Security Week 25: Vulnerabilities in Windows, libarchive and wordpress, new old cryptographic stunts

Let's talk about training. Together with cryptococci, seemingly forgotten tricks came to our cozy threat landscape: from the “Albanian virus” (a set for self-encrypting data) to macros in office documents. By the standards of those threats, about which it is really interesting to read, this is the last century and kindergarten, but the problem is - they are working. In the case of macros, users are required to make a couple of extra clicks, warnings are displayed in the process (dangerous!), But no, everything clicks, loads and leads to real losses and data loss, well, if only on one computer. According to our data, the number of crypto-attacks on users has increased fivefold over the past two years - and this is the case when quantity sooner or later turns into quality.

The vast majority of cryptographs, and especially such entry-level Trojans, are still blocked by standard security software without any problems. Alas, this does not preclude infection completely - and the point is not that there is no absolute protection. Recently, I referred to an example when an external freelancer is connected to a well-protected infrastructure with a laptop without antivirus and arranges a local Armageddon.

Recently, another one has been added to the arsenal of ancient tricks. Instead of macros, office documents embed links to external objects using OLE technology ( news , Microsoft research ). In the document, this tricky maneuver looks something like in the picture. In one of the cases, rather clumsy social engineering was used: "Click to unlock this content and prove that you are not a robot." In the Word, this design looks extremely suspicious, but it works. And what to do with it?
')
All editions of the digest are available by tag .




In the case of ordinary users, it is clear what to do - antivirus must be installed. In the case of companies, everything is more complicated; I have already given an example above, why it is not always possible to block everything and everywhere. Employees need to be trained. It is desirable that the training on what we call security awareness, differed from the mural in the magazine for briefing in case of fire. Training should be regular, its goals should be clear to everyone - that is why my colleagues, who are responsible for training, say that it is necessary to include in the program not only ordinary employees, but also the authorities, right up to top managers. From the point of view of the techie, this solution may look a little strange, but where to go? One of the qualitative changes in the IS industry is precisely the extension of the concept of security beyond the struggle of a good code with a bad one. Security is people, they cannot be programmed, and an angry circular cannot solve the problem. But it is necessary to try: without being an algorithmized solution, the trainings provide quite measurable efficiency.

Week of patches: Windows, Wordpress, libarchive

Detection of vulnerabilities in software and release of patches is such a regular element of the news background on the topic of security. So familiar that the list of the most visited such news get out infrequently: in my weekly series, this happens about once a quarter. Here comes a moment: three important patches are on the agenda at once.



Microsoft patched a vulnerability in the Web Proxy Auto Discovery protocol ( news , MS bulletin ). Both Microsoft and the discoverer, a researcher from the Chinese company Tencent, do not disclose much of the details. The protocol's operation scheme revealed the possibility of rollback to the vulnerable “proxy server discovery process”, the “predictability of transaction identifiers when working with Netbios” is being exploited. In the list of susceptible - all versions of Windows, starting with 7, but in fact there is a hole even in Windows 95, and, of course, in unsupported more than XP.

Perhaps the reason for the small number of parts is the universality of the attack. According to the researcher, the exploit can fly in as a URL in the browser, as a malicious office document, and even on a flash drive (for example, using a malicious shortcut). Further development of the attack can not be called a simple matter, but in the end there is the possibility of intercepting traffic or replacing trusted network devices.

Researchers from Cisco found three vulnerabilities in the open source libarchive library ( news , research ). In the case of open source software, it’s more important not even the nature of the vulnerability, but the understanding - who is affected. The list of dependent software on the library website can help. All three vulnerabilities can be exploited using a prepared archive of a specific format, specifically exposed to 7-Zip and RAR. In addition, it is theoretically possible to exploit a vulnerability when the library is working with data from mtree , a regular utility on FreeBSD. All three vulnerabilities allow arbitrary code execution.

Finally, the next Wordpress update to version 4.5.3 closes 24 vulnerabilities ( news , Wordpress announcement ). Most of the vulnerabilities allow you to take control of the website. Additionally, 17 bugs were fixed - all relatively fresh, they were “added” in the last three releases of the open CMS.

What else happened:
Let's Encrypt project announces the release of a five million free HTTPS certificate. At the same time, it turned out that Comodo, which sells SSL for money, for some reason is trying to register the trademark Let's Encrypt in the United States. It's bad to be like this.

The Indian advertising company inMobi, which earns, including on banners in mobile applications, was fined nearly a million dollars in the USA for tracking users without their knowledge. The ad network of this company allegedly "covers" more than a billion devices.

Antiquities:
"Tired-1740"

Resident dangerous virus, is standardly recorded in COM, EXE and OVL files when they are loaded into memory for execution. Periodically decrypts and displays the phrase: “I think you’re too tired to the bone. You'd better go home, ”and then restart the computer. Intercepts int 21h.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 85.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.