Skip to main content

Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files

You have always been warned not to share remote access to your computer with untrusted people for any reason—it's a basic cybersecurity advice, and common sense, right?

But what if, I say you should not even trust anyone who invites or offer you full remote access to their computers.

A critical vulnerability has been discovered in Microsoft's Windows Remote Assistance (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files on the targeted machine.

Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world.

The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.

However, Nabeel Ahmed of Trend Micro Zero Day Initiative discovered and reported an information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance that could allow attackers to obtain information to further compromise the victim's system.

The vulnerability, which has been fixed by the company in this month's patch Tuesday, resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Exploiting Windows Remote Assistance to Steal Files


Since a security patch for this vulnerability is now available, the researcher has finally released technical details and proof-of-concept exploit code for the flaw to the public.

In order to exploit this flaw, which resides in MSXML3 parser, the hacker needs to use "Out-of-Band Data Retrieval" attack technique by offering the victim access to his/her computer via Windows Remote Assistance.

While setting up Windows Remote Assistance, the feature gives you two options—Invite someone to help you and Respond to someone who needs help.

Selecting the first option helps users generate an invitation file, i.e. 'invitation.msrcincident,' which contains XML data with a lot of parameters and values required for authentication.
Since the parser does not properly validate the content, the attacker can simply send a specially crafted Remote Assistance invitation file containing a malicious payload to the victim, tricking the targeted computer to submit the content of specific files from known locations to a remote server controlled by the attackers.
"The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action," Microsoft explains
"This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information," Ahmed warns.
Among patching other critical vulnerabilities fixed this month, Windows users are highly recommended to install the latest update for Windows Remote Assistance as soon as possible.

YOU MAY ALSO LIKE:
Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

Microsoft To Update Windows ‘Notepad App’ After Years, Teases New Features

E very week or the other, Microsoft releases a new build for the fast ring insiders. The latest Windows 10 Insider Preview Build 17713 bring a pack of surprises for Windows users. Redmond always listens to users, and this time, they have heard to Notepad users who were fed up with the uninteresting interface. Microsoft is giving its text editor Notepad new features after a very long time. Yes, the very same app that people use to write random text, create batch files and HTML pages, etc. Among the new Notepad features being added to Windows, you would be able to zoom into text by using the mouse wheel while holding down the Ctrl key. A long requested feature is coming for users; Microsoft is adding ctrl+backspace support to delete a previous word. Other than these, you will now have the ability to wrap around find and replace. Also, the status bar is now enabled by default in Notepad. There are few performance improvements for large...
Post a Comment
Read more

Google starts rolling out ‘Call Screen’ feature for Pixel smartphones

San Francisco, Dec 2 (IANS) Google has started rolling out a feature for its Pixel smartphones that lets users make use of the Google Assistant to see who is calling and why before they answer a call. The feature allows users to see a real-time transcript of how the caller responds so that they can then decide whether to pick up, respond by tapping a quick reply (for example, “I’ll call you back later”), or mark the call as spam and dismiss. “Call Screen is only available to English speakers in the United States who have Pixel 2, 2 XL, 3, or 3XL devices. If you don’t see Call Screen in the Phone app’s settings, it’s not available yet,” Google said. Call Screen, which can help users save the time spent on picking up unimportant calls from unknown numbers, does not use Wi-Fi or mobile data of the user. This feature does not work with third-party call recording and screen recording apps as these apps may interfere with how the feature works. It is better to turn off these app...
Post a Comment
Read more

Facebook Fined £500,000 for Cambridge Analytica Data Scandal

Facebook has finally been slapped with its first fine of £500,000 for allowing political consultancy firm Cambridge Analytica to improperly gather and misuse data of 87 million users. The fine has been imposed by the UK's Information Commissioner's Office ( ICO ) and was calculated using the UK's old Data Protection Act 1998 which can levy a maximum penalty of £500,000 — ironically that’s equals to the amount Facebook earns every 18 minutes. The news does not come as a surprise as the U.K.'s data privacy watchdog already notified the social network giant in July this year that the commission was intended to issue the maximum fine. For those unaware, Facebook has been under scrutiny since earlier this year when it was revealed that the personal data of 87 million users was improperly gathered and misused by political consultancy firm Cambridge Analytica, who reportedly helped Donald Trump win the US presidency in 2016. The ICO, who launched an investigatio...
Post a Comment
Read more