sites, some of which may load strangely or simply fail to work altogether after this change.

Microsoft also offers a less painful solution that doesn't fix the underlying vulnerability but prevents it from being exploited via IE. While logged in under an administrator account, open up Notepad (Start, Programs, Accessories, Notepad), and then cut and paste the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

It doesn't matter what name you give the file when you save it, as long as the file name ends in ".reg" (so, for example, you might name it "fix.reg", without the double quotes, of course). Once you've saved the file, double-click on it, and click "yes" when asked if you want to add the information to the Windows registry.
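
A read-only check that the workaround above took effect, as an added example (not part of the original article or of Microsoft's advisory): it reads the three keys from the .reg text and reports whether bit 0x400, the ActiveX "kill bit", is set in "Compatibility Flags". The function name Get-KillBitStatus is hypothetical, and the Wow6432Node path is an assumption that matters only on 64-bit Windows, where 32-bit IE reads that registry view.

```powershell
# Added example: audit the Snapshot Viewer workaround. Reads the registry only.

$KillBit = 0x400   # value the article's .reg file writes to "Compatibility Flags"

# CLSIDs copied from the .reg text in the article.
$Clsids = @(
    '{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}',
    '{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}',
    '{F2175210-368C-11D0-AD81-00A0C90DC8D9}'
)

# The key from the article, plus the 32-bit view used by 32-bit IE on
# 64-bit Windows (assumption: absent on 32-bit systems, so it is skipped there).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in $Clsids) {
            $key   = Join-Path $root $clsid
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                # A missing value yields no object instead of an error.
                $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                            -ErrorAction SilentlyContinue
                if ($item) { $flags = $item.'Compatibility Flags' }
            }
            [pscustomobject]@{
                View    = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Clsid   = $clsid
                Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { 'not set' }
                # Test the bit rather than equality: other flag bits may be present.
                Blocked = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

Get-KillBitStatus | Format-Table -AutoSize
```

Any row with Blocked = False means IE can still instantiate that control from the corresponding registry view.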

By Brian Krebs  |  July 7, 2008; 5:23 PM ET
Categories: Fraud, Latest Warnings, New Patches, Safety Tips

Comments

Do you really need "Windows Registry Editor Version 5.00" at the top?

Posted by: Larry | July 8, 2008 5:16 AM

It's obsolete anyway. The best fix is to erase MSware from your system. This will protect you from the next MSware bug before it is even announced. And remember, the RNC consistently uses these exploits for 6-12 months before they are "discovered". Microsoft has a back door between Windows and the RNC so all Windows users around the world can be manipulated by the Bushies.

Try OpenOffice.org. Yes, you can still read and write files compatible with MS with it. For example if you want to send a Word document to Karl Rove's email at the RNC because they don't know how to use OpenOffice at the RNC, you can still do it with OpenOffice, so there is no reason to keep Word on your system anymore.

Or try a compact editor like emacs.

http://www.odfalliance.org

Posted by: Singing Senator | July 8, 2008 8:45 AM

Personally I don't think 'using other software' is really a solution for the most part. At least not in large environments where it is very difficult to manage from a system administrator's aspect.

All the software mentioned also has problems at times. Serious ones. Of course for the short term you have to do what you gotta do to protect yourself.

What Microsoft needs to do is take a step back and look at their ActiveX technology and at the very least make it easier for people to implement a workaround. Tell users they need to:

Click on this
Click on that
uncheck this
hit next and then close

ActiveX controls should be easier to disable than to have to make users change their registry. So how does the user undo the registry changes recommended by Microsoft after this is fixed? You get my point I hope. Brian, this isn't to your article. This is a message to Microsoftie. :)

Posted by: David Taylor | July 8, 2008 9:18 AM

ROTFLMBO!!!

Anyone who still uses IE as their browser is a moron who deserves to get hacked! Only the US Government is still dumb enough to trust Micro-Sith software.

Posted by: Nofluer | July 8, 2008 9:18 AM

What's funny about this is that now every average Joe is going to be editing his registry and thinking that they are doing something "good" for the IT department. And every person in the IT department is cringing at this posting while every IT manager is now slapping his head and quickly sitting down to type out an email to the users saying "STOP! DON'T TAKE IT UPON YOURSELF TO EDIT YOUR REGISTRY!!"

Posted by: Eric | July 8, 2008 9:26 AM

You're saying that those of us who have delayed upgrading from Office 97 (my wife) or took the plunge to the latest Office 2007 (myself) don't have to worry?

Did MS patch this problem in Office 2007 and creating it with Office 2000?

LOL

PS: since your column is read by many with limited computer skills, advise your readers to be cautious about messing around with the registry or calling tech support.

Posted by: Stan Brager | July 8, 2008 11:31 AM

The points in every post above are well taken - even though there is a conflict between not using MS applications and the impracticality of the same for many.

Posted by: Arlington | July 8, 2008 11:38 AM

I use Windows Vista - Ultimate and Office 2007.

I have received pop up messages over about the last 5 months that say "An attack on your computer have been blocked".

The pop up messages also display an IP address and the type of computer that made the attack.

I do not think that I visited questionable sites that could have caused the attacks on my computer?

Is snapshot viewer also included with Office 2007 that could be causing the attacks?

Posted by: Dave | July 8, 2008 11:54 AM

@Stan- actually, your copy of Office 97 may be vulnerable as well. Microsoft didn't say in its advisory: only that all *supported* versions of Office (except Office 2007) were affected. No idea if this vulnerable viewer component is included in 97, but it probably is.

Posted by: Bk | July 8, 2008 12:02 PM

Instead of Microsoft devising new operating systems, they should be putting all their effort into debugging all the existing systems. I'm quite happy with Windows XP and don't want or need to invest in Vista just to line Gates's and others' pockets. Why not develop the existing programs and support them for ever? I know that commercially that is not the way Microsoft wants to go, but Bill has shown them the way by opting out and becoming a philanthropist, good for him, he should have done it a decade ago and taken all his fellow directors with him.
Richard

Posted by: Richard Myers | July 8, 2008 5:04 PM

Instead of hacking the registry:

WinPatrol?
http://www.winpatrolflash.com/

AXHelper?
http://www.nirsoft.net/utils/axhelper.html

Eric wrote:
>>And every person in the IT department is cringing at this posting while every IT manager is now slapping his head and quickly sitting down to type out an email to the users saying "STOP! DON'T TAKE IT UPON YOURSELF TO EDIT YOUR REGISTRY!!"

One might reasonably ask why these IT departments and IT managers didn't remove such tools as regedit and regedt32 from Windows instances in the first place.

Posted by: Mark Odell | July 8, 2008 6:45 PM

"One might reasonably ask why these IT departments and IT managers didn't remove such tools as regedit and regedt32 from Windows instances in the first place."

Well, now that would make it a bit hard to work on the local machine now, wouldn't it?

More to the point would be why an admin wouldn't restrict access to it via the user's account.

Posted by: Charles Decker | July 8, 2008 6:52 PM

You may also want to read the below which was written just before this story broke. There are a host of known and un-patched bugs in Internet Explorer. From a Defensive Computing standpoint, Firefox is the better way to go.

Still more reasons to avoid Internet Explorer
http://news.cnet.com/8301-13554_3-9984277-33.html

Posted by: Michael Horowitz | July 9, 2008 10:54 AM

I recently installed the latest security update for XP from MS. Upon restarting, my system forced a start in "safe mode" and would not allow any other restart choice. After the third time of restoring to a prior point, I have ignored the "urgent need to update my system". Any reason that this has happened and has this affected others?

Posted by: pakrat8 | July 9, 2008 12:10 PM

Dear "Dave"

Just connecting your computer to the Internet makes it vulnerable. You don't have to do anything. You don't have to have any software. Luckily, keeping your firewall on and updates will help block attacks (as you've seen). Disconnecting your computer from the Internet will also limit the opportunities for attack. (FYI, just because your browser's not open doesn't mean you're not connected to the Internet!)

Comments like yours scare me because it reminds me that many users buy and use computers without understanding the threats, much less how to protect themselves. I take comfort, at least, that you read this column. Hopefully it will help you not be a victim (or a zombie sending me spam).

Posted by: infosec grrrl | July 9, 2008 4:22 PM

REFpakrat8_above

I. Yes: (2) XP secur-updtes Tues070908 ==>
(a) at required restart --
lost mouse & USRobotics adaptor for land-line phone-->Skype.
(b) after second reboot, no server connection msg for internet connection via IE, Firefox, & VMware Player running Linux appliance. Mouse/USR adaptor then ok. Keyboard twice sent machine into flaky-ozone at "s" entry.
II. MS put a checkpoint BEFORE applying these updates. SystemRestore to that chkpoint worked.

III. Possibility: I use Zone Alarm Pro:
Security-Fix: "Patch (The Entire Internet) Tuesday," "It appears that the Microsoft patch for this DNS vulnerability (KB951748/MS08-037) is already creating problems for some Zone Alarm Firewall users. ZoneAlarm advises users who are experiencing problems after installing the update to uninstall the Microsoft patch for the time being."

Posted by: MPNC | July 10, 2008 1:52 AM

Dear MPNC or anyone who can help,
Regarding MPNC's 7/10/08 1:52AM posting above, how do I "uninstall the Microsoft patch." I am a Zone Alarm Firewall user. Ever since I did the "Updates are available for your computer" thing a few days ago, I haven't been able to access the internet. Am I correct in assuming the "update" I installed is what people are referring to as the "Microsoft patch?"

Posted by: Bob in Crystal Lake | July 10, 2008 7:51 PM

All ZoneAlarm users are affected - ZA has put out its own update to deal with the conflict.

http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html

Posted by: RobinD | July 11, 2008 1:34 PM


© 2010 The Washington Post Company