Security Weekly 1: Windows Defender Launches Someone Else’s Code, The Trojan Was Sitting In HandBrake, Phishers Were Attacked By Gmail Users
Spring was generous in the eyes of the apocalyptic scale, and in the most unexpected places. This time it’s not a smartphone, and not a router, but much worse – Microsoft Malware Protection Engine. This component is used by Windows Defender and is enabled by default in Windows 8, 8.1, 10, and also in Windows Server 2016
This time, Google excelled: researchers from Google Project Zero Tevis Ormandy and Natali Silvanovich found a ‘crazy bad’ vulnerability. Ormandy hastened to tweet about this, saying that this is the worst vulnerability of remote code execution in Windows lately – and, of course, generated a lot of sensational headlines. Developers from Microsoft rushed to close the hole, like sailors to storm the Winter Palace, and three days later the patch was ready. Ormandy, bravely holding all the details to himself, relaxed with a bug drop.
What happened. Malware Protection Engine (MsMpEng) with its, in general, limitless capabilities, was accessible remotely through several different Windows services, in particular, Exchange and IIS. The bottom line is that MsMpEng has full control over all actions associated with the file system, and if any service tries to write something similar to JavaScript on the disk, the level of threat with heuristic methods determines the N Script component, which is a surprise! – runs not in a sandbox and with a high level of rights. And, of course, in this component, and found an evil bug, which allows a clever script to force N Script to execute arbitrary code.
The most cheerful, of course, is the attack scenarios. It turned out that it was enough to receive the letter (and even there is no need to open it!), Click on the link, or, for example, get the file through any messenger so that the computer runs a malicious code. It is as if the sensor, who is scraping the anti-government sedition from the newspaper on duty, having read, believed in revolutionary ideas and joined the ranks of the Carbonation. Such an unexpected heuristic.
Then you could parrot, but do not want to. And so it is clear that this is bad. Update from Microsoft, in theory, should already crawl through all connected to the Internet systems, admins, walled their networks with firewalls, should take care of themselves. Fortunately, the market lacks protective solutions.
HandBrake was infected with malware for Mac
News. If you never-never download programs from suspicious sites, always check sites for authenticity and go strictly by https, and finally you are a Mac user you are reliably protected from malware, no other precautions are needed.
And here everything is not so! Guys from the dark side are not done with a finger, and they earn a living by this trade, so they will always find a way to spoil the life of an innocent user. Yes, you just look at the incident with the HandBrake video sensor! If you downloaded its version for Mac OS X from the manufacturer’s website somewhere between May 2 and May 6, and nothing has been installed – you have infected these Macs with these same hands. But not 100%, the mirror was not compromised, not the main file hosting.
Inside the distribution, kit sat RAT, the Trojan of Proton, which tracks all activity in the victim system, including keystrokes, file downloads, and screen status. Proton, by the way, like the recent OSX / Dok, was signed by the real signature of the developer Apple.
How cunning hackers hacked the file mirror HandBrake – not reported, but in fact, it’s not a trick, there are a lot of ways, starting with a banal phishing attack on the admin. The main thing in this is that this can happen almost with any site, no matter how authoritative its owner was.
If you hit the number of those who downloaded the transcoder on the specified days, the HandBrake project participants advise checking the SHA1 and SHA256 checksums of the distribution file before launching, if you already installed it, look at the activity_agent process – if it is in the system, then it is IT. Bear, heal, change passwords.
A million users of Google Docs underwent a phishing attack
News. At the beginning of the week, a massive phishing attack swept Google users. It was organized very simply: the victims were sent letters that said that someone, and in many cases this person from the list of contacts of the victim, wants to share with the recipient documents in Google. If the curious recipient clicked on the ‘Open in Docs’ button, the Google OAuth authorization page was opened. The real one, without deception.
That’s just this service serves to give access to external services to an account in Google. The login and password, of course, are not given out – if the user allows access, an external token is sent to the external service, which is valid for performing certain actions on behalf of the user. In this case, the external service was called ‘Google Docs’, but it required rights to manage contacts, reading and sending emails, and managing e-mail.
To OAuth there are no complaints – the service in large letters wrote what they want from a person, ‘Google Docs’. But who can read such warnings? Though to reflect, what for service of Google requests access to Gmail, it would not hurt.
In any case, the attack, according to Google, was suppressed within an hour, for which malicious spam managed to get a miserable 0.1% of Gmail users. However, Google itself declares a billion active users, so it turns out that the victims of the attack could potentially be a million of them. How many clicks, without reading, we do not know – but there are many such.