Microsoft closes two ways to attack its software • The Register


Written by admin



Microsoft is trying to close the door on several routes that cybercriminals have used to attack users and networks.

The corporate IT giant’s policy to block Visual Basic for Applications (VBA) macros in downloaded Office documents by default has been re-enabled after a short pause to accommodate feedback from users who have experienced security issues.

Also this week, Microsoft included a default setting in Windows 11 designed to block or slow down obvious Remote Desktop Protocol (RDP) attacks.

Both policies are expected to close down opportunities that criminals have exploited for years to infiltrate systems, steal data, and distribute malicious code.

Macro problem

The problem of macros has become especially painful for the software giant.

“For years, Microsoft Office has delivered powerful automations called active content, the most common of which are macros,” Kelly Eikmeier, Microsoft’s chief product manager, wrote in a blog post in February, when the IT titan announced its plans to lock down, by default, macros that work in Office files you download or get online.

“While we provided a notification bar to alert users to these macros, users could still choose to enable macros by clicking a button. Attackers send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe, including malware, compromised identity, data loss, and remote access.”

Eikmeier added that “to protect our customers, we need to make it difficult to include macros in files obtained from the Internet.”

The policy was to block these specific macros by default in Access, Excel, PowerPoint, Visio, and Word, although after months of—sometimes negative—user feedback, Microsoft temporarily put the initiative on hold. Complaints ranged from criticisms of how the lock was implemented to the negative impact it had on some users’ systems.

In an update this week to the original announcement, Eikmeier wrote that Microsoft is “resuming the rollout of this change in the Current Channel. clarify what options you have for different scenarios.”

End users can click here for more information, and IT administrators can go here.

Holding back the Years

Macros have been a security issue for years. In 2016, Microsoft released a tool that allowed administrators to set a policy on when and where these scripts were allowed to run. In addition, users were asked if they really wanted to run macros before allowing them to run.

The problems continue to this day. The threat intelligence team at HP Wolf Security wrote this month about OpenDocument files being used to spread Windows malware. These documents were emailed to targets. If one is opened, the user is asked whether fields with links to other files should be updated; if they click yes, an Excel file opens and another prompt asks whether macros should be enabled. If a user activates macros, their system is infected with the nasty open source AsyncRAT backdoor.

As far as RDP brute force attacks go, Windows 11 builds now include a default account lockout policy that should at least slow down would-be attackers.

In brute-force attacks, cybercriminals use automated tools to guess the password of someone’s account: the tools work through a huge list of passphrases until one of them works and lets them into the victim’s account. According to a tweet from Dave Weston, VP of Corporate Security and OS Security at Microsoft, such tools are being used to spread ransomware and commit other crimes.

The default policy for Windows 11 builds – specifically Insider Preview 22528.1000 and later – automatically locks out accounts for 10 minutes after 10 failed login attempts. Users can customize this by changing the number of failed login attempts that trigger a ban and the duration of an account ban.

In his tweet, Weston wrote that “this control will make brute force a lot harder, which is great.”
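As an added illustration (not code from Microsoft or The Register), this Python sketch replays failed-logon timestamps against the 10-attempt, 10-minute lockout described above and counts how many guesses per day actually get tested against the password. The counter-reset window, the one-guess-per-second traffic and the alternative 5-attempt policy are assumptions, and the model simplifies how Windows really tracks failures.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int = 10        # failed attempts that trigger a lockout (from the article)
    duration_s: int = 600      # lockout length, 10 minutes (from the article)
    reset_window_s: int = 600  # ASSUMPTION: counter resets 10 min after the last failure

def replay(policy, failure_times):
    """Replay failed-logon timestamps (in seconds) for one account.

    Returns (evaluated, rejected): guesses that were checked against the
    password versus guesses refused because the account was locked out.
    """
    evaluated = rejected = count = 0
    last_fail = locked_until = None
    for t in sorted(failure_times):
        if locked_until is not None:
            if t < locked_until:
                rejected += 1          # account locked: guess never tested
                continue
            locked_until, count = None, 0   # lockout expired
        if last_fail is not None and t - last_fail >= policy.reset_window_s:
            count = 0                  # quiet period: counter resets
        evaluated += 1
        count += 1
        last_fail = t
        if count >= policy.threshold:
            locked_until = t + policy.duration_s
    return evaluated, rejected

def guesses_per_day(policy, interval_s=1):
    """Guesses that reach password verification in 24 h when one failed
    logon arrives every interval_s seconds (constructed traffic)."""
    return replay(policy, range(0, 86400, interval_s))[0]

if __name__ == "__main__":
    no_lockout = LockoutPolicy(threshold=10**9)      # effectively disabled
    print("no lockout:       ", guesses_per_day(no_lockout))
    print("10 tries / 10 min:", guesses_per_day(LockoutPolicy()))
    print("5 tries / 30 min: ", guesses_per_day(LockoutPolicy(5, 1800, 1800)))
    # Constructed sample: a user who mistypes three times is never locked out.
    print("three typos:", replay(LockoutPolicy(), [0, 5, 700]))
```

Under these assumptions the default policy cuts a one-guess-per-second stream from 86,400 tested passwords a day to 1,420 per account, while a user with a few spaced-out typos is unaffected.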

In a report last year, researchers from Malwarebytes Labs detailed RDP brute-force attacks, stating that they “pose a serious ongoing risk to Internet-connected Windows computers.”

“While there are many ways to break into a computer connected to the Internet, one of the most popular targets is the Remote Desktop Protocol (RDP), a Microsoft Windows feature that allows someone to use it remotely,” they wrote. “This is the front door to your computer, which can be opened from the Internet by anyone with the correct password.”

The clever guys at Malwarebytes Labs have mapped out a number of ways to protect against RDP brute-force attacks, from permanently disabling RDP to using strong passwords, multi-factor authentication and VPNs, and limiting the number of guesses with account lockouts. ®
