#Stuxnet precursor still in the wild. Are you a carrier?

Middle East Cyber War

Did Iran figure out the exploit, has the magic turned on the magician, forcing Microsoft to issue an alert, or is this just (MS) window-dressing for the nuke talks?

Given the close date of the next Patch Tuesday for November, we […] will probably have to wait until December – Wolfgang Kandek, CTO, Qualys, Inc

Since we knew about this attack vector for a couple of years (at least) why did they wait so long? Whatever, if you didn’t already think about how this might affect you, or those you are directly or indirectly connected to, best to take some precautions.

What to do if, like the embargoed Iranians, you OR your contacts use older versions of MS Office, MS Word, and Windows:

  1. Set your email reader to NOT display images by default, since apparently this code tries to run even when only previewing email messages.
  2. Do NOT send MS Word files as email attachments. Convert to plain text, RTF, WordPad, etc (NOT PDF) or share using an online application. Better yet, paste the plain text into your email.
  3. Do NOT preview, open, or forward MS Word file attachments.
  4. Microsoft is encouraging customers concerned with the risk associated with this vulnerability to deploy two fixes.

More details:

Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component that affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010 – in other words, the older versions of software organizations in Iran are likely to be stuck with because of the sanctions against supplying technology to the regime – and all supported versions of Microsoft Lync. Microsoft is aware of targeted attacks, largely in the Middle East and South Asia, that attempt to exploit this vulnerability in Microsoft Office products that affects customers using them.

The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
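Because the bug is triggered by TIFF data reaching the graphics component (whether the attachment is a bare TIFF, an image embedded in an Office document, or inline in a legacy binary file), a mail gateway or endpoint script can quarantine anything that carries TIFF bytes until the patch lands. The following is an added example (not code from the post or from Microsoft) of that check: it recognises the two TIFF byte-order signatures, looks inside OOXML containers such as .docx for TIFF members, and falls back to scanning raw bytes for legacy formats. The helper names, the quarantine verdict structure and the sample attachments are all constructed for this example.

```python
from __future__ import annotations

import io
import zipfile

# A TIFF file starts with a byte-order mark ("II" little-endian, "MM" big-endian)
# followed by the magic number 42 written in that byte order.
TIFF_SIGNATURES = (b"II*\x00", b"MM\x00*")


def is_tiff(data: bytes) -> bool:
    """True when the blob itself begins with a TIFF header."""
    return data[:4] in TIFF_SIGNATURES


def tiff_offsets(data: bytes) -> list[int]:
    """Offsets of every TIFF header found anywhere in a blob.

    Legacy binary formats (.doc OLE files, RTF with hex-encoded pictures that
    were already decoded, etc.) carry images inline, so a plain byte scan is
    the fallback when the container is not a ZIP archive.
    """
    hits: list[int] = []
    for sig in TIFF_SIGNATURES:
        start = 0
        while (idx := data.find(sig, start)) != -1:
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def tiff_members(data: bytes) -> list[str]:
    """Names of ZIP members (e.g. word/media/* in a .docx) whose content is TIFF."""
    found: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    if is_tiff(fh.read(4)):
                        found.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not an OOXML/ZIP container; caller falls back to a raw scan
    return found


def assess_attachment(name: str, data: bytes) -> dict:
    """Verdict for one mail attachment: quarantine anything carrying TIFF bytes."""
    reasons: list[str] = []
    if is_tiff(data):
        reasons.append("attachment is a TIFF image")
    members = tiff_members(data)
    if members:
        reasons.append("embedded TIFF in OOXML member(s): " + ", ".join(members))
    elif not is_tiff(data):
        offsets = tiff_offsets(data)
        if offsets:
            reasons.append(f"TIFF header(s) inside binary at offset(s) {offsets}")
    return {"name": name, "quarantine": bool(reasons), "reasons": reasons}


def build_sample_docx() -> bytes:
    """Constructed .docx-like archive with one embedded TIFF image (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.tiff", b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8)
    return buf.getvalue()


# Constructed legacy blob: an OLE compound-file header followed by a TIFF header.
SAMPLE_LEGACY_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 8
)


def demo() -> list[dict]:
    """Run the check over the constructed samples and return the verdicts."""
    samples = [
        ("report.docx", build_sample_docx()),
        ("memo.doc", SAMPLE_LEGACY_DOC),
        ("scan.tiff", b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 8),
        ("notes.txt", b"plain text, no images here"),
    ]
    return [assess_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The scan is deliberately format-agnostic: it does not try to parse the TIFF itself (that is exactly the code path under attack), it only decides whether TIFF data is present and lets policy decide what to do with the message. Run it on a mail spool export or an attachment quarantine directory to find what would have been delivered.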


In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.

