Tag Archives: AppContainer

Two unpatched remote code execution flaws in Adobe Type Manager Library affect all Windows Versions. Keep the mitigations forever!

29 March 2020

Mohit Kumar‘s post (1) that was published past Monday on The Hacker News should instill fright to all users who haven’t migrated to Windows 10 yet.

The good news is that this vulnerability requires user interaction. Microsoft states in security advisory ADV200006 (2) that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.” As always, user training is as crucial!

In addition, the impact on Windows 10 users is limited because the malicious code runs in an AppContainer which is destroyed once the preview is closed.

The bad news is that Microsoft recognized attacks where this vulnerability is leveraged (the vulnerability is in the Wild). And, a patch is not available yet.

In the meantime, Microsoft provides important mitigations in ADV200006. These mitigations must be kept on all pre-Windows 10 systems where no Extended Security Update (ESU) support is available.

The most interesting mitigation is to “Disable the Preview Pane and Details Pane in Windows Explorer”. I always disable preview features in Explorer and Outlook. Simply put, preview requires that documents are “executed”, so preview may also execute embedded malicious code.

My advice for all critical infrastructure operators is:

  • Deactivate all preview features in the Windows OS and in all applications.
  • Deactivate any kind of macros and scripting without notification.
  • Deactivate all trusted locations in all applications.
  • And, of course, the user should not be able to reverse this settings.

With this, the security baseline is raised at moderate effort.

Have a great week.

1. Kumar M. Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions [Internet]. The Hacker News. 2020 [cited 2020 Mar 29]. Available from: https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

2. MSRC. ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability [Internet]. Microsoft Security Response Center. 2020 [cited 2020 Mar 29]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Attention! Attention! Ransomware Cerber talks to you

16 April 2016

I use Adobe Flash Player only if there’s no other way. The plugin is deactivated by default, and activated only in the case I view an SC Magazine seminar.

Nevertheless, the latest security flaws, in particular CVE-2016-1019, must be patched as soon as possible. Because this bug was being exploited in drive-by download attacks that infect computers with ransomware Cerber after visiting tainted websites.

New on Cerber is that it has a computer-generated voice. And, that the malware is delivered by a drive-by download. With this, the first line of defense, your users, is of limited effectiveness because they are unable to determine that they were tricked.

From my point of view, a next generation endpoint protection tool, that containerizes all applications which connect to the Internet, is the means of choice in the defense of drive-by attacks. Since I am a strong advocate of the Zero-Trust Network concept, I recommend to containerize applications even if they access internal network resources only.

In addition, containerization frees us from the patching treadmill, at least to some extent, since we are no longer forced to install every patch on thousands of computers.

Unfortunately, Microsoft missed the opportunity to run Flash Player more secure in Windows 10.

Process Explorer View of Edge and FLashPlayer

Process Explorer View of Edge and Flash Player. Click to enlarge.

Edge runs by default at integrity level AppContainer. This makes sure that access to system resources is widely blocked. By contrast, Flash Player has access to lots of system resources because it runs at Medium Integrity Level.

Have a good weekend, and patch your Flash Player!

Poweliks it is still stuck in my mind

17 August 2014

It may sound funny, but Poweliks is still stuck in my mind. The bad news for me is: Poweliks resides only in Windows registry.

The good news is: To start at every login the malware uses the Windows registry, namely the outdated method of using the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] key.

And this is exactly the vulnerability of Poweliks we can use for taking counter measures!

The Windows policy ‘Do not process the legacy run list’ could be used to block Poweliks. If enabled this policy blocks the programs listed in the run key from getting executed during login. That’s it!

Do Not Process Legacy Run List Policy

Do Not Process Legacy Run List Policy

To enable the ‘Do not process the run once list’ policy start the local group policy editor gpedit.msc and navigate to section User Configuration\Administrative Templates\System\Logon. Double click the policy, select option ‘Enabled’, enter a comment and click ‘Apply’.

Use policy ‘Run these programs at user logon’ to whitelist the programs which you want to start at login. To prevent unwanted programs from getting started during system boot, enable the ‘Do not process the run once list’ in Computer Configuration as well.

Sounds somewhat strange, like fighting fire with fire. A much better solution would be to isolate all applications in AppContainers like Internet Explorer and run them at integrity level “Low” when connected to whatever network.

Microsoft, please do us this favour in Windows 10 the latest!