Security

Sorry, Linux. We know you want to be popular, but cyber-crooks are all about Microsoft for now

Oh, and Flash! Arrrrrggghhh

Gareth Corfield Tue 19 Mar 2019 // 15:12 UTC

Eight out of the ten most exploited vulnerabilities tracked by threat intelligence biz Recorded Future in 2018 targeted Microsoft products – though number two on its list was, surprise surprise, a Flash flaw.

The most exploited vuln in the firm's hall of shame was a remote code execution flaw in Windows' VBScript engine that could pwn users who opened a booby-trapped web page with Internet Explorer.

"Exploit kits associated with this vulnerability were noted to spread the malware Trickbot through phishing attacks," said Recorded Future in a report published today.

The Flash vuln was none other than one exploited by North Korean state-backed hackers – first detected by South Korea's CERT, which discovered a flood of booby-trapped MS Office documents, web pages, spam messages and more.

Meanwhile, a near three-year-old vuln continues to be one of the most exploited flaws tracked by Recorded Future. Unveiled in July 2016, the Neutrino exploit kit was built out of code first published by white hats trying to provoke Microsoft into cleaning up an Internet Explorer zero-day vuln.

Recorded Future said it had seen five new exploit kits using the underlying code to target hapless IE users, warning that "the only workarounds are restricting access to two common dynamic-linked library files: VBScript.dll and JScript.dll".

The threat intelligence biz used a list of 167 exploit kits to define its master list of commonly abused vulns, as well as 492 remote-access Trojans. Its report specifically excluded Spectre, Meltdown and Eternalblue, on the grounds that the latter was "not used by the criminal underground", while the former pair were also not "heavily utilized" by miscreants. ®

Similar topics

Broader topics

Narrower topics

Corrections Send us news

Other stories you might like

FabricScape: Microsoft warns of vuln in Service Fabric

Not trying to spin this as a Linux security hole, surely?

Richard Speed Wed 29 Jun 2022 // 13:40 UTC

Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.
The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.
Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

Continue reading
Azure issues not adequately fixed for months, complain bug hunters

Redmond kicks off Patch Tuesday with a months-old flaw fix

Jessica Lyons Hardcastle Tue 14 Jun 2022 // 13:30 UTC

Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.
In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January.
And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse.

Continue reading
Microsoft unboxes Exchange Online certification in bid to push customers off-prem

More support engineers needed to keep the email flowing, it seems

Richard Speed Fri 24 Jun 2022 // 12:18 UTC

Microsoft has added a certification to augment the tired eyes and haunted expressions of Exchange support engineers.
The "Microsoft 365 Certified: Exchange Online Support Engineer Specialty certification" was unveiled yesterday and requires you to pass the "MS-220: Troubleshooting Microsoft Exchange Online" exam.

Continue reading

Microsoft postpones shift to New Commerce Experience subscriptions

The whiff of rebellion among Cloud Solution Providers is getting stronger

Simon Sharwood, APAC Editor Wed 29 Jun 2022 // 06:47 UTC

Microsoft has indefinitely postponed the date on which its Cloud Solution Providers (CSPs) will be required to sell software and services licences on new terms.
Those new terms are delivered under the banner of the New Commerce Experience (NCE). NCE is intended to make perpetual licences a thing of the past and prioritizes fixed-term subscriptions to cloudy products. Paying month-to-month is more expensive than signing up for longer-term deals under NCE, which also packs substantial price rises for many Microsoft products.
Channel-centric analyst firm Canalys unsurprisingly rates NCE as better for Microsoft than for customers or partners.

Continue reading
Symantec: More malware operators moving in to exploit Follina

Meanwhile Microsoft still hasn't patched the fatal flaw

Jeff Burt Thu 9 Jun 2022 // 11:45 UTC

While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.
Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.
In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

Continue reading
Start using Modern Auth now for Exchange Online

Before Microsoft shutters basic logins in a few months

Jeff Burt Wed 29 Jun 2022 // 22:59 UTC

The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.
In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.
"Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

Continue reading

Microsoft gives its partners power to change AD privileges on customer systems – without permission

Somewhat counterintuitively, this is being done to improve security

Simon Sharwood, APAC Editor Fri 1 Jul 2022 // 06:02 UTC

Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations.
Which sounds bonkers, so let's explain why Microsoft has even entertained the prospect.
To begin, remember that criminals have figured out that attacking IT service providers offers a great way to find many other targets. Evidence of that approach can be found in attacks on ConnectWise, SolarWinds, Kaseya and other vendors that provide software to IT service providers.

Continue reading
PowerShell pusher to log off from Microsoft: Write-Host "Bye bye, Jeffrey Snover"

'If you ever were rooting for somebody, please do him a favor and go tell him'

Richard Speed Wed 29 Jun 2022 // 09:05 UTC

Jeffrey Snover's lengthy and occasionally controversial term at Microsoft is to come to an end this week, as the PowerShell inventor sets off for pastures new after more than two decades at the Windows giant.

Continue reading
How refactoring code in Safari's WebKit resurrected 'zombie' security bug

Fixed in 2013, reinstated in 2016, exploited in the wild this year

Jeff Burt Tue 21 Jun 2022 // 08:31 UTC

A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.
That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.
In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

Continue reading
Wi-Fi hotspots and Windows on Arm broken by Microsoft's latest patches

Only way to resolve is a rollback – but update included security fixes

Richard Speed Mon 20 Jun 2022 // 15:30 UTC

Updated Microsoft's latest set of Windows patches are causing problems for users.
Windows 10 and 11 are affected, with both experiencing similar issues (although the latter seems to be suffering a little more).
KB5014697, released on June 14 for Windows 11, addresses a number of issues, but the known issues list has also been growing. Some .NET Framework 3.5 apps might fail to open (if using Windows Communication Foundation or Windows Workflow component) and the Wi-Fi hotspot features appears broken.

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Biting the hand that feeds IT © 1998–2022

Do not sell my personal information Cookies Privacy Ts&Cs