
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • RiemannLives Registered User regular
    Is it possible, on a fully patched Windows 10 Home machine, for a trojan embedded in an image file to be dangerous? If not, could Windows Defender be giving false positives on trojans in image files simply because by chance the binary contents of the image match a pattern?

    Getting some odd warnings about images which are part of steam workshop mods.

    Attacked by tweeeeeeees!
  • Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and time Registered User regular
    It may be that the source isn't detected, but any files it is further corrupting are being picked up.

  • bowen How you doin'? Registered User regular
    Is it possible, on a fully patched Windows 10 Home machine, for a trojan embedded in an image file to be dangerous? If not, could Windows Defender be giving false positives on trojans in image files simply because by chance the binary contents of the image match a pattern?

    Getting some odd warnings about images which are part of steam workshop mods.

    false positives via the pattern matching are definitely things

    I don't think I've seen anything take advantage of jpgs or bmps in like 20 years. Last thing I remember that was remotely like that was something that changed the way the exe file was presented with file extensions turned off displaying a jpg icon for the exe.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • RiemannLives Registered User regular
    bowen wrote: »
    Is it possible, on a fully patched Windows 10 Home machine, for a trojan embedded in an image file to be dangerous? If not, could Windows Defender be giving false positives on trojans in image files simply because by chance the binary contents of the image match a pattern?

    Getting some odd warnings about images which are part of steam workshop mods.

    false positives via the pattern matching are definitely things

    I don't think I've seen anything take advantage of jpgs or bmps in like 20 years. Last thing I remember that was remotely like that was something that changed the way the exe file was presented with file extensions turned off displaying a jpg icon for the exe.

    yeah this is specifically a couple images used by Tabletop Simulator mods. When downloading those images Windows Defender flags them as containing a trojan (always the same images) and blocks them. So next time I update it tries to download them again as they don't exist on the disk (as they were blocked) and the same thing happens.

    Attacked by tweeeeeeees!
  • NEO|Phyte They follow the stars, bound together. Strands in a braid till the end. Registered User regular
    bowen wrote: »
    Is it possible, on a fully patched Windows 10 Home machine, for a trojan embedded in an image file to be dangerous? If not, could Windows Defender be giving false positives on trojans in image files simply because by chance the binary contents of the image match a pattern?

    Getting some odd warnings about images which are part of steam workshop mods.

    false positives via the pattern matching are definitely things

    I don't think I've seen anything take advantage of jpgs or bmps in like 20 years. Last thing I remember that was remotely like that was something that changed the way the exe file was presented with file extensions turned off displaying a jpg icon for the exe.

    yeah this is specifically a couple images used by Tabletop Simulator mods. When downloading those images Windows Defender flags them as containing a trojan (always the same images) and blocks them. So next time I update it tries to download them again as they don't exist on the disk (as they were blocked) and the same thing happens.

    I think I might have an idea of what's going on here. There is some witchery you can do with images where you can embed nonpicture data into them. IIRC Spore did this with its creature files, you had a PNG of what the creature looks like and then buried in the file is also the actual information for plugging it into the game. Could be TTS can use the same stuff, and AVs get twitchy about it.

    It was that somehow, from within the derelict-horror, they had learned a way to see inside an ugly, broken thing... And take away its pain.
    Warframe/Steam: NFyt
  • RiemannLives Registered User regular
    NEO|Phyte wrote: »
    bowen wrote: »
    Is it possible, on a fully patched Windows 10 Home machine, for a trojan embedded in an image file to be dangerous? If not, could Windows Defender be giving false positives on trojans in image files simply because by chance the binary contents of the image match a pattern?

    Getting some odd warnings about images which are part of steam workshop mods.

    false positives via the pattern matching are definitely things

    I don't think I've seen anything take advantage of jpgs or bmps in like 20 years. Last thing I remember that was remotely like that was something that changed the way the exe file was presented with file extensions turned off displaying a jpg icon for the exe.

    yeah this is specifically a couple images used by Tabletop Simulator mods. When downloading those images Windows Defender flags them as containing a trojan (always the same images) and blocks them. So next time I update it tries to download them again as they don't exist on the disk (as they were blocked) and the same thing happens.

    I think I might have an idea of what's going on here. There is some witchery you can do with images where you can embed nonpicture data into them. IIRC Spore did this with its creature files, you had a PNG of what the creature looks like and then buried in the file is also the actual information for plugging it into the game. Could be TTS can use the same stuff, and AVs get twitchy about it.

    Yeah some image formats allow embedding of arbitrary data in the header. I've written some encoders / decoders for dealing with that before. But as far as I know that data is inert and not interpreted / executed by programs unless they are specifically written to do so. Like in the low level Windows APIs for inking you can save ink out to a GIF that has the vector data for the ink in the header. So a program that knows how can reload the ink as a vector rather than a bitmap from that GIF.

    Attacked by tweeeeeeees!
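The embedded-data point NEO|Phyte and RiemannLives make above is easiest to see by looking at the PNG chunk structure directly. The following is an added example written for this thread, not code from either poster or from any of the games mentioned: it builds a constructed one-pixel PNG that carries an arbitrary payload in a private ancillary chunk (the chunk type `prVt` is made up for the example) plus a few bytes appended after IEND, then walks the chunk list the way a reviewer or scanner would, reporting which bytes are pixel data and which are merely carried along. A conforming decoder ignores the extra chunk and the trailer; nothing in them is interpreted unless an application is written to look for it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a decoder needs to render pixels; everything else is "carried" data.
CRITICAL = {"IHDR", "PLTE", "IDAT", "IEND"}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(payload: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG for the example.

    `payload` goes into a private ancillary chunk (type 'prVt', invented here:
    lowercase 1st letter = ancillary, lowercase 2nd = private, lowercase 4th =
    safe to copy). `trailer` is appended after IEND, where decoders never look.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    if payload:
        body += chunk(b"prVt", payload)
    return PNG_SIGNATURE + body + chunk(b"IEND", b"") + trailer


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and account for every byte that is not pixel data."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    chunks, ancillary, private, bad_crc = [], [], [], []
    trailing = b""
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, raw_type = struct.unpack(">I4s", blob[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError("truncated chunk body")  # declared length runs past EOF
        data = blob[start:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        ctype = raw_type.decode("latin-1")
        chunks.append((ctype, length))
        if zlib.crc32(raw_type + data) & 0xFFFFFFFF != crc:
            bad_crc.append(ctype)  # tampered or corrupted chunk
        # PNG encodes chunk properties in letter case: lowercase first letter
        # = ancillary (decoder may skip it), lowercase second letter = private.
        if ctype[0].islower():
            ancillary.append(ctype)
        if ctype[1].islower():
            private.append(ctype)
        pos = end + 4
        if raw_type == b"IEND":
            trailing = blob[pos:]  # anything after IEND is never decoded
            break
    carried = sum(n for t, n in chunks if t not in CRITICAL) + len(trailing)
    return {
        "chunks": chunks,
        "ancillary": ancillary,
        "private": private,
        "bad_crc": bad_crc,
        "trailing_bytes": len(trailing),
        "carried_bytes": carried,
    }


if __name__ == "__main__":
    sample = build_png(payload=b"creature stats, not code", trailer=b"EXTRA")
    for key, value in inspect_png(sample).items():
        print(f"{key}: {value}")
```

The `carried_bytes` figure is what matters when triaging a flagged image: a large non-pixel payload or a trailer after IEND explains why a signature engine might match on the file, while the chunk walk itself shows that none of those bytes are in a position a decoder executes.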
  • Carpy Registered User regular
    Toss it at virus total and see what it says

  • Orca Also known as Espressosaurus Wrex Registered User regular
    Every so often there's a bug found in one of the image or video library codecs though, and a properly constructed media file could compromise a vulnerable PC. This might be one of those cases, though hopefully if Defender is catching it you're not vulnerable to it.

  • Donnicton Registered User regular
    I'll take "security companies who ignore security practices" for $1000, Alex

    https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8
    On Monday, SolarWinds confirmed that Orion - its flagship network management software - had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

    And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce.

    ...

    The malicious updates - sent between March and June, when America was hunkering down to weather the first wave of coronavirus infections - was “perfect timing for a perfect storm,” said Kim Peretti, who co-chairs Atlanta-based law firm Alston & Bird’s cybersecurity preparedness and response team.

    Assessing the damage would be difficult, she said.

    “We may not know the true impact for many months, if not more – if not ever,” she said.

    ...

    In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums.

    One of those offering claimed access over the Exploit forum in 2017 was known as “fxmsp” and is wanted by the FBI “for involvement in several high-profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company’s clients, which include U.S. law enforcement agencies.

    Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

    “This could have been done by any attacker, easily,” Kumar said.

    Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said.

  • Tomanta Registered User regular
    "How could hackers add bad code to a software update?"
    "Oh, for Christ's sake!"

  • Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and time Registered User regular
    Welp.

  • Mugsley Delaware Registered User regular
    The Fed is also reeling from this. There are a couple articles about it. Basically the $$$$$$$ system that Homeland Security set up to monitor attacks like this didn't include heuristics for novel/new attacks and only relied on already known forms of attack.

    Also the WaPo article about how the Fed is handling it has some wildly polar comments. More than one person is accusing Melania of masterminding this from the WH. I'm not kidding.

  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Mugsley wrote: »
    The Fed is also reeling from this. There are a couple articles about it. Basically the $$$$$$$ system that Homeland Security set up to monitor attacks like this didn't include heuristics for novel/new attacks and only relied on already known forms of attack.

    Also the WaPo article about how the Fed is handling it has some wildly polar comments. More than one person is accusing Melania of masterminding this from the WH. I'm not kidding.

    Oh my god, what? They actually thought only existing forms of attack were worth preparing for? In a world of day zero attacks?

  • Mugsley Delaware Registered User regular
    edited December 2020
    https://www.washingtonpost.com/national-security/ruusian-hackers-outsmarted-us-defenses/2020/12/15/3deed840-3f11-11eb-9453-fc36ba051781_story.html
    The Russians, whose operation was discovered this month by a cybersecurity firm that they hacked, were good. After initiating the hacks by corrupting patches of widely used network monitoring software, the hackers hid well, wiped away their tracks and communicated through IP addresses in the United States rather than ones in, say, Moscow to minimize suspicions.

    The hackers also shrewdly used novel bits of malicious code that apparently evaded the U.S. government’s multibillion-dollar detection system, Einstein, which focuses on finding new uses of known malware and also detecting connections to parts of the Internet used in previous hacks.

    But Einstein, operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), was not equipped to find novel malware or Internet connections, despite a 2018 report from the Government Accountability Office suggesting that building such capability might be a wise investment. Some private cybersecurity firms do this type of “hunting” for suspicious communications — maybe an IP address to which a server has never before connected — but Einstein doesn’t.

    “It’s fair to say that Einstein wasn’t designed properly,” said Thomas Bossert, a top cybersecurity official in both the George W. Bush and Trump administrations. “But that’s a management failure.”

    CISA spokeswoman Sara Sendek said the breaches stretch back to March and were not caught by any intrusion detection or prevention system. As soon as CISA received indicators of the activity it loaded them into Einstein to help identify breaches on agency networks, Sendek said.

  • SiliconStew Registered User regular
    Mugsley wrote: »
    The Fed is also reeling from this. There are a couple articles about it. Basically the $$$$$$$ system that Homeland Security set up to monitor attacks like this didn't include heuristics for novel/new attacks and only relied on already known forms of attack.

    Also the WaPo article about how the Fed is handling it has some wildly polar comments. More than one person is accusing Melania of masterminding this from the WH. I'm not kidding.

    Oh my god, what? They actually thought only existing forms of attack were worth preparing for? In a world of day zero attacks?

    By definition you cannot protect against attacks you don't know can exist. There is no such thing as "heuristics for new attacks" because heuristics are looking for patterns of behavior known to be malicious. If a new/novel attack doesn't fit those known patterns, it won't be detected.

    That said, watching for stuff like outbound connections starting to go to servers you've never used before is not a new or novel approach to security if you're really trying to lock things down.

    Just remember that half the people you meet are below average intelligence.
  • Incenjucar VChatter Seattle, WA Registered User regular
    The product of an attack is still something you can keep an eye out for. An attack is typically going to have an effect on the system that can be detected, even if you have no initial idea of how they made that change.

  • nexuscrawler Registered User regular
    Yes but with further investigation lots of attacks could be found. All you need is a system that flags things that are unusual or unexpected so they can be looked into.

    Even if you don't know the exact exploit being used you might still be able to block the traffic.

  • SiliconStew Registered User regular
    edited December 2020
    nexuscrawler wrote: »
    Yes but with further investigation lots of attacks could be found. All you need is a system that flags things that are unusual or unexpected so they can be looked into.

    Even if you don't know the exact exploit being used you might still be able to block the traffic.

    Except you need to do that without making the system mostly useless by burying your monitoring staff in millions of false positives every day. Because if you can't do that all you're doing is creating a massive log archive you might be able to go back through and search well after an attack, but it would be no good for near real time detection of issues or stopping attacks in progress, which is the real goal. If defining "unusual" were actually that easy, security wouldn't be so hard.

    But Solarwinds being both a device management and monitoring software means it is already trusted by the system so things it does may not be getting flagged as "unusual" in the first place and any monitoring/logging you're doing on the device for indicators of compromise cannot be trusted once it has been compromised itself. But this is also why you do defense in depth and use things like network intrusion detection monitoring that doesn't rely on the compromised endpoint device itself to detect things.

    Just remember that half the people you meet are below average intelligence.
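SiliconStew's two points above, that watching for outbound connections to servers a host has never talked to is ordinary practice, and that such a detector is worthless if it buries the monitoring staff in false positives, can be combined in one small detector. The following is an added example written for this thread, not code from any poster or any product: it reads constructed flow records in a format assumed here (timestamp, source host, destination IP, destination port, as a network sensor rather than the monitored host would produce them, following the defense-in-depth point in the same post), learns each host's normal destination set during a baseline window, and after the window alerts exactly once per new (host, destination) pair, rating destinations outside the configured internal ranges higher.

```python
import ipaddress
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed flow records for the example (not real traffic):
# timestamp, source host, destination IP, destination port.
SAMPLE_FLOWS = """\
2020-03-01T08:00:00 nms-01 10.0.0.25 443
2020-03-01T08:05:00 nms-01 10.0.0.26 161
2020-03-02T09:00:00 nms-01 10.0.0.25 443
2020-03-02T09:00:00 web-01 10.0.0.40 3306
2020-03-15T10:00:00 nms-01 10.0.0.25 443
2020-03-15T10:02:00 nms-01 198.51.100.7 443
2020-03-15T10:03:00 nms-01 198.51.100.7 443
2020-03-16T11:00:00 web-01 10.0.0.41 3306
"""


def parse_flows(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse the assumed 'ts src dst port' record format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_first_seen(
    text: str,
    baseline_end: str,
    internal_nets: Tuple[str, ...] = ("10.0.0.0/8", "192.168.0.0/16"),
) -> Tuple[List[dict], int]:
    """Return (alerts, suppressed_repeats).

    Records before `baseline_end` only teach the detector what each host
    normally talks to. Afterwards, a destination not in that set raises one
    alert; further flows to the same (host, destination) pair are counted
    but not alerted, which is what keeps the alert volume reviewable.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    cutoff = datetime.fromisoformat(baseline_end)
    baseline: Dict[str, Set[str]] = {}
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[dict] = []
    suppressed = 0
    for ts, src, dst, port in sorted(parse_flows(text)):
        known = baseline.setdefault(src, set())
        if ts < cutoff:
            known.add(dst)  # learning phase: record normal destinations
            continue
        if dst in known:
            continue  # seen during the baseline: treated as normal
        if (src, dst) in alerted:
            suppressed += 1  # already raised for this pair: no repeat alert
            continue
        alerted.add((src, dst))
        external = not any(ipaddress.ip_address(dst) in n for n in nets)
        alerts.append({
            "first_seen": ts.isoformat(),
            "src": src,
            "dst": dst,
            "port": port,
            "severity": "high" if external else "medium",
        })
    return alerts, suppressed


if __name__ == "__main__":
    found, repeats = detect_first_seen(SAMPLE_FLOWS, "2020-03-10T00:00:00")
    for alert in found:
        print(alert)
    print(f"suppressed repeat flows: {repeats}")
```

The baseline is the weak point, exactly as the post says about trusting a compromised device: if the learning window already contains the intruder's traffic, those destinations are learned as normal and never alerted, so the window has to be taken from a period believed clean and the detector run from a sensor the monitored host cannot tamper with.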
  • Incenjucar VChatter Seattle, WA Registered User regular
    The answer to "we can't monitor everything" isn't "let's not bother figuring out how things could catch fire until they're already on fire".

    Even if the practice wouldn't have helped in a given situation, it's a practice that should be followed for all the other situations it could resolve.

  • SiliconStew Registered User regular
    edited December 2020
    But they obviously already have that sort of after-the-fact log archiving if they could figure out the attacks started back in March.

    Just remember that half the people you meet are below average intelligence.
  • Six Caches Tweets in the mainframe cyberhex Registered User regular
    I work for a security vendor and our IR team is on customer calls basically 24/7 at this point. The solarwinds db and svc accounts as well as the local system account on the solarwinds box light up like Christmas trees if you’ve been hit and you’ve got good UEBA in place that’s looking at AD.

    One of the interesting things about this is that apparently word at the Fed is that there were so many FE guys onsite everywhere and they were the only ones actually catching Russian intrusion. So they went after FE to get their tools to figure out why they kept getting caught.

    can you feel the struggle within?
  • Mugsley Delaware Registered User regular
    It's a fantastic idea. A countermeasure keeps blocking you, so hack the countermeasure

  • Six Caches Tweets in the mainframe cyberhex Registered User regular
    edited December 2020
    The obfuscation and anti-forensics going on is pretty incredible too. Use DNS to look up local host names in the environment and then use similar host names to make things look normal. Use normal IP addresses to avoid triggering geo-hopping alerts. Couch all command and control communication in Solarwinds’ OIP protocols so everything looks normal.

    This is all over Fed systems right now and tons of commercial companies too. Microsoft sinkholed the CnC domain but that only stops the initial command and control. There are tons of compromised environments already.

    Edit: A good way to think about this is that a burglar gets into a building through an open window. Killing the CnC domain closes that window, but you have no idea if they’re still inside, what they already did, what they still may be doing, and whether they opened up new windows.

    can you feel the struggle within?
  • nexuscrawler Registered User regular
    Six wrote: »
    The obfuscation and anti-forensics going on is pretty incredible too. Use DNS to look up local host names in the environment and then use similar host names to make things look normal. Use normal IP addresses to avoid triggering geo-hopping alerts. Couch all command and control communication in Solarwinds’ OIP protocols so everything looks normal.

    This is all over Fed systems right now and tons of commercial companies too. Microsoft sinkholed the CnC domain but that only stops the initial command and control. There are tons of compromised environments already.

    Edit: A good way to think about this is that a burglar gets into a building through an open window. Killing the CnC domain closes that window, but you have no idea if they’re still inside, what they already did, what they still may be doing, and whether they opened up new windows.

    And they’re dressed up as a security guard

  • Six Caches Tweets in the mainframe cyberhex Registered User regular
    edited December 2020
    If anyone’s curious, I’m doing a live stream in five minutes with one of our Incident Response guys to talk about sunburst and what we’ve seen.

    Edit: and we’re out

    can you feel the struggle within?
  • Donnicton Registered User regular
    So these are cool and awesome Win10 things that have apparently existed for some time.

    Both of them can be executed with no special permissions.

    Not going to quote the actual commands but you can find them in the articles.

    https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
    "Critically underestimated" NTFS vulnerability

    In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed.
    When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records.
    The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version.
    What's worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems.
    A drive can become corrupted by merely trying to access the $i30 NTFS attribute on a folder in a certain way.

    *WARNING* Executing the below command on a live system will corrupt the drive and possibly make it inaccessible. ONLY test this command in a virtual machine that you can restore to an earlier snapshot if the drive becomes corrupted. *WARNING*
    An example command that corrupts a drive is shown below.

    <>

    The Windows NTFS Index Attribute, or '$i30' string, is an NTFS attribute associated with directories that contains a list of a directory's files and subfolders. In some cases, the NTFS Index can also include deleted files and folders, which comes in handy when conducting an incident response or forensics.

    It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn't work.
    'I have no idea why it corrupts stuff and it would be a lot of work to find out because the reg key that should BSOD on corruption does not work. So, I'll leave it to the people with the source code,' Jonas told BleepingComputer.
    After running the command in the Windows 10 command prompt and hitting Enter, the user will see an error message stating, "The file or directory is corrupted and unreadable."
    Windows 10 will immediately begin displaying notifications prompting the user to restart their PC and repair the corrupted disk volume. On reboot, the Windows check disk utility runs and starts repairing the hard drive, as demonstrated in the video below.
    After the drives become corrupted, Windows 10 will generate errors in the Event Log stating that the Master File Table (MFT) for the particular drive contains a corrupted record.
    In tests conducted by BleepingComputer, threat actors can use the command maliciously in various PoC exploits.

    One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to <> would trigger the vulnerability even if the user never opened the file!
    As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file's icon.
    To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process.
    Next, "restart to repair hard drive" notifications start popping up on the Windows PC—all this without the user even having opened or double-clicked on the shortcut file.

    Creative attackers can also deliver this payload in a variety of ways to the victim.
    While the same-origin policy on most browsers would limit such attacks being served from a remote server (e.g., a remote HTML document referencing <>), creative means exist to work around such restrictions.
    The researcher briefly stated that other vectors could be used to trigger this exploit remotely, such as via crafted HTML pages that embed resources from network shares or shared drives that have references to the offending $i30 path.
    In some cases, according to the researcher, it is possible to corrupt the NTFS Master File Table (MFT).
    During our research, BleepingComputer came across a caveat.
    In some tests, after the Windows 10 chkdsk utility had "repaired" the hard drive errors on reboot, the contents of the exploit file, in this case, the crafted Windows shortcut with its icon set to <> would be cleared and replaced with empty bytes.
    This means the crafted Windows shortcut file was enough to pull a one-off attack if this happens.
    Besides, a victim is not likely to download a Windows shortcut (.url) file from the internet.
    To make the attack more realistic and persistent, attackers could trick users into downloading a ZIP archive to deliver the crafted file.
    An attacker can, for example, sneak in their malicious Windows shortcut file with a large number of legitimate files inside a ZIP archive.
    Not only is a user more likely to download a ZIP file, but the ZIP file is likely to trigger the exploit every single time it is extracted.

    https://www.bleepingcomputer.com/news/security/windows-10-bug-crashes-your-pc-when-you-access-this-location/
    A bug in Windows 10 causes the operating system to crash with a Blue Screen of Death simply by opening a certain path in a browser's address bar or using other Windows commands.
    Last week, BleepingComputer learned of two bugs disclosed on Twitter by a Windows security researcher that can be abused by attackers in various attacks.
    The first bug allows an unprivileged user or program to enter a single command that causes an NTFS volume to become marked as corrupted. While chkdsk resolved this issue in many tests, one of our tests showed that the command caused corruption on a hard drive that prevented Windows from starting.
    Today, we look at the second bug that causes Windows 10 to perform a BSOD crash by merely attempting to open an unusual path.

    Since October, Windows security researcher Jonas Lykkegaard has tweeted numerous times about a path that would immediately cause Windows 10 to crash and display a BSOD when entered into the Chrome address bar.
    When developers want to interact with Windows devices directly, they can pass a Win32 device namespace path as an argument to various Windows programming functions. For example, this allows an application to interact directly with a physical disk without going through the file system.
    Lykkegaard told BleepingComputer that he discovered the following Win32 device namespace path for the 'console multiplexer driver' that he believes is used for 'kernel / usermode ipc.' When opening the path in various ways, even from low-privileged users, it would cause Windows 10 to crash.

    <>

    When connecting to this device, developers are expected to pass along the 'attach' extended attribute to communicate with the device properly.
    Lykkegaard discovered if you try to connect to the path without passing the attribute due to improper error checking, it will cause an exception that causes a Blue Screen of Death (BSOD) crash in Windows 10.
    Even worse, low privileged Windows users can attempt to connect to the device using this path, making it easy for any program executed on a computer to crash Windows 10.
    In our tests, we have confirmed this bug to be present on Windows 10 version 1709 and later. BleepingComputer was unable to test it in earlier versions.
    BleepingComputer reached out to Microsoft last week to learn if they knew of the bug already and if they would fix the bug.
    “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible,” a Microsoft spokesperson told BleepingComputer.

  • SiliconStew Registered User regular
    Well that's just lovely.

    About the only thing I can say is I guess it's a "good" thing most attackers these days are more interested in persistent running malware or money making extortion than outright killing machines.

    Just remember that half the people you meet are below average intelligence.
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Hoping to get a bit of advice on an emerging situation, which is being made worse by pandemic distancing meaning I can't fix this situation in person.

    Short version: My parents got suckered in by a phishing email, and opened a potentially malicious PDF.

    Long version: My mother got an email telling her that her Amazon Prime account declined her credit card, and that she had to download and open a PDF and follow the directions. So she did, and the PDF said "Go to this webpage". She clicked the link to go to the webpage, but Chrome blocked it (thank god). I don't think her information got phished, because Chrome stopped her before she entered it in, but the fact that she opened a PDF tells me she likely infected her computer in the process.

    She's running a Mac, though admittedly it's bareback without any malware protection because "It's a Mac" (which is bullshit). If I could visit in person I would nuke the system and start her fresh from Backups, but there's no way in hell I can do that over the phone and the pandemic means I'm not going to be able to touch that computer for at LEAST six months.

    Is there some reasonable tool I might be able to use to remote-access a Mac, one that hopefully is easy to install? My parents have a hard time just figuring out how to open Chrome, so they're not going to be able to do this on their own, and I'm pretty sure they just compromised the hell out of themselves.

    And I REPEATEDLY tell them not to download things from emails, or click links. "But it was from Amazon!" Uuuuuggggh.....

  • Orca Also known as Espressosaurus Wrex Registered User regular
    If you're not willing/able to go to them, can they ship you the computer? It really should be slagged down and rebuilt just to be safe, and you're not going to be able to do that via remote access I don't think.

  • Mr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    You might be able to get on with TeamViewer but the macOS access restrictions are going to make install time an absolute chore, though the installation script does pop up buttons linking to the relevant preferences page.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    I'll give TeamViewer a shot, but I won't hold out much hope. I might just see if they're willing to put the computer in a box forever.

  • bowenbowen How you doin'? Registered User regular
    It's also very unlikely a PDF executed code, let alone on a Mac, so you are probably in the clear. OSX has a lot of permissions things it deals with that it inherited from unix/BSD and it's just extremely unlikely someone went to that length to make sure their PDF executed code on both OSX and Windows.

  • MugsleyMugsley DelawareRegistered User regular
    Can you try to walk them through the process via FaceTime or similar video chat on a phone or tablet? If you can see their screen, it may be easier to direct them how to fix it. Or would they be willing to watch a YT vid and then ask you questions during the process?

  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    Mugsley wrote: »
    Can you try to walk them through the process via FaceTime or similar video chat on a phone or tablet? If you can see their screen, it may be easier to direct them how to fix it. Or would they be willing to watch a YT vid and then ask you questions during the process?

    That's a great suggestion, but half the time I try that, they point their phone at the wall or the table, and they don't understand why I can't see the screen.

    In the interim, I have convinced them to turn the computer off and stop using it entirely. I am trying to move on to convince them to bury it in the backyard. Maybe cover it in concrete. It's the only way to be sure.

    Though seriously, thank you all for your advice and help <3 Once I'm able to wrangle them into a long remote session, I'll hopefully be able to address the issue. I'm hoping that Bowen is correct, but I just can't be certain yet.

  • MugsleyMugsley DelawareRegistered User regular
    It's crazy because you get frustrated that you have to spend money on something like this, but what about having them set up an appointment at an Apple Store to reimage the machine? Even if it's out of AppleCare, the cost would be worth it since you know it will be given back with a clean install.

  • RiokennRiokenn Registered User regular
    edited January 2021
    My folks clicked the little drop down arrow to preview what was attached in an email and in the little preview window was some pdf file. They didn’t do anything else and deleted it but it’s still a little jarring if previewing it could trigger something.

  • SiliconStewSiliconStew Registered User regular
    edited January 2021
    Riokenn wrote: »
    Should I be worried about previewing a PDF in a suspicious email?
    My folks clicked the little drop down arrow to preview what was attached in an email and in the little preview window was some pdf file. They didn’t do anything else and deleted it but it’s still a little jarring if previewing it could trigger something.

    Yes, if there is a vulnerability in the email client's viewer, you can potentially be infected from previewing files. Though it is less risky overall as the email preview doesn't have all the functionality of a full application like Adobe Reader or Word.

    Just remember that half the people you meet are below average intelligence.
  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited March 2021
    There's a new wide-scale compromise that struck in the last few days. It leveraged vulnerabilities in Microsoft's Exchange Server. Four zero-day exploits, to be exact.

    Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyberattackers in widespread attacks.

    While in no way believed to be connected to the SolarWinds supply chain attack that has impacted an estimated 18,000 organizations worldwide -- so far -- there is concern that lags in patching vulnerable servers could have a similar impact, or worse, on businesses.

    On March 2, Microsoft released patches to tackle four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in "limited, targeted attacks."

    Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide.

    While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches -- and the number of estimated victims continues to grow.


    This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you're now in incident response mode.

    Chris Krebs is the former director of the Cybersecurity and Infrastructure Security Agency.

    It's very likely that we'll be seeing fallout from this in the coming days.

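The check Krebs describes, written out as a PowerShell script so it can be run consistently across servers. This is an added example, not code from the thread or from Microsoft; it assumes it runs on the Exchange server itself with read access to the web root, and the date window is the one quoted above.

```powershell
# Added example: look for the indicator quoted above (8-character .aspx files
# under the OWA web root) and report, never delete, anything found.
# Assumption: run locally on the Exchange server with read access to the path.
$WebRoot     = 'C:\inetpub\wwwroot\aspnet_client\system_web'
$WindowStart = Get-Date '2021-02-26'
$WindowEnd   = Get-Date '2021-03-04'   # exclusive bound, so 03/03 is covered in full

if (-not (Test-Path -LiteralPath $WebRoot)) {
    Write-Output "Path not found: $WebRoot (is this an Exchange/OWA server?)"
    return
}

# The indicator: an .aspx file whose base name is exactly 8 characters long.
$Hits = Get-ChildItem -LiteralPath $WebRoot -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName.Length -eq 8 }

if (-not $Hits) {
    Write-Output "No 8-character .aspx files under $WebRoot."
    return
}

# Record timestamps and a hash for each hit so the evidence can be preserved and
# compared before anything on the host is touched. Timestamps can be altered by
# an intruder, so a hit outside the window is still a hit.
$Hits | ForEach-Object {
    $inWindow = ($_.CreationTimeUtc -ge $WindowStart) -and ($_.CreationTimeUtc -lt $WindowEnd)
    [pscustomobject]@{
        Path          = $_.FullName
        SizeBytes     = $_.Length
        CreatedUtc    = $_.CreationTimeUtc
        ModifiedUtc   = $_.LastWriteTimeUtc
        InKrebsWindow = $inWindow
        Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize

Write-Output "Hit(s) found: treat this host as in incident-response scope; preserve first, clean later."
```

A hit means the host goes into incident response as the tweet says; the script deliberately stops at reporting so that nothing useful to the investigation is destroyed.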
  • Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    Any word on how/if this affects Exchange Online/Outlook.com?

  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    Mr_Rose wrote: »
    Any word on how/if this affects Exchange Online/Outlook.com?

    I haven't seen word on that specifically, but Microsoft themselves rolled out patches on the quick. On further investigation the primary concern appears to be that numerous large companies were not prompt with their patching. If that's the case, then Outlook.com is likely okay - But that would assume that no bad actors hit any of the four vulnerabilities prior to the patch.
