Hold off that rush into the July 4 weekend – you may need this: Microsoft patches pwn-by-picture pitfalls in Win 10

Redmond also praised for blocking malware control systems on its clouds

Microsoft has emitted a pair of security patches to address flaws in Windows 10 that can be potentially exploited by miscreants to hijack PCs. A victim simply needs to be tricked into opening a file containing a specially crafted image on a vulnerable system.

The Redmond giant said this week the exploitable bugs, CVE-2020-1457 and CVE-2020-1425, are in the Windows HEVC Codec Library that some applications use to process images.

In the case of CVE-2020-1457, a successful exploit would lead directly to arbitrary code execution on the victim's computer for the attacker, while Microsoft said CVE-2020-1425 would let the aggressor "obtain information to further compromise the user's system" though it is also described as a remote-code-execution flaw.

If there's some good news to be had from this, it is that Windows 10 in its default setup is not vulnerable. The HEVC codec in question is an optional add-on downloaded from the Windows Store.

Windows Server and older versions of Windows are not vulnerable.

It is relatively rare for Microsoft to post security updates outside of its normal Patch Tuesday cadence. In this case, Redmond said it went off-road because HEVC is a Windows Store download, and, therefore, not subject to the same patch release timings for built-in Windows 10 components.

Credit for the discovery went to Abdul-Aziz Hariri working through Trend Micro's Zero Day Initiative. The flaw was privately reported, and thus far there have been no reports of in-the-wild exploits.

Downloading a patch

Cisco SMB kit harbors cross-site scripting bug: One wrong link click... and that's your router pwned remotely


Microsoft's next scheduled security update is July 14.

On the bright side for Microsoft, folks at F-Secure are applauding the US tech titan's security gurus for preventing botnet and malware operators from abusing Azure and Office 354 services.

F-Secure's Tim Carrington said his team can no longer use instances on either cloud service to function as command-and-control servers in its C3 framework.

The C3 service functions as a sort of proof-of-concept botnet service that F-Secure offers to help companies test their networks and services against real-world attacks. The idea is that, if testers can get in using C3, it's a safe bet that criminals can as well.

In this case, Carrington explained, Microsoft has beefed up its detection and removal tools, and as a result any attempts to spin up a malware command-and-control server with Office365 or Azure are wiped out within three hours.

"Microsoft has risen to the challenge of using offence to inform defense. This has not only disrupted F-Secure Consulting's red team operators, but delivered a killer blow to real-world threat actors," Carrington said.

"Any effort by an organization that forces attackers to redevelop their toolkit, and results in the redistribution of resources, is a welcome sight." ®

Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022