Browser In Your Browser, Sock Puppets, Performance Killing Patches, & GIFShell – PSW #755

"there is a vulnerability in older firmware versions that allows an attacker to modify the internal configuration files. However, this assumes that the attacker has already compromised the device and is therefore able to change the configuration files. In this case, there would be a risk of making this compromise permanent, i.e., after rebooting the device, it would remain compromised." - Trying to dig in and figure out how this works, not enough information yet.

So there are 7, yes, 7, vulnerabilities and general "flaws" in Microsoft Teams that allow an attacker to create a reverse shell using MS Teams. Some of the flaws include the chat transcripts being stored in a user-accessible log file and the ability to embed commands inside GIFs, which in turn are executed: "When a base64 encoded GIF is received in Microsoft Teams and appears in the Teams log files, the GIFs byte content is decoded, and the attacker’s malicious commands that are embedded in the GIF are executed as system commands on the victim’s machine." Microsoft will not immediately fix these vulnerabilities, stating: "This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix." - Seriously? I thought we were past this.

Interesting how they used Shakata Ga Nai (Japanese for "nothing can be done about it"), more information can be found here: https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong. One of the interesting points is that many malware detection vendors may not be checking for older payload encoding, missing some malware that is encoded with Shakata Ga Nai (a polymorphic XOR additive feedback encoder), which was introduced into the Metasploit framework back in 2005. It also exploits PwnKit, the polkit vulnerability found by Qualys researchers last year. (Other article here: https://arstechnica.com/information-technology/2022/09/new-linux-malware-combines-unusual-stealth-with-a-full-suite-of-capabilities/)

JavaScript is neat: "The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers." I like this fix, but not certain how feasible it is: "we suggest using an approved list of trusted domains to be loaded to the application’s WebView to prevent loading malicious or untrusted web content."

Its webauthn: "Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (WC3). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed. When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,”" webauthn: "Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; a public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to prove the user’s identity." https://webauthn.guide/#about-webauthn - It sounds like an SSH keypair but for web applications?

Browser-in-the-Browser attacks are neat because the URL bar looks legit and it has the SSL lock. I've seen this in the past where they are both just images rather than actual browser elements.

"Big Blue were so anxious to take their OS into new markets that they localized it into languages which Microsoft hadn’t touched, of which Slovenian was one. But a couple of decades later, could a copy of this rare operating system version be found?"

"As is Apple’s custom, details about the attack(s) taking advantage of this flaw have not been shared, but it’s likely that they are targeted and limited. Nevertheless, users are advised to update their Apple devices as soon as possible."

"TickTock, they explain, relies on the fact that digital MEMS microphones on commodity laptops emanate electromagnetic (EM) signals when active."The emanation stems from the cables and connectors that carry the clock signals to the mic hardware, ultimately to operate its analog-to-digital converter (ADC)," they explain. "TickTock captures this leakage to identify the on/off status of the laptop mic."

" A 70 percent decrease in computing performance will, however, have a major impact on application performance that could lead to unacceptable delays for some business processes. VMware's tests were run on Intel Skylake CPUs – silicon released between 2015 and 2017 that will still be present in many server fleets." 70% is a lot, but also, servers hang around a while eh? So many advances have been made, yet older computing tech sticks around. I still find vulnerabilities in UEFI systems from a few years ago, and the supply chain dates these components back further. This is a problem.