Alerts

Microsoft Word documents can potentially smuggle in malicious code using embedded web videos, it is claimed. Opening a booby-trapped file, and clicking on the vid, will trigger execution of the code.

In summary, miscreants can leverage this weakness to potentially trick marks into installing malware on their PCs. It’s useful for hackers preying on non-savvy phishing targets, and the like.

Seeing as there is no official patch for the alleged vulnerability, a workaround is to block files with embedded videos, or use other defenses to prevent dodgy documents from compromising systems and networks.

The alleged flaw was flagged up this week by infosec bods at Cymulate, who claimed a lack of safeguards in the way Redmond’s Office 2016 and earlier handle video material opens a door for remote code execution attacks.

“Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios,” Cymulate CTO Avihai Ben-Yossef claimed on Thursday.

“This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file.”

Delivery

So, it works like this: the attacker creates an otherwise normal Word file and, within the text, embeds an online video from YouTube or any other streaming site – the video itself doesn’t matter, here. From there, the attacker unpacks the resulting Docx file, and edits the document.xml file within.

That XML file, the researchers explained, is where the real danger lies. A miscreant can modify the embeddedHTML parameter to redirect the iframe code of the video to any HTML or JavaScript of their choosing.

The .docx is packed up with the twiddled XML code, and sent to a victim, say, via email. When the file is opened in Word, and the mark tricked into clicking on the video iframe, the malicious XML is parsed, sans security warnings, and its malicious code is executed. This could be used to fool people into installing fake Adobe Flash updates that contain spyware.

Microsoft has yet to comment on the claims, nor had a chance to issue a patch or fix, we understand.

In the meantime, to mitigate against this, according to Cymulate, admins can block embedded video or block Word docs that contain an “embeddedHTML” tag. Also, don’t open or trust Word documents from strangers, and don’t run installers that pop up unexpectedly from Office files. ®
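The “embeddedHTML” check described in the mitigation above, as an added example that is not part of the original article or Cymulate’s work: a small Python scanner that opens a .docx package, pulls the embeddedHtml attribute out of word/document.xml, and flags script content or an iframe that points anywhere other than an expected video host. The element name, the trusted-host list and the two sample documents are constructed assumptions for illustration.

```python
import io
import re
import zipfile
from html import unescape
from urllib.parse import urlparse

# Hosts a legitimately embedded video is expected to load from (assumption for this example).
TRUSTED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}

ATTR_RE = re.compile(r'embeddedHtml="([^"]*)"', re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)', re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Open a .docx (a zip) and report what the embeddedHtml attribute in word/document.xml holds."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "word/document.xml" not in zf.namelist():
            return {"has_embedded_html": False, "suspicious": False, "reason": "no document.xml"}
        xml = zf.read("word/document.xml").decode("utf-8", errors="replace")
    match = ATTR_RE.search(xml)
    if not match:
        return {"has_embedded_html": False, "suspicious": False, "reason": "no embeddedHtml"}
    html = unescape(match.group(1))  # the attribute stores XML-escaped HTML
    lowered = html.lower()
    if "<script" in lowered or "javascript:" in lowered:
        return {"has_embedded_html": True, "suspicious": True, "reason": "script content"}
    src = IFRAME_SRC_RE.search(html)
    host = urlparse(src.group(1)).hostname if src else None
    if host not in TRUSTED_VIDEO_HOSTS:
        return {"has_embedded_html": True, "suspicious": True, "reason": f"iframe host {host!r}"}
    return {"has_embedded_html": True, "suspicious": False, "reason": "trusted video iframe"}


def build_docx(document_xml: str) -> bytes:
    """Constructed minimal package containing only the part the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples; the element name is an assumption, only the attribute matters here.
BENIGN = build_docx(
    '<w:document><wp15:webVideoPr embeddedHtml="&lt;iframe src=&quot;'
    'https://www.youtube.com/embed/VIDEO_ID&quot;&gt;&lt;/iframe&gt;"/></w:document>'
)
TAMPERED = build_docx(
    '<w:document><wp15:webVideoPr embeddedHtml="&lt;script&gt;/* placeholder */&lt;/script&gt;"/>'
    '</w:document>'
)
```

A mail gateway or endpoint rule can quarantine anything the scanner marks suspicious, or, following Cymulate’s stricter advice, anything with the attribute present at all.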

Updated to add

Seems Microsoft won’t be addressing this because, as far as it is concerned, the software is working as expected. “The product is properly interpreting HTML as designed – working in the same manner as similar products,” said Jeff Jones, a senior director at Microsoft.

So, as we suggested, don’t open files or links from suspicious or unknown sources, and don’t click to allow stuff to install if anything weird pops up. Meanwhile, apply defense-in-depth mechanisms, and stop compromises from spreading from a single user to the whole network.


The information contained in this website is for general information purposes only. The information is gathered from The Register. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorsement of the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

The Bitcoin Core development team has released an important update to patch a major DDoS vulnerability in its underlying software that could have been fatal to the Bitcoin Network, which is usually known as the most hack-proof and secure blockchain.

The DDoS vulnerability, identified as CVE-2018-17144, has been found in the Bitcoin Core wallet software, which could potentially be exploited by anyone capable of mining BTC to crash Bitcoin Core nodes running software versions 0.14.0 to 0.16.2.

In other words, Bitcoin miners could have brought down the entire blockchain, either by flooding a block with duplicate transactions, blocking the confirmation of other people’s transactions, or by flooding the nodes of the Bitcoin P2P network and exhausting their bandwidth.

The vulnerability had been around since March last year, but the team says nobody noticed the bug or nobody was willing to incur the expense of exploiting it.

According to the bitcoin core developers, all recent versions of the BTC system are possibly vulnerable to the Distributed Denial of Service (DDoS) attacks, though there’s a catch—attacking Bitcoin is not cheap.

The DDoS attack on the BTC network would cost miners 12.5 bitcoins, which is equal to almost $80,000 (68,000 Euro), in order to perform successfully.

The Bitcoin Core team has patched the vulnerability and are urging miners to update with the latest Bitcoin Core 0.16.3 version as soon as possible.

“A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2. It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible,” the vulnerability note reads.

Although the team says that the miners running Bitcoin Core only occasionally are not in danger of such attacks, it would obviously be recommended to upgrade to the latest software version as soon as possible just to be on the safe side.

In addition to the DDoS vulnerability, the latest version also includes patches for a number of minor bugs related to consensus, RPC and other APIs, invalid error flags, and documentation.

After upgrading to the latest version—the process that will take five minutes to half an hour depending upon the processing power of your computer—users should note that the new wallet will have to redownload the entire blockchain.


The information is gathered from The Hacker News.

The GandCrab v5 ransomware has started to use the recently disclosed Task Scheduler ALPC vulnerability to gain System privileges on an infected computer. This vulnerability was recently patched by Microsoft in the September 2018 Patch Tuesday, but as shown by computers still vulnerable to EternalBlue, businesses can be slow to install these updates.

The Task Scheduler ALPC vulnerability is a zero-day that was revealed by a security researcher on Twitter. When used, the vulnerability allows executables to be run with System privileges, which means commands are executed with full administrative privileges.

GandCrab’s use of this vulnerability was first discovered by a malware analyst named Valthek, who posted about it on Twitter. Valthek has told BleepingComputer that this vulnerability appears to be the same one that security researcher Kevin Beaumont posted in his Github repository.

Valthek further told BleepingComputer that this exploit was most likely being used to perform system level commands such as the clearing of Shadow Volume copies and to dynamically create the ransomware’s wallpaper.

Valthek has also seen some odd behavior in some variants. For example, in one variant the ransomware would not run on Windows XP and Windows Vista, but this has since been resolved in newer variants. Newer variants have also switched from an HTML ransom note to a text ransom note.


Vaccine for GandCrab updated to support v5

Valthek has also released a vaccine that when run on a computer, prevents it from being infected by GandCrab. While this may protect some users, it should be cautioned that the GandCrab developers could just as easily change their program to bypass this vaccine.

The information is gathered from Bleeping Computer.