Ransomware Is Spreading Through Macros In Word

Security researcher Jaromir Horejsi of Trend Micro has discovered a disturbing new strain of ransomware named qkG that spreads by way of macros inside MS Word.

The ransomware strain targets only Office documents, encrypting them and infecting the Word default document in order to propagate to newly created documents opened via the Office suite on the infected computer.

This new threat is unusual in the world of ransomware because it abides by a completely different and much more tightly targeted set of operating principles than any other form of ransomware found in the wild today. It’s also a bit of a throwback. The use of macros to spread worms is still fairly commonplace on older machines running out-of-date or pirated copies of Office, but it hasn’t really been in fashion in the mainstream hacking community for quite some time.

An analysis of the code reveals it to be a work in progress. The researchers were quick to point out that the ransomware has not found any actual victims to date, and that several different variants and strains of the code were found in different documents, each with a different and slightly more robust feature set.

Based on evidence Horejsi found in the qkG samples he had the opportunity to analyze, the author of this new strain is apparently based somewhere in Vietnam, and goes by the alias “TNA-MHT-TT2.”

The malware is notable for its rather innovative use of malicious macros. Horejsi warns that these techniques will undoubtedly be picked up by other hackers, refined and used more broadly in the months ahead.

That’s likely to pose a special challenge for your IT security team, who have probably fallen out of the habit of watching for such threats, given that they declined in popularity some time ago. It seems, however, that what’s old has been made new again, so alert the troops to be ready.

Microsoft Word Gets Update To Disable DDE After Malware Concerns

In recent months, Microsoft Word has been getting a fair amount of bad press, thanks to an old-but-still-supported feature called DDE (Dynamic Data Exchange). This is the feature that allows Word to pull data from other MS Office applications. For instance, if you embed a chart into your Word document, each time you open the doc, it will automatically poll the spreadsheet the chart was created from and update it dynamically.

It’s a good feature, but unfortunately, it’s subject to abuse by hackers, who can use it to insert malicious code.

For a long time, Microsoft held the opinion that DDE wasn’t flawed per se, and as such, refused to take any action to try to limit its abuse. The thinking was that the company had already done enough, since MS Office is designed to display a warning message before actually opening a file, which gives the user a choice.

Unfortunately, hackers have found ways to game that system as well and get around the warning box, and ultimately, that’s what changed the company’s mind.

Back in October, Microsoft published Security Advisory 4053440, which warned of the potential dangers of DDE and advised users on how to disable the feature in Word, Outlook and Excel. The company has now taken things a step further, disabling the feature inside MS Word in the Office Defense in Depth Update, ADV170021.

In fact, the company now sees the problem as being so severe and pervasive that they took the unusual step of issuing an emergency, out-of-band patch to update Word 2003 and 2007, two versions that Microsoft has officially stopped supporting.

If your employees use MS Office, this most recent patch is of critical importance, so if you’re not getting updates automatically, make sure your team knows to grab and apply this one.
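As an added example (not from the article, and not Microsoft’s own tooling), the following PowerShell script audits the DDE-related registry values that Security Advisory 4053440 and ADV170021 describe, for the current user’s Word, Outlook and Excel profiles. The value names (DontUpdateLinks, AllowDDE, DDEAllowed, DDECleaned), the Office version keys and the “safe” settings are assumptions taken from my reading of those advisories; confirm them against the advisory text for your Office build before acting on the output.

```powershell
# Added example: report whether DDE is mitigated per the Microsoft advisories.
# Assumption: value names and "safe" settings below match 4053440 / ADV170021.
$officeVersions = @('16.0', '15.0', '14.0')   # Office 2016/365, 2013, 2010

# Each entry: relative key under HKCU:\Software\Microsoft\Office\<ver>\,
# the value name, and the setting that means "DDE mitigated".
$checks = @(
    @{ Key = 'Word\Options';          Name = 'DontUpdateLinks'; Safe = 1 },
    @{ Key = 'Word\Options\WordMail'; Name = 'DontUpdateLinks'; Safe = 1 },  # Outlook mail bodies
    @{ Key = 'Word\Security';         Name = 'AllowDDE';        Safe = 0 },  # ADV170021: 0 = DDE off
    @{ Key = 'Excel\Options';         Name = 'DontUpdateLinks'; Safe = 1 },
    @{ Key = 'Excel\Options';         Name = 'DDEAllowed';      Safe = 0 },
    @{ Key = 'Excel\Options';         Name = 'DDECleaned';      Safe = 1 }
)

foreach ($ver in $officeVersions) {
    $base = "HKCU:\Software\Microsoft\Office\$ver"
    if (-not (Test-Path $base)) { continue }   # this Office version is not present for this user
    foreach ($c in $checks) {
        $path  = Join-Path $base $c.Key
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $state = if ($null -eq $value)      { 'NOT SET (Office default applies)' }
                 elseif ($value -eq $c.Safe) { 'mitigated' }
                 else                        { "NOT mitigated (value=$value)" }
        "{0,-5} {1,-25} {2,-16} {3}" -f $ver, $c.Key, $c.Name, $state
    }
}
```

A value reported as NOT SET means the user has not opted in to the mitigation, so the behaviour depends on whether the ADV170021 update (which changes the Word default) is installed.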

Windows 10 Third Party Password Manager Could Have Security Issue

Do you use “Keeper”? If you’re not sure what it is, then you probably don’t. It’s a password manager that Microsoft has been bundling with some of its Windows 10 releases. Either way, there’s a serious flaw in its design that you should be aware of.

Earlier in the year, Tavis Ormandy, a researcher on Google’s Project Zero team, discovered a bug that saw Keeper injecting privileged user information into web pages, exposing all manner of private data unnecessarily to website owners.

The potential damage comes from a user being lured onto a hacker-controlled website, whose owner could siphon up the information (including literally every password stored by Keeper) and resell it, or use it to launch a highly targeted attack against a specific user or device.

The bug was reported, and a patch was issued. Then, in a later version, Ormandy found the same bug cropping up again. He had this to say about the matter:

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and they’re doing the same thing again with this version.

I think I’m being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.”

Craig Lurey, the CTO of Keeper Security, had this to say when informed of the bug:

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.”

The two important takeaways here are as follows:

  • The company reports that so far as anyone can tell, this flaw has not actually been exploited in the wild.
  • Keeper Security has issued an emergency patch that has disabled the “Add to Existing” feature, which is where the problem code actually resides.

This temporary measure was implemented as a stop-gap until the bug can be properly patched.

Microsoft May Remove Windows Paint From Operating System

“Paint” is one step closer to being a thing of the past.

In May of this year, Microsoft caught a surprising amount of flak when they announced that the venerable app, which had been included with the OS in every release since 1985, would be going away and replaced by a newer, sleeker version called Paint 3D.

The company had not expected any backlash on the matter and was sent scrambling when tens of thousands of people complained loudly in forums all over the internet.

The company quickly revised its position, explaining that while Paint would no longer come pre-installed on future releases of Windows, it would still be available on Microsoft’s app store. This move seemed to mollify Paint’s surprising number of fans and followers, but now, Microsoft is in the news again over the surprisingly cherished app.

In a recently released Windows 10 Insider Preview, the following message was discovered when accessing Paint: “This version of Paint will soon be replaced with Paint 3D. Classic Paint will then become available in the store.”

Note that this message was not displayed upon opening Paint itself, but rather upon clicking the “Product Alert” button at the top right corner of the app screen.

While the news is certainly no surprise, given the above, the sparse wording of the message does raise the question of whether the transition will be occurring during the next Windows 10 release. So far, the company has not offered any sort of clarification or confirmation.

In any case, we’re now one step closer to saying goodbye to Paint. While it was never a very good image editing program, it has proven to have a surprisingly deep base of support. Support or no, however, the day is soon coming when it will be a thing of the past, unless users go to the store and manually download and install it.

Nvidia Dropping Driver Support For Older Operating Systems

AMD long ago dropped support of 32-bit operating systems, and now, Nvidia is following suit. The long-anticipated move by the company will mean the end of driver support for the 32-bit builds of Windows 7, Windows 8, Windows 8.1, Windows 10, Linux and FreeBSD.

Nvidia is taking a balanced, responsible approach here. The company has pledged to continue offering 32-bit driver security updates until January 2019, but will immediately discontinue making performance updates to the drivers for older OSes.

In some respects, it’s long overdue. Today’s application environment is incredibly resource intensive, with a growing number of applications requiring more computing horsepower than 32-bit systems can deliver, since a 32-bit OS can only support up to 4GB of RAM.

The picture gets even bleaker if you’re a gamer. Even modest games tend to require more than 4GB of RAM these days, and most top-tier titles no longer offer support for 32-bit systems. Combine that with the fact that 32-bit systems are somewhat less secure overall, and it’s probably time they were put out to pasture.

Given this landscape, it’s probably time to pronounce the 32-bit operating system dead. If you’ve got some legacy applications still running on an old machine, now is the time to get serious about your migration plan.

Most of the older OSes are no longer receiving security updates, which leaves you increasingly vulnerable to a wide range of hacks. That, coupled with the increasingly sparse driver support, makes it inevitable that you’ll have to migrate at some point, and it’s always better to do it on your terms than someone else’s.

If you haven’t yet worked out what to do about your old legacy systems, it’s long past time to do so. The clock has been ticking for a while now, and the ticking just got a little bit louder.

Microsoft is Adding Much Needed Feature To Windows Defender

Microsoft is getting tough on so-called “registry cleaners”, and it’s about time.  The company recently announced a planned change to Windows Defender (the anti-malware program that comes standard with every Windows installation).  Under the change, Windows Defender will detect and remove an increasing number of these registry cleaners.  It’s a great move, and the company deserves credit for it, but there’s a catch.  This type of software has been around for decades, so the move, as welcome as it is, comes very late in the game.

It’s overwhelmingly likely that you’ve seen these programs in action.  They’re usually free downloads (though there are a few web-based services too) that scan your system to find problems with your registry that the software claims are causing performance issues and slowing your machine down.

There are two major problems with this:  First, the software tends to be light on details, refusing to provide much information about exactly why the “problems” that have been identified are impacting system performance.  Worse, the software often incorrectly identifies critical system files and registry entries as being problematic. So of course, when they are deleted, they actually create many more problems than they solve.

Second, in order to actually fix the problems that have been identified, you’ve got to buy the premium version of the package.  The result is that you’re losing money, and the software often breaks your system.  Not a pretty picture.

This latest move by Microsoft builds on action they took back in 2016, when the company started penalizing the makers of registry cleaners whose software didn’t adequately explain why the problems it found needed to be fixed in the first place, or which used high-pressure up-sell techniques.

Ultimately, those moves proved to be insufficient, so Microsoft decided to take things to the next level.  Now, they’re simply going to start deleting these no- or low-value programs.  Late or not, that’s one less headache for you, and a very good thing.

Microsoft Office Update Available To Only Windows 10 Users

There are big changes coming to MS Office which you need to be aware of, given how widely used “Office” is in most companies.

First, the headline change:  When MS Office 2019 is released, it will only run on Windows 10.  If you’ve still got machines on older operating systems, and you want to keep your productivity suite up to date, then you’ll need to upgrade those older systems.

Also, be aware that when Office 2019 ships, it will be delivered only via “Click-to-Run” technology.  There will be no MSI installer, although Office Server will have an MSI deployment option.

In terms of software support, the company had this to say:

“Office 2019 will provide five years of mainstream support and approximately two years of extended support.  This is an exception to our ‘Fixed Lifecycle Policy’ to align with the support period for Office 2016.  Extended support will end 10/14/2025.”

The Office 2019 bundle will include the following apps:

  • Word
  • Excel
  • PowerPoint
  • Outlook
  • Skype for Business

Additionally, server versions of SharePoint and Exchange will be available.

In conjunction with the announcement above, the company also announced servicing extensions for Windows 10, and changes to the system requirements for people who use Office 365 ProPlus, the company’s online office suite.

Beginning on January 14, 2020, Office 365 ProPlus will no longer be supported on Windows 7, Windows 8.1, Windows Server 2016, or any Windows 10 LTSC (Long Term Servicing Channel) release.  Windows 10 versions 1511, 1607, 1703, and 1709 will get an additional six months of support for both enterprise and education customers.

Although these changes will no doubt inconvenience some users, overall, they have to be judged as a positive.  Microsoft has been taking a number of meaningful steps in recent years to streamline and simplify their product support, and these latest changes are very much in keeping with that.

Remote Desktop Flaw Affects Every Windows Version

Researchers at Preempt Security recently discovered a critical flaw in Microsoft’s Credential Security Support Provider protocol (CredSSP for short) that impacts every version of Windows in existence. It could allow a hacker to remotely exploit Windows Remote Desktop to execute malicious code and steal any data stored on the machine.

The flaw, logged as CVE-2018-0886, would allow a hacker (provided that they had Wi-Fi or physical access to the machine) to execute a man-in-the-middle attack and steal authentication data via a Remote Procedure Call attack.

Yaron Zinar, a lead researcher at Preempt, had this to say about the flaw:

“An attacker which has stolen a session from a user with sufficient privileges could run different commands with local admin privileges.  This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.  This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”

This is a big deal because Windows Remote Desktop is hands-down the most popular means of performing remote logins. In addition, businesses of all shapes and sizes make regular use of RDP for a variety of purposes, making them vulnerable until the flaw is patched.

Microsoft released a fix for the issue as part of their March 2018 Patch Tuesday, but security professionals close to the issue warned that simply applying the patch is not enough to provide protection.  You’ll also need to instruct your staff to make a few configuration changes (explained in the documentation surrounding the issue), including limiting the use of privileged accounts as much as possible and using non-privileged accounts whenever possible.
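As an added example (not from the article or from Preempt), the following PowerShell script reports the state of the “Encryption Oracle Remediation” policy that Microsoft documented alongside the CVE-2018-0886 fix, and lists updates installed since the March 2018 Patch Tuesday so the patch level can be confirmed. The registry path, the AllowEncryptionOracle value name and the meaning of its settings (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) are assumptions based on my reading of Microsoft’s guidance for this fix; verify them against that guidance before acting on the output.

```powershell
# Added example: show how this host is configured for the CVE-2018-0886 CredSSP fix.
# Assumption: value name, path and meanings match Microsoft's published guidance.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$value = (Get-ItemProperty -Path $key -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue).AllowEncryptionOracle

switch ($value) {
    0       { 'AllowEncryptionOracle=0 (Force Updated Clients): connections to unpatched peers are refused' }
    1       { 'AllowEncryptionOracle=1 (Mitigated): this host will not fall back to the vulnerable CredSSP version' }
    2       { 'AllowEncryptionOracle=2 (Vulnerable): fallback to the vulnerable version is allowed; change this' }
    default { 'AllowEncryptionOracle not set: the OS default applies; confirm the 2018 CredSSP updates are installed' }
}

# Updates installed on or after the March 2018 Patch Tuesday (13 March 2018),
# the release the article says carried the CredSSP fix.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2018-03-13' } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, InstalledOn
```

Run it as an administrator on each RDP client and server; a host reporting 2 is the one to fix first, and a host with nothing listed under Get-HotFix since March 2018 has not received the patch at all.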

The March 2018 patch release was a hefty one, and included patches for a number of products including ChakraCore, PowerShell, Microsoft Office, Windows (OS), and both the Edge browser and Internet Explorer.

Having Chrome Issues Since The Latest Windows 10 Update?

Microsoft has been having some “issues” of late.  Its April Windows 10 rollout had to be delayed on account of some mysterious BSOD (“Blue Screen of Death”) issues. This month’s rollout is plagued by similar problems, trading the BSOD issues for problems with both “Hey Cortana” and Google’s Chrome browser.

The problem is that when you try to navigate the web using Chrome with the latest Windows 10 update, the entire system will inexplicably hang.  The company is hoping to have a fix ready for release in time for the next “Patch Tuesday” on May 8, but in the meantime, offered the following suggestions to users who are impacted by this issue:

  • If you’re on a laptop, sometimes (but not always) opening and closing the lid will revive the system.
  • Failing that, or if you’re not on a laptop, try using the keyboard combination: Win + Ctrl + Shift + B. This activates the “wake screen” sequence.
  • If you’re on a tablet, press the volume up and volume down buttons at the same time, three times within two seconds. If you hear a short beep, then you know Windows is responsive, and it will attempt to refresh the screen.

If none of the above works for you, then your only other option is to simply reboot the system, which is beyond annoying.  Fortunately, however, it’s only temporary. The company is currently working on a fix (although whether it’s ready by Patch Tuesday remains to be seen).

While this is by no means the kiss of death, it is troubling that the last two updates have had major issues.  Unless the issue is identified and remedied, the company could be facing larger and more pervasive problems in the months ahead.

Most “Wannacry” Hacks Were On Windows 7 Machines

Last year’s Wannacry attack was bad, but in many ways, it was a self-inflicted wound.  According to Webroot’s recently published “Annual Threat Report,” almost all of the machines that succumbed to the Wannacry attack were running Windows 7.  That attack is estimated to have caused in excess of $4 billion in total losses.

The central problem is that businesses have been much slower than individuals to make the shift from Windows 7 to the much more secure Windows 10.  For example, in January 2017, only one Enterprise computer in five was running Windows 10, a figure which climbed to 32 percent by year’s end.

Contrast that with the number of Enterprise computers running Windows 7.  In January 2017, a staggering 62 percent of Enterprise computers were still running Windows 7.  That figure declined as the year went on, but only marginally, dropping to 54 percent by the end of the year.

Meanwhile, Windows 8 was running on 5 percent of Enterprise computers in January 2017, and had dropped to 4 percent by the end of the year.  Windows Vista and XP both represented a tiny fraction (less than 1 percent) of Enterprise OSes.

Contrast that to the Windows 10 migration figures for individuals.  In January 2017, 65 percent of home users had made the switch to Windows 10.  By the end of the year, that figure had grown to an impressive 72 percent.

A Webroot spokesperson had this to say about the report:

“While Windows 10 won’t solve all security woes, it’s a step in the right direction.  Combined with advanced endpoint protection that uses behavioral analysis and machine learning, adopting Windows 10 can greatly reduce enterprises’ vulnerability to cyber-attacks.”

All that to say, if you haven’t moved away from outdated operating systems at your company, this is yet another compelling reason to do so immediately.  No matter what legacy systems you may be running that rely on old OSes, it’s just not worth the risk.