Windows systems

Winsage
November 8, 2024
Researchers have identified a new threat campaign called SteelFox, which uses counterfeit software activators and cracks to infiltrate Windows systems. The campaign deploys a vulnerable driver, information-stealing malware, and a cryptocurrency miner, compromising sensitive data and exploiting system resources for illicit mining. Victims are reported globally, including regions from Brazil to China, affecting users of commercial software like Foxit PDF Editor, JetBrains, and AutoCAD. Cybercriminals continue to advertise these fake software solutions, increasing the potential for further infections.
Winsage
November 5, 2024
The extended Berkeley Packet Filter (eBPF) allows for the execution of custom code in kernel space, enhancing application performance management and security. Windows has introduced support for eBPF, but it has limitations. Microsoft began a project in 2021 to enable eBPF capabilities on Windows, allowing the use of existing Linux eBPF tools and libraries. To install eBPF on Windows, a kernel debugger or test-signing mode is required, which is impractical for production systems. eBPF for Windows is still in development, suitable for experimentation, but not yet ready for real-world deployment. There is no clear timeline for a production-ready version, and development activity has slowed.
Winsage
November 3, 2024
Cyfirma Research has identified a security vulnerability in iTunes for Windows, designated as CVE-2024-44193, which allows attackers to escalate privileges on systems running versions 12.13.2.3 and earlier. This local privilege escalation vulnerability arises from improper permission management related to the AppleMobileDeviceService.exe, enabling attackers to manipulate files in the C:\ProgramData\Apple\Lockdown directory. The exploitation is straightforward, involving tools like NTFS junctions and opportunistic locks to gain elevated access. Organizations are advised to update iTunes to version 12.13.3 or later to mitigate this risk. Although there is no current evidence of active exploitation, the vulnerability poses a significant threat, particularly to sectors reliant on Windows-based systems, such as media, education, government, and corporate environments.
Winsage
November 1, 2024
A significant security vulnerability has been discovered in Windows operating systems due to the use of the outdated NTLM password hashing method. This vulnerability affects all Windows client versions starting from Windows 7, leaving a large number of users at risk. Exploiting the vulnerability does not require special privileges, allowing a wide range of attackers to capture NTLM authentication hashes, which can lead to further security breaches. The vulnerability can be triggered easily by viewing a malicious theme file in Windows Explorer, and users may unknowingly activate it through automatic downloads.
Winsage
October 31, 2024
Microsoft has introduced an option for Windows 10 home users to postpone their transition to Windows 11 for an additional year by purchasing Extended Security Updates (ESU). Windows 10 will reach its end of support on October 14, 2025, after which users will not receive bug fixes or security updates. Specialized versions like Windows 10 IoT Enterprise LTSC 2021 will be supported until January 13, 2032, and Windows 10 2016 LTSB until October 13, 2026. The ESU program for consumers will be available for enrollment closer to the end of support in 2025. Over 62% of all Windows systems currently run Windows 10, while only 33% operate on Windows 11. Microsoft will start offering Extended Security Updates to enterprise customers on November 1, 2025. Additionally, Microsoft has reopened the Windows 10 beta channel and released the first Windows 10 Beta build since 2021.
Winsage
October 31, 2024
Researchers from 0patch discovered a new zero-day vulnerability, CVE-2024-38030, while developing a micropatch for an existing Windows security flaw, CVE-2024-21320, which allowed attackers to extract NT LAN Manager (NTLM) user credentials through malicious Windows theme files. Microsoft’s patch for CVE-2024-21320 did not fully address all potential credential leakage scenarios, prompting the identification of the new vulnerability. 0patch created a more general patch for Windows theme files that covers all execution paths leading to credential leakage. Microsoft has acknowledged the new vulnerability and is working on a fix, but an official patch has not yet been released. Meanwhile, 0patch users can install a micropatch to protect their systems.
Winsage
October 30, 2024
A newly identified zero-day vulnerability in Windows Themes files allows attackers to exploit NTLM credential leaks by simply having a malicious theme file viewed in Windows Explorer. This vulnerability, reported by ACROS Security, affects fully updated Windows systems, including Windows 11 24H2, and enables remote credential theft without user interaction. Microsoft previously addressed a related issue with a patch for CVE-2024-21320, but researchers discovered that attackers could bypass this fix, leading to the emergence of CVE-2024-38030. ACROS Security has released a temporary micropatch via their 0patch service to prevent NTLM leaks by accurately detecting network paths within theme files. The vulnerability allows attackers to execute NTLM relay and pass-the-hash attacks across multiple Windows versions, from Windows 7 to Windows 11 24H2. A demonstration showed that transferring a malicious theme file to an unpatched PC triggers a network connection that sends NTLM credentials to the attacker, while the micropatch blocks this connection.
Winsage
October 30, 2024
All versions of Windows clients, from Windows 7 to Windows 11, are exposed to a critical 0-day vulnerability that allows attackers to capture NTLM authentication hashes. This vulnerability was reported by ACROS Security after their investigation into CVE-2024-38030, which involved Windows Themes spoofing. The flaw facilitates an authentication coercion attack, where a vulnerable device sends NTLM hashes to an attacker’s system. The issue arises from how Windows processes theme files, particularly due to inadequate validation of file paths. This is the third vulnerability linked to the same file path problem. Microsoft is aware of the report and will take necessary actions, but no CVE has been issued yet. Attackers do not need special privileges but must convince users to interact with a malicious theme file. Disabling NTLM is advised, although it may cause functional issues in dependent network components.
Winsage
October 29, 2024
Free unofficial patches have been released to address a zero-day vulnerability in Windows Themes that allows attackers to remotely steal NTLM credentials. This vulnerability affects all fully updated Windows versions, from Windows 7 to Windows 11 24H2. ACROS Security identified the issue while developing a micropatch for another vulnerability (CVE-2024-38030) and created a comprehensive patch that covers all execution paths leading to unauthorized network requests from theme files. They are offering these micropatches for free through their 0patch service until Microsoft provides an official fix. Users need to create a 0patch account and install the 0patch agent to apply the micropatch. Microsoft has acknowledged the issue and intends to release a patch, but the timeline is uncertain.