Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware on their computers.

Discovered by researchers at Cymulate, the bug abuses the ‘Online Video’ option in Word documents, a feature that allows users to embed an online video with a link to YouTube, as shown.

When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer.

Researchers decided to go public with their findings three months after Microsoft refused to acknowledge the reported issue as a security vulnerability.

How Does the New MS Word Attack Work?

Since a Word document (.docx) is actually a zip package of its media and configuration files, it can easily be opened and edited.


According to the researchers, the configuration file called ‘document.xml,’ a default XML file used by Word that contains the generated embedded-video code, can be edited to replace the current video iframe code with any HTML or JavaScript code, which would then run in the background.

In simple words, an attacker can exploit the bug by replacing the actual YouTube video with a malicious one that would get executed by the Internet Explorer Download Manager.

“Inside the .xml file, look for the embeddedHtml parameter (under WebVideoPr) which contains the YouTube iframe code,” the researchers said.

“Save the changes in the document.xml file, update the docx package with the modified XML and open the document. No security warning is presented while opening this document with Microsoft Word.”


Video Demonstration: MS Word Online Video Flaw

To prove the extent of the vulnerability, Cymulate researchers created a proof-of-concept attack: a maliciously crafted document with an embedded video that, when the victim clicks the video thumbnail, prompts the user to run an embedded executable (stored as a base64 blob), without downloading anything from the internet or displaying any security warning.


The hack requires an attacker to convince victims into opening a document and then clicking on an embedded video link.

Cymulate researchers responsibly reported this bug, which impacts all users with MS Office 2016 and older versions of the productivity suite, three months ago to Microsoft, but the company refused to acknowledge it as a security vulnerability.

Apparently, Microsoft has no plans to fix the issue and says its software is “properly interpreting HTML as designed.”

Meanwhile, the researchers recommend that enterprise administrators block Word documents containing the embedded video tag (“embeddedHtml” in the document.xml file), and end users are advised not to open uninvited email attachments from unknown or suspicious sources.
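The blocking rule recommended above can be implemented at a mail gateway or upload handler. The following is an added example (not Cymulate's tooling) that unzips a .docx, parses every XML part under word/, and reports any webVideoPr element or embeddedHtml attribute; the minimal .docx it builds for testing is a constructed sample, not a real Word file.

```python
"""Scan a .docx package for Word 'Online Video' embeds (webVideoPr / embeddedHtml)."""
import io
import zipfile
import xml.etree.ElementTree as ET


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_video_embeds(docx_bytes):
    """Return (part_name, embedded_html) for every online-video embed found.

    Matches on local names only, so it works regardless of the namespace
    prefix (wp15:, w15:, ...) a given Word build emits.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Body, headers and footers all live under word/ as XML parts.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # Malformed XML inside a docx is itself worth a look; report it.
                hits.append((name, "<unparseable XML part>"))
                continue
            for elem in root.iter():
                attrs = {_local(k): v for k, v in elem.attrib.items()}
                if _local(elem.tag).lower() == "webvideopr" or "embeddedHtml" in attrs:
                    hits.append((name, attrs.get("embeddedHtml", "")))
    return hits


def is_suspicious(docx_bytes):
    """Policy from the article: block any document carrying an embeddedHtml tag."""
    return bool(find_video_embeds(docx_bytes))


def build_sample_docx(embedded_html=None):
    """Constructed minimal docx (in memory) with an optional online-video embed."""
    wp15 = "http://schemas.microsoft.com/office/word/2012/wordml"
    body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
    if embedded_html is not None:
        # embedded_html must already be XML-escaped, as Word stores it.
        body += ('<w:p><w:r><w:drawing><wp15:webVideoPr xmlns:wp15="%s" '
                 'embeddedHtml="%s" h="315" w="560"/></w:drawing></w:r></w:p>'
                 % (wp15, embedded_html))
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body>%s</w:body></w:document>' % body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    # Benign YouTube iframe, XML-escaped the way Word stores it (placeholder URL).
    video = build_sample_docx(
        "&lt;iframe src=&quot;https://www.youtube.com/embed/placeholder&quot;&gt;&lt;/iframe&gt;")
    print("clean document flagged:", is_suspicious(clean))  # False
    print("video document flagged:", is_suspicious(video))  # True
```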


Hacker Discloses New Windows Zero-Day Exploit On Twitter

A security researcher with the Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—yesterday released another proof-of-concept exploit for a new Windows zero-day vulnerability.

SandboxEscaper posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the vulnerability that appears to be a privilege escalation flaw residing in Microsoft Data Sharing (dssvc.dll).

The Data Sharing Service is a local service that runs as LocalSystem account with extensive privileges and provides data brokering between applications.

The flaw could allow a low-privileged attacker to elevate their privileges on a target system, though the PoC exploit code (deletebug.exe) released by the researcher only allows a low privileged user to delete critical system files—that otherwise would only be possible via admin level privileges.

“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them,” the researcher wrote.

Since the Microsoft Data Sharing service was introduced in Windows 10 and recent Windows Server editions, the vulnerability does not affect older versions of Windows such as Windows 7 or 8.1.

The PoC exploit has successfully been tested against a “fully-patched Windows 10 system” with the latest October 2018 security updates, Server 2016 and Server 2019, but we do not recommend running the PoC, as it could crash your operating system.

This is the second time in less than two months SandboxEscaper has leaked a Windows zero-day vulnerability.

In late August, the researcher exposed details and a PoC exploit for a local privilege escalation vulnerability in Microsoft Windows Task Scheduler that occurred due to errors in the handling of the Advanced Local Procedure Call (ALPC) service.

Shortly after the PoC for the previous Windows zero-day flaw was released, the exploit was found being actively exploited in the wild, before Microsoft addressed the issue in the September 2018 Patch Tuesday security updates.

SandboxEscaper’s irresponsible disclosure once again has left all Windows users vulnerable to hackers until next month’s Patch Tuesday, which is scheduled for November 13, 2018.


New iPhone Passcode Bypass Hack Exposes Photos and Contacts

Looking for a hack to bypass the passcode or screen lock on iPhones?

Jose Rodriguez, an iPhone enthusiast, has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that potentially allows an attacker to access photos and contacts, including phone numbers and emails, on a locked iPhone XS and other recent iPhone models.

Rodriguez, who also discovered iPhone lock screen hacks in the past, has posted two videos (in Spanish) on his YouTube channel under the account name Videosdebarraquito demonstrating a complicated 37-step iPhone passcode bypass process.

The iPhone authorization screen bypass flaw works on the latest iPhones, including the iPhone XS, running Apple’s latest iOS 12 beta and iOS 12 operating systems.

Video Demonstrations: Here’s How to Bypass iPhone Passcode

As the video demonstrations show, the iPhone hack works provided the attacker has physical access to the targeted iPhone, which must have Siri enabled and Face ID either disabled or physically covered.

Once these requirements are satisfied, the attacker can begin the complicated 37-step iPhone passcode bypass process, which tricks Siri and the iOS accessibility feature called VoiceOver into sidestepping the iPhone’s passcode.

Soon after Rodriguez released his videos, a tech channel on YouTube under the handle EverythingApplePro published a video in English explaining the same passcode bypass hack on iPhone XS.

This iPhone passcode bypass method potentially allows the attacker to access the contacts stored in the iPhone, including phone numbers and email addresses, and to access Camera Roll and other photo folders, by selecting a contact to edit and change its image.

Though Apple has some built-in security measures to prevent this from happening, Rodriguez found a way to bypass those security barriers, as you can see in the video.

Here’s how to Fix the iPhone Passcode Bypass Bug

The passcode bypass methods work on all iPhones including the latest iPhone XS lineup, but the company does not appear to have patched the vulnerabilities in the latest iOS 12.1 beta.

Until Apple comes up with a fix, you can temporarily mitigate the issue by disabling Siri on the lock screen. Here’s how to disable Siri:

  • Go to the Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and Disable Siri toggle under “Allow access when locked.”

Of course, disabling Siri would cripple your iOS 12 experience, but would prevent attackers from abusing the feature and breaking into your iPhone.

Meanwhile, just wait for Apple to issue a software update to address the issue as soon as possible.

iPhone passcode bypass hacks have become common over the last few years and appear after almost every iOS release. An iOS 9.3.1 passcode bypass was found last year, allowing an attacker to use Siri to search Twitter and gain access to a locked iPhone’s photos and contacts.


Pangu Hackers have Jailbroken iOS 12 on Apple’s New iPhone XS

Bad news for Apple.

The Chinese hacking team Pangu is back and has once again surprised everyone with a jailbreak for iOS 12 running on the brand-new iPhone XS.

Well, that was really fast.

The Pangu jailbreak team has been quiet for a while, since it last released an untethered jailbreak tool for iOS 9 back in October 2015.

Jailbreaking is a process of removing limitations on Apple’s iOS devices so users can install third-party software not certified by Apple.

Today, Android and iOS security researcher Min(Spark) Zheng shared a Tweet with two screenshots showing a working jailbreak on Apple’s newly released iPhone XS with A12 Bionic chip achieved by one of the Pangu researchers.

The Tweet also revealed that the iOS 12 jailbreak works by bypassing a functional PAC (Pointer Authentication Codes) mitigation implemented in Apple’s new A12 Bionic chip.


Moreover, since the hardware of the iPhone XS is nearly identical to that of the iPhone XS Max, the new iOS 12 jailbreak exploit should work on both of Apple’s latest flagship iPhones.

Since the Pangu jailbreak team has not made any official announcement regarding the new jailbreak, it is not clear whether or not the team will release the iOS 12 jailbreak to the public.

Also, before jailbreaking your Apple devices, keep in mind that doing so violates your End User License Agreement with Apple and exposes your iOS device to security bugs, putting your personal data at risk, and Apple will not help you if anything goes wrong.

Jailbreaking your iPhone also opens up your device to iOS malware such as KeyRaider and YiSpecter, which specifically targeted iOS users with jailbroken devices.

So, how are you feeling right now about the new jailbreaking? Let us know in the comments below.


Watch Out! This New Web Exploit Can Crash and Restart Your iPhone

It’s 2018, and just a few lines of code can crash and restart any iPhone or iPad and can cause a Mac computer to freeze.

Sabri Haddouche, a security researcher at encrypted instant messaging app Wire, revealed a proof-of-concept (PoC) web page containing an exploit that uses only a few lines of specially crafted CSS & HTML code.

Beyond just a simple crash, the web page, if visited, causes a full device kernel panic and an entire system reboot.

Haddouche’s PoC exploits a weakness in Apple’s web rendering engine WebKit, which is used by all apps and web browsers running on Apple’s operating systems.

Because WebKit fails to properly handle multiple elements, such as “div” tags, nested inside a CSS backdrop-filter property, Haddouche created a web page that uses up all of the device’s resources, causing the device to shut down and restart due to a kernel panic.

You can also watch the video demonstration published by the researcher, which shows the iPhone crash attack in action.

All web browsers, including Microsoft Edge, Internet Explorer, and Safari on iOS, as well as Safari and Mail in macOS, are vulnerable to this CSS-based web attack, because all of them use the WebKit rendering engine.

Windows and Linux users are not affected by this vulnerability.

The Hacker News tested the attack on different web browsers, including Chrome, Safari, and Edge (on MacBook Pro and iPhone X) and it still worked on the latest version of both macOS and iOS operating systems.

So, Apple users are advised to be vigilant when visiting any web page containing the code or clicking on links sent over their Facebook or WhatsApp account, or in an email.

Haddouche has posted the source code of the CSS & HTML web page that causes this attack on his GitHub page.

Haddouche said he has already reported the WebKit vulnerability to Apple, and the company is possibly investigating the issue and working on a fix to address it in a future release.


New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs

Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.

The attack is a new variation of the traditional Cold Boot Attack, which has been around since 2008 and lets attackers steal information that briefly remains in memory (RAM) after the computer is shut down.

However, to make the cold boot attacks less effective, most modern computers come bundled with a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM when the power on the device is restored, preventing the data from being read.

Now, researchers from Finnish cyber-security firm F-Secure have figured out a new way to disable this overwrite security measure by physically manipulating the computer’s firmware, potentially allowing attackers to recover sensitive data stored on the computer after a cold reboot in a matter of minutes.

“Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk,” the security firm warns in a blog post published today.


Video Demonstration of the New Cold Boot Attack

Using a simple tool, researchers were able to rewrite the non-volatile memory chip that contains the memory overwrite settings, disable it, and enable booting from external devices. You can also watch the video demonstration performing the attack below.

Like the traditional cold boot attack, the new attack also requires physical access to the target device as well as the right tools to recover the remaining data in the computer’s memory.

“It’s not exactly easy to do, but it is not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” says F-Secure principal security consultant Olle Segerdahl, one of the two researchers.

“It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”


How Microsoft Windows and Apple Users Can Prevent Cold Boot Attacks


According to Olle and his colleague Pasi Saarinen, their new attack technique is believed to be effective against nearly all modern computers and even Apple Macs and can’t be patched easily and quickly.

The two researchers, who will present their findings today at a security conference, say they have already shared their findings with Microsoft, Intel, and Apple, and helped them explore possible mitigation strategies.

Microsoft updated its guidance on BitLocker countermeasures in response to F-Secure’s findings, while Apple said that its Mac devices equipped with an Apple T2 chip contain security measures designed to protect users against this attack.

But for Mac computers without the latest T2 chip, Apple recommends that users set a firmware password to help harden the security of their computers.

Intel has yet to comment on the matter.

The duo says there’s no reliable way to “prevent or block the cold boot attack once an attacker with the right know-how gets their hands on a laptop,” but suggest the companies can configure their devices so that attackers using cold boot attacks won’t find anything fruitful to steal.

Meanwhile, the duo recommends that IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their PCs.

Attackers could still perform a successful cold boot attack against computers configured like this, but since the encryption keys are not stored in the memory when a machine hibernates or shuts down, there will be no valuable information for an attacker to steal.


British Airways Hacked – 380,000 Payment Cards Compromised

British Airways, which describes itself as “The World’s Favourite Airline,” has confirmed a data breach that exposed personal details and credit-card numbers of up to 380,000 customers and lasted for more than two weeks.

So who exactly are victims?

According to a statement released by British Airways on Thursday, customers booking flights on its website (ba.com) and British Airways mobile app between late on 21 August and 5 September were compromised.

The airline advised customers who made bookings during that 15-day period and believe they may have been affected by this incident to “contact their banks or credit card providers and follow their recommended advice.”

British Airways stated on its Twitter account that personal details stolen in the breach included their customers’ names and addresses, along with their financial information, but the company assured its customers that the hackers did not get away with their passport numbers or travel details.

The company also said that cards saved on its website and mobile app were not compromised in the breach; only cards used to make booking payments during the affected period were stolen.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app,” the company said in a statement. “The stolen data did not include travel or passport details.”

Although the statement released by the airline did not mention the number of affected customers, the company’s spokesperson confirmed to the media that some 380,000 payment cards were compromised in the breach.

It is also not yet clear how the data breach occurred, but some media outlets are reporting that the breach was identified when “a third party noticed some unusual activity” and informed the company about it.

A spokesperson from British Airways confirmed to The Hacker News that “this is data theft, rather than a breach,” which suggests someone with privileged access to the data might have stolen it.

British Airways has also informed the police and the Information Commissioner and is currently reaching out to affected customers directly.

However, the company assured its customers that the security breach has now been resolved, and that its website is working normally and is now safe for passengers to check in and book flights online.

The National Crime Agency is aware of the British Airways data breach and is “working with partners to assess the best course of action.”

Air Canada also suffered a severe data breach late last month, which, along with personal data, exposed passport numbers and other passport and travel details of about 20,000 mobile app customers.


Cisco Issues Security Patch Updates for 32 Flaws in its Products

Cisco today released thirty security advisories to address a total of 32 security vulnerabilities in its products, three of which are rated critical, including the recently disclosed Apache Struts remote code execution vulnerability that is being exploited in the wild.

Of the remaining 29 vulnerabilities, 14 are rated high and 15 medium in severity, addressing security flaws in Cisco Routers, Cisco Webex, Cisco Umbrella, Cisco SD-WAN Solution, Cisco Cloud Services Platform, Cisco Data Center Network, and other products.

The three critical security vulnerabilities patched by Cisco address issues in Apache Struts, the Cisco Umbrella API, and the management interface of Cisco RV110W, RV130W and RV215W routers.

Apache Struts Remote Code Execution Vulnerability (CVE-2018-11776)

The vulnerability, reported late last month by Semmle security researcher Man Yue Mo, resides in the core of Apache Struts and stems from insufficient validation of user-provided untrusted input in the core of the Struts framework under certain configurations.


“The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action,” Cisco explains in its advisory.

“In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing.”

An unauthenticated, remote attacker can trigger the vulnerability by tricking victims into visiting a specially crafted URL on the affected web server, allowing the attacker to execute malicious code and eventually take complete control of the targeted server running the vulnerable application.

All applications that use Apache Struts—supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions—are potentially vulnerable to this flaw, even when no additional plugins have been enabled.

Apache Struts patched the vulnerability with the release of Struts versions 2.3.35 and 2.5.17 last month. Now, Cisco has also released fixes to address the issue in several of its products. You can check the list of vulnerable Cisco products here.

Since there are no workarounds for this issue, organizations and developers are strongly advised to update their Struts components as soon as possible.
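The advisory conditions quoted above (results with no namespace sitting under packages with no namespace or a wildcard namespace) can be checked in a struts.xml while an upgrade is scheduled. The following is an added example (not Cisco's, Semmle's or the Struts project's tooling) that audits a struts.xml for exactly those conditions; the two configurations it checks are constructed samples, and the check covers only struts.xml, not `<s:url>` tags in JSP pages.

```python
"""Audit a struts.xml for the configuration conditions behind CVE-2018-11776."""
import xml.etree.ElementTree as ET

# Result types that redirect to another action and so must resolve a namespace.
NAMESPACE_RESOLVING_RESULTS = {"redirectAction", "chain"}


def _result_namespace(result):
    """Return the result's explicit namespace param, or None if it has none."""
    for param in result.findall("param"):
        if param.get("name") == "namespace":
            return (param.text or "").strip()
    return None


def audit_struts_config(xml_text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    # This constant makes Struts take the namespace from the request URL for
    # every action, which widens the exposure described in the advisory.
    for const in root.findall("constant"):
        if (const.get("name") == "struts.mapper.alwaysSelectFullNamespace"
                and (const.get("value") or "").lower() == "true"):
            findings.append("struts.mapper.alwaysSelectFullNamespace=true")
    for pkg in root.findall("package"):
        ns = pkg.get("namespace")
        # No namespace at all, or a wildcard one, is the 'upper configuration'
        # condition from the advisory.
        risky_pkg = ns is None or ns == "" or "*" in ns
        if not risky_pkg:
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype in NAMESPACE_RESOLVING_RESULTS and _result_namespace(result) is None:
                    findings.append(
                        "package %r (namespace=%r) action %r: %s result has no namespace"
                        % (pkg.get("name"), ns, action.get("name"), rtype))
    return findings


# Constructed sample: package without a namespace and a redirectAction result
# that does not pin one either.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed sample: explicit package namespace and explicit result namespace.
HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>"""


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_struts_config(cfg) or "no findings")
```

The audit is a triage aid only; upgrading to Struts 2.3.35 or 2.5.17 remains the fix the page describes.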

Cisco Umbrella API Unauthorized Access Vulnerability (CVE-2018-0435)

The second critical vulnerability patched by Cisco resides in the Cisco Umbrella API and could allow an authenticated, remote attacker to view and modify data across their own organization as well as other organizations.

Cisco Umbrella is a cloud security platform that provides the first line of defense against threats over all ports and protocols by blocking access to malicious domains, URLs, IPs, and files before a connection is ever established or a file is downloaded.

The vulnerability stems from insufficient authentication configurations for the API interface of Cisco Umbrella, and successful exploitation could allow an attacker to read or modify data across multiple organizations.

Cisco has addressed this vulnerability in the Cisco Umbrella production APIs. No user action is required.

Cisco Routers Management Interface Buffer Overflow Vulnerability (CVE-2018-0423)

The last critical vulnerability resides in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router and could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition.

The flaw occurs due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface.

To exploit this vulnerability, an attacker can send malicious requests to a targeted device, triggering a buffer overflow condition.

“A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code,” the company explains.

This vulnerability affects all releases of Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.

Cisco has addressed this vulnerability in firmware release 1.0.3.44 for the Cisco RV130W Wireless-N Multifunction VPN Router, and will not release firmware updates for the Cisco RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN Router.

According to the company’s Product Security Incident Response Team (PSIRT), the Apache Struts flaw is being exploited in the wild, while the team is not aware of any exploits leveraging the other two critical flaws.


Air Canada Suffers Data Breach — 20,000 Mobile App Users Affected

Air Canada has confirmed a data breach that may have affected about 20,000 customers of its 1.7 million mobile app users.

The company said it had “detected unusual log-in behavior” on its mobile app between August 22 and 24, during which the personal information for some of its customers “may potentially have been improperly accessed.”

The exposed information includes basic details such as customers’ names, email addresses, phone numbers, and other information they have added to their profiles.

Passport Numbers Exposed in Air Canada Data Breach

However, what’s worrisome?

Hackers could also have accessed additional data, including a customer’s passport number, passport expiration date, passport country of issuance and country of residence, Aeroplan number, known traveler number, NEXUS number, gender, date of birth, and nationality, if users had this information saved in their profile on the Air Canada mobile app.

The airline assured its customers that credit card information saved to their profile was “encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” and is therefore protected.

However, Air Canada still recommends that affected customers monitor their credit card transactions and contact their financial services provider immediately if they find any unusual or unauthorized activity.

Reset Your Password

The company estimates that about 1% of its 1.7 million mobile app users—or about 20,000 users in total—may have been affected by the security breach.

Although it is not yet clear how the data breach occurred, whether it was a direct breach of Air Canada’s systems or the result of passwords reused from other sites, the airline encourages users to reset their passwords following its improved password guidelines, which say passwords should be at least 10 characters long and contain one symbol.

However, as a precaution, the airline has locked down all 1.7 million accounts until all of its customers—even those whose information was not exposed in the breach—change their passwords.

Air Canada has contacted potentially affected customers directly by email starting August 29 to tell them if their account has potentially been accessed by hackers improperly.
