Friday, 8 May 2020

Adobe FLASH RIP

Adobe announced on the 25th of July 2017 the forthcoming end of Flash Player.

Adobe has long played a leadership role in advancing interactivity and creative content – from video, to games and more – on the web. Where we’ve seen a need to push content and interactivity forward, we’ve innovated to meet those needs. Where a format didn’t exist, we invented one – such as with Flash and Shockwave. And over time, as the web evolved, these new formats were adopted by the community, in some cases formed the basis for open standards, and became an essential part of the web.

But as open standards like HTML5, WebGL and WebAssembly have matured over the past several years, most now provide many of the capabilities and functionalities that plugins pioneered and have become a viable alternative for content on the web. Over time, we’ve seen helper apps evolve to become plugins, and more recently, have seen many of these plugin capabilities get incorporated into open web standards. Today, most browser vendors are integrating capabilities once provided by plugins directly into browsers and deprecating plugins.

Given this progress, and the collaboration of several technology giants – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe has planned to 'switch off' Flash. Specifically, they will stop updating and distributing the Flash Player at the end of 2020. They encourage content creators to migrate any existing Flash content to these new open formats.

Firefox and Chrome keep notifying users who visit Flash-enabled sites that Flash will stop working on that very same date. So get prepared: any site you depend on that uses Flash will no longer open by the end of this year, and if you own or host such a site you will no longer be able to run it.

Monday, 6 April 2020

Critical Flaw in Windows Preview Pane

Microsoft on 23/3/2020 issued Security Advisory ADV200006 for a "Critical"-rated remote code execution vulnerability in both supported and unsupported Windows systems.

Microsoft updated its security advisory on March 24 to indicate that the vulnerability is just rated "Important" for Windows 10, Windows Server 2016 and Windows Server 2019 systems. It's still rated "Critical" for older systems, though. "We do not recommend that IT administrators running Windows 10 implement the workarounds described below," the advisory explained.

The vulnerability, associated with the Adobe Type Manager Library in Windows systems, has been exposed to "limited, targeted attacks," per the advisory. The library "improperly handles a specially crafted multi-master font." This flaw can be exploited by "convincing a user to open a specially crafted document or viewing it in the Windows [Explorer] Preview pane."

There's no patch currently available. Microsoft's advisory offered three "workarounds" to implement, but they all have limitations.

More info & sources: Microsoft, Redmond

Thursday, 2 April 2020

Zoom: It appears to have more problems than it solves

Zoom admits meetings don't use end-to-end encryption

Video conferencing app Zoom does not use end-to-end encryption, according to reports, despite specifically stating that it does on its website.


Though Zoom offers users the option to “enable an end-to-end (E2E) encrypted meeting,” and provides a green padlock that claims “Zoom is using an end to end encrypted connection,” the company this week admitted that it offers no such thing.

A spokesperson for the company told The Intercept that, despite its claims, it was "currently not possible" to enable end-to-end encryption for its video meetings.

Instead, the spokesperson revealed, the service uses Transport Layer Security (TLS), which encrypts data between users' meeting clients and Zoom's servers. End-to-end encryption refers to data encrypted between the call participants themselves, blocking out all third parties, including the service provider. Because Zoom's servers sit inside the encryption, the company can see and use the data for things like targeted ads.

"When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the spokesperson added.

Part of Zoom's appeal to organisations is its simplicity and the fact it can be used for free, albeit without any premium features, which lets businesses try it out before forking out any money. "Video conferencing is a fantastic necessity in times like these but it is vitally important to understand the security and privacy concerns that go in parallel with this increasingly popular form of communication," said Jake Moore, a cyber security specialist for ESET. "For social and light business meetings they are fine as long as users realise what data is being shared by Zoom to third parties. I certainly wouldn't recommend using free software for sensitive or private meetings."
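To make the distinction above concrete, here is an added example (not Zoom's code, and not a description of Zoom's or TLS's internals) that models the two designs. Each client has its own transport key with the server, which is the TLS hop; in the end-to-end variant the clients additionally share a meeting key that the server never receives. The cipher inside is a constructed toy (HMAC-SHA256 in counter mode as a keystream, plus an HMAC tag) chosen only because it needs nothing outside the Python standard library; the message is a constructed sample.

```python
# Added example for this post; it is not Zoom's code and not a description
# of Zoom's or TLS's internals. It models the difference between "encrypted
# to the server" (a transport key per client, like a TLS hop) and "encrypted
# end to end" (a meeting key the server never holds). The cipher is a
# constructed toy: HMAC-SHA256 in counter mode as a keystream plus an HMAC
# tag. Do not reuse it as a real cipher.
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    # Derive `length` keystream bytes from HMAC(key, nonce || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    # Output layout: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class RelayServer:
    """The provider's server: holds one transport key per client (the 'TLS' hop)
    and records everything it can read while forwarding."""

    def __init__(self, transport_keys):
        self.transport_keys = transport_keys
        self.observed = []

    def relay(self, sender, receiver, wire):
        inner = decrypt(self.transport_keys[sender], wire)   # strip sender's transport layer
        self.observed.append(inner)                           # what the provider can see
        return encrypt(self.transport_keys[receiver], inner)  # re-wrap for the receiver


def _fresh_parties():
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    return keys, RelayServer(keys)


def tls_only_call(message):
    """Transport encryption only. Returns (what bob received, what the server saw)."""
    keys, server = _fresh_parties()
    wire = encrypt(keys["alice"], message)
    delivered = decrypt(keys["bob"], server.relay("alice", "bob", wire))
    return delivered, server.observed[0]


def e2e_call(message):
    """End-to-end: a meeting key shared by alice and bob only, inside the transport layer."""
    keys, server = _fresh_parties()
    meeting_key = secrets.token_bytes(32)          # never given to the server
    wire = encrypt(keys["alice"], encrypt(meeting_key, message))
    delivered = decrypt(meeting_key, decrypt(keys["bob"], server.relay("alice", "bob", wire)))
    return delivered, server.observed[0]


if __name__ == "__main__":
    msg = b"board meeting: acquisition target is ACME"   # constructed sample
    for name, fn in (("TLS only", tls_only_call), ("end-to-end", e2e_call)):
        delivered, seen = fn(msg)
        print(f"{name:10s} delivered ok: {delivered == msg}; server read plaintext: {seen == msg}")
```

In the TLS-only run the server's `observed` list holds the plaintext; in the end-to-end run it holds only ciphertext, even though both variants deliver the message intact. That is the whole difference the spokesperson's "Zoom end point to Zoom end point" wording papers over.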

Unpatched Zoom App Bug Lets Hackers Steal Your Windows Password

According to the latest finding by cybersecurity expert @_g0dmode, which was also confirmed by researchers Matthew Hickey and Mohamed A. Baset, the Zoom client for Windows is vulnerable to a 'UNC path injection' vulnerability that could let remote attackers steal login credentials for victims' Windows systems.


The attack involves the SMBRelay technique wherein Windows automatically exposes a user's login username and NTLM password hashes to a remote SMB server when attempting to connect and download a file hosted on it.

The attack is possible only because Zoom for Windows supports remote UNC paths and converts such potentially insecure URLs into clickable hyperlinks for recipients in a personal or group chat.


To steal the login credentials of a user running Zoom for Windows, all an attacker needs to do is send a crafted URL (e.g. \\x.x.x.x\abc_file) to the victim over the chat interface and wait for the victim to click it once.

Note that the captured credentials are NTLM hashes rather than plaintext passwords, but a weak password can easily be cracked in seconds using password-cracking tools like Hashcat or John the Ripper.

In a shared environment, like office space, stolen login details can be reused immediately to compromise other users or IT resources and launch further attacks.

Besides stealing Windows credentials, the flaw can also be exploited to launch any program already present on a targeted computer or downloaded as part of the attacker's social engineering campaign.


Zoom has already been notified of this bug, but since the flaw has not yet been patched, users are advised either to use alternative video conferencing software or to use Zoom in the web browser instead of the dedicated client app.
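The root cause described above is a rendering step that treats a UNC path like a URL. The added example below (not Zoom's code; the chat messages and host address are constructed) contrasts a permissive "linkify" routine, which wraps `\\host\share\file` in a clickable link, with a hardened one that HTML-escapes the message and links only explicit http(s) URLs, and adds a small detector that reports UNC references so a client or a chat gateway can flag or log them.

```python
# Added example for this post; not Zoom's code. Constructed chat messages show
# how a permissive "linkify" step turns a UNC path into a clickable link (a
# click would make Windows reach the named host over SMB and offer NTLM
# credentials), and a hardened version that only links explicit http(s) URLs
# and reports UNC references for logging.
import html
import re

# Naive: anything URL- or path-like, including \\host\share, becomes a link.
NAIVE_LINK = re.compile(r"(https?://\S+|\\\\\S+)")
# Hardened: only explicit http/https URLs qualify.
SAFE_LINK = re.compile(r"https?://[^\s<>\"']+")
# Detection: \\host followed by zero or more \segment parts.
UNC_PATH = re.compile(r"\\\\[^\s\\/]+(?:\\[^\s\\]*)*")


def linkify_naive(text):
    """Flawed rendering: UNC paths are wrapped in <a href> like any URL."""
    return NAIVE_LINK.sub(lambda m: f'<a href="{m.group(1)}">{m.group(1)}</a>', text)


def linkify_safe(text):
    """Hardened rendering: HTML-escape everything, then link http(s) URLs only."""
    escaped = html.escape(text, quote=True)
    return SAFE_LINK.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', escaped)


def find_unc_paths(text):
    """Return UNC references found in a message so the client can flag or log them."""
    return UNC_PATH.findall(text)


# Constructed sample messages (no real hosts).
SAMPLE_MESSAGES = [
    r"notes are at \\10.0.0.5\share\file.txt and https://example.com/a?x=1&y=2",
    "see you at 3pm",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("naive :", linkify_naive(msg))
        print("safe  :", linkify_safe(msg))
        print("UNC   :", find_unc_paths(msg))
```

The hardened version leaves the UNC text visible but inert, which is the behaviour the advice above (use the browser client) gets you by a different route. On the network side, the same class of attack is blunted by not allowing outbound SMB from workstations to the internet, which is the usual complement to fixing the client.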

Source(s) & more info: Hacker News, ITPro

Sunday, 29 March 2020

UPDATED: Zoom beams iOS user data to Facebook for targeted ads

According to ITPro, Zoom has updated the code in its platform to remove the in-app ‘Login with Facebook’ feature on iOS platforms after it emerged the Facebook SDK was unnecessarily collecting user device information.

The conferencing app, which has exploded in popularity, doesn’t explicitly say in its privacy policy that it sends data to Facebook.

The video conferencing platform Zoom is sending iOS users’ analytics data to Facebook without explicit consent, even if users don’t have an account with the social networking giant.

The popularity of the online communications software has exploded in the last few weeks as more and more workers and individuals adjust to remote working and life in self-isolation, and search for ways to stay in touch.

According to an analysis by Motherboard, Zoom is transferring some user data to Facebook through one of the social media platform’s software development kits (SDKs). Zoom users may not be aware this is happening.

The conferencing app connects to Facebook’s Graph application programming interface (API) after downloading and opening the app. This API is the main route through which developers can send and receive data to and from Facebook. 


According to the analysis, Zoom notifies Facebook when an iOS user opens the app, and then provides details on the user’s device, including the model, as well as their time zone, and city they’re connecting from. 

More info and resources: Motherboard, ITPro

Saturday, 28 March 2020

Microsoft Teams

Microsoft Teams Commercial Cloud Trial offer

The Microsoft Teams Commercial Cloud Trial is replaced by Microsoft Teams Exploratory beginning in January 2020. To learn about this new offer, read Manage Teams Exploratory license.

The Microsoft Teams Exploratory experience lets users in your organization who have Azure Active Directory (AAD) and are not licensed for Teams initiate an exploratory experience of Teams. Admins can switch this feature on or off for users in their organization. The earlier Microsoft Commercial Cloud Trial is now replaced by The Teams Exploratory experience.

Who's eligible?

As long as the user has a managed AAD domain email address and does not have, and has not been assigned, a Teams license, they are eligible for this experience. For example, if a user has Office 365 Business (which doesn't include Teams), they're eligible for the Teams Exploratory experience.

How users sign up for the Teams Exploratory experience

Eligible users can sign up for the Teams Exploratory experience by signing in to Teams (teams.microsoft.com). They will be assigned this license automatically and the tenant admin will receive an email notification the first time someone in your org starts the Teams Exploratory experience.

Differences between Microsoft Teams and Microsoft Teams free

                                         | Microsoft Teams free               | Microsoft Teams
-----------------------------------------+------------------------------------+-------------------------------------------------
Features                                 |                                    |
Maximum members                          | 500,000 per org                    | Potentially unlimited with an enterprise license
File storage                             | 2 GB/user and 10 GB shared storage | 1 TB/user
Guest access                             | ✓                                  | ✓
1:1 and group online audio/video calls   | ✓                                  | ✓
Channel meetings                         | ✓                                  | ✓
Screen sharing                           | ✓                                  | ✓
Scheduled meetings                       | -                                  | ✓
Meeting recording                        | ✓                                  | Available with MS Stream
Phone calls and audio conferencing       | -                                  | ✓
Administration                           |                                    |
Admin tools for managing users and apps  | -                                  | ✓
Usage reporting for Office 365 services  | -                                  | ✓
99.9% financially-backed SLA uptime      | -                                  | ✓
Configurable user settings and policies  | -                                  | ✓

More info and sources: Microsoft Support website, Microsoft Docs

Wednesday, 11 December 2019

Snatch Ransomware Reboots Windows in Safe Mode to Bypass Antivirus

Cybersecurity researchers have spotted a new variant of the Snatch ransomware that first reboots infected Windows computers into Safe Mode and only then encrypts victims' files to avoid antivirus detection.

Unlike traditional malware, the new Snatch ransomware chooses to run in Safe Mode because in the diagnostic mode Windows operating system starts with a minimal set of drivers and services without loading most of the third-party startup programs, including antivirus software.

Snatch has been active since at least the summer of 2018, but SophosLabs researchers spotted the Safe Mode enhancement to this ransomware strain only in recent cyber attacks against various entities they investigated.

"The ransomware, which calls itself Snatch, sets itself up as a service [called SuperBackupMan with the help of Windows registry] that will run during a Safe Mode boot."

"When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware."

What makes Snatch different from, and more dangerous than, other ransomware is that it is also a data stealer. Snatch includes a sophisticated data-stealing module that lets attackers exfiltrate vast amounts of information from the target organizations.
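The sequence quoted from SophosLabs above is detectable from ordinary endpoint telemetry. The added example below (not Sophos's or the article's code; the events are constructed and their dictionary shape is an assumption about what a log pipeline would hand you) correlates four signals: a service being registered under the SafeBoot\Minimal registry key, which is the real key Windows consults for services allowed to run in Safe Mode; a forced Safe Mode boot via bcdedit's safeboot option, included as a generic indicator rather than a claim about Snatch's exact command; net.exe stopping that same service; and vssadmin.exe deleting shadow copies. The service name SuperBackupMan in the sample is the one quoted above.

```python
# Added example for this post; not Sophos's or the article's code. Detection
# logic run over constructed process-creation and registry events for the
# Safe Mode pattern described above. Event shape (type/image/cmdline/key) is an
# assumption about the log pipeline; the SafeBoot registry path is the real
# key Windows uses for Safe Mode services; the bcdedit safeboot check is a
# generic "Safe Mode boot forced" indicator, not a Snatch-specific claim.
import re

SAFEBOOT_KEY = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Control\\SafeBoot\\(?:Minimal|Network)\\",
    re.IGNORECASE,
)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_safe_mode_abuse(events):
    """Return a list of (severity, description) findings, correlated by service name."""
    findings = []
    safeboot_services = set()   # services registered to load in Safe Mode
    shadows_deleted = False
    for ev in events:
        if ev["type"] == "registry":
            if SAFEBOOT_KEY.search(ev["key"]):
                svc = ev["key"].rsplit("\\", 1)[-1]
                safeboot_services.add(svc.lower())
                findings.append(("medium", f"service '{svc}' registered to load in Safe Mode by {ev['image']}"))
        elif ev["type"] == "process":
            exe = _basename(ev["image"])
            tokens = ev["cmdline"].lower().split()
            if exe == "bcdedit.exe" and "safeboot" in tokens:
                findings.append(("high", f"Safe Mode boot forced: {ev['cmdline']}"))
            elif (exe in ("net.exe", "net1.exe") and len(tokens) >= 3
                  and tokens[1] == "stop" and tokens[2] in safeboot_services):
                findings.append(("high", f"Safe Mode service stopped via net.exe: {ev['cmdline']}"))
            elif exe == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens:
                shadows_deleted = True
                findings.append(("high", f"Volume Shadow Copies deleted: {ev['cmdline']}"))
    if safeboot_services and shadows_deleted:
        findings.append(("critical",
                         "Safe Mode service persistence plus shadow copy deletion: ransomware staging pattern"))
    return findings


# Constructed sample telemetry: one benign event followed by the staging sequence.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop SuperBackupMan"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for severity, description in detect_safe_mode_abuse(SAMPLE_EVENTS):
        print(f"[{severity}] {description}")
```

A lone `net stop` of an unknown service is deliberately not flagged; the rule only fires for a service that was earlier registered under SafeBoot, which keeps routine administration quiet while still catching the staging sequence before the encryption step.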

Source and more info: Hacker News

Tuesday, 19 November 2019

Microsoft Office 2010 end of support

Office 2010 will reach its end of support on October 13, 2020. If you haven't already begun to upgrade your Office 2010 environment, we recommend you start now.

Also, support for Windows 7 ends on January 14, 2020. Even though Office 2010 is still supported until October, Windows 7 will no longer receive security updates after January 2020, unless you purchase Extended Security Updates (ESU). Without ESU, Windows 7 is vulnerable to security threats. For more information, see the Windows 7 end of support site and Lifecycle FAQ-Extended Security Updates.

What does end of support mean?

Office 2010, like almost all Microsoft products, has a support lifecycle during which we provide bug fixes and security fixes. This lifecycle lasts for a certain number of years from the date of the product's initial release. For Office 2010, the support lifecycle is 10 years. The end of this lifecycle is known as the product's end of support. When Office 2010 reaches its end of support on October 13, 2020, Microsoft will no longer provide the following:

  • Technical support for issues
  • Bug fixes for issues that are discovered
  • Security fixes for vulnerabilities that are discovered

Because of the changes listed above, we strongly recommend that you upgrade as soon as possible.

What are my options?

With Office 2010 reaching its end of support, this is a good time to explore your options and prepare an upgrade plan to either of these latest versions of Office:

Office 365 ProPlus, the subscription version of Office that comes with most Office 365 enterprise plans.

Office 2019, which is sold as a one-time purchase and available for one computer per license.

A key difference between Office 365 ProPlus and Office 2019 is that Office 365 ProPlus is updated on a regular basis, as often as monthly, with new features. Office 2019 only has the same features that it had when it was released in October 2018.

Source and more reading: Microsoft