Tag Archives: Microsoft

Microsoft Issues Patches For Severe Flaws, Including Office Zero-Day & DNS Attack


As part of its “October Patch Tuesday,” Microsoft has today released a large batch of security updates to patch a total of 62 vulnerabilities in its products, including a severe MS Office zero-day flaw that has been exploited in the wild.

Security updates also include patches for Microsoft Windows operating systems, Internet Explorer, Microsoft Edge, Skype, Microsoft Lync and Microsoft SharePoint Server.

Besides the MS Office vulnerability, the company has also addressed two other publicly disclosed (but not yet targeted in the wild) vulnerabilities that affect the SharePoint Server and the Windows Subsystem for Linux.

October Patch Tuesday also fixes a critical Windows DNS vulnerability that could be exploited by a malicious DNS server to execute arbitrary code on the targeted system. Below you can find a brief technical explanation of all the above-mentioned critical and important vulnerabilities.


Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)

This vulnerability, classified by Microsoft as “important,” is caused by a memory corruption issue. It affects all supported versions of MS Office and has been actively exploited by attackers in targeted attacks.

An attacker could exploit this vulnerability either by sending a specially crafted Microsoft Office file to the victims and convincing them to open it, or by hosting a site containing specially crafted files and tricking victims into visiting it.

Once opened, the malicious code within the booby-trapped Office file will execute with the same rights as the logged-in user. So, users with least privilege on their systems are less impacted than those having higher admin rights.

The vulnerability was reported to Microsoft by security researchers at China-based security firm Qihoo 360 Core Security, who initially detected an in-the-wild cyber attack which involved malicious RTF files and leveraged this vulnerability on September 28.

Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)

Other critical vulnerabilities patched by Microsoft include a critical remote code execution flaw in the Windows DNS client that affects computers running Windows 8.1 and Windows 10, and Windows Server 2012 through 2016.

The vulnerability can be triggered by a malicious DNS response, allowing an attacker to gain arbitrary code execution on Windows clients or Windows Server installations in the context of the software application that made the DNS request.

Nick Freeman, a security researcher from security firm Bishop Fox, discovered the vulnerability and demonstrated how an attacker connected to a public Wi-Fi network could run malicious code on a victim’s machine, escalate privileges and take full control over the target computer or server.

“This means that if an attacker controls your DNS server (e.g., through a Man-in-the-Middle attack or a malicious coffee-shop hotspot) – they can gain access to your system,” the researcher explains.

“This doesn’t only affect web browsers – your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.”

For full technical details, you can watch the video demonstration by Bishop Fox’s Dan Petro and head on to Bishop Fox’s blog post.


Windows Subsystem for Linux Denial of Service Vulnerability (CVE-2017-8703)

This denial of service (DoS) issue is yet another noteworthy vulnerability which resides in Windows Subsystem for Linux.

The vulnerability, classified by Microsoft as “important,” was previously publicly disclosed, but wasn’t found actively exploited in the wild.

The vulnerability could allow an attacker to execute a malicious application to affect an object in memory, which eventually allows the application to crash the target system and make it unresponsive.

The only Microsoft product affected by this vulnerability is Windows 10 (Version 1703). “The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory,” Microsoft said in its advisory.

Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11777)

Another previously disclosed vulnerability that is not yet under attack is a cross-site scripting (XSS) flaw in Microsoft SharePoint Server that affects SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016.

The vulnerability, also classified by Microsoft as “important,” can be exploited by sending a maliciously crafted request to an affected SharePoint server.

Successful exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks on affected systems and execute malicious script in the same security context of the current user.

“The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user,” Microsoft explains.

Besides these, the company has patched a total of 19 vulnerabilities in the scripting engine in Edge and Internet Explorer that could allow web pages to achieve remote-code execution, with the logged-in user’s permissions, via memory corruption flaws.

Just opening a web page could potentially land you in trouble by executing malware, spyware, ransomware, and other nasty software on the vulnerable computer.

More RCE And Other Vulnerabilities

Redmond also patched two vulnerabilities in the Windows font library that can allow a web page or document to execute malicious code on a vulnerable machine and hijack it on opening a file with a specially crafted embedded font or visiting a website hosting the malicious file.

The update also includes fixes for a bug in Windows TRIE (CVE-2017-11769) that allows DLL files to achieve remote code execution, and a programming error (CVE-2017-11776) in Outlook that leaves its emails open to snooping over supposedly secure connections.

Other issues patched this month include two remote code execution flaws in the Windows Shell and a remote code execution bug in Windows Search.

Microsoft also published an advisory warning users of a security feature bypass issue affecting the firmware of Infineon Trusted Platform Modules (TPMs).

Surprisingly, this month's release does not include any security patches for Adobe Flash. Meanwhile, Adobe has skipped October’s Patch Tuesday altogether.

Users are strongly advised to apply October security patches as soon as possible in order to keep hackers and cybercriminals away from taking control over their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Powered by WPeMatico

Microsoft Cortana Can Now Read Your Skype Messages to Make Chat Smarter


Microsoft today announced built-in support for Cortana—an artificial intelligence-powered smart assistant—in Skype messenger on Android as well as iOS devices.

What purpose does it serve?

Microsoft wants its AI-based smart assistant to understand your conversations and help you with quick suggestions, ideas and information right inside your chat window.

“Cortana can also help you organize your day—no need to leave your conversations. Cortana can detect when you’re talking about scheduling events or things you have to do and will recommend setting up a reminder, which you will receive on all your devices that have Cortana enabled,” Skype said in a blog post.

In other words, it typically means that Microsoft’s Cortana can now read your private Skype conversations.


Should You Worry About Your Privacy?

Yes, Cortana needs continuous monitoring of your private chats in order to come up with useful suggestions such as movie bookings, travel plans, nearby restaurants, scheduled meetings and so on.

Obviously, this feature would be a severe concern for privacy-conscious people, knowing that someone else is continuously reading their private conversations with their friends or family or secret business plans with their colleagues even if Cortana has good intentions.

So should you be worried about this? It depends.

The answer is NO for those who are already using Skype. Since conversations over Skype are not end-to-end encrypted, Microsoft already has access to all your private communications in plain text, and you have nothing to hide from the company.

The answer is—YES for those who are new to Skype and impressed with the idea of artificial intelligence-based smart assistant but care more about their privacy.

How to Activate Cortana for Intelligent Skype Chats?

Currently, Cortana support for Skype is only available for American users. It is optional, and you need to turn the assistant on manually on your mobile device.

To activate and allow Cortana to read all your chats and help you intelligently, you need to follow the steps below:

  • Upgrade to the latest version of Skype for Android or iOS
  • Tap on Cortana from your chat window
  • Start chatting with her, and it will ask for one-time permissions
  • Select Agree, and that is it.

In-chat assistance is not a new concept. Google Allo and Facebook's Messenger app have already introduced AI-based personal assistants for chats, but naturally, these features come with privacy trade-offs.

Despite being opt-in, these intelligent in-chat assistants, including Cortana for Skype, could be easily used to spy on your interests for targeted advertisements.

Do you feel it is worth the risk to have AI-based quick replies and suggestions for calendar entries?

Let us know in the comments below.


Windows 10 to Give More Control Over App-level Permissions

Microsoft has been gradually changing its privacy settings in Windows 10 with the Fall Creators Update to give its users more control over their data.

In April, Microsoft addressed some initial privacy concerns in the Windows 10 Creators Update with simplified data collection levels—Security, Basic, Enhanced, and Full—and eventually revealed its data collection practices.

Now, the software giant is making another privacy-related change with the upcoming Windows 10 Fall Creators Update, which is due for release in October 2017, giving you much more control over what apps can do with your device.

Just like apps on your smartphone’s app store, apps on Windows Store also require permission to access your computer’s critical functionalities like camera, microphone, calendar, contacts, and music, pictures and video libraries.

While Android and iOS allow you to limit an app’s permissions to access these sensitive things, these permissions have currently been provided to all apps implicitly in the Fall Creators Update, except for access to location data that needs an explicit user permit.

But that’s going to be changed.

For each new app installed on the Windows 10 Fall Creators Update, the operating system will prompt users for access to their device’s camera, microphone, contacts, calendar, and images and other information, requiring an explicit opt-in for each app.

“Starting with the Fall Creators Update, we’re extending this experience to other device capabilities for apps you install through the Windows Store,” Microsoft wrote in a post detailing the privacy improvements.

“You will be prompted to provide permission before an app can access key device capabilities or information such as your camera, microphone, contacts, and calendar, among others. This way you can choose which apps can access information from specific features on your device.”


However, when users install the Fall Creators Update, existing applications on their device will retain their permissions, but new apps installed from the official Windows Store will require their access to be enabled explicitly.

In order to review and manage your existing app permissions, head on to Start → Settings → Privacy. To learn more about Windows app permissions, head on to this link.

Microsoft is set to test these privacy changes with Windows Insiders shortly. The Windows 10 Fall Creators Update will be released on October 17th.


Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable


Microsoft has been expressing its love for Linux for almost three years now, and this love costs Microsoft an arm and a leg.

Last year, Microsoft surprised everyone by announcing the arrival of Windows Subsystem for Linux (WSL) in Windows 10, which brings the Linux command-line shell to Windows, allowing users to run native Linux applications on Windows systems without virtualization.

However, security researchers from security firm Check Point Software Technologies have discovered a potential security issue with the WSL feature that could allow malware families designed for Linux to target Windows computers, undetected by all current security software.

The researchers devised a new attack technique, dubbed Bashware, that takes advantage of Windows’ built-in WSL feature, which is now out of beta and is set to arrive in the Windows 10 Fall Creators Update in October 2017.

Bashware Attack Undetectable by All Anti-Virus & Security Solutions

According to Check Point researchers, the Bashware attack technique could be abused even by a known Linux malware family, because security solutions for Windows are not designed to detect such threats.

This new attack could allow an attacker to hide any Linux malware from even the most common security solutions, including next-generation anti-virus software, malware inspection tools, anti-ransomware solutions and other tools.

But why so? Researchers argue that existing security software packages for Windows systems have not yet been modified to monitor processes of Linux executables running on Windows operating system.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” Check Point researchers say. 

“This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”

Who is the Culprit? Microsoft or Security Vendors?

In order to run the target Linux application in an isolated environment, Microsoft introduced “Pico processes”, which are containers that allow ELF binaries to run on the Windows operating system.

During their tests, the Check Point researchers were able to test the Bashware attack on “most of the leading antivirus and security products on the market,” and successfully bypass all of them.

This is because no security product monitors Pico processes, even though Microsoft already provides the Pico API, a special application programming interface that can be used by security companies to monitor such processes.

“Bashware does not leverage any logic or implementation flaws in WSL’s design. In fact, WSL seems to be well designed,” the researchers concluded. 

“What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system.”

Bashware Attackers Require Admin Rights: Is That Hard on a Windows PC?

Yes, Bashware requires administrator access on the target computers, but gaining admin privileges on Windows PCs via phishing attacks and/or stolen admin credentials is not a difficult task for a motivated attacker.

However, these additional attacks could also alert antivirus and security products, subverting the attack before the actual Bashware attack can be executed to hide malware.

Since WSL is not turned on by default, and users are required to manually activate “development mode” on their computer systems in order to use it and reboot the system, the risks posed by the feature are mitigated to some extent.

However, the Check Point researchers say it is a little-known fact that the developer mode can be enabled by modifying a few registry keys, which can be done silently in the background by the attackers with the right privileges.

The Bashware attack technique automates the required procedures by silently loading the WSL components, enabling developer mode, even downloading and extracting the Linux file system from Microsoft’s servers, and running malware.

No Need to Write Separate Malware Programs

What’s interesting about Bashware? Hackers using Bashware are not required to write malware programs for Linux to run them through WSL on Windows computers.

This extra effort is saved by the Bashware technique which installs a program called Wine inside the downloaded Ubuntu user-space environment, and then launches known Windows malware through it.

The malware then runs in Windows as Pico processes, which hides it from security software.

400 Million Computers Potentially Exposed to Bashware

The newly discovered attack technique does not leverage any vulnerability in the implementation of WSL, but is due to the lack of interest and awareness by various security vendors towards WSL.

Since the Linux shell is now available to Windows users, researchers believe that Bashware can potentially affect any of the 400 million PCs currently running Windows 10 across the world.

Check Point researchers said their company had already upgraded its security solutions to combat such attacks and are urging other security vendors to modify and update their next-generation anti-virus and security solutions accordingly.


Microsoft Issues Security Patches for 25 Critical Vulnerabilities


Here we go again…

As part of its August Patch Tuesday, Microsoft has today released a large batch of 48 security updates for all supported versions of Windows systems and other products.

The latest security update addresses a range of vulnerabilities including 25 critical, 21 important and 2 moderate in severity.

These vulnerabilities impact various versions of Microsoft’s Windows operating systems, Internet Explorer, Microsoft Edge, Microsoft SharePoint, the Windows Subsystem for Linux, Adobe Flash Player, Windows Hyper-V and Microsoft SQL Server.

CVE-2017-8620: Windows Search Remote Code Execution Vulnerability

The most interesting and critical vulnerability of this month is the Windows Search Remote Code Execution Vulnerability (CVE-2017-8620), which affects all versions of Windows 7 and Windows 10 and could be used in a wormable attack like the one used in the WannaCry ransomware, as it utilises the SMBv1 connection.

An attacker could remotely exploit the vulnerability through an SMB connection to elevate privileges and take control of the targeted Windows computer.

“A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explains.

“In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.”

CVE-2017-8633: Windows Error Reporting Elevation of Privilege Vulnerability

Another significant elevation of privilege vulnerability resides in Windows Error Reporting (WER) that could allow an attacker to run a specially created application to gain access to administrator privileges on the targeted system to steal sensitive information.

“This update corrects the way the WER handles and executes files,” the advisory says.

CVE-2017-8627: Windows Subsystem for Linux DoS Vulnerability


An important vulnerability has been identified in Windows Subsystem for Linux that could allow an attacker to execute code with elevated permissions.

“To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how Windows Subsystem for Linux handles NT pipes,” the advisory says.

Successful exploitation eventually could allow a denial of service attack, leaving the targeted system unresponsive.

Microsoft has also released critical security updates for the Adobe Flash Player for Internet Explorer, although the company would end its support for Flash at the end of 2020.

Users and IT administrators are strongly recommended to apply security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.


Microsoft Is Paying Up To $250,000 With Its New Bug Bounty Program

Microsoft has finally launched a new dedicated bug bounty program to encourage security researchers and bug hunters to find and responsibly report vulnerabilities in the latest versions of its Windows operating systems and software.

Windows being the favourite target of hackers and cyber criminals, every single zero-day vulnerability in Windows OS (from critical remote code execution, mitigation bypass and elevation of privilege to design flaws) could cause a crisis like the recent WannaCry and Petya ransomware attacks.

In the past five years, the tech giant has launched multiple time-limited bug bounty programs focused on various Windows features, and after seeing quite a bit of success, Microsoft has decided to continue.

“Security is always changing, and we prioritise different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”

With its latest bug bounty program, Microsoft is offering up to $250,000 in rewards to cybersecurity researchers and bug hunters who find vulnerabilities in the company’s software, which mainly focuses on:

  • Windows 10, Windows Server 2012 and Insider Previews
  • Microsoft Hyper-V
  • Mitigation Bypass Techniques
  • Windows Defender Application Guard
  • Microsoft Edge Browser

Below is the chart showing details of the targets, main focus areas and the respective payouts:

[Image: Microsoft bug bounty program chart]

“In the spirit of maintaining a high-security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017,” Microsoft says in a blog post. “The bounty program is sustained and will continue indefinitely at Microsoft’s discretion.”

Recently, the non-profit group behind Tor Project joined hands with HackerOne and launched a bug bounty program with the payout of up to $4,000 to researchers and bug hunters for finding and reporting flaws that could compromise the anonymity network.

For more granular details about Microsoft’s Bug Bounty Program, you can check out the program on the TechNet site.
