Microsoft Warns about Vulnerability Targeting Taiwan

The tech giant warned about a new unpatched software vulnerability affecting almost all Windows computers. The flaw looks very similar to the one used in recent hacker attacks on the Ukrainian government. Now it is being used against Taiwanese targets: the attackers create malicious PowerPoint documents which launch exploit code on target machines when opened. The security experts admit the hackers could have used any Office file, but for some reason they chose PowerPoint.

Cyber intelligence experts warned that another (though similar) flaw was being used in so-called “Sandworm” attacks against Ukraine, the European Union, NATO, French telecom companies and even Polish energy suppliers. In previous cases, Russian hackers were suspected of intrusions.

Security companies believe that the two vulnerabilities are linked and have been exploited in the same way. While investigating the patch for the first flaw, the researchers found out that the fix wasn’t working and the vulnerability could still be exploited. However, there is no evidence that the recent flaw was being used by the same Sandworm hacker crew. The security firm’s sensors had detected activity indicating the zero-day vulnerability was being used to attack people in Taiwan. They concluded that Microsoft’s patch for the Sandworm flaw didn’t work properly and that the new vulnerability exploits that.

The researchers have seen a number of samples, one of which probably targeted Taiwan and delivered the Taidoor malware. This type of activity has been attributed to Chinese cyber espionage in the past.

Three Google and two McAfee researchers were credited with disclosing the latest flaw to Microsoft. It turned out that the vulnerability affects all supported versions of Windows except Windows Server 2003 and originates in a technology called Object Linking and Embedding (OLE), which is used to share data between several applications. For example, in Microsoft Office this technology is used when parts of a file appear within another file, like when an Excel chart is included in a Word document.

When the victim opens a malicious document, usually received via email, they risk handing over control of their machine to the attackers. The experts point out that this vulnerability can’t directly grant an attacker administrator-level access, but would allow them the same permissions as the victim. Advanced users will notice the “User Access Control” popup that requires consent when a malicious file is opened. In the meantime, Microsoft didn’t disclose when it was going to release a patch for the bug, but the company has included a fix-it solution in its advisory.

So, for now, Internet users are advised to be careful about opening Office documents received via email, social media or instant messengers from unknown parties. Everyone is also reminded to be wary of links from untrusted sources, because those may be used to launch a malicious Office document from the hacker’s website.
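For triage before opening, an Office Open XML file (.pptx, .ppsx, .docx, .xlsx) can be inspected as a zip archive to list the OLE objects it embeds or links. The sketch below is an added example, not code from Microsoft's advisory or from the researchers; the function names and the sample archive are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
SLIDE_LAYOUT_REL = OLE_REL.replace("oleObject", "slideLayout")
MAX_RELS_SIZE = 1 << 20  # skip oversized relationship parts instead of parsing them


def find_ole_objects(data: bytes):
    """Return (rels part, target, target mode) per OLE relationship, or None if not OOXML."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None  # e.g. a legacy binary .ppt/.doc, which needs a different parser
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_SIZE:
                continue
            root = ET.fromstring(zf.read(info))
            for rel in root.iter(REL_TAG):
                if rel.get("Type") == OLE_REL:
                    # TargetMode="External" means the object is linked, not stored in the file
                    mode = rel.get("TargetMode", "Internal")
                    findings.append((info.filename, rel.get("Target"), mode))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a zip shaped like one .pptx slide with one embedded OLE object."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="../embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId2" Type="{SLIDE_LAYOUT_REL}" Target="../slideLayouts/slideLayout1.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/embeddings/oleObject1.bin", b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for part, target, mode in find_ole_objects(build_sample()):
        print(f"{part}: OLE object -> {target} ({mode})")
```

An OLE object is not malicious in itself, since charts and spreadsheets are embedded this way every day; the listing only tells an analyst which parts deserve a closer look in a sandbox.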

Google Offers Physical USB Security Key

The tech giant has finally announced a physical USB Security Key for two-factor authentication. The key is expected to ensure that users keep their accounts safe from intruders, but it has its own limitations. Users can buy a compatible USB device from a third-party supplier and add the Security Key functionality. After doing so, they can start using it when logging in to Google’s services, including Gmail and Google Drive. The key will contain the code required for two-factor authentication, if the latter has been switched on.

Two-factor authentication is a popular method of security protection. It requires both a password and an additional piece of data that can verify the identity of the person logging in. Before, Google provided users with the second piece of authentication data by sending the code via text message or the Authenticator app. Now the USB key can be used without any input required from the keyboard.

The company promises that accounts with Security Key enabled will remain secure from hacking (unless hackers manage to steal the plastic key). This method is presented as more secure than using a smartphone, because hackers have infected mobile devices in the past to steal security codes.

The USB key will also make sure that the website the user is on is owned by Google and not by a third party who uses it for a “man-in-the-middle” attack. The Security Key will not transmit its cryptographic signature if some phishing service is pretending to be a Google login page.

Google explains that instead of typing a code, you can now insert the Security Key into the USB port of your machine and tap it when prompted in Chrome. The company guarantees that the cryptographic signature can’t be phished when you sign into your Google Account using the Chrome browser and the Security Key.
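Why the signature cannot be phished comes down to origin binding: the browser tells the key which site is asking, and the key only signs for the site a credential was registered with. The following simplified model is an added example, not Google's or the FIDO Alliance's code; HMAC stands in for the ECDSA P-256 key pair that real U2F tokens use, and the class, function names and origins are illustrative.

```python
import hashlib
import hmac
import os


def app_param(origin: str) -> bytes:
    """Application parameter: SHA-256 of the origin the browser actually sees."""
    return hashlib.sha256(origin.encode()).digest()


class SecurityKey:
    """Toy token. HMAC replaces ECDSA so the model runs on the standard library."""

    def __init__(self):
        self._secret = os.urandom(32)  # never leaves the device

    def _mac(self, label: bytes, app: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, label + app + nonce, hashlib.sha256).digest()

    def register(self, origin: str):
        app, nonce = app_param(origin), os.urandom(16)
        handle = nonce + self._mac(b"handle", app, nonce)  # key handle tied to this origin
        return handle, self._mac(b"key", app, nonce)  # site key: stand-in for the public key

    def sign(self, origin: str, handle: bytes, challenge: bytes):
        app, nonce, tag = app_param(origin), handle[:16], handle[16:]
        if not hmac.compare_digest(tag, self._mac(b"handle", app, nonce)):
            return None  # handle was issued for a different origin: refuse to sign
        site_key = self._mac(b"key", app, nonce)
        return hmac.new(site_key, app + challenge, hashlib.sha256).digest()


def server_verify(site_key: bytes, origin: str, challenge: bytes, signature) -> bool:
    if signature is None:
        return False
    expected = hmac.new(site_key, app_param(origin) + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    real, fake = "https://login.example", "https://login.example.phish.test"  # constructed
    key = SecurityKey()
    handle, site_key = key.register(real)
    challenge = os.urandom(32)
    genuine = key.sign(real, handle, challenge)
    phished = key.sign(fake, handle, challenge)  # browser reports the look-alike origin
    return server_verify(site_key, real, challenge, genuine), phished


if __name__ == "__main__":
    print(demo())
```

The phishing page can relay the real site's challenge and key handle, but it cannot change the origin the browser reports, so the key returns nothing to relay.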

As you might have noticed, there is one significant limitation: the USB key only works via the Chrome browser, and people who use other Internet browsers won’t like it. In addition, there’s the need for added hardware – this can also put some people off.

Apparently, this innovation has its own disadvantages: it is another thing to carry around and keep track of, it requires the Chrome browser to work, and it can’t be used on mobile devices as it needs a USB port to work. Perhaps the target audience for this innovation is non-technical people who don’t use smartphones and apps. Anyway, if this increases the number of people using two-factor authentication, it is a useful thing.

Besides that, Google is also joining and championing a movement called the FIDO (Fast IDentity Online) Alliance. The goal of the latter is to spread the open Universal 2nd Factor (U2F) protocol used by the Security Key across various websites, so people will only require one USB key for all of them.

The FIDO Universal Authentication Framework is widely used in payment apps from PayPal, Samsung, AliPay, and others, and with Google now using FIDO U2F, it is clear that a new era has arrived, where users and providers are urged to move beyond single-factor passwords to more secure authentication.

Source: ET