What every Windows customer should know about last week’s deluge of malware

    It’s been a crazy week. Last Monday we learned about the Word zero-day that uses a booby-trapped Word DOC attached to an email message to infect machines. Then, on Friday, came the deluge of exploits collectively identified with their leaker, Shadow Brokers, which appear to originate with the US National Security Agency.

    In both cases, many of us thought the sky was falling on Windows users — the exploits touch all versions of Windows, all versions of Office. Now we have more insight and the situation isn’t as bad as was first thought. Here’s what you need to know.

    Word zero-day

    As I explained last Monday, the Word zero-day takes over your PC when you open an infected Word document attached to an email. The attack takes place from inside Word, so it doesn’t matter which email program you’re using, or even which version of Windows.

    In a twist I’ve never seen before, subsequent research into the exploit revealed that it was first used by suspected nation-state attackers, but was then incorporated into garden-variety malware. Zach Whittaker on ZDNet and Dan Goodin on Ars Technica report that the exploit was originally used in January to hack Russian targets — but the same code snippet turned up in a Dridex banking malware email campaign from last week. Exploits aimed at the spooky set rarely get unleashed on the world at large, but this one is a big exception.

    In theory, in order to block the exploit’s path, you have to apply both the April Office security patch for your version of Office and the April Windows patch for your version of Windows (for Windows 7 or 8.1, either the April Monthly Rollup or the April Security-only patch; for Windows 10, the April cumulative update). That’s a big problem for a lot of folks because the April patches — 210 security patches, 644 in all — are causing all sorts of mayhem.

    Be of good cheer. I’m seeing verification from all over the web — including our own AskWoody Lounge — that you can avoid infection by sticking with Word’s Protected View Mode (in Word, click File > Options > Trust Center > Trust Center Settings and check Protected View). Protected View Mode is enabled by default in Word 2010 and later, but Word 2007 and earlier don’t have Protected View. (Thanks to anonymous tipster.) See screenshot.

    If you click “Enable Editing,” the malware fires automatically — you don’t need to do anything more. If you open an attached DOC from Gmail, it’s harmless, unless you download the file, open the DOC in Word and then click Enable Editing.
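Since the whole defense here rests on Protected View staying switched on, it is worth checking that nobody (or no stray Group Policy) has turned it off. The script below is an added example, not code from the original post or from Microsoft. It assumes the registry locations Word uses for the Trust Center settings: the values DisableAttachmentsInPV, DisableInternetFilesInPV and DisableUnsafeLocationsInPV under ...\Word\Security\ProtectedView, where a value of 1 means Protected View is OFF for that trigger and a missing value means the default (ON). Word 2007 (version 12.0) has no Protected View at all, so it is reported rather than checked.

```powershell
# Added example (not from the original post): audit Word's Protected View settings
# for each installed Word version and, with -Enforce, put the user-level settings
# back to the default (Protected View ON). Policy-level overrides are reported only.
# Assumption: value name = 1 means "Protected View OFF" for that trigger category.
param([switch]$Enforce)

$versions   = [ordered]@{ '12.0' = 'Word 2007'; '14.0' = 'Word 2010'; '15.0' = 'Word 2013'; '16.0' = 'Word 2016' }
$valueNames = 'DisableAttachmentsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV'

function Test-WordProtectedView {
    param([string]$Version, [string]$Name)

    # Word 2007 and earlier: no Protected View exists, so attachments open fully live.
    if ([double]$Version -lt 14.0) {
        return [pscustomobject]@{ Word = $Name; Scope = 'n/a'; Setting = 'n/a'; ProtectedView = 'NOT AVAILABLE' }
    }

    $scopes = @{
        # What the Trust Center dialog writes when a user unticks a Protected View box
        User   = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\ProtectedView"
        # What Group Policy writes; wins over the user setting
        Policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\Word\Security\ProtectedView"
    }

    foreach ($scope in $scopes.Keys) {
        $path = $scopes[$scope]
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($valueName in $valueNames) {
            $v = $props.$valueName
            if ($null -eq $v -or [int]$v -ne 1) { continue }   # absent or 0 = Protected View ON

            if ($Enforce -and $scope -eq 'User') {
                # Removing the value restores Word's default (ON) for that trigger
                Remove-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
                $state = 'RESTORED'
            } else {
                $state = 'OFF'
            }
            [pscustomobject]@{ Word = $Name; Scope = $scope; Setting = $valueName; ProtectedView = $state }
        }
    }
}

foreach ($version in $versions.Keys) {
    # Only report versions that are actually present for this user
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$version\Word")) { continue }
    $findings = @(Test-WordProtectedView -Version $version -Name $versions[$version])
    if ($findings.Count -eq 0) {
        [pscustomobject]@{ Word = $versions[$version]; Scope = 'User/Policy'; Setting = 'all'; ProtectedView = 'ON' }
    } else {
        $findings
    }
}
```

Run it as the user who opens the mail (the settings live under HKCU). An entry with Scope = Policy and ProtectedView = OFF means an administrator has disabled Protected View centrally; the script deliberately does not fight Group Policy, since the policy would simply reapply at the next refresh.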

    Moral of the story: Use Gmail. Failing that, don’t click Enable Editing. If you have to edit the file, and don’t want to use Google Docs, move it over to OneDrive and use Word Online. Details in this How-To Geek article by Chris Hoffman.

    Shadow Brokers last gasp

    The Shadow Brokers hacks originally appeared to harbor all sorts of zero-days across all versions of Windows, but as last weekend wore on, we found that wasn’t even close to the truth. Security researcher Efrain Torres kindly provided the information in the screenshot to show that the currently supported versions of Windows are (nearly) immune.


    To paraphrase, the MS17-010 patch released last month closes the SMB holes the exploits use on Windows Vista and later. NT and XP users can kiss their bits goodbye.

    Late Friday night, Microsoft offered the following analysis:

    Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

    Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

    (It appears as if “Eskimo Roll” is misspelled.)

    There’s a lot of speculation online that the NSA, in fact, fed Microsoft a list of security holes well in advance of last Friday’s Shadow Brokers disclosure — early enough for Microsoft to fix the SMB-related problems last month, in the March Patch Tuesday batch. The known timing certainly supports that theory, or a variation on it: As Dan Goodin reported in January, Shadow Brokers started dropping hacking tools after they failed to sell their cache for 10,000 bitcoins (currently worth US$12 million).

    The follow-up offer for the remaining exploits at 750 BTC fell on deaf ears. Did the NSA figure out what was still in the unreported cache and slip the info to Microsoft? Did Microsoft buy the remaining cache? Did Shadow Brokers turn gray hat and beam advance warning to Microsoft? Was an early peek at all the troubles the main reason we didn’t see patches in February? There are lots of possible explanations, but I doubt that we’ll ever know for sure.

    Bottom line: If you have last month’s MS17-010 installed, you’re fine. According to the KB 4013389 article, that includes any of these KB numbers:

    • 4012598 MS17-010: Description of the security update for Windows SMB Server: March 14, 2017
    • 4012216 March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2
    • 4012213 March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
    • 4012217 March 2017 Security Monthly Quality Rollup for Windows Server 2012
    • 4012214 March 2017 Security Only Quality Update for Windows Server 2012
    • 4012215 March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
    • 4012212 March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
    • 4013429 March 13, 2017—KB4013429 (OS Build 933)
    • 4012606 March 14, 2017—KB4012606 (OS Build 17312)
    • 4013198 March 14, 2017—KB4013198 (OS Build 830)

    It appears to me that the above info has a mistake — the KB 4013429 patch for Win10 Anniversary Update runs the build number up to 14393.953. I don’t see any reference to 14393.933.
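To turn the KB list above into something you can actually run on a machine, here is an added example (not code from the original post or from Microsoft). It looks for the KB numbers the post lists and, for the Windows 10 Anniversary Update, uses the 14393.953 build floor quoted above. One caveat it handles: a machine that took a Monthly Rollup later than March 2017 contains the fix but will not show a March KB ID, so "no March KB found" is reported as UNVERIFIED rather than as missing. The build-number threshold for unsupported versions (anything below Vista's 6000) is an assumption based on the post's statement that XP and older get no fix.

```powershell
# Added example (not from the original post): report whether this machine carries
# MS17-010, using the KB IDs listed in the post plus the 14393.953 build floor for
# the Windows 10 Anniversary Update (KB4013429).
$ms17010Kbs = @(
    'KB4012598',                # standalone SMB Server update (Vista / Server 2008)
    'KB4012216', 'KB4012213',   # Win 8.1 / Server 2012 R2: Monthly Rollup, Security-only
    'KB4012217', 'KB4012214',   # Server 2012: Monthly Rollup, Security-only
    'KB4012215', 'KB4012212',   # Win 7 SP1 / Server 2008 R2 SP1: Monthly Rollup, Security-only
    'KB4013429', 'KB4012606', 'KB4013198'   # Windows 10 March 2017 cumulative updates
)

function Get-Ms17010Status {
    # Get-HotFix lists installed updates by KB ID; Win7/8.1 Security-only patches stay
    # listed forever, Monthly Rollups get superseded by later rollups.
    $matching = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID })

    # Build number and "update build revision" (UBR) tell us where a Win10 box sits
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuild
    $ubr   = if ($null -ne $ver.UBR) { [int]$ver.UBR } else { 0 }

    $status = if ($matching.Count -gt 0) { 'PATCHED' } else { 'UNVERIFIED (no March KB listed; a later rollup may contain the fix)' }

    # Windows 10 1607: any build at or past 14393.953 includes KB4013429, even if a
    # later cumulative update has since replaced it in the hotfix list.
    if ($build -eq 14393 -and $ubr -ge 953) { $status = 'PATCHED' }

    # Assumption: builds below Vista (6000) are XP / Server 2003 era, which the post
    # says received no MS17-010 fix.
    if ($build -lt 6000) { $status = 'UNSUPPORTED (no MS17-010 available)' }

    [pscustomobject]@{
        OSBuild     = "$build.$ubr"
        MatchingKBs = ($matching.HotFixID -join ', ')
        Status      = $status
    }
}

Get-Ms17010Status | Format-List
```

On a Windows 7 box that took only the March Security-only patch, you should see KB4012212 in MatchingKBs and Status = PATCHED; on a Windows 10 1607 box the OSBuild line is the thing to read, since the KB list may already have moved on.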

    What you need to do, to stay safe

    If you have to use Outlook and Windows, and you receive an email with a DOC file attached, don’t click the Enable Editing box in Protected View. (Different versions of Outlook, Outlook.com, and the Windows UWP Mail app all behave a bit differently.) As an alternative, use Gmail, because DOC attachments in Gmail open in a viewer-only mode. If you have to edit the DOC, go through Word Online where a bad DOC will detonate in the cloud.

    If you didn’t get caught up on March’s Windows patches, make sure you install MS17-010. For Win7 and 8.1, you can use either the Monthly Rollup or the Security-Only version. For Win10, you may be able to roust out a copy of KB 4013429 for the Anniversary Update, which moves to build 14393.953. (See comments.) You don’t — repeat, don’t — need to install the April patch mess.


    Oh boy. Now it looks like it’s possible to bypass Office Protected View. Thanks to MrBrian. It’s not clear to me if that bypass can occur with Outlook.com or Outlook 2016 preview panes – but I bet Protected View can be bypassed in Windows 10 Mail.

    Hang on. The story continues. In the interim, it’s by far simpler and safer to open attached DOCs using Gmail. That kicks the DOC into a Google Docs viewer which can’t execute anything.