MICROSOFT WHITE-LISTS THE ABILITY TO AUTO-RUN FLASH

Google’s Project Zero has called out Microsoft for white-listing the auto-run of Flash by site. This allowed specific sites to run Flash without users approving or denying the action. This is seen by many as a mechanism for future vulnerabilities. Microsoft appeared to want to hide this capability, as the web sites are listed in a .bin file as hashes rather than in the more traditional .txt plain-text configuration file. After the call-out about 90 days ago, Microsoft pared back the white-list to just two entries. Both entries are for Facebook sites. The hash file is at
C:\Windows\system32\edgehtmlpluginpolicy.bin
The record layout is
SHA-256 hash (domain name) followed by a permission mask.

SOURCE

Google Project Zero

Keywords: flash auto-run bypass

Troy Frericks.
blog 2-Mar-2019
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#

WINRAR/ACE VULNERABILITY

Description

Last week Check Point Research published information about a (19-year-old!) vulnerability in WinRAR, a popular file compression tool. WinRAR can compress and decompress files with a variety of compression algorithms. The vulnerability is possible because of a specific implementation of the ACE algorithm. ACE is an uncommon and older type of compression. During decompression, the vulnerability allows the archive to surreptitiously designate the target path for the inflated files. Combine that ability with a compressed archive’s ability to sneak past anti-virus programs, and you have a serious threat.

Mitigation

To mitigate the vulnerability, the authors of WinRAR have removed support for ACE, effective in version 5.70 beta 1 and later. Check Point updated their SandBlast Agent to catch this vulnerability.
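
The flaw described above, an archive entry designating its own target path, is what an extractor's containment check has to catch. The sketch below is an added example, not code from WinRAR or Check Point: it resolves each entry name under Windows path rules and rejects any that would land outside the chosen folder. The function names, the destination folder and the sample entry names are constructed for illustration.

```python
import ntpath  # Windows path semantics, purely lexical, so this runs on any OS


def resolve_entry(dest_dir, entry_name):
    """Return the path an entry would be written to, or raise ValueError
    if that path is not inside dest_dir."""
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # Absolute (C:\x), drive-relative (C:x), rooted (\x) and UNC names
    # all ignore the folder the user picked.
    if drive or rest.startswith("\\"):
        raise ValueError(f"entry names its own root: {entry_name!r}")
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, name))  # collapses ".." segments
    # Compare whole path components, case-insensitively. A plain startswith()
    # would accept C:\out2 as being "inside" C:\out.
    d, t = ntpath.normcase(dest), ntpath.normcase(target)
    if t == d or ntpath.commonpath([d, t]) != d:
        raise ValueError(f"entry escapes {dest}: {entry_name!r}")
    return target


def audit(dest_dir, entry_names):
    """Map each entry name to its resolved path, or None when rejected."""
    result = {}
    for name in entry_names:
        try:
            result[name] = resolve_entry(dest_dir, name)
        except ValueError:
            result[name] = None
    return result


# Constructed sample listing, not taken from any real archive.
SAMPLE = [
    "docs/readme.txt",         # ordinary relative entry
    "a\\..\\b.txt",            # ".." that stays inside the folder
    "..\\out2\\notes.txt",     # sibling folder sharing a name prefix
    "docs/../../x.txt",        # climbs above the folder
    "C:\\Temp\\x.txt",         # absolute path
    "C:x.txt",                 # drive-relative path
    "\\\\server\\share\\x.txt",  # UNC path
]

if __name__ == "__main__":
    for name, path in audit(r"C:\Users\alice\out", SAMPLE).items():
        print(f"{'REJECT' if path is None else 'ok':6} {name!r} -> {path}")
```
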

CVE

2018-20251

Keywords: anti-virus, rar, malware, winrar

Troy Frericks.
blog 2-Mar-2019