Security Leftovers (2021-11-26)
Authentication and Authorisation Using Single Sign-On
In the first blog of this series, we explored multi-factor authentication and a move away from credentials that can be stolen, as motivated by recent attacks. This blog will dive into authorisation and single sign-on to aid in technology selection and deployment considerations. It provides a foundation for the following blog post that introduces emerging standards that have taken into account learnings from the challenges of past protocols, reducing points of vulnerability where possible.
Attackers have found a way to bypass a crucial Microsoft Office patch | TechRadar
Attackers have managed to create a novel exploit capable of bypassing a critical remote code execution vulnerability in Microsoft Office which was patched earlier this year.
According to new research from the cybersecurity firm Sophos, the attackers were able to take a publicly available proof-of-concept Office exploit and weaponize it to deliver the Formbook malware.
Back in September, Microsoft released a patch to prevent attackers from executing malicious code embedded in a Word document that downloads a Microsoft Cabinet (CAB) archive containing a malicious executable. By reworking the original exploit and placing the malicious Word document inside a specially crafted RAR archive, the attackers created a “CAB-less” form of the exploit capable of successfully evading the original patch.
Surprisingly though, this novel exploit was distributed using spam emails for approximately 36 hours before it disappeared completely. Sophos' researchers believe that the exploit's limited lifespan could mean that it was a “dry run” experiment that could be used in future attacks.
Attackers find new way to exploit Office hole patched by Microsoft
The original exploit affected the Office file format. To take advantage of this flaw, attackers could execute malicious code embedded in a Word document that downloads a Microsoft Cabinet archive, which, in turn, contained a malicious executable.
A statement from Sophos said: "Attackers have reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive. The newer, 'CAB-less' form of the exploit successfully evades the original patch.
Best Free and Open Source Alternatives to Autodesk ShotGrid
Autodesk, Inc. is an American multinational software company that makes software products and services for the architecture, engineering, construction, product design, manufacturing, media, education, and entertainment industries. It bills itself as a “… leader in 3D design, engineering and entertainment software”. The company was founded in 1982 by John Walker, who was a joint developer of the first versions of AutoCAD, the company’s best-known software application. Autodesk is listed on the Nasdaq stock exchange, has over 11,000 employees, and is headquartered in the San Francisco Bay Area. While Autodesk develops many high-quality applications, they are proprietary software, and the vast majority of their products are not available for Linux. This series looks at the best free and open source alternatives.
