Project Zero Chains Bugs for ‘aPAColypse Now’ Attack on Windows 10

Discussion in 'Security News' started by Solarquest, Dec 19, 2017.

  1. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    1,841
    14,647
    Google’s Project Zero released details of a local proof-of-concept attack against a fully patched Windows 10 PC that allows an adversary to execute untrusted JavaScript outside a sandboxed environment on targeted systems.

    The attack is a variation of a WPAD/PAC attack. In Project Zero’s case, the WPAD/PAC attack focuses on chaining several vulnerabilities together relating to the PAC and a Microsoft JScript.dll file in order to gain remote command execution on a victim’s machine.
    “We identified 7 security vulnerabilities in (JScript.dll) and successfully demonstrated reliable code execution from local network (and beyond) against a fully patched (at the time of writing) Windows 10 64-bit with Fall Creators Update installed,” wrote Project Zero researchers on the teams’ website Monday.

    The vulnerabilities have since been patched.
    Web Proxy AutoDiscovery (WPAD) protocol attacks are tied to how browsers use PAC (Proxy Auto-Configuration) to navigate HTTP and HTTPS requests. PAC files contain JavaScript that instruct what proxy a browser needs to use to get to a specific URL. If a malicious PAC is introduced to the browser, that allows an attacker to monitor the URL of every request the browser makes.
    ....
    ...
    Despite the fact Microsoft has patched against this type of attack, Project Zero researchers agree with Klein’s assessment.

    “Since the bugs are now fixed, does this mean we are done and can go home? Unlikely.
    ...
    Researchers recommend Microsoft users disable WPAD by default and sandbox the JScript interpreter inside the WPAD service.
     
    harlan4096, daljeet, XhenEd and 6 others like this.
  2. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,188
    5,244
    IRAN
    Windows 10
    ESET
    How?!with Sandboxie? or?
     
    daljeet, bribon77 and BryanB like this.
  3. BryanB

    BryanB Level 3

    Aug 17, 2017
    115
    628
    Handyman
    MI
    Windows 7
    Default-Deny
    Google and Microsoft are taking their gloves off I guess.

    Klein is not referred to here.
     
    daljeet and bribon77 like this.
  4. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,124
    4,863
    business
    Poland
    Windows 10
    Microsoft
    #4 Andy Ful, Dec 19, 2017
    Last edited: Dec 19, 2017
    This exploit requires downloading/running a PAC file, which is an executable script (Windows Script Host) that generates a list of one or more proxy servers given a target host name and URL.
    You may not be worried about this exploit. If I correctly remember Windows Script Host is disabled on your computer.:)
    You are a lucky home user. Blocking Windows Script Host (wscript.exe, cscript.exe, vbscript.dll, jscript.dll, etc.) in Enterprises is usually not possible.
    This exploit is general, so it can be used also against web browser (IE) - but, that would be a different attack (not WPAD/PAC).
    WPAD for ISA Server and Windows Media Proxy Server
     
    Solarquest, daljeet, BryanB and 2 others like this.
  5. bribon77

    bribon77 Level 11

    Jul 6, 2017
    510
    3,494
    spain
    Windows 7
    Emsisoft
    #5 bribon77, Dec 19, 2017
    Last edited: Dec 19, 2017
    And here too:) Thanks to you(y)
     
    Andy Ful, daljeet and BryanB like this.
Loading...
Similar Threads Forum Date
Google Project Zero - Eye Opener? Other Security for Windows Jul 30, 2017
Security Alert Google Project Zero researchers find ‘crazy bad’ Windows RCE flaw Security News May 8, 2017
Google's Project Zero Attacks Web Security Threats News Archive Jul 16, 2014