Security Week 25: vulnerabilities in Windows, libarchive and WordPress, new old cryptolocker tricks

    Let's talk about training. Along with cryptolockers, seemingly long-forgotten tricks have returned to our cozy threat landscape: from the "Albanian virus" (a do-it-yourself kit for encrypting your own data) to macros in office documents. By the standards of the threats that are genuinely interesting to read about, this is the last century and kindergarten, but the problem is that they work. In the case of macros, the user has to make a couple of extra clicks and warnings are displayed along the way (dangerous!), but no: everything gets clicked, loads, and leads to real losses and data loss, and it is fortunate if only on one computer. According to our data, the number of cryptolocker attacks on users has grown five-fold over the past two years, and this is the case where quantity sooner or later turns into quality.

    The vast majority of cryptolockers, and especially entry-level Trojans like these, are still blocked without trouble by standard protective software. Alas, this does not rule out infection entirely, and not only because there is no such thing as absolute protection. Recently I cited an example in which an external freelancer with a laptop without an antivirus connects to a well-protected infrastructure and arranges a local Armageddon.

    Recently another item from the arsenal of ancient tricks has been added. Instead of macros, office documents embed links to external objects using OLE technology (news, Microsoft research). In the document this maneuver looks something like the picture. In one case rather clumsy social engineering was used: "Click to unlock this content and prove that you are not a robot." In Word such a design looks extremely suspicious, but it works. So what is to be done about it?

    All digest editions are available by tag.


    For ordinary users it is clear what to do: an antivirus must be installed. For companies everything is more complicated; I gave an example above of why it is not always possible to block everything everywhere. Employees need to be trained, and it is desirable that what we call security-awareness training differ from signing off in the fire-safety briefing logbook. Training should be regular and its goals should be clear to everyone. That is why my colleagues who run the trainings say it is imperative to include not only rank-and-file employees but also their superiors, including top managers. From a techie's point of view this may seem a little strange, but what else can you do? One of the qualitative changes in the information security industry is precisely the extension of the concept of security beyond the struggle of good code against bad code. Security is people, and people cannot be programmed; the problem cannot be solved with an angry memo either. But you have to try: although training is not an algorithmic solution, it produces quite measurable results.

    Patch Week: Windows, WordPress, libarchive

    Discovering software vulnerabilities and releasing patches is such a regular element of the security news background, and so familiar, that such news only occasionally makes it onto the list of most-visited items: in my weekly series this happens about once a quarter. Now such a moment has come: there are three important patches on the agenda at once.



    Microsoft has patched a vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol (news, MS bulletin). Neither Microsoft nor the discoverer, a researcher from the Chinese company Tencent, revealed many details. In the protocol's workflow they found a way to fall back to the vulnerable "proxy server discovery process"; specifically, the "predictability of transaction identifiers when working with NetBIOS" is exploited. The list of affected systems includes all versions of Windows starting from 7, but in fact the hole is present even in Windows 95 and, naturally, in the unsupported XP.

    Perhaps the reason for the scarcity of details is the versatility of the attack. According to the researcher, the exploit can arrive as a URL in a browser, as a malicious office document, or even on a USB flash drive (for example, via a malicious shortcut). Developing the attack further is no simple matter, but in the end it gives the possibility of intercepting traffic or impersonating trusted network devices.
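    The bulletin's mention of "predictable transaction identifiers when working with NetBIOS" concerns the NetBIOS Name Service lookups a Windows host broadcasts for the name WPAD when no other proxy discovery method succeeds. The following is an added example, not code from the original post or from Microsoft or Tencent: a small parser for NBNS queries (UDP/137) that, run over a slice of captured packets, reports which queries ask for the WPAD name and whether the transaction IDs advance in small steps, the kind of predictability a defender would want to spot. The sample packets are constructed inline rather than captured, and the "small step" threshold is an assumption.

```python
import struct

NBNS_TYPE_NB = 0x0020       # question type NB (NetBIOS general name service)
NBNS_CLASS_IN = 0x0001
NBNS_QUERY_FLAGS = 0x0110   # opcode QUERY, recursion desired, broadcast bit set


def nbns_encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 §14.1): pad the name to 15 bytes, append the
    suffix byte, and map each nibble of every byte to a letter in 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def nbns_decode_name(encoded: bytes) -> str:
    """Reverse of nbns_encode_name; returns the name with the space padding stripped."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()


def build_nbns_query(txid: int, name: str) -> bytes:
    """Constructed sample: one NetBIOS name query as it appears on the wire."""
    header = struct.pack(">HHHHHH", txid, NBNS_QUERY_FLAGS, 1, 0, 0, 0)
    question = bytes([32]) + nbns_encode_name(name) + b"\x00"
    return header + question + struct.pack(">HH", NBNS_TYPE_NB, NBNS_CLASS_IN)


def parse_nbns_query(pkt: bytes):
    """Return (transaction id, queried name), or None if this is not a single name query."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1 or pkt[12] != 32:   # response bit set / malformed
        return None
    return txid, nbns_decode_name(pkt[13:45])


def query_txids(packets, name=None):
    """Transaction IDs of the name queries in a capture slice, optionally for one name only."""
    ids = []
    for p in packets:
        parsed = parse_nbns_query(p)
        if parsed and (name is None or parsed[1] == name):
            ids.append(parsed[0])
    return ids


def txids_look_predictable(txids, max_step=1):
    """Heuristic (assumed threshold): IDs that advance by at most max_step each query."""
    steps = ((b - a) % 0x10000 for a, b in zip(txids, txids[1:]))
    return len(txids) >= 3 and all(s <= max_step for s in steps)


# Constructed capture slice: a host looking up WPAD with sequential transaction IDs.
SAMPLE = [build_nbns_query(0x3A10, "WPAD"), build_nbns_query(0x3A11, "FILESRV"),
          build_nbns_query(0x3A12, "WPAD"), build_nbns_query(0x3A13, "WPAD")]
```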

    Researchers from Cisco found three vulnerabilities in the open-source library libarchive (news, research). With open-source software, what matters is not even the nature of the vulnerability but understanding who is affected; the list of dependent software on the library's website can help with this. All three vulnerabilities can be exploited using a crafted archive of a particular format, specifically 7-Zip and RAR. In addition, it is theoretically possible to exploit a vulnerability when the library processes data from mtree, a standard utility in FreeBSD. All three vulnerabilities allow arbitrary code execution.

    Finally, the next WordPress update, version 4.5.3, closes 24 vulnerabilities (news, WordPress announcement). Most of them allow an attacker to gain control of a website. In addition, 17 bugs were fixed, all relatively fresh: they were "added" in the last three releases of the open-source CMS.

    What else happened:
    The Let's Encrypt project reports the issuance of its five millionth free HTTPS certificate. At the same time, it emerged that Comodo, a company that sells SSL certificates for money, is for some reason trying to register the Let's Encrypt trademark in the USA. That is not a nice thing to do.

    The Indian advertising company InMobi, which among other things makes money on banners in mobile applications, was fined nearly a million dollars in the United States for tracking users without their knowledge. The company's ad network allegedly "covers" more than a billion devices.

    Antiquities:
    "Tired-1740"

    Dangerous resident virus, written in the standard way into COM, EXE and OVL files when they are loaded into memory for execution. Periodically decrypts and displays the phrase "I think you're too tired to the bone. You'd better go home", and then reboots the computer. Hooks int 21h.

    Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 85.

    Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's just how it goes.
