For those of you worried about this, I tested it at work and it was blocked by our Software Restriction Policy that I put in place just a few weeks ago.
The execution of %TEMP%\PAYLOAD.EXE was blocked.
I highly urge everyone to deploy a strong Software Restriction Policy in whitelist mode. It catches everything we've thrown at it so far.
The SalesOrder.rtf file is safe to try at work. All it does is lock your workstation. It should work behind Software Restriction Policy and Microsoft AppLocker (and Citrix Application thingy).
> The DLL file hasn't been kept up to date. For example, you can use .PS1
(PowerShell) embeds without any security warning. There's a lot of file
types now you can execute code with without warning, basically.
That's a poor example. Powershell scripts won't execute by default at all, and a lot of enterprise customers will only execute scripts signed by the internal CA.
Off the top of my head I cannot think of too many new ways of running executable code. Microsoft has only been removing them, not adding news ones. Powershell is one of the few new ones and is designed from the ground up expressly not to allow this type of thing.
It depends on the system. I've had installs where I had to enable execution, remote execution, and unsigned execution. Other systems run network-based scripts without any complaint.
I've love to know a scenario where OLE is actually used today. It might have made sense in the early 90's pre-Internet & HTML computer world but really has no use today and is just a massive security hole. Seems like it should have just been completely removed (see also Vista's desktop gadgets, which were actually removed and disabled after realizing they were a huge security issue too).
The basic idea was great - copy some cells out of Excel and paste them into Word. You can put your sales statistics into your end-of-quarter report.
Then they added linking, so when the spreadsheet was updated, your report would update too. So you could make the report early, let Accounting update the spreadsheet, then just let the report auto-update.
I'm pretty sure Outlook uses the Word rendering engine. And dragging documents into Outlook is one of the ways to attach/embed a file into the email. So I'm pretty sure this still leverages that code.
I'm actually guessing this is almost everywhere. Maybe it didn't get put into Vista (where a number of security enhancements like the 2-level model aka UAC elevation got made) but it's still all over Office. I wonder if IE is impacted.
In the past I've used OLE regularly for Excel spreadsheets in AutoCAD drawings. Nothing else came close in terms of ease and reliability or standardization. OLE is a powerful technology and the complaint tastes a bit like "no one should use JavaScript because of XSS" on the palette. I mean just think what malicious input can do If passed to python in the shell.
Unrelated to Microsoft Office, I wrote a Perl utility that would run QXDM (telecom call testing software) via OLE in order to automate the initiation and answering of cellphone calls (think drive-testing or load-testing a cellular network). It was quite useful. Qualcomm, who licenses QXDM, had a fairly good reference document for the OLE interface to the program.
I don't know how much it shares w/ OLE compound documents, but OLE for Process Control (OPC, now retroactively renamed to "Open Platform Communications") is very common in multi-vendor SCADA environments.
Might be misremembering, but I think there's a variant of it used heavily in industrial automation (eg factories). It was a standard that you had to buy for a significant sum of money. The friend in embedded design that told me didn't like it but many groups used it. Can't remember what it's called...
Past that, it's probably just there to make legacy software work like so many other problem-causing, Windows features. :)
I've love to know a scenario where OLE is actually used today.
Does it play no part in all of the [Clojure/Python/other langauge]-in-Excel posts that tend to get a decent number of upvotes here?
Maybe I'm mistaken about that - but it could have powered the kind of uber-notebook-in-Emacs packages that seem to be gaining popularity lately - twenty years ago.
OLE the technology is rather fundamental to custom controls and a whole load of other things. You could probably remove all OLE embedding from Word documents and not break too many use cases, but in other applications it may be more important.
I didn't see anything in that post to give me the feeling that code is being executed automatically. While I would concede that requiring the user to click on something inside the "payload" document isn't a high bar to achieve it is different than automatic code execution upon opening the document.
Someone still needs to click the thing to execute it.
Clicking any executable in windows will launch it.
I really can't see the difference that makes this so bad.
User clicks executable in office it launches....
vs
User clicks executable in explorer(or other software) it launches....
Does the same exploit work on Wine? It has its own implementation of packager.dll, which doesn't seem to have any blacklist. What happens if for instance Wine is being used to run Microsoft Office?
Apple stopped patching Leopard (released in 2007) by 2011 and stopped supporting IOS 5 (released in 2011) just this year. Google is just starting to ditch support for Ice Cream Sandwich (released in 2011).
Why should Microsoft continue to support office below 2007?
Ha, I didn't know this still existed. I 'hacked' our school PCs running Windows 3.11 using this technique.
The sysadmin locked down every possible way to run executables apart from those he exposed in Program Manager. Of course, everyone had Word. Simply embedding an OLE object let me run any exe.
Wow, this takes me back. I remember getting in trouble at school as a kid for using this to attach executable code to e-mails and bypass all the warnings and filters. That must've been, ooh, about a decade and a half ago now. I'm shocked it still works in our modern security-aware age.
[+] [-] RKearney|10 years ago|reply
The execution of %TEMP%\PAYLOAD.EXE was blocked.
I highly urge everyone to deploy a strong Software Restriction Policy in whitelist mode. It catches everything we've thrown at it so far.
[+] [-] huhtenberg|10 years ago|reply
https://msdn.microsoft.com/en-us/library/dd548340%28v=ws.10%...
and I would guess it's very closely related to SRP -
https://technet.microsoft.com/en-us/library/ee424371%28v=ws....
[+] [-] gossitd|10 years ago|reply
The SalesOrder.rtf file is safe to try at work. All it does is lock your workstation. It should work behind Software Restriction Policy and Microsoft AppLocker (and Citrix Application thingy).
[+] [-] stephengillie|10 years ago|reply
[+] [-] reiichiroh|10 years ago|reply
[+] [-] UnoriginalGuy|10 years ago|reply
That's a poor example. Powershell scripts won't execute by default at all, and a lot of enterprise customers will only execute scripts signed by the internal CA.
Off the top of my head I cannot think of too many new ways of running executable code. Microsoft has only been removing them, not adding news ones. Powershell is one of the few new ones and is designed from the ground up expressly not to allow this type of thing.
[+] [-] scott_karana|10 years ago|reply
Which is why he specifically said "powershell embeds without any security warning", I suspect. :|
https://blog.netspi.com/15-ways-to-bypass-the-powershell-exe...
[+] [-] stephengillie|10 years ago|reply
[+] [-] tdicola|10 years ago|reply
[+] [-] stephengillie|10 years ago|reply
Then they added linking, so when the spreadsheet was updated, your report would update too. So you could make the report early, let Accounting update the spreadsheet, then just let the report auto-update.
I'm pretty sure Outlook uses the Word rendering engine. And dragging documents into Outlook is one of the ways to attach/embed a file into the email. So I'm pretty sure this still leverages that code.
I'm actually guessing this is almost everywhere. Maybe it didn't get put into Vista (where a number of security enhancements like the 2-level model aka UAC elevation got made) but it's still all over Office. I wonder if IE is impacted.
[+] [-] brudgers|10 years ago|reply
[+] [-] clebio|10 years ago|reply
I spent some time trying to automation Powerpoint and Excel creation via Python, which is based vaguely on the capability: http://clebio.github.io/pythonOfficePresentation.html
Unrelated to Microsoft Office, I wrote a Perl utility that would run QXDM (telecom call testing software) via OLE in order to automate the initiation and answering of cellphone calls (think drive-testing or load-testing a cellular network). It was quite useful. Qualcomm, who licenses QXDM, had a fairly good reference document for the OLE interface to the program.
[+] [-] EvanAnderson|10 years ago|reply
[+] [-] mxmauro|10 years ago|reply
COM/DCOM, where OLE rests, can be very secure if they are properly used.
By the way, OLE is used widely mainly in Microsoft products.
[+] [-] nickpsecurity|10 years ago|reply
Past that, it's probably just there to make legacy software work like so many other problem-causing, Windows features. :)
[+] [-] WalterGR|10 years ago|reply
Maybe I'm mistaken about that - but it could have powered the kind of uber-notebook-in-Emacs packages that seem to be gaining popularity lately - twenty years ago.
[+] [-] pjc50|10 years ago|reply
[+] [-] orf|10 years ago|reply
- They used a static list of file extensions to blacklist
- This hasn't been kept up to date, powershell scripts are automatically executed
- There is no way to disable it
- Embedded files are executed within a trusted directory
I'm guessing Microsoft has to tread very lightly when messing with OLE, I bet a lot of legacy software from large Microsoft customers uses it.
[+] [-] EvanAnderson|10 years ago|reply
[+] [-] UnoriginalGuy|10 years ago|reply
Powershell won't execute AT ALL by default. You have to enable execution. And it certainly won't execute automatically, the user has to click to run.
[+] [-] r00fus|10 years ago|reply
[+] [-] callesgg|10 years ago|reply
User clicks executable in office it launches....
vs
User clicks executable in explorer(or other software) it launches....
[+] [-] nikbackm|10 years ago|reply
[+] [-] cesarb|10 years ago|reply
[+] [-] orionblastar|10 years ago|reply
All the more reason to use OpenOffice.Org or LibreOffice.
[+] [-] therobot24|10 years ago|reply
Why should Microsoft continue to support office below 2007?
[+] [-] cwyers|10 years ago|reply
[+] [-] andzt|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] drsim|10 years ago|reply
The sysadmin locked down every possible way to run executables apart from those he exposed in Program Manager. Of course, everyone had Word. Simply embedding an OLE object let me run any exe.
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] makomk|10 years ago|reply
[+] [-] girvo|10 years ago|reply