In a major move for Windows security, Microsoft has built Windows Defender to run in a sandboxed environment. Microsoft began the process of moving Windows Defender to a sandbox after much input from the security community.
Windows Defender runs with high privileges to scan systems for malicious content; because of this, it’s already a prime target for cyberattacks. If someone successfully exploits a bug in Windows Defender, an entire system can be taken over. With Windows Defender running in a restrictive process execution environment, attackers who break in are stuck inside the isolated environment and can’t affect the rest of the system.
Read more about the new version of Windows Defender on DarkReading.
Microsoft has quietly fixed a bug in the on-hold Windows 10 October 2018 Update that in earlier versions wasn’t telling users when apps requested permission to access all a user’s files. The bug in the Windows ‘broadFileSystemAccess’ API could have given a malicious developer of Universal Windows Platform (UWP) apps access to all a user’s documents, photos, downloads, and files stored in OneDrive.
A security researcher from Colombia has found a way of gaining admin rights and boot persistence on Windows PCs that’s simple to execute and hard to stop – all the features that hackers and malware authors are looking for in an exploitation technique.
What’s more surprising is that the technique was first detailed back in December 2017, but despite its numerous benefits and ease of exploitation, it has received neither media coverage nor been seen employed in malware campaigns. The technique targets one of the parameters of Windows user accounts, the Relative Identifier (RID).
Read more about the “RID Hijacking” technique on ZDNet.
Researchers have uncovered a new attack chain which exploits little-known Microsoft Windows utilities and innocuous software to fly under the radar in the quest to steal data. According to Symantec, the new malware campaign is a prime example of what the company calls “living off the land.”
In other words, attackers are turning to the resources already available on target machines as well as running simple scripts and shellcode in memory and performing fileless attacks. By focusing more on homegrown software and less on introducing foreign malware into target systems, threat actors can remain undetected for longer and minimize the risk of being exposed.
Read more about how attackers are turning to innocuous system processes to compromise Windows machines on ZDNet.
A zero-day flaw recently disclosed in Microsoft’s Windows Task Scheduler could enable a bad actor to gain elevated privileges. The flaw, which was disclosed on Twitter, does not yet have a patch. The issue exists in the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler: the ALPC API function does not check permissions, so any local bad actor can alter them.
“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” according to a note issued by CERT. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”
Read more about the recently disclosed zero-day flaw on Threatpost.
Security researchers have discovered a new exploitation technique that they say can bypass the kernel protection measures present in Windows operating systems. Discovered by security researchers Omri Misgav and Udi Yavo from enSilo, the technique is named Turning Tables and exploits Windows’ page tables.
Page tables are a data structure common to all operating systems, not just Windows, that are used to store mappings between virtual memory and physical memory.
Read how the Turning Tables technique can allow attackers to elevate the privileges of their code to higher levels, like SYSTEM, on BleepingComputer.
Initially, experts believed that the recently disclosed SSL/TLS vulnerability dubbed “FREAK” didn’t affect Windows, but Microsoft confirmed on Thursday that all supported versions of its operating system are impacted.
According to Microsoft, the vulnerability exists in Secure Channel (Schannel), a security package that implements the SSL/TLS authentication protocols. An attacker can exploit the flaw to downgrade an encrypted SSL/TLS session and force client systems to use a weaker, export-grade RSA cipher. Through a man-in-the-middle (MitM) attack, a malicious actor could then intercept and decrypt the traffic.
Read more about Microsoft admitting that the FREAK vulnerability affects all Windows versions on Security Week.
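Since the downgrade only works if the client is still willing to negotiate an export-grade suite, the practical check for a Windows host is whether Schannel still has any such suites enabled. The following script is an added example, not code from the article or from Microsoft; it assumes Windows 8.1 / Server 2012 R2 or later, where the built-in TLS module provides Get-TlsCipherSuite and Disable-TlsCipherSuite, and its -Remediate switch is the script’s own parameter, not a Windows setting.

```powershell
# Added example: audit the cipher suites Schannel will negotiate on this host and
# flag the export-grade RSA suites that a FREAK downgrade relies on.
# Assumes the TLS module (Windows 8.1 / Server 2012 R2 and later); -Remediate
# requires an elevated prompt because it changes the machine-wide suite order.
param(
    [switch]$Remediate
)

# Every suite currently enabled in the per-machine cipher suite order.
$suites = Get-TlsCipherSuite

# Export-grade suites carry "EXPORT" in their IANA name,
# e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5 or TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA.
$weak = $suites | Where-Object { $_.Name -match 'EXPORT' }

if (-not $weak) {
    Write-Host "No export-grade cipher suites are enabled on $env:COMPUTERNAME."
    return
}

Write-Warning "Export-grade cipher suites are enabled; a FREAK downgrade is possible:"
$weak | ForEach-Object { Write-Warning "  $($_.Name)" }

if ($Remediate) {
    foreach ($s in $weak) {
        # Disable-TlsCipherSuite removes the suite from the machine's cipher suite order.
        Disable-TlsCipherSuite -Name $s.Name
        Write-Host "Disabled $($s.Name)"
    }
}
```

Run it without arguments to audit, and with -Remediate from an elevated prompt to drop the offending suites. On older Windows versions that lack the TLS module, the same outcome is reached by removing the export suites from the “SSL Cipher Suite Order” group policy, which is the setting these cmdlets manipulate.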
The disclosure was made on Monday upon the expiration of the 90-day waiting period imposed by Google researchers. Microsoft has yet to patch the Windows 8.1 vulnerability, which would allow a hacker to elevate their privileges on an affected computer to gain administrator access. Microsoft’s next set of Patch Tuesday security bulletins is scheduled to be released Jan. 13.
“We are working to release a security update to address an elevation of privilege issue,” a Microsoft spokesman told Threatpost.
Read more about the Windows 8.1 privilege elevation flaw on Threatpost.
Another Patch Tuesday, another mess for Microsoft, which has pulled update 3004394, aka “December 2014 update for Windows Root Certificate Program in Windows”.
Redmond says the patch “is causing additional problem on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates.”
Read more about Microsoft’s patch flip-flop and the phantom patch that even Google couldn’t find on The Register.
The Acrobat Reader Windows sandbox contains a vulnerability that could allow attackers to break out and gain higher privileges, Google security bod James Forshaw claims.
The NTFS junction attack is a “race condition” in the handling of the MoveFileEx call hook, Forshaw said. While unpatched, subsequent September updates made the flaw very difficult to exploit.
“While this bug technically isn’t fixed, a defence in depth change in 11.0.9 effectively made this difficult if not impossible to exploit,” Forshaw said in an advisory for version 11.0.8.
It was a flaw similar to a previous bug in NtSetInformationFile but different because it exploited a time of check to time of use race, a feat possible only because the broker opened the file rather than the sandboxed process, he said.
Read about the vulnerability in Acrobat Reader for Windows on The Register.