MS Office Built-in Feature Allows Malware Execution Without Macros Enabled

This exploit turns users’ common sense against them.

Security researchers at Cisco’s Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring Macros enabled or memory corruption.

This macro-less code execution technique in MS Word, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, leverages a built-in feature of MS Office called Dynamic Data Exchange (DDE) to perform code execution.

The Dynamic Data Exchange (DDE) protocol is one of several methods Microsoft provides for two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.

Read the article to see how this attack is accomplished…

Source: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled

Hackers pounce on 3 vulnerable WordPress plugins – Naked Security

Remember the old saying about bad things coming in threes? Flaw hunters Wordfence would probably agree with the sentiment after uncovering some nasty zero-day flaws in a trio of WordPress plugins.

Not a great start, then, but much worse is that the vulnerabilities were already being exploited when the company discovered them by chance during recent attack investigations – meaning anyone running them is vulnerable and should update immediately.

Read the article to see what plugins are affected

Source: Hackers pounce on 3 vulnerable WordPress plugins – Naked Security

Beware! Don’t Fall for FireFox “HoeflerText Font Wasn’t Found” Banking Malware Scam

For all you FireFox users…

The malicious scam campaign, “The ‘HoeflerText’ font wasn’t found,” is back, which was previously targeting Google Chrome users to trick them into installing Spora ransomware on their computers.

This time the campaign has been re-designed to target Mozilla Firefox users with a banking trojan, called Zeus Panda.

Interestingly, the attackers behind this new campaign are so stupid that they forgot to change the name of the font, i.e. HoeflerText, due to which it was easily caught by Kafeine, a security researcher at Proofpoint.

Read the article…

Source: Beware! Don’t Fall for FireFox “HoeflerText Font Wasn’t Found” Banking Malware Scam

Unpatched WordPress Flaw Could Allow Hackers To Reset Admin Password

For all you do-it-yourself-ers, this is why it’s important to stay current on your core, theme, and plugin updates.  If you can’t find the time, hire me, or another professional, to do it consistently.  Most updates should not be considered “optional.”  They are done to stay ahead of hackers or fix exploit flaws.

WordPress, the most popular CMS in the world, is vulnerable to a logical vulnerability that could allow a remote attacker to reset targeted users’ passwords under certain circumstances.

The vulnerability (CVE-2017-8295) becomes even more dangerous after knowing that it affects all versions of WordPress — including the latest 4.7.4 version.

The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers last year in July, who reported it to the WordPress security team; they decided to ignore this issue, leaving millions of websites vulnerable.

Read the article…

Source: Unpatched WordPress Flaw Could Allow Hackers To Reset Admin Password

How to Make Windows Troubleshoot Your PC’s Problems for You

Why not let Windows do all the heavy lifting when you have a problem?

Windows includes a variety of “troubleshooters” designed to quickly diagnose and automatically solve various computer problems. Troubleshooters can’t fix everything, but they’re a great place to start if you encounter a problem with your computer.

Troubleshooters are built into the Control Panel on Windows 10, 8, and 7, so practically all Windows users can take advantage of them. On Windows 10’s Creators Update, most troubleshooters are now available through the Settings app.

Read the article to find out more…

Source: How to Make Windows Troubleshoot Your PC’s Problems for You

How to Open Office Files Without Being Hacked

Here are some good safety tips for opening Word documents, especially since Microsoft seems to be so slow at patching known exploits. The easiest and most foolproof (so far) method is to open your documents in an online service: either Office Online or Google Docs. This way the desktop exploits can’t be utilized.

Microsoft Office document files you download from the internet can harm your PC. Office files can contain dangerous macros, but macros aren’t the only risk. With new malware attacking PCs through dangerous Office documents that don’t even contain macros, keeping yourself safe in Office is just one of the security practices you should follow.

Read article…

Source: How to Open Office Files Without Being Hacked

Beware of an Unpatched Microsoft Word 0-Day Flaw being Exploited in the Wild

As a general rule, you should never open a file from anyone that you aren’t expecting.  If your best friend or family member sends you a file you didn’t ask for, email them and make sure they sent it. This exploit bypasses the disabled macro settings and is very devious.

According to researchers, this zero-day attack is severe as it gives the attackers the power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it does not require victims to enable Macros.

Due to these capabilities, this newly discovered attack works on all Windows operating systems even against Windows 10, which is believed to be Microsoft’s most secure operating system to date.

Besides this, the exploit displays a decoy Word document for the victims to see before terminating in order to hide any sign of the attack.

Read the entire article…

Source: Beware of an Unpatched Microsoft Word 0-Day Flaw being Exploited in the Wild

No More Ransom — 15 New Ransomware Decryption Tools Available for Free

If viable, these could be very valuable tools…

Launched less than a year ago, the No More Ransom (NMR) project has increased its capacity with new partners and new decryption tools added to its now global campaign to combat Ransomware.

Started as a joint initiative by Europol, the Dutch National Police, Intel Security and Kaspersky Lab, No More Ransom is an anti-ransomware cross-industry initiative to help ransomware victims recover their data without having to pay ransom to cyber criminals.

The online website not only educates computer users on how to protect themselves from ransomware, but also provides a collection of free decryption tools.

Source: No More Ransom — 15 New Ransomware Decryption Tools Available for Free

Google Does It Again: Discloses Unpatched Microsoft Edge and IE Vulnerability

Again, how can this be good for Microsoft business?

This month has been quite interesting for cyber security researchers, with Google successfully cracking SHA-1 and the discovery of the Cloudbleed bug in Cloudflare that caused the leakage of sensitive information across sites hosted behind Cloudflare.

Besides this, Google last week disclosed an unpatched vulnerability in Windows Graphics Device Interface (GDI) library, which affects Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.

While the Windows vulnerability has yet to be patched by the company, Google today released the details of another unpatched Windows security flaw in its browser, as Microsoft did not act within its 90-day disclosure deadline.

Read the article…

Source: Google Does It Again: Discloses Unpatched Microsoft Edge and IE Vulnerability

Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

These newly discovered bugs in Java and Python are a big deal today.

The two popular programming languages, Java and Python, contain similar security flaws that can be exploited to send unauthorized emails and bypass any firewall defenses.

And since both the flaws remain unpatched, hackers can take advantage to design potential cyber attack operations against critical networks and infrastructures.

The unpatched flaws actually reside in the way the Java and Python programming languages handle File Transfer Protocol (FTP) links, where they don’t syntax-check the username parameter, which leads to what researchers call a protocol injection flaw.

Read more…

Source: Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again!

Could this be one of the reasons why Microsoft is no longer an industry leader?

Microsoft is once again facing embarrassment for not patching a vulnerability on time.

Yes, Google’s Project Zero team has once again publicly disclosed a vulnerability (with POC exploit) affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 that had yet to be patched.

A few months back, the search engine giant disclosed a critical Windows vulnerability to the public just ten days after revealing the flaw to Microsoft.

Source: Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again!

Microsoft Joins The Linux Foundation — Turns Love Affair Into a Relationship

You won’t believe your eyes while reading this, but this is true. Microsoft just joined the Linux Foundation as a high-paying Platinum member.

Microsoft’s love for the open source community keeps growing as time passes. At its first Connect event in 2013, the company launched Visual Studio 2013. A year later, Microsoft open sourced .NET, and last year, it open sourced the Visual Studio Code editor as well.

Read the entire article…

Source: Microsoft Joins The Linux Foundation — Turns Love Affair Into a Relationship

Adobe Flash Hacked in 4 Seconds, Safari Pwned In Less Than Half Minute

Most software vendors do not take security very seriously.  This was a huge wake-up call to the world at large.

PwnFest 2016 has become a death call for many software vendors. The hackers have managed to take down Apple’s Safari web browser in 20 seconds using a root privilege escalation zero-day. Another team managed to compromise Adobe Flash using an exploit that took just 4 seconds to run.

Source: Adobe Flash Hacked in 4 Seconds, Safari Pwned In Less Than Half Minute

Google discloses Critical Windows Zero-Day that makes all Windows Users Vulnerable

Users are advised to update their Flash software now and apply Windows patches as soon as they become available.

Google has once again publicly disclosed a zero-day vulnerability in current versions of Windows operating system before Microsoft has a patch ready.

Yes, the critical zero-day is unpatched and is being used by attackers in the wild.

Google made the public disclosure of the vulnerability just 10 days after privately reporting the issue to Microsoft, giving the chocolate factory little time to patch issues and deploy a fix.

Source: Google discloses Critical Windows Zero-Day that makes all Windows Users Vulnerable

Warning! Over 900 Million Android Phones Vulnerable to New ‘QuadRooter’ Attack

Download the free utility and see whether your phone needs patching. Verizon has patched only 1 of the 4 vulnerabilities. Shameful!

Android has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets that affect more than 900 Million Android smartphones and tablets worldwide.

What’s even worse: Most of those affected Android devices will probably never be patched. Dubbed “Quadrooter,” the set of four vulnerabilities discovered in devices running Android Marshmallow and earlier that ship with Qualcomm chips could allow an attacker to gain root-level access to any Qualcomm device.

The chip, according to the latest statistics, is found in more than 900 Million Android tablets and smartphones.

Read more for a free utility that will test your phone…

Source: Warning! Over 900 Million Android Phones Vulnerable to New ‘QuadRooter’ Attack

How Just Opening an MS Word Doc Can Hijack Every File On Your System | The Hacker News

If you receive a mail masquerading as a company’s invoice and containing a Microsoft Word file, think twice before clicking on it.
Doing so could cripple your system and could lead to catastrophic destruction.

Hackers are believed to be carrying out social engineering hoaxes by adopting eye-catching subjects in the spam emails and compromised websites to lure the victims into installing a deadly ransomware, dubbed “Locky,” into their systems.

Read More: How Just Opening an MS Word Doc Can Hijack Every File On Your System | The Hacker News

Kaspersky Researcher Shows How He Hacked His Hospital While Sitting In His Car – fossBytes

Please note that he noticed the potential security risks inherent in the hospital’s system and medical equipment and got permission to run tests to expose the vulnerabilities.

When we visit a hospital, we put our complete trust in our doctor and the medical equipment that he/she uses. With advancement in technology, this equipment has become more complex and interconnected. Sadly, ensuring standard cybersecurity measures is not a top priority of the medical professionals. This fact was recently outlined by a Kaspersky security researcher who hacked a hospital while sitting in his car.

Source: Kaspersky Researcher Shows How He Hacked His Hospital While Sitting In His Car – fossBytes

Uber tests out using smartphones to monitor driver behavior | Ars Technica

So, what could possibly go wrong? Is anyone else weirded out by this?

Uber announced today that it will monitor some of its drivers’ behavior for things like excessive speeding or distracted driving. Starting with a trial in Houston, the program will use Uber drivers’ own smartphones to provide data to the company.

The company will use a phone’s gyroscopes, accelerometers, and GPS to record whether drivers break speed limits or play with their phone while the vehicle is in motion. But in this trial, Uber will only access that data if a customer has a complaint about driving standards.

Always-on monitoring of driving standards may come later, according to Uber Chief Security Officer Joe Sullivan. For now, the initiative is about being able to fact-check complaints and keep the company’s rating system on the rails.

Distracted driving is a serious problem, and it’s responsible for much of the push toward self-driving cars in the US. As companies like Zendrive have shown, the sensors in smartphones today are very capable of assessing whether a phone is being used while traveling in a car.

Source: Uber tests out using smartphones to monitor driver behavior | Ars Technica

From Today Onwards, Don’t You Even Dare To Use Microsoft Internet Explorer | The Hacker News

Are we prepared to play this out without setting any groundwork and without mitigating and reducing the consequences of an all-automated society?

Yes, from today, Microsoft is ending support for versions 8, 9 and 10 of its home-built browser Internet Explorer, thereby encouraging Windows users to switch to Internet Explorer version 11 or its newest Edge browser.
Microsoft is going to release one last patch update for IE8, IE9 and IE10 today, but this time along with an “End of Life” notice, meaning Microsoft will no longer support the older versions.
So, if you want to receive continuous updates for your web browser and avoid being exposed to potential security risks after 12 January, you are advised to upgrade your browser to Internet Explorer 11, or its new Edge browser.

Source: From Today Onwards, Don’t You Even Dare To Use Microsoft Internet Explorer | The Hacker News

‘Ridiculous’ Bug in Popular Antivirus Allows Hackers to Steal all Your Passwords

If you have installed Trend Micro’s Antivirus on your Windows computer, then Beware.

Your computer can be remotely hijacked or infected with any malware, even just through a website, thanks to a critical vulnerability in Trend Micro Security Software.

The popular antivirus maker and security firm Trend Micro has released an emergency patch to fix critical flaws in its anti-virus product that allow hackers to execute arbitrary commands remotely as well as steal your saved passwords from the Password Manager built into its AntiVirus program.

The password management tool that comes bundled with its main antivirus is used to store passwords by users and works exactly like any other password manager application.

Even Websites Can Hack Into Your Computer

Google’s Project Zero security researcher, Tavis Ormandy, discovered the remote code execution flaw in Trend Micro Antivirus Password Manager component, allowing hackers to steal users’ passwords.

In short, once compromised, all your accounts passwords are gone.

Read the entire article…

Source: ‘Ridiculous’ Bug in Popular Antivirus Allows Hackers to Steal all Your Passwords | The Hacker News

Pioneer In Internet Anonymity Hands FBI A Huge Gift In Building Dangerous Backdoored Encryption System | Techdirt

Rockin’ Encryption, Open Back Door…

Few doubt Chaum’s cryptography skills or pedigree. He was instrumental in the early days of computer cryptography and what anonymity we have online today owes a lot to Chaum. But his latest plan is… troubling:

At the Real World Crypto conference at Stanford University today, Chaum plans to present for the first time a new encryption scheme he calls PrivaTegrity. Like other tools Chaum has spent his long career developing, PrivaTegrity is designed to allow fully secret, anonymous communications that no eavesdropper can crack, whether a hacker or an intelligence agency.

That part sounds good, right? But then there’s this:

That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether.

Whoever controls that backdoor within PrivaTegrity would have the power to decide who counts as “evil”—too much power, Chaum recognizes, for any single company or government. So he’s given the task to a sort of council system. When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications. The result, Chaum argues, is a new approach that “breaks the crypto wars,” satisfying both the law enforcement agencies who argue that encryption offers a haven for criminals, and also those who argue that it’s necessary to hobble mass spying.

Unfortunately, Chaum is both totally missing the point and playing right into the FBI’s hands. The argument of basically every other cryptographer is that building any encryption system is incredibly difficult — and introducing any sort of backdoor opens up massive and dangerous vulnerabilities — whether the original creators recognize it or not. The second you introduce a backdoor — even using Chaum’s weird “nine people in nine countries” system — you have introduced a vulnerability. A vulnerability that can and will be abused by others. You are introducing a security flaw. And that’s a massive security problem.

Source: Pioneer In Internet Anonymity Hands FBI A Huge Gift In Building Dangerous Backdoored Encryption System | Techdirt

Get A Glimpse Of The Cyber Threat Landscape For 2016 And Beyond | Hacked

Here’s a rundown of the cyber threat landscape for 2016 and beyond, courtesy of a report from Intel Security.

Coming In 2016

The 2016 predictions cover threats from ransomware, infrastructure attacks, attacks on automobile systems and the sale and warehousing of stolen data.

• Hardware: Attacks on hardware and firmware will continue while the market for the tools that facilitate them will increase. System firmware toolkits could target virtual machines.

• Ransomware: Ransomware is a growing threat that could anonymize payment methods and networks. More inexperienced cybercriminals will use ransomware-as-a-service.

• Wearables: Most wearable devices store only small amounts of information, but cybercriminals could target them to undermine the smartphones that manage them. The industry will have to protect attack surfaces like networking and wi-fi software, operating system kernels, memory, user interfaces, storage systems and local files, web apps, virtual machines and security and access control software.

• Employee systems: Attackers are likely to target organizations through their employees, including their home security systems, to access corporate networks. Organizations will have to stay vigilant by implementing new security technologies, create effective policies and hire experienced people.

• Cloud services: Attackers could exploit vulnerable security policies that protect cloud services. These services could undermine business strategy, financials, portfolio strategies, next-generation innovations, employee data, acquisition and divestiture plans, and other data.

• Automobiles: Connected automobile systems that lack security capabilities will be potential scenarios for exploitation. Automakers and IT vendors will partner to provide standards and solutions to protect attack surfaces like engine and transmission engine control units (ECUs), remote key systems, advanced driver assistance system ECUs, passive keyless entry, USBs, OBD IIs, V2X receiver, smartphone access and remote link type apps.

• Warehouses of stolen data: The dark market for stolen, personally-identifiable information and user names and passwords will increase in 2016. Big data warehouses that link together stolen, personally-identifiable information sets make combined records more valuable to attackers.

• Integrity attacks: Selective compromises to systems and data mark one of the most significant new attack vectors. Such attacks seize and modify transactions or data to favor perpetrators. An attacker can change direct deposit settings for a victim’s paychecks and direct the deposit to a different account. Cyber thieves could steal millions of dollars in an integrity attack in the financial sector in 2016, McAfee Labs predicts.

• Sharing threat intelligence: Enterprises and security vendors will increasingly share intelligence. Legislative action could allow governments and companies to share threat intelligence. Best practices in this area will increase, allowing success metrics to emerge and quantify protection improvement. Threat intelligence cooperatives among vendors will grow.

Source: Get A Glimpse Of The Cyber Threat Landscape For 2016 And Beyond | Hacked

Adobe to Kill ‘FLASH’, but by Just Renaming it as ‘Adobe Animate CC’ – The Hacker News

“What it won’t bring is: a fix for the number of security issues that have plagued Adobe Flash for years.

The platform has a new name, but the development tool lives on.

So, Flash isn’t actually dead; it’s just renamed.

“Adobe’s strategy is to make money regardless of what happens in the market,” says Jeffrey Hammond, principal analyst at Forrester Research. “They understand that there is a slow transition to HTML5 going on.”

“At some point you have to embrace the change,” Hammond adds. “The rebranding is the visible sign of that, but the internal focus on supporting the technologies like HTML5 has been going on a while.”

So, hiding Flash behind a different name doesn’t solve the stability and security issues. In fact, a recently uncovered flaw in the software was so nasty that the only way to get rid of it was to completely uninstall Flash Player.”