By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Two proofs-of-concept (PoC) exploits have been publicly released for the recently-patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft. The vulnerability (CVE-2020-0601) could enable an attacker to spoof a code-signing certificate (necessary for validating executable programs in Windows) in order to make it appear like an application was from a trusted source. The flaw made headlines when it was disclosed earlier this week as part of Microsoft’s January Patch Tuesday security bulletin. It marked the first time the NSA had ever publicly reported a bug to Microsoft. The two PoC exploits were published to GitHub on Thursday. Either could potentially allow an attacker to launch MitM (man-in-the-middle) attacks – allowing an adversary to spoof signatures for files and emails and fake signed-executable code inside programs that are launched inside Windows. One PoC exploit was released by Kudelski Security and the other by a security researcher under the alias “Ollypwn”. According to Microsoft’s advisory, the spoofing vulnerability exists in the way Windows CryptoAPI (Microsoft’s API that enables developers to secure Windows-based applications using cryptography) validates Elliptic Curve Cryptography (ECC) certificates. Kudelski Security in a blog post said they launched the PoC using a “curve P384” certificate, which uses ECC (specifically, the USERTrust ECC Certificate Authority). Researchers were able to craft a key used to sign the “curve P384” certificate with an arbitrary domain name. This certificate would subsequently be recognized by Windows’ CryptoAPI as trusted. Another similar PoC exploit was publicly released by Denmark-based security expert “Ollypwn.” “When Windows checks whether the certificate is trusted, it’ll see that it has been signed by our spoofed CA,” said “Ollypwn” in a write up of his PoC exploit. “It then looks at the spoofed CA’s public key to check against trusted CA’s. Then it simply verifies the signature of our spoofed CA with the spoofed CA’s generator – this is the issue.” A third PoC exploit was developed by security expert Saleem Rashid; who said on Twitter, Wednesday, that the PoC allowed him to fake TLS certificates and set up sites that look like legitimate ones. However, Rashid did not make his PoC exploit code public. To read the warnings, and more please visit OUR FORUM.

Microsoft has ended official support for Windows 7 on January 14 — 11 years after it first launched to rave reviews. Although Windows 10 eventually managed to overtake Windows 7's market share, many businesses and even home users continue to use Windows 7 despite Microsoft constantly urging them to upgrade. After January 14, Windows 7 users won't be getting any free support including any security updates. While your PC won't automagically stop working after January 14, not having timely security updates can comprise your online life. As we have seen with Windows XP, businesses reluctant to upgrade are used to paying hefty support fees to Microsoft after the official support period. A similar process is likely to be seen with Windows 7 as well. Enterprises have to enroll for Extended Security Updates (ESUs) in order to receive patches for vulnerabilities that may allow the spread of malware such as ransomware. If for some reason you wish to cling onto Windows 7, here's a neat hack developed by My Digital Life (MDL) forums veteran abbodi1406 to trick Microsoft into bypassing eligibility checks for Extended Security Updates. Then, register yourself on the MDL forums. Download the tool and install it. After installing the tool, fire-up Windows Update and see if it downloads the KB4528069 test update. If it does, your PC is now eligible to receive Microsoft's ESU that are otherwise only available to business users. The author notes that unlike conventional updates, ESUs have to be installed live via Windows Update only and cannot be installed offline or integrated into your Windows image via DISM. Eligibility for ESU is checked only once during the first ESU download. Therefore, you can remove the tool once eligibility is confirmed and you are able to download the aforementioned test update. However, do remember that the tool is still a prototype and any change in Microsoft's policies towards servicing ESUs may break the hack so, you will have to keep an eye on the thread for any updates to the tool. Follow this thread on OUR FORUM.

'The consequences of not patching the vulnerability are severe and widespread,' says National Security Agency, which found the bug. Windows 10 users have been urged to update their PCs or risk having private messages read. The huge vulnerability has been patched in an update but any computer that has not received the latest version of the operating system is at risk. The bug was discovered by the National Security Agency which alerted Microsoft, rather than using it to spy on citizens. The company then fixed the bug for all of its users through the latest free update, part of its "Patch Tuesday" program of regular fixes, which seals up the exploit and stops hackers from intercepting communications. There is no indication that the exploit has been used by hackers, Microsoft said, in a note that gave credit to the NSA for finding it. Amit Yoran, CEO of security firm Tenable, said it is "exceptionally rare if not unprecedented" for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland Security's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly. An advisory sent by the NSA on Tuesday said: "the consequences of not patching the vulnerability are severe and widespread." Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source. "The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider," the company said. If successfully exploited, an attacker would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information on user connections, the company said. Some computers will get the fix automatically if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings. Further details can be found on OUR FORUM.

Today is a really historic day for the Microsoft family. Almost 11 years after the launch of Windows 7, Microsoft has decided its time to pull the plug on support for one of their most popular Operating Systems ever. For younger people more familiar with Windows 10, it’s hard to explain just how good Windows 7 was at the time. It felt like the first really STABLE and really aesthetically pleasing Operating System that Microsoft offered. Though it’s hard to believe, for millions of people, logging in daily and seeing this image below brought a sense of real comfort to the day. Windows 7 was awesome. It was seen as a marked improvement over its predecessor Window Vista, adding new “fancy” features like the taskbar, Aero window management, file libraries, and much more. Even with all the warnings and the heads up, Windows 7 remains popular, even today. It runs on 26 percent of all PC’s which is a staggering number considering that Windows 10 has been out for 4+ years AND Microsoft offered (and still offers) Windows 10 as a FREE upgrade to customers. Microsoft has been notifying users about this day for a full year and they plan to step up the notifications. A full-screen notification will appear for Windows 7 users on Wednesday, warning users that their systems are now out of support. If you are a business or an academic institution, your users will be able to pay for extended security updates but, it’s going to be expensive. Obviously some discounts will be available with volume licensing but when you start to think about how the costs will add up, the question is naturally – why stay with Windows 7? As you can see from the prices above, a company with 100 or more employees will start to pay REAL money going forward but there are a lot of smaller companies that will stay on Windows 7 until the lights are turned off. The reason is, they have made the decision that it’s a business-critical tool for their business. It would shock you if you knew how many small hotels and businesses run proprietary Windows 7 software. For more facts and figures, please visit OUR FORUM.

The certainties that Windows 7 embodied have long gone, and that's no bad thing. In just a couple of days, Windows 7 finally goes out of support, which means no more bug fixes or updates for the millions who are still using the operating system, which first launched back in 2009. In many respects, the success of Windows 7 was the high water mark for the PC and for Windows. It has been much loved by PC users and admins in the past decade -- and not just for replacing its reviled predecessor, Windows Vista. It's had plenty of staying power, too: Windows 7 users largely (and probably rightly) ignored Windows 8 when it appeared, and only with Windows 10 maturing (and old hardware giving up) has migration from the reliable and comfortable Windows 7 finally gathered pace. But even with the clock ticking down towards the end of support, Windows 7 fans have proved stubborn. Although businesses have mostly made the move, there are still plenty of consumers hanging on to their old favorite. My colleague Ed Bott has done some smart number crunching and reckons there are about 1.2 billion Windows PCs in use around the world, with somewhere around a billion running Windows 10 and most of the rest running Windows 7. As he notes, that means somewhere near 200 million PCs could soon be running out-of-date software, and any new security holes are unlikely to get fixed (unless you are willing to pay for extended support). The Windows 7 era coincided with the high point of the PC era, and the end of Windows 7 marks the end of the PC era, too. When Windows 7 launched, the iPhone and its app store were around but were still novelties, while the iPad hadn't arrived yet. If you wanted to get work -- or pretty much anything -- done on a computer, you needed a PC. Just over a decade later, the picture is much more complicated. PC sales have been in decline for the last seven years; a slide which only ended with a small increase last year, largely because businesses needed to buy new PCs to run Windows 10, after bowing to the inevitable and upgrading. In many scenarios and use cases, the PC has been superseded by the smartphone, the tablet or digital assistants embodied in various other devices. And it's not just the PC -- Windows is no longer the defining product for Microsoft that it once was. That's not to say the PC is dead, of course: I'm typing on one now, and it will remain the primary device I use to do my job for the foreseeable future. Many office and knowledge workers will feel the same. But there are now plenty of other options: Follow the "End-of-Life" of Windows 7 on OUR FORUM.

An Android malware strain camouflaged as a system app is used by threat actors to disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads, and more. The heavily obfuscated malware dubbed Trojan-Dropper.AndroidOS.Shopper.a uses a system icon and the ConfigAPKs name which closely resembles the name of a legitimate Android service responsible for app configuration the first time a device is booted. "Trojan-Dropper.AndroidOS.Shopper.a was most widespread in Russia, where the largest share of infected users (28.46%) was recorded in October – November 2019," Kaspersky Lab researcher Igor Golovin said. "Second place went to Brazil (18.70%) and third to India (14.23%)." Once it infects a victim's Android device, the malware downloads and decrypts the payload, then goes straight to information harvesting, collecting device info such as country, network type, vendor, smartphone model, email address, IMEI, and IMSI. All this data is then exfiltrated to the operators' servers which will send back a series of commands to be run on the infected smartphone or tablet. The attackers will utilize the Shopper.a Trojan to boost other malicious apps' ratings on the Play Store, post fake reviews on any apps' entries, install other apps from the Play Store or third-party app stores under the cover of an "invisible" window. All this is done by abusing the Accessibility Service, a known tactic used by Android malware to perform a wide range of malicious activities without needing user interaction [1, 2, 3, 4]. If it has no permissions to access the service, the Trojan will use phishing to get them from the compromised device's owner. "The lack of installation rights from third-party sources is no obstacle to the Trojan — it gives itself the requisite permissions through Accessibility Service," Kaspersky Lab researcher Igor Golovin explained. "With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps. For instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures." "Cybercriminals use Trojan-Dropper.AndroidOS.Shopper.a to boost certain app’s rating and increase the number of installations and registrations," Golovin added. "All this can be used, among other things, to dupe advertisers. What’s more, the Trojan can display advertising messages on the infected device, create shortcuts to ad sites, and perform other actions."Get the full scoop by visiting OUR Forum.

 

Translate