hoopsdavis 0 Posted January 16, 2020 Share Posted January 16, 2020 I'm interested to know if there's any news or information on the Vulnerability CVE-2020-0601. Will Eset put a patch/update in place to detect the mentioned vulnerability? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted January 16, 2020 Administrators Share Posted January 16, 2020 Microsoft has already released a hotfix for the vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 hoopsdavis 1 Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 16, 2020 Share Posted January 16, 2020 The patch was included in the Jan. cumulative update for Win 10 release last Tues.. For Win Server 2016 and 2019 which are also vulnerable, one will have to check with Microsoft on how the patch is being delivered or download the patch from the Win Catalog web site. hoopsdavis 1 Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 17, 2020 Share Posted January 17, 2020 (edited) BTW - this patch needs to be applied pronto! PoC Exploits Published For Microsoft Crypto Bug Quote Two proof-of-concept (PoC) exploits have been publicly released for the recently-patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft. The vulnerability (CVE-2020-0601) could enable an attacker to spoof a code-signing certificate (necessary for validating executable programs in Windows) in order to make it appear like an application was from a trusted source. The flaw made headlines when it was disclosed earlier this week as part of Microsoft’s January Patch Tuesday security bulletin. It marked the first time the NSA had ever publicly reported a bug to Microsoft. The two PoC exploits were published to GitHub on Thursday. Either could potentially allow an attacker to launch MitM (man-in-the-middle) attacks – allowing an adversary to spoof signatures for files and emails and fake signed-executable code inside programs that are launched inside Windows. One PoC exploit was released by Kudelski Security and the other by a security researcher under the alias “Ollypwn”. https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/ Edited January 17, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 17, 2020 Share Posted January 17, 2020 (edited) The following is a must read for anyone that cannot apply this Microsoft patch immediately: Quote Worried about an NSA ChainOfFools/CurveBall attack? There are lots of moving parts. Test your system. While many researchers recommend that you install Microsoft’s January Patch Tuesday updates to fend off a not-yet-imminent attack from the CVE-2020-0601 security hole, skeptics who are concerned about buggy Windows updates can now independently check their systems. Thanks to SANS, it’s easy. https://www.computerworld.com/article/3514599/worried-about-an-nsa-chainoffools-curveball-attack-there-are-lots-of-moving-parts-test-your-system.html In regards to the browser test referenced in the article: https://curveballtest.com/index.html , there is also an option to download a test malware executable, fake.exe. Eset detects it immediately on download attempt: Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here 1/17/2020 2:03:06 PM;HTTP filter;file;https://curveballtest.com/SANSISC_signed_fake.exe;Blocked Object;connection terminated;xxxx\xxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (704D5D7A43739F456D21E1A9B651F44C16D1E73B).;C3ADA8AD836A762AA6063474820B192B26FB780F;1/17/2020 2:03:06 PM Kudos to Eset on this one! The bad cert. detection for an executable is very important because: Quote However, the bad binary will still be executed on a patched machine, silently, without any warning except the event log above. This is a serious issue since the patch will not prevent such a maliciously signed binary from working, it will just create a log. Endpoint protection software should, hopefully, in this case correctly detect and block such an attempt. https://isc.sans.edu/forums/diary/Summing+up+CVE20200601+or+the+Lets+Decrypt+vulnerability/25720/ Edited January 17, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 17, 2020 Share Posted January 17, 2020 (edited) Invoking the principle that that "two opinions are better than one," here's another test web site set up by one of POC exploit authors where you can also see if your browser is vulnerable: http://testcve.kudelskisecurity.com/ . If you are using FireFox, the exploit attempt should be blocked by FireFox. Edited January 17, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 17, 2020 Share Posted January 17, 2020 (edited) I have previously applied the patch. Tried this exploit test, http://testcve.kudelskisecurity.com/ , on IE11 and nothing happened. No web site redirect w/ "Hello World" displayed, no certificate alert, nada. So don't know what to make of it other than it appears the exploit attempt didn't work. Since Eset is supposed to be performing certificate checking w/SSL/TLS protocol scanning enabled, appears the bad cert. was caught but the alert was never generated. Might also be a SmartScreen conflict. If I try to go to https://testcve.kudelskisecurity.com/ which is the redirected site, I get an IE11 error about a bad certificate. -EDIT- I have IE11 custom configured to max. security protection. As such, appears the test web site redirect attempt is being blocked by IE11. This is the real reason the test is not working for me. With default IE11 config., I would say it is vulnerable w/o the OS patch applied. Edited January 17, 2020 by itman Link to comment Share on other sites More sharing options...
jdashn 12 Posted January 17, 2020 Share Posted January 17, 2020 Would have hoped i could tell our decision makers that not only have we patched but Eset would also have our backs on this (similar to eternalblue, etc). Seems this is not the case judging from @Marcos 's comment? Just want to be sure, would hate to sell ESET short. Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 17, 2020 Share Posted January 17, 2020 (edited) 2 hours ago, jdashn said: similar to eternalblue, etc Not even close to that. The SMBv1 vulnerability allowed for a multi-stage attack deploying a worm, backdoor setting, and remote code execution infection. Edited January 17, 2020 by itman Link to comment Share on other sites More sharing options...
jdashn 12 Posted January 20, 2020 Share Posted January 20, 2020 Maybe you misunderstood my comment? I said that i wished ESET had our backs on this like they did for eternal blue. Not that the vulnerability is similar, obviously SMB1 is different from this CryptoAPI vulnerability, also different from Apache struts for that matter. All three have been patched to varying degrees by their respective software vendors, all three exploit very different things. I was asking if Eset would block and alert on attempts to exploit the CryptoAPI Vulnerability (as they do with attempts to exploit Eternalblue, apache struts, etc, etc) mostly so i can tell our decision makers that not only are we patched, and our checkpoint firewall will block the attacks, but ESET has our backs as well. If not and our only layers of defense are our firewall (it will alert at attempts of cryptoapi spoofing), and the patching of windows (there is also an event triggered on exploit attempt here), so be it - I was just asking if we had a 3rd layer of protection in ESET on this particular vulnerability. Is this something you know the answer to @itman or is this a better question for @Marcos ? Thanks! Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 20, 2020 Share Posted January 20, 2020 (edited) 26 minutes ago, jdashn said: Is this something you know the answer to @itman or is this a better question for @Marcos ? Eset CVE detection/protection is handled by Eset IDS protection. Whether this or for that matter, all known CVE's are covered is only something Eset can answer. Since @Marcos did not specifically state this CVE was covered by Eset, I assume it is not. -EDIT- As posted above, Eset will protect against signed binaries exploiting this vulnerability. Also note the MS patch does not protect against this. FireFox is not vulnerable. Neither is latest ver. of Chrome which was recently patched by Google. Edited January 20, 2020 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted January 20, 2020 Most Valued Members Share Posted January 20, 2020 On 1/18/2020 at 12:09 AM, jdashn said: Would have hoped i could tell our decision makers that not only have we patched but Eset would also have our backs on this (similar to eternalblue, etc). Seems this is not the case judging from @Marcos 's comment? Just want to be sure, would hate to sell ESET short. It's different as ITMAN said , EternalBlue had the American Gov's malware creators do that exploit and then it was leaked by them or by mistake , I don't remember This is a different thing , whatever still both of them were reported by the NSA , so don't be surprised if the NSA still have many like these in their pocket without telling Microsoft about them , as they did with the EternalBlue. Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 20, 2020 Share Posted January 20, 2020 28 minutes ago, Rami said: EternalBlue had the American Gov's malware creators do that exploit and then it was leaked by them or by mistake , I don't remember Shadow Brokers was responsible for all this havoc: https://en.wikipedia.org/wiki/The_Shadow_Brokers Also these were old exploits and Win 10 for the most part was not affected. Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 393 Posted January 20, 2020 Most Valued Members Share Posted January 20, 2020 2 hours ago, Rami said: It's different as ITMAN said , EternalBlue had the American Gov's malware creators do that exploit and then it was leaked by them or by mistake , I don't remember This is a different thing , whatever still both of them were reported by the NSA , so don't be surprised if the NSA still have many like these in their pocket without telling Microsoft about them , as they did with the EternalBlue. As the user has stated it's not how they work but if eset will block an attempt to use the exploit Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 20, 2020 Share Posted January 20, 2020 (edited) SANS updated their web page in regards to the binary exploit test: Small update: Quote Just a small update regarding digital signatures for binaries. First, the binary we put last night was not signed - we have put a signed one up now (with a fake signature), it is available at the following URL: https://curveballtest.com/SANSISC_signed_fake.exe Additionally, the fact that Windows will not prevent the binary from being executed is correct (thanks Stefan for the comment). The only sign of something going wrong will be when elevated, when the UAC prompt is shown. On a vulnerable system, the following prompt is shown: While a patched system will display the UAC prompt stating an unknown publisher. The binary test file is password protected, so Eset can't detect on download. Downloaded the file. Tried to extract the file and run it by using password. Eset detected and all is well.☺️ Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here 1/20/2020 2:33:31 PM;Real-time file system protection;file;C:\Users\xxxxx\AppData\Local\Temp\Temp1_SANSISC_signed_fake.zip\SANSISC_signed_fake.exe;Win32/Exploit.CVE-2020-0601.A trojan;cleaned by deleting;xxxx\xxxxx;Event occurred on a new file created by the application: C:\Windows\explorer.exe (726C9D759C5F02080FA003B50466A3BE0C959865).;C3ADA8AD836A762AA6063474820B192B26FB780F;1/17/2020 2:03:06 PM Edited January 20, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 20, 2020 Share Posted January 20, 2020 (edited) Hum ........... Here's something to ponder. If an attacker can spoof a binary code sig., can he also spoof a Microsoft code signed driver? If so, he could bypass Win 10 Secure Boot protection. With a kernel mode device driver, attacker can do almost anything. -EDIT- Maybe nothing nothing to worry about. MS code signing certs. don't chain to ECC root CA cert.. Checked Win driver directory and everything seems to be using RSA but, I have an old PC. I guess it is possible an attacker could drop a driver using ECC? Most are not using Secure Boot. -EDIT- ECC can only be used for cert. signing. RSA is used for encryption method. So yes, driver certs. can also be spoofed by this vulnerability as I see it. Assume Eset will detect those on file creation as it did for an executable. Edited January 21, 2020 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted January 21, 2020 Most Valued Members Share Posted January 21, 2020 (edited) 14 hours ago, peteyt said: As the user has stated it's not how they work but if eset will block an attempt to use the exploit Ah didn't pay attention , it should indeed block the exploits as far as I know , but it's better to keep the systems up to date , but I kind of think that Microsoft need to do better in terms of Windows security. NSA is always in their pocket finding vulnerabilities , reporting some , and keeping some, just like the EternalBlue , just like any individual or a team that aren't script kiddies can do also the same and keep their 0-day exploit in their pockets to use whenever they want , without causing so much noise , wondering how safe is this. We are just surprised once we see the vulnerability on the internet , but we never know for how long they have used it and how long it took them to find it and fix it , but it was there all the time , only known to those who look for them and keep them in their pockets for their own usage like the NSA do , if the NSA do such things that exploits you instead of protecting you from it because they are a 'Security Agency' which should be working on the Security of the Nation to protect it's people from the dangers outside but yet they were doing the opposite thing so if an Agency that is responsible for Security is exploiting the systems that everyone in the world use and keeping the exploits as weapons to be used once needed , then what would you expect from a group of hackers or individual that do this for money or for some kind of a mission complete we can do this or espionage or whatever the mission is. We should reach to a conclusions that our systems aren't safe , and they have much vulnerabilities that we don't know about , and 1 update in a month is very slow updating , exactly like Microsoft do , even though if there was something critical they will release a hotfix , but yet still they do monthly updates to their systems , something like this headline : A bug that causes context menus to be displayed under the taskbar is still around in Windows 10 - This was a bug since Windows XP. - It doesn't matter if the bug is not important or considered to be LOW in the status and not critical , it's in the system since Windows XP , so I think also there could be few like it yet remaning in Windows 10 And yet we still rely on our AV products to protect us from these kind of threats and our firewalls , but yet how much protection could they give us if the system itself is vulnerable? and if we got infected because the malware was written new and used some kind of vulnerability or an exploit that would elevate the permission of the malware or used a signed process that will elevate it's permissions and then bypassed the UAC or/and the AV , then we are compromised and then we start to blame our AV companies that we use , for what we pay money? and that is the straight blame. You go ahead and set the UAC to the maximum because that what Microsoft wants , a Yes or No question for the normal user to decide if this is malicious or not , just imagine a normal user with no experience with computers that is using his PC for office work or university and then he have a Yes or No question about something he never saw in his life , and doesn't know the differences between a good EXE and bad one , so the protection of your system is at the stake of your Yes or No , for example this kind of Bot will bypass the UAC Using Windows 10 UAC bypass When executed, TrickBot will check if the operating system is Windows 7 or Windows 10. If it is Windows 7, TrickBot will utilize the CMSTPLUA UAC bypass and if Windows 10, will now use the Fodhelper UAC Bypass. The endless ransomware's wave is an example of how our systems are vulnerable. More variants , more generation of malware variants , less detections , different ways of infecting or exploiting and yet even the AI won't catch it, because the AI has never seen anything before like it , and yet comes the other modules that will give you protection from that kind of threat where it's not seen , like a sandbox or whatever it is but still the important thing , the base system is not secure as it should be. Like Windows Defender before the Anti-Tamper and I don't know how good the Anti-Tamper is , but Defender was a joke , you could disable it with a registry key, if a normal user can do that , then why the malware won't be able to do it ? and it took Microsoft a long time to fix that. So who cares about our Security more than our-selves? , Microsoft yea. Edited January 21, 2020 by Rami Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 393 Posted January 21, 2020 Most Valued Members Share Posted January 21, 2020 2 hours ago, Rami said: Ah didn't pay attention , it should indeed block the exploits as far as I know , but it's better to keep the systems up to date , but I kind of think that Microsoft need to do better in terms of Windows security. NSA is always in their pocket finding vulnerabilities , reporting some , and keeping some, just like the EternalBlue , just like any individual or a team that aren't script kiddies can do also the same and keep their 0-day exploit in their pockets to use whenever they want , without causing so much noise , wondering how safe is this. We are just surprised once we see the vulnerability on the internet , but we never know for how long they have used it and how long it took them to find it and fix it , but it was there all the time , only known to those who look for them and keep them in their pockets for their own usage like the NSA do , if the NSA do such things that exploits you instead of protecting you from it because they are a 'Security Agency' which should be working on the Security of the Nation to protect it's people from the dangers outside but yet they were doing the opposite thing so if an Agency that is responsible for Security is exploiting the systems that everyone in the world use and keeping the exploits as weapons to be used once needed , then what would you expect from a group of hackers or individual that do this for money or for some kind of a mission complete we can do this or espionage or whatever the mission is. We should reach to a conclusions that our systems aren't safe , and they have much vulnerabilities that we don't know about , and 1 update in a month is very slow updating , exactly like Microsoft do , even though if there was something critical they will release a hotfix , but yet still they do monthly updates to their systems , something like this headline : A bug that causes context menus to be displayed under the taskbar is still around in Windows 10 - This was a bug since Windows XP. - It doesn't matter if the bug is not important or considered to be LOW in the status and not critical , it's in the system since Windows XP , so I think also there could be few like it yet remaning in Windows 10 And yet we still rely on our AV products to protect us from these kind of threats and our firewalls , but yet how much protection could they give us if the system itself is vulnerable? and if we got infected because the malware was written new and used some kind of vulnerability or an exploit that would elevate the permission of the malware or used a signed process that will elevate it's permissions and then bypassed the UAC or/and the AV , then we are compromised and then we start to blame our AV companies that we use , for what we pay money? and that is the straight blame. You go ahead and set the UAC to the maximum because that what Microsoft wants , a Yes or No question for the normal user to decide if this is malicious or not , just imagine a normal user with no experience with computers that is using his PC for office work or university and then he have a Yes or No question about something he never saw in his life , and doesn't know the differences between a good EXE and bad one , so the protection of your system is at the stake of your Yes or No , for example this kind of Bot will bypass the UAC Using Windows 10 UAC bypass When executed, TrickBot will check if the operating system is Windows 7 or Windows 10. If it is Windows 7, TrickBot will utilize the CMSTPLUA UAC bypass and if Windows 10, will now use the Fodhelper UAC Bypass. The endless ransomware's wave is an example of how our systems are vulnerable. More variants , more generation of malware variants , less detections , different ways of infecting or exploiting and yet even the AI won't catch it, because the AI has never seen anything before like it , and yet comes the other modules that will give you protection from that kind of threat where it's not seen , like a sandbox or whatever it is but still the important thing , the base system is not secure as it should be. Like Windows Defender before the Anti-Tamper and I don't know how good the Anti-Tamper is , but Defender was a joke , you could disable it with a registry key, if a normal user can do that , then why the malware won't be able to do it ? and it took Microsoft a long time to fix that. So who cares about our Security more than our-selves? , Microsoft yea. The thing is every OS has bugs and exploits. I remember an apple fanboy telling me there where no security issues with Apple and I pointed out they'd just released an update to fix some and his reply was yeah but that means there's none now. If there hasn't been an issue found it's not that there's none there they just haven't been discovered yet. I mean how long did things like spectre and heartbleed go undetected. The update thing is interesting because when it comes to updates they have slowed down. Microsoft was doing 2 big updates a year with obviously security ones throughout. Now they seem to be doing 1 big one and then one that is like a service pack which fixes bugs and stability issues. People complained the updates where too many and often buggy. I wouldn't mind seeing more updates but instead of big ones smaller ones throughout so new features get included throughout the year but with the testing period and to avoid bugs it might be tricky. Also this is why I never recommened using an unsupported OS. Windows 10 has the best security over previous versions and with many other versions unsupported including windows 7 now, using them puts users at risk as some bugs and vulnerabilities won't be fixed. An AV for example can be useless if your using an old unpatched OS Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted January 21, 2020 Most Valued Members Share Posted January 21, 2020 (edited) 3 hours ago, peteyt said: The thing is every OS has bugs and exploits. I remember an apple fanboy telling me there where no security issues with Apple and I pointed out they'd just released an update to fix some and his reply was yeah but that means there's none now. If there hasn't been an issue found it's not that there's none there they just haven't been discovered yet. I mean how long did things like spectre and heartbleed go undetected. The update thing is interesting because when it comes to updates they have slowed down. Microsoft was doing 2 big updates a year with obviously security ones throughout. Now they seem to be doing 1 big one and then one that is like a service pack which fixes bugs and stability issues. People complained the updates where too many and often buggy. I wouldn't mind seeing more updates but instead of big ones smaller ones throughout so new features get included throughout the year but with the testing period and to avoid bugs it might be tricky. Also this is why I never recommened using an unsupported OS. Windows 10 has the best security over previous versions and with many other versions unsupported including windows 7 now, using them puts users at risk as some bugs and vulnerabilities won't be fixed. An AV for example can be useless if your using an old unpatched OS Indeed that is true what you are talking , that there is no operating system that has no vulnerabilities and/or security problems and they are all able to being exploited or hacked depending on how market share that operating system has and what is the interest or the impact of hacking that system and to how much it could spread to. Looking at Linux they always have the LTSB version for even Desktop version , Microsoft only recently introduced this with their Enteprise version only , so you are still stuck with the major upgrade every while and it's painful if you are in a working environment without an Enterprise license because it costs more than a Professional would cost , but Linux do follow the update style of small updates coming in fast , just like ESET does , fast updates and tiny , because they all come small , and once needed for a big update it will come. But yet still , The normal user isn't experienced as most of us in this forum or the little bit advanced user in the PC world , so he will probably not know all of these things , and even about the vulnerabilities and exploits. But security and privacy are serious subjects for work environments and also home , no body wants his data removed or someone leaking it to the outside , or encrypted and being asked for money for their data while most of these people don't know how to use BitCoin , but they aren't being treated as serious as it looks like. And you could say it's about how fast you will apply the updates , It's fine , this panic is only because you knew that this vulnerability or exploit is available now , but think about it , it's available since the time that the first one found it and kept it for him, not all people will go to report so they can take a little money from the company that he reported to or just to put his name on the thank you page. It's cyber warfare , even in politics , health , consumer , whatever , that shows us all , that most of our operating systems are not secure unless you tweak the hell out of them and make them secure as much as possible and then you get to see that still it's not secure. NSA blames Russia for the leak , Russia says I don't know what you are talking about and it's kind of the fight between the 2 classmates in the school while neither of them has an evidence of something and yet one blames the other and the other says I wasn't there , and then yet still not one word about our Privacy or Security by both the NSA or Microsoft or by any kind of another system , and also as the NSA have these exploits for Windows , they for sure have it for all kind of other operating systems , including iOS , OSX , Linux , FreeBSD , Android etc.. It's no surprise that the Russian Gov develops and maintain it's own system for their Army and different departments : Quote "Astra Linux is a Russian Linux-based computer operating system developed to meet the needs of the Russian army, other armed forces and intelligence agencies. ... It has been officially certified by Russian Defense Ministry, Federal Service for Technical and Export Control and Federal Security Service." They do this , they craft their own system from Linux and do it the way they want and secure it as good as they see , because they really know that the normal consumer have operating systems that are so vulnerable and this endless chain of exploits , 0-day infections , vulnerabilities will never end and it will just be more and more , Good thing about Open Source that too much eyes are looking at the code and might look for the mistake , but in the same time , it's open source so you could understand what is happening behind the scenes without the need to debug or reverse engineer or whatever it is. There is no use of the traditional AV against the 0-day infection , it doesn't matter if it can recognize 1 million malware and slips 1 that could destroy your whole work infrastructure and spreads to all And yet still you can't blame the AV because it won't protect you 100% and yet the other modules that should protect you maybe didn't work as it supposed to , or the malware evaded them and yet again you will rely on your system security structure One good thing about Linux is the sudo , you can't do anything without it , and yet still if your root password is stolen , then you are gone. Whatever the message is from white hat or black hat or color less hat , their message from all of these malwares , exploits , vulnerabilities , etc , the message from them to us that our operating systems are not safe and secure And for them , it's all fun because it's an art of work what they do and they do that because they do love to do so and they will never stop , with bundles that are made to generate variants of Malwares that will look new to the AVs each time there is a new generation , it will be endless signature updates for the AV companies and hard work to improve machine learning A.I and yet that can also be evaded. For an example in Linux , download a script or some kind of a weird file , it won't be able to execute unless you give it permissions to , so if you are a normal user who doesn't know what the hell is going on , he won't even know how to give it permissions , compare to Microsoft , double click , Yes/No question , click the wrong button and you die and even so if the malware was smartly written then even so clicking no won't save you because it has already elevated itself through somekind of another process or somekind of exploit/vulnerability Quote As Fodhelper is a trusted Windows executable, it allows auto-elevation without displaying a UAC prompt. Any programs that it executes will be executed without showing a UAC prompt as well. TrickBot utilizes this bypass to launch itself without a warning to the user and thus evading detection by the user. It's bad to rely on the user re-action for his own security when most of the people who use smart phones and PCs are not experienced enough to distinguish what is good and what is bad , and even the experienced one can fall sometimes. So I wonder if we want to ask how secure our systems are ? The answer is I believe , not secure. Let alone the apps that you remove from Windows 10 and then Windows 10 decides that you need them , you must need them! , because we have some kind of marketing deal. Edited January 21, 2020 by Rami Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 21, 2020 Share Posted January 21, 2020 (edited) 6 hours ago, Rami said: Using Windows 10 UAC bypass When executed, TrickBot will check if the operating system is Windows 7 or Windows 10. If it is Windows 7, TrickBot will utilize the CMSTPLUA UAC bypass and if Windows 10, will now use the Fodhelper UAC Bypass. This is only the latest among numerous other ways to employ Win OS "living of the land" legit executables to perform hidden escalation to admin privileges. Thankfully, most but not all, can be thwarted by setting UAC to its maximum setting. The issue is how many have UAC set to that level? Many don't care for its alerts at the default setting and will certainly object to more alerts at the maximum level. -EDIT- Then there is the real question of how many have the technical skills to effectively respond to an unexpected UAC alert. Finally, there is Microsoft's atypical statement that "UAC is not a security boundary." BTW - logging on under a standard user account will also prevent most of these hidden escalation attempts. Edited January 21, 2020 by itman Nightowl 1 Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted January 21, 2020 Most Valued Members Share Posted January 21, 2020 2 minutes ago, itman said: This is only the latest among numerous other ways to employ Win OS "living of the land" legit executables to perform hidden escalation to admin privileges. Thankfully, most but not all, can be thwarted by setting UAC to its maximum setting. The issue is how many have UAC set to that level? Many don't care for its alerts at the default setting and will certainly object to more alerts at the maximum level. Then there is Microsoft's atypical statement that "UAC is not a security boundary." I know a guy who works as an IT who turn off the UAC as soon as he gets to work on the Windows Server , you can't rely on people for their own protection in the cyber world. and normal people surely won't really dig into maximizing the UAC for their own protection , while their mission on the computer is only to get that doc file or see something on the internet and turn off the PC. I don't like the debate of which system is better , but for sure in terms of security and/or permissions , Windows falls behind Linux and Unix , the security is built better on these systems. But that doesn't say that they cannot be hacked or exploited or whatever , Some wizard with 99+ Keyb0ard SKiLL will sure find his way Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 393 Posted January 21, 2020 Most Valued Members Share Posted January 21, 2020 4 hours ago, Rami said: , you can't rely on people for their own protection in the cyber world. and normal people surely won't really dig into maximizing the UAC for their own protection , while their mission on the computer is only to get that doc file or see something on the internet and turn off the PC. This is the problem though - most people want their OS and AV to do everything for them and until people change their mindset about this hacks will always happen. Users have to take control of their own security. An AV is never 100 percent - if for example you keep visiting dodgy sites there's always a risk that you might eventually get infected. If you just click links in emails blindy, open attachments etc. then there is also a risk. I remember when apple seemed to suffer a big iCloud hack and started rolling two step authentication because of it but interestingly as far as I know they never admitted they were hacked and I think this is because they probably weren't and most victims feel for forms of social engineering. The problem is 2FA while handy isn't perfect - I've heard of hackers pretending to be from Apple tricking people into disabling it e.g. "There is a problem with your account but we cannot access it to fix because of 2FA, please disable." Until people start actually looking at what they are doing and questioning things there will always be hacks. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted January 23, 2020 Most Valued Members Share Posted January 23, 2020 (edited) 36 minutes ago, barryallen1337 said: i think this vulnreablity is patched now ! Is that an attempt to spam links? Edited January 23, 2020 by Marcos Links removed Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted January 23, 2020 Administrators Share Posted January 23, 2020 7 minutes ago, Rami said: Is that an attempt to spam links? Seems so. The user has been banned for spamming. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted January 23, 2020 Most Valued Members Share Posted January 23, 2020 (edited) 57 minutes ago, Marcos said: Seems so. The user has been banned for spamming. I edited the links to hxxps to prevent clicking but I see that you removed them. Glad he's out. Thank you. Edited January 23, 2020 by Rami Link to comment Share on other sites More sharing options...
Recommended Posts