"This campaign, 'Detach from Attachments,' urges users to avoid sending or opening email attachments, and to use cloud-based storage to send files like Google Drive as an alternative."
-- Seems an entirely wrong-headed approach - easily defeated as this exploit showed (even a conventional virus could spread download links or even upload more files). Shouldn't the campaign involve avoiding insecure files in insecure format from unknown or unverified sources?
> Shouldn't the campaign involve avoiding insecure files in insecure format from unknown or unverified sources?
That's an interesting question. I think answering in the affirmative is infeasible.
Slightly smarter user behavior is part of the solution, sure, but users should not bear much if any of the burden of determining whether a file is secure (in this case, by remembering what file formats can include an OLE object and whether those are secure to open yet) and whether the many links of authentication all hold.
Oh, I got this message via <channel> from <person>, how do I know <person> actually sent it, or not? Well, <several entities> were involved in <system that delivered it>, do I trust all of them? Oh, I don't need to, because <other systems> authenticated the message. But what's the probability that <person> is either trying to infect me, or has an infected machine that's infecting any <format> files they send me? What other attack vectors are there? The rabbit hole runs deep.
Computers should just work. When a user thinks he got a message from <person> but it's not actually from <person>, that's not the user's fault, but the system's. When a message that the user expects to show him a bunch of pictures (slides from a presentation) actually contains executable code that takes control of his machine, that's not the user's fault for not knowing what the latest CVEs are.
Yes, certainly, computers should be safe. But they aren't. So another less idealistic defense is to teach fear to users. Just as I have to induce fear of cars in my kids (annoyingly necessary), I will tell them to not trust anything coming from computers.
I'm old now and I've been in computers since I was maybe 14, and, believe me or not, I've never told my name to my computer.
Google Drive could be a safer alternative if you actually opened all untrusted files with Google Drive, instead of downloading them and opening them with a local copy of Microsoft Office.
Unfortunately, Google Drive is pretty bad at handling PowerPoint files.
I'm sorry for posting this; I didn't realize I was detracting from the conversation. And since it's too late to delete, I must suffer additional downvotes.
Apparently it was discovered and raised as an exploit, never patched, and never used until today? It makes me wonder how many other known unpatched exploits like this are out in the tall grass.
If this post is being upvoted because of "Tibet" please remember that the US, UK and every other EU member state officially recognize Tibet as part of the sovereign territory of China.
When you're dealing with a state that has the economic clout that China has, and the kinds of hyper-reactive sensitivities that China has about Tibet [1], you tend to defer for the sake of a smoothly functioning global economy, whether you agree with their position or not.
[1] For example, barring people from getting a Chinese visa for life for publicly making pro-Tibet statements.
Another: you need an "internal" visa, issued from within China, to get into Tibet [2]. If you mention on your visa application to get into China in the first place, however, that you want to visit Tibet, your Chinese visa is automatically denied. Essentially, you have to lie to the state about the purpose of your trip, if you want to visit Tibet. No, they don't have any issues there at all...
[2] Unless you're flying into Lhasa from Kathmandu, where you can get a direct-entry visa.