Posted on April 17th, 2017 at 13:41 Comment on the AskWoody Lounge
It’s been a crazy week. Last Monday we learned about the Word zero-day that uses a booby-trapped Word DOC attached to an email message to infect machines. Then, on Friday, came the deluge of exploits collectively identified with their leaker, Shadow Brokers, which appear to originate with the US National Security Agency.
In both cases, many of us thought the sky was falling on Windows users — the exploits touch all versions of Windows, all versions of Office. Now we have more insight and the situation isn’t as bad as was first thought. Here’s what you need to know.
As I explained last Monday, the Word zero-day takes over your PC when you open an infected Word document attached to an email. The attack takes place from inside Word, so it doesn’t matter which email program you’re using, or even which version of Windows.
In a twist I’ve never seen before, subsequent research into the exploit revealed that it was first used by suspected nation-state attackers, but was then incorporated into garden-variety malware. Zach Whittaker on ZDNet and Dan Goodin on Ars Technica report that the exploit was originally used in January to hack Russian targets — but the same code snippet turned up in a Dridex banking malware email campaign from last week. Exploits aimed at the spooky set rarely get unleashed on the world at large, but this one is a big exception.
In theory, in order to block the exploit’s path, you have to apply both the appropriate April Office security patch and either the Windows 7 or 8.1 April Monthly Rollup or the April Security-only patch, or the Windows 10 April cumulative update. That’s a big problem for a lot of folks because the April patches — 210 security patches, 644 in all — are causing all sorts of mayhem.
Be of good cheer. I’m seeing verification from all over the web — including our own AskWoody Lounge — that you can avoid infection by sticking with Word’s Protected View Mode (in Word, click File > Options > Trust Center > Trust Center Settings and check Protected View). Protected View Mode is enabled by default in Word 2010 and later, but Word 2007 and earlier don’t have Protected View. (Thanks to anonymous tipster.) See screenshot.
If you click “Enable Editing,” the malware fires automatically — you don’t need to do anything more. If you open an attached DOC from Gmail, it’s harmless, unless you download the file, then open the DOC in Word and then click Enable Editing.
Moral of the story: Use Gmail. Failing that, don’t click Enable Editing. If you have to edit the file, and don’t want to use Google Docs, move it over to OneDrive and use Word Online. Details in this How-To Geek article by Chris Hoffman.
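The Protected View setting described above also lives in the registry, so it can be audited without clicking through each copy of Word. The following PowerShell script is an added example, not from this post: it assumes Word 2010/2013/2016 (Office 14.0/15.0/16.0) and the standard ProtectedView DWORD names, and lists any user or Group Policy override that turns Protected View off for one of the file sources the Word zero-day arrives through.

```powershell
# Added example, not from the AskWoody post: list any per-user or policy override that
# turns Word's Protected View off for one of the sources the zero-day arrives through.
# Assumes Word 2010/2013/2016 (Office 14.0/15.0/16.0) and the standard ProtectedView
# DWORD names; a value of 1 means that source is EXCLUDED from Protected View.
# "DisableAttachementsInPV" is spelled that way in the registry by Microsoft.
$versions = '14.0', '15.0', '16.0'
$sources = @{
    DisableAttachementsInPV    = 'Outlook attachments'
    DisableInternetFilesInPV   = 'files from the Internet (Mark of the Web)'
    DisableUnsafeLocationsInPV = 'files in potentially unsafe locations'
}

function Get-ProtectedViewOverrides {
    foreach ($v in $versions) {
        # The Policies key is written by Group Policy and wins over the user preference.
        $keys = @(
            "HKCU:\Software\Policies\Microsoft\Office\$v\Word\Security\ProtectedView",
            "HKCU:\Software\Microsoft\Office\$v\Word\Security\ProtectedView"
        )
        foreach ($k in $keys) {
            if (-not (Test-Path $k)) { continue }
            $props = Get-ItemProperty -Path $k
            foreach ($name in $sources.Keys) {
                $val = $props.$name
                if ($null -eq $val) { continue }     # not set: Office default (PV on)
                [pscustomobject]@{
                    Office        = $v
                    Scope         = $(if ($k -like '*\Policies\*') { 'policy' } else { 'user' })
                    Source        = $sources[$name]
                    ProtectedView = $(if ($val -eq 1) { 'DISABLED' } else { 'enabled' })
                }
            }
        }
    }
}

$overrides = @(Get-ProtectedViewOverrides)
if ($overrides.Count -eq 0) {
    'No ProtectedView overrides found; Word 2010 and later open these files in Protected View by default.'
} else {
    $overrides | Format-Table -AutoSize
}
```

Any row showing DISABLED for "Outlook attachments" means a booby-trapped DOC from email would open straight into editing mode on that account.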
Shadow Brokers’ last gasp
The Shadow Brokers hacks originally appeared to harbor all sorts of zero-days across all versions of Windows, but as last weekend wore on, we found that wasn’t even close to the truth. Security researcher Efrain Torres kindly provided the information in the screenshot to show that the currently supported versions of Windows are (nearly) immune.
To paraphrase, the MS17-010 patch released last month fixes all of the exploits in Windows Vista and later. NT and XP users can kiss their bits goodbye.
Late Friday night, Microsoft offered the following analysis:
Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.
Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.
(It appears as if “Eskimo Roll” is misspelled.)
There’s a lot of speculation online that the NSA, in fact, fed Microsoft a list of security holes well in advance of last Friday’s Shadow Brokers disclosure — early enough for Microsoft to fix the SMB-related problems last month, in the March Patch Tuesday batch. The known timing certainly supports that theory, or a variation on it: As Dan Goodin reported in January, Shadow Brokers started dropping hacking tools after they failed to sell their cache for 10,000 bitcoins (currently worth US$12 million).
The follow-up offer for the remaining exploits at 750 BTC fell on deaf ears. Did the NSA figure out what was still in the unreported cache and slip the info to Microsoft? Did Microsoft buy the remaining cache? Did Shadow Brokers turn gray hat and beam advance warning to Microsoft? Was an early peek at all the troubles the main reason we didn’t see patches in February? There are lots of possible explanations, but I doubt that we’ll ever know for sure.
- 4012598 MS17-010: Description of the security update for Windows SMB Server: March 14, 2017
- 4012216 March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2
- 4012213 March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
- 4012217 March 2017 Security Monthly Quality Rollup for Windows Server 2012
- 4012214 March 2017 Security Only Quality Update for Windows Server 2012
- 4012215 March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
- 4012212 March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
- 4013429 March 13, 2017—KB4013429 (OS Build 933)
- 4012606 March 14, 2017—KB4012606 (OS Build 17312)
- 4013198 March 14, 2017—KB4013198 (OS Build 830)
It appears to me that the above info has a mistake — the KB 4013429 patch for Win10 Anniversary Update runs the build number up to 14393.953. I don’t see any reference to 14393.933.
What you need to do, to stay safe
If you have to use Outlook and Windows, and you receive an email with a DOC file attached, don’t click the Enable Editing box in Protected View. (Different versions of Outlook, Outlook.com, and the Windows UWP Mail app all behave a bit differently.) As an alternative, use Gmail, because DOC attachments in Gmail open in a viewer-only mode. If you have to edit the DOC, go through Word Online where a bad DOC will detonate in the cloud.
If you didn’t get caught up on March’s Windows patches, make sure you install MS17-010. For Win7 and 8.1, you can use either the Monthly Rollup or the Security-Only version. For Win10, you may be able to roust out a copy of KB 4013429 for the Anniversary Update, which moves to build 14393.953. (See comments.) You don’t — repeat, don’t — need to install the April patch mess.
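To check whether a machine already has the March MS17-010 fix before deciding about the April patches, the following PowerShell script is an added example, not from this post. It uses only the KB numbers quoted above; for Windows 10, where later cumulative updates replace earlier ones in the installed-updates list, it also compares the build revision against the ones the post gives (14393.953 per the correction above, plus 10240.17312 and 10586.830 from Microsoft's list).

```powershell
# Added example, not from the AskWoody post: report whether this machine has the
# March 2017 MS17-010 fix, using the KB numbers and Windows 10 build revisions the
# post quotes (14393.953 per the author's correction, not .933).
$ms17010Kbs = @(
    'KB4012598',                 # SMB Server security update (Vista / Server 2008)
    'KB4012216', 'KB4012213',    # Windows 8.1 / Server 2012 R2: rollup / security-only
    'KB4012217', 'KB4012214',    # Windows Server 2012: rollup / security-only
    'KB4012215', 'KB4012212',    # Windows 7 SP1 / Server 2008 R2 SP1: rollup / security-only
    'KB4013429', 'KB4012606', 'KB4013198'   # Windows 10 cumulative updates
)
# Windows 10 cumulative updates supersede each other, so on 1507/1511/1607 the build
# revision (UBR) is the reliable signal. Other Win10 builds are judged by KB only.
$win10MinRevision = @{ '10240' = 17312; '10586' = 830; '14393' = 953 }

function Test-MS17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($ms17010Kbs | Where-Object { $installed -contains $_ })

    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = $ver.CurrentBuild
    $ubr   = $ver.UBR            # present on Windows 10; absent on Windows 7/8.1
    $byBuild = $false
    if ($null -ne $ubr -and $win10MinRevision.ContainsKey($build)) {
        $byBuild = [int]$ubr -ge $win10MinRevision[$build]
    }

    [pscustomobject]@{
        OSBuild        = $(if ($null -ne $ubr) { "$build.$ubr" } else { $build })
        MatchedKB      = ($hits -join ', ')
        PatchedByBuild = $byBuild
        Patched        = ($hits.Count -gt 0) -or $byBuild
    }
}

$result = Test-MS17010Installed
$result | Format-List
if (-not $result.Patched) {
    Write-Warning 'No MS17-010 update found by KB or build; apply the March patch before exposing SMB.'
}
```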
Oh boy. Now it looks like it’s possible to bypass Office Protected View. Thx to MrBrian. It’s not clear to me if that bypass can occur with Outlook.com or Outlook 2016 preview panes – but I bet Protected View can be bypassed in Windows 10 Mail.
Hang on. The story continues. In the interim, it’s by far simpler and safer to open attached DOCs using Gmail. That kicks the DOC into a Google Docs viewer which can’t execute anything.
Posted on April 17th, 2017 at 09:02
See my InfoWorld slideshow for the Top 30. It was hard narrowing down the choices!
Do you have a favorite I missed? Post it in the Tools forum.
Posted on April 17th, 2017 at 05:11
Creators Update has all the problems you’ve come to expect from Windows 10 version upgrades — freezes, rollbacks, wonky user interface elements and the like. There are good general lists on WindowsReport and DigitalTrends and plenty of ancillary material here in the Lounge comments (link above). Also check my Windows 10 install problems — and how to solve them.
I’m particularly looking for bugs that are a bit meatier.
As you hit bugs, please post them on the AskWoody Lounge (link above). I’ll give them a quick once-over and promote the best ones to the main blog.
- Creators Update breaks the Logitech BRIO camera (the one that’s supposed to support Windows Hello). Fix on the Logitech web site.
- Intel Clover Trail processors (Atom Z2760, 2520, 2560, 2580) are not supported. Post from MS on the Microsoft Answers Forum.
- From Softpedia (I haven’t been able to confirm independently): Windows 10 Creators Update Installation Blocked by Toshiba Display Utility. But it may not be a problem (@rpodric).
- Moved Special Folders again appear to cause W10 upgrade problems; this time it’s only dupes/ghosts appearing (@satrow).
- Anonymous complaint that System Restore is disabled.
- Stuck “Low Battery” notification window.
- Various Night Light problems.
- Green screen when upgrading a fresh Win10 Anniversary Update machine to Creators Update (@teroalhonen).
- DISM doesn’t work; throws error 0x800f081f.
- Persistent yellow warning triangle on Defender.
- Edge crashes (many and various).
- Odd one-off report of an 8 GB Verbatim Store ‘N’ Go USB drive failure.
- When installing the Windows ADK on 1703 with Secure Boot enabled, you get a bogus warning that a “digitally signed driver is required.”
- Gibberish in many applications.
- Nahimic audio software doesn’t work.
- Driver incompatibilities: older NVIDIA drivers; the new NVIDIA driver 381.65 is buggy, so use 378.92; DTS encoding on Realtek; Wi-Fi drivers on the Dell Inspiron 640m and Lenovo T500. Note that Creators Update does not work on many older systems, even systems that worked with Anniversary Update. (Thx, EP) Also the Broadcom Bluetooth LE driver, the Broadcom 440x 100/Integrated Ethernet/LAN Controller Network Adapter, and Microsoft’s Bluetooth Arc Touch mouse.
Posted on April 17th, 2017 at 03:26
The exploit appears in a Word doc attached to an email message. When you open the doc, it has an embedded link that retrieves an executable HTML file which looks like an RTF file. Apparently, all of that happens automatically.
The downloaded file loads a decoy that looks like a document, so the user thinks they’re looking at a doc. It then stops the Word program to hide a warning that would normally appear because of the link.
Very clever. It works on all versions of Windows, including Win10. It works on all versions of Office, including Office 2016.
Good overview by Dan Goodin at Ars Technica.
Technical analysis by Genwei Jiang at FireEye.
FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.
Likely cause of the rush to disclose from Haifei Li at McAfee.
- Do not open any Office files obtained from untrusted locations.
- According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
More details in my InfoWorld Woody on Windows post.