Security researchers from computer and network security outfit Cybellum have revealed Vulnerability-related.DiscoverVulnerability a new zero-day code injection and persistence technique that can be used by attackers to take over applications and entire Windows machines . They demonstrated the attack on antivirus solutions , and ultimately dubbed it DoubleAgent , as it turns the antivirus security agent into a malicious agent . “ DoubleAgent exploits a legitimate tool of Windows called ‘ Microsoft Application Verifier ’ which is a tool included in all versions of Microsoft Windows and is used as a runtime verification tool in order to discover Vulnerability-related.DiscoverVulnerability and fix Vulnerability-related.PatchVulnerability bugs in applications , ” the company explained . “ Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier . An attacker can use this ability in order to inject a custom verifier into any application . Once the custom verifier has been injected , the attacker now has full control over the application ” . In fact , the attack can be used to compromise all kinds of applications , but the researchers chose to focus on antivirus solutions since this type of software is generally considered to be trusted . “ By using DoubleAgent , the attacker can take full control over the antivirus and do as he wish without the fear of being caught or blocked , ” they noted . This includes : Cybellum researchers demonstrated a DoubleAgent code injection against Symantec Norton antivirus , and offered PoC exploit code on GitHub . More technical details about the DoubleAgent technique can be found here . The researchers have notified major antivirus vendors of their findings , and some of them ( Malwarebytes , AVG ) have already issued Vulnerability-related.PatchVulnerability a patch for the vulnerability . Among the still vulnerable antivirus apps are those by Avast , BitDefender , ESET , Kaspersky , and F-Secure . “ Microsoft has provided a new design concept for antivirus vendors called Protected Processes . The new concept is specially designed for antivirus services . Antivirus processes can be created as ‘ Protected Processes ’ and the protected process infrastructure only allows trusted , signed code to load and has built-in defense against code injection attacks , ” the researchers explained . “ This means that even if an attacker found Vulnerability-related.DiscoverVulnerability a new zero-day technique for injecting code , it could not be used against the antivirus as its code is not signed . Currently no antivirus ( except Windows Defender ) has implemented this design , even though Microsoft made this design available more than 3 years ago ” . The vulnerability that allows the DoubleAgent attack works on all Microsoft Windows versions and architectures . The attack technique can be used to take over any application , and even the OS . “ We need to make more efforts to detect and prevent these attacks , and stop blindly trusting traditional security solutions , ” the researchers noted . We implemented Vulnerability-related.PatchVulnerability the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products , launched earlier this year , are not vulnerable . It is important to note that the exploit requires administrator privileges to conduct the attack which is difficult for hackers to achieve

Ormandy has reported Vulnerability-related.DiscoverVulnerability several critical security flaws in the password manager during the past week , and this weekend he has managed to discover Vulnerability-related.DiscoverVulnerability a new one . “ I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43 . Full report and exploit on the way , ” he stated in his tweet . Ah-ha , I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. pic.twitter.com/vQn20D9VCy — Tavis Ormandy ( @ taviso ) March 25 , 2017 This member of Google ’ s Project Zero security team is already well known for his abilities to locate and report Vulnerability-related.DiscoverVulnerability serious vulnerabilities in many widely used services , and even in the password manager that was supposed to be safe . The comment from LastPass states that the flaw is “ unique and highly sophisticated ” . So far , they have not shared any details that could be exploited Vulnerability-related.DiscoverVulnerability before fixing Vulnerability-related.PatchVulnerability is complete , but this is the second weekend in a row that LastPass security team is on a bug fixing Vulnerability-related.PatchVulnerability duty . They thanked Tavis and others like him for reporting Vulnerability-related.DiscoverVulnerability these sort of problems and helping them make online security even better for the rest of their users . Not everyone was happy about Ormandy ’ s newest twitter news . Some even called him on sharing Vulnerability-related.DiscoverVulnerability the news about the latest bug problem , believing that his actions only cause fear and uncertainty . What they fail to realize Vulnerability-related.DiscoverVulnerability is that all services have to face vulnerabilities from time to time , and all of them get patched up Vulnerability-related.PatchVulnerability as soon as they are discovered Vulnerability-related.DiscoverVulnerability . Most if not all online services have had their fair share Vulnerability-related.DiscoverVulnerability of security issues , and most of them managed to get discovered Vulnerability-related.DiscoverVulnerability and fixed Vulnerability-related.PatchVulnerability by people like Ormandy .

The saga of CVE-2017-0199 , a recently patched zero-day vulnerability affecting Vulnerability-related.DiscoverVulnerability Microsoft Office and WordPad , just got a little stranger yesterday after cyber-security firm FireEye revealed Vulnerability-related.DiscoverVulnerability the vulnerability was used by both cyber-criminals pushing mundane malware , and also by state-sponsored cyber-espionage groups . This twisted tale starts in July 2016 , when security researcher Ryan Hanson discovered Vulnerability-related.DiscoverVulnerability a flaw in RTF files that he could exploit to execute code on the underlying operating system . After finishing his research , Hanson submitted a write-up Vulnerability-related.DiscoverVulnerability on the three bugs he found Vulnerability-related.DiscoverVulnerability to Microsoft in October 2016 , via the company 's bug bounty program . Uncharacteristic to Microsoft , the company took almost six months to fix Vulnerability-related.PatchVulnerability the three bugs discovered Vulnerability-related.DiscoverVulnerability by Hanson , delivering Vulnerability-related.PatchVulnerability patches for all three ( CVE-2017-0106 , CVE-2017-0199 , and CVE-2017-0204 ) in April 's Patch Tuesday . A few days before Microsoft patched Vulnerability-related.PatchVulnerability the zero-day , news about it broke via blog posts from McAfee and FireEye , both companies revealing Vulnerability-related.DiscoverVulnerability the zero-day was under active exploitation . Unfortunately , this long patching period gave others the time to discover Vulnerability-related.DiscoverVulnerability the same flaw . While initially McAfee and FireEye restrained from revealing Vulnerability-related.DiscoverVulnerability any details about the zero-day , now that a patch is available Vulnerability-related.PatchVulnerability , several security firms are now sharing more behind-the-scenes details . According to FireEye , the zero-day first came on their radar on January 25 , 2017 , when they discovered Vulnerability-related.DiscoverVulnerability a FinSpy module exploiting the flaw . While FireEye discovered only this campaign , the cyber-security firm believes Gamma Group made available this new Microsoft zero-day to all of its clients , meaning it was likely used in other countries where the company sold its `` lawful intercept '' spyware . Two months after this campaign , towards the end of March , FireEye says it detected Vulnerability-related.DiscoverVulnerability the zero-day again , but this time used by a group of cyber-criminals spreading LatentBot , a sophisticated backdoor trojan , usually found Vulnerability-related.DiscoverVulnerability in enterprise environments and used for economic espionage campaigns . This group apparently started a yard sale after McAfee and FireEye disclosed Vulnerability-related.DiscoverVulnerability the zero-day in public . Fearing that a patch was coming Vulnerability-related.PatchVulnerability , this group shared Vulnerability-related.DiscoverVulnerability ( most likely sold ) the zero-day exploit with other crimeware groups . While initially this zero-day was classified Vulnerability-related.DiscoverVulnerability as an Office vulnerability , Microsoft 's security advisory revealed Vulnerability-related.DiscoverVulnerability this vulnerability also affected Vulnerability-related.DiscoverVulnerability WordPad , a free document viewer included by default with all Windows versions . This means that if users did n't have Office installed , they were at risk if they chose to open the booby-trapped files with WordPad . In this case , the exploit packed within the file would execute , download an HTA ( HTML application ) file disguised as an RTF , which in turn would run PowerShell commands that exploited the user 's computer .

On Friday , a cache of hacking tools allegedly developed by the US National Security Agency was dumped online . The news was explosive in the digital security community because the tools contained methods to hack computers running Windows , meaning millions of machines could be at risk . Security experts who tested the tools , leaked by a group called the Shadow Brokers , found that they worked . They were panicked : This is really bad , in about an hour or so any attacker can download simple toolkit to hack into Microsoft based computers around the globe . — Hacker Fantastic ( @ hackerfantastic ) April 14 , 2017 But just hours later , Microsoft announced that many of the vulnerabilities were addressed Vulnerability-related.PatchVulnerability in a security update released Vulnerability-related.PatchVulnerability a month ago . “ Today , Microsoft triaged a large release of exploits made publicly available by Shadow Brokers , ” Philip Misner , a Microsoft executive in charge of security wrote in a blog post . “ Our engineers have investigated the disclosed exploits , and most of the exploits are already patched Vulnerability-related.PatchVulnerability . ” Misner ’ s post showed that three of nine vulnerabilities from the leak were fixed Vulnerability-related.PatchVulnerability in a March 14 security update . As Ars Technica pointed out , when security holes are discovered Vulnerability-related.DiscoverVulnerability , the individual or organization that found Vulnerability-related.DiscoverVulnerability them is usually credited in the notes explaining the update . No such acknowledgment was found in the March 14 update . Here ’ s a list of acknowledgments for 2017 , showing credit for finding security problems in almost every update . One theory among security practitioners is that the NSA itself reported Vulnerability-related.DiscoverVulnerability the vulnerabilities to Microsoft , knowing that the tools would be dumped publicly . Microsoft told ZDNet that it might not list individuals who discover Vulnerability-related.DiscoverVulnerability flaws for a number of reasons , including by request from the discoverer . The US government has not commented on this leak , though previous leaks by the Shadow Brokers claiming to be NSA hacking tools were confirmed at least in part by affected vendors and NSA whistleblower Edward Snowden .