Maldoc XLS Invoice with Excel 4 Macros, (Sun, Apr 5th)

This week I got an email claiming to be a YellowPages invoice with an XLS attachment containing an Excel 4.0 macro, similar to [1][2]. Using Didier's oledump.py tool, I checked the spreadsheet with the plugin_biff plugin and option -x, which shows Excel 4 macros. The next step will be to check for any embedded URL …
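What plugin_biff is doing underneath is walking the BIFF records of the Workbook stream; the sheet table (BOUNDSHEET records) is where an Excel 4.0 macro sheet and its hidden state show up. The following is an added example, not code from the diary or from oledump.py, that parses those records and flags macro sheets. It operates on the raw Workbook stream bytes (on a real file you would extract that stream from the OLE container first, e.g. with olefile); the sample stream at the bottom is constructed for the example and is not taken from the analysed maldoc.

```python
import struct

# BIFF record identifiers (MS-XLS). Every record is: type (u16 LE), length (u16 LE), payload.
REC_BOF = 0x0809
REC_BOUNDSHEET = 0x0085
REC_EOF = 0x000A

# BoundSheet8.dt values: the kind of sheet behind each tab
SHEET_TYPES = {
    0x00: "worksheet or dialog",
    0x01: "Excel 4.0 macro sheet",
    0x02: "chart",
    0x06: "VBA module",
}
# BoundSheet8.hsState values: how the tab is shown in the UI
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}


def iter_biff_records(stream):
    """Yield (record_type, payload) for every BIFF record in a Workbook stream."""
    offset = 0
    while offset + 4 <= len(stream):
        rec_type, length = struct.unpack_from("<HH", stream, offset)
        offset += 4
        payload = stream[offset:offset + length]
        if len(payload) != length:
            raise ValueError("truncated record 0x%04X at offset %d" % (rec_type, offset - 4))
        offset += length
        yield rec_type, payload


def parse_boundsheet(payload):
    """Decode a BoundSheet8 record: substream offset, hidden state, sheet type, name."""
    ply_pos, hs_state, dt = struct.unpack_from("<IBB", payload, 0)
    cch, flags = payload[6], payload[7]
    raw = payload[8:]
    # ShortXLUnicodeString: fHighByte selects UTF-16LE (2 bytes/char) or 8-bit characters
    if flags & 0x01:
        name = raw[:cch * 2].decode("utf-16-le")
    else:
        name = raw[:cch].decode("latin-1")
    return {
        "name": name,
        "offset": ply_pos,
        "type": SHEET_TYPES.get(dt, "unknown (0x%02X)" % dt),
        "hidden": HIDDEN_STATES.get(hs_state & 0x03, "reserved"),
    }


def list_sheets(stream):
    """Return the sheet table from the workbook globals substream."""
    sheets = []
    for rec_type, payload in iter_biff_records(stream):
        if rec_type == REC_BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rec_type == REC_EOF:
            break  # BOUNDSHEET records only occur in the globals substream
    return sheets


def find_excel4_macro_sheets(stream):
    """Return only the Excel 4.0 macro sheets; a hidden one is the usual maldoc tell."""
    return [s for s in list_sheets(stream) if s["type"] == "Excel 4.0 macro sheet"]


# --- constructed sample Workbook stream (built here for the example, not from the maldoc) ---
def _record(rec_type, payload):
    return struct.pack("<HH", rec_type, len(payload)) + payload


def _boundsheet(name, hs_state, dt, ply_pos):
    encoded = name.encode("latin-1")
    return _record(REC_BOUNDSHEET,
                   struct.pack("<IBB", ply_pos, hs_state, dt) + bytes([len(encoded), 0]) + encoded)


SAMPLE_WORKBOOK = (
    _record(REC_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))  # BIFF8, workbook globals
    + _boundsheet("Sheet1", 0, 0x00, 0x0100)   # visible decoy worksheet
    + _boundsheet("Macro1", 2, 0x01, 0x0200)   # very hidden Excel 4.0 macro sheet
    + _record(REC_EOF, b"")
)

if __name__ == "__main__":
    # For a real file, obtain the stream first, e.g.:
    #   stream = olefile.OleFileIO(path).openstream("Workbook").read()
    for sheet in list_sheets(SAMPLE_WORKBOOK):
        print("%-8s %-22s %-12s @0x%08X" % (sheet["name"], sheet["type"], sheet["hidden"], sheet["offset"]))
    print("Excel 4.0 macro sheets:", [s["name"] for s in find_excel4_macro_sheets(SAMPLE_WORKBOOK)])
```

A "very hidden" macro sheet cannot be unhidden from the Excel UI, which is why maldocs favour it; the sheet's offset tells you where its own BOF substream (and the formulas with the macro logic) begins in the stream.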

CVE-2020-11498

Slack Nebula through 1.1.0 contains a relative path vulnerability that allows a low-privileged attacker to execute code in the context of the root user via tun_darwin.go or tun_windows.go. A user can also use Nebula to execute arbitrary code in the user’s own context, e.g., for user-level persistence or to bypass security controls. NOTE: the vendor …

Very Large Sample as Evasion Technique?, (Thu, Mar 26th)

Security controls have a major requirement: they must not (or at least try not to) interfere with the normal operation of the protected system. It is known that many antivirus products do not scan very large files (or scan only the first x bytes) for performance reasons. Can we consider a very big file as a technique to …

Another Critical COVID-19 Shortage: Digital Security, (Tue, Mar 24th)

Following is a guest cross-post from John Scott-Railton, a Senior Researcher at The Citizen Lab. His work focuses on technological threats to civil society. We all know about global shortages of ventilators, protective equipment, and pharmaceuticals. But as work moves home, it will be much less secure, harder to defend, and easier to snoop on. …

Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability, (Mon, Mar 23rd)

Microsoft announced limited exploitation of a zero-day remote code execution vulnerability in the Type 1 font parser. There are two RCE vulnerabilities in the Windows Adobe Type Manager Library on Windows systems, triggered when parsing the Adobe Type 1 PostScript format. There are multiple attack vectors, such as documents. Microsoft is working on a patch. The following mitigation actions can …

CVE-2019-14881 (moodle)

A vulnerability was found in Moodle 3.7 to 3.7.2 (fixed in 3.7.3), where blind XSS is reflected in some locations where the user email address is displayed.

CVE-2019-14882 (moodle)

A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page.