7-zip now supports Windows ‘Mark-of-the-Web’ security feature
7-zip has finally added support for the long-requested 'Mark-of-the-Web' Windows security feature, providing better protection from malicious downloaded files.
Zoom fixed critical flaw CVE-2024-24691 in Windows software
Zoom fixed 7 flaws in its desktop and mobile applications, including a critical bug (CVE-2024-24691) affecting the Windows software
.png?width=92&height=&ar=&mode=&format=avif&dpr=2)
The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It
If you ever troubleshooted anything on Windows or investigated a suspicious event, you know that Windows store various types of events in Windows Event Log. An application crashed and you want to know more about it? Launch the Event Viewer and check the Application log. A service behaving strangely? See the System log. A user account got unexpectedly blocked? The Security log may reveal who or what blocked it. All these events are getting stored to various logs through the Windows Event Log service. Unsurprisingly, this service's description says: "Stopping this service may compromise security and reliability of the system." The Windows Event Log service performs many tasks. Not only is it responsible for writing events coming from various source to persistent file-based logs (residing in %SystemRoot%\System32\Winevt\Logs), it also provides structured access to these stored events through applications like Event Viewer. Furthermore, this service also performs "event forwarding" if you want your events sent to a central log repository like Splunk or Sumo Logic, an intrusion detection system or a SIEM server. Therefore, Windows Event Log service plays an important role in many organizations' intrusion detection and forensic capabilities. And by extension, their compliance check boxes.
Microsoft disables MSIX protocol handler abused in malware attacks
Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware.
Microsoft finds Raspberry Robin worm in hundreds of Windows networks
Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.
From NtObjectManager to PetitPotam
Windows RPC enumeration, discovery, and auditing via NtObjectManager. We will audit the vulnerable RPC interfaces that lead to PetitPotam, discover how they have changed over the past year, and overcome some common RPC auditing pitfalls.
7-zip now supports Windows ‘Mark-of-the-Web’ security feature
7-zip has finally added support for the long-requested 'Mark-of-the-Web' Windows security feature, providing better protection from malicious downloaded files.
Windows 10 gets three more years of security updates, if you can afford them | Ars Technica
Windows 10's end-of-support date is October 14, 2025. That's the day that most Windows 10 PCs will receive their last security update and the date when most people should find a way to move to Windows 11 to ensure that they stay secure. As it has done for other stubbornly popular versions of Windows, though, Microsoft is offering a reprieve for those who want or need to stay on Windows 10: three additional years of security updates, provided to those who can pay for the Extended Security Updates (ESU) program.
How to bypass Windows Hello, log into vulnerable laptops
Hardware security hackers have detailed how it's possible to bypass Windows Hello's fingerprint authentication and login as someone else – if you can steal or be left alone with their vulnerable device. The research was carried out by Blackwing Intelligence, primarily Jesse D'Aguanno and Timo Teräs, and was commissioned and sponsored by Microsoft's Offensive Research and Security Engineering group. The pair's findings were presented at the IT giant's BlueHat conference last month, and made public this week. You can watch the duo's talk below, or dive into the details in their write-up here.
Microsoft finds Raspberry Robin worm in hundreds of Windows networks
Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.
From NtObjectManager to PetitPotam
Windows RPC enumeration, discovery, and auditing via NtObjectManager. We will audit the vulnerable RPC interfaces that lead to PetitPotam, discover how they have changed over the past year, and overcome some common RPC auditing pitfalls.
7-zip now supports Windows ‘Mark-of-the-Web’ security feature
7-zip has finally added support for the long-requested 'Mark-of-the-Web' Windows security feature, providing better protection from malicious downloaded files.
The evolution of Windows authentication
Discover how we’re securing authentication and reducing NTLM usage in Windows.
CVE-2023-38146: Arbitrary Code Execution via Windows Themes
This is a fun bug I found while poking around at weird Windows file formats. It's a kind of classic Windows style vulnerability featuring broken signing, sketchy DLL loads, file races, cab files, and Mark-of-the-Web silliness. It was also my first experience submitting to the MSRC Windows bug bounty since leaving Microsoft in April of 2022.
Hackers exploit gaping Windows loophole to give their malware kernel access
Microsoft blocks a new batch of system drivers, but the loophole empowering them remains.
Unmasking the Meduza Stealer: Comprehensive Analysis & Countermeasures
Read Uptycs' analysis of the newly discovered Meduza Stealer malware targeting Windows users, revealing capabilities, potential impact & mitigation steps.
Decrypted: Akira Ransomware
Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
Microsoft finds Raspberry Robin worm in hundreds of Windows networks
Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.
From NtObjectManager to PetitPotam
Windows RPC enumeration, discovery, and auditing via NtObjectManager. We will audit the vulnerable RPC interfaces that lead to PetitPotam, discover how they have changed over the past year, and overcome some common RPC auditing pitfalls.
7-zip now supports Windows ‘Mark-of-the-Web’ security feature
7-zip has finally added support for the long-requested 'Mark-of-the-Web' Windows security feature, providing better protection from malicious downloaded files.
Patch Tuesday - Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours
Dive into the analysis and exploitation of a vulnerability in the Windows Ancillary Function Driver for Winsock for Local Privilege Escalation on Windows 11. More from X-Force Red experts.
Windows Installer EOP (CVE-2023-21800)
This blog post describes the details and methodology of our research targeting the Windows Installer (MSI) installation technology.
Threat groups are using Windows LNK files to gain access
Microsoft's move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor's LNK files – the shortcuts Windows uses to point to other files.
Zoom Patches High Risk Flaws on Windows, MacOS Platforms
Video messaging giant Zoom has released patches for multiple security vulnerabilities that expose both Windows and macOS users to malicious hacker attacks.
Exploring ZIP Mark-of-the-Web Bypass Vulnerability (CVE-2022-41049)
Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files, which evade warnings on attempts to execute packaged files, even if ZIP file was downloaded from the Internet.
Abusing windows’ tokens to compromise active directory without touching lsass
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows server. Looking at the users connected on the same server, I knew that a domain administrator account was connected. All I had to do to compromise the domain, was compromise the account. This could be achieved by dumping the memory of the LSASS process and collecting their credentials or Kerberos TGT’s. Seemed easy until I realised an EDR was installed on the system. Long story short, I ended up compromising the domain admin account without touching the LSASS process. To do so, I relied on an internal Windows mechanism called token manipulation. The goal of this blog post is to present how I did it. We will see what access tokens are, what they are used for, how we can manipulate them to usurp legitimate accounts without touching LSASS and finally I will present a tool and a CrackMapExec module that can be used during such assessments. All the source code, binaries and CrackMapExec module can be found here https://github.com/sensepost/impersonate.
Chaos is a Go-based Swiss army knife of malware
Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently uncovered a multifunctional Go-based malware developed for Windows and Linux
Break me out of sandbox in old pipe - CVE-2022-22715 Windows Dirty Pipe
In February 2022, Microsoft patched the vulnerability I used in TianfuCup 2021 for escaping Adobe Reader sandbox, assigned CVE-2022-22715. The vulnerability existed in Named Pipe File System nearly 10 years since the AppContainer was born. We called it "Windows Dirty Pipe". In this article, I will share the root cause and exploitation of Windows Dirty Pipe. So let's start our journey.
911 Proxy Service Implodes After Disclosing Breach
911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its…
Microsoft finds Raspberry Robin worm in hundreds of Windows networks
Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.