Windows Defender Sandbox, Word Bug, Nasty Malware: Security Snacks Oct-31-18


Adaptiva presents Security Snacks

This week in security snacks, we have:

  • Windows Defender AV Gets a Game-Changing Sandbox
  • Microsoft Word Online Video Remains Hackable
  • The Nastiest Malware of 2018
  • You Aren’t Patching/Fixing Security Fast Enough
  • Have You Patched WebEx for Windows Since Oct 3?

Let the tasting begin….

Windows Defender AV Gets a Game-Changing Sandbox


Microsoft just silenced critics of Windows Defender Antivirus with radical, innovative virtualization that protects this crucial security function in Windows 10 systems.


Microsoft’s new Windows Defender sandbox has leveled up their security technology in a powerful way that is likely to set a new standard all security vendors will scramble to meet. It will be rolled out gradually.

Quick recap of the benefits of virtualization for security. If somebody gets unauthorized access to a virtualized process they can only do damage within the virtual machine. The rest of the system is protected.

Microsoft is already doing this with the Edge browser, but implementing this with their antimalware engine required a lot of new engineering.

Essentially, some parts of the security software are fully virtualized in a secure layer. Functions that need greater access to the system, however, live in a separate layer with higher privileges. Microsoft even developed an efficient way for the layers to communicate with each other.


For a deeper dive into how all this works, read this nice writeup from Zeljka Zorz from Help Net Security: Windows Defender can now run inside a sandbox.

Microsoft Word Online Video Remains Hackable


A vulnerability in Microsoft Word’s Online Video feature lets hackers run malicious code really easily, and the only fix is to block documents with embedded videos.


Microsoft Word has a feature that allows you to insert videos directly into documents. Cyberattackers can put a nefarious payload into the video’s embed code, which lets an attacker run malicious HTML/JavaScript code. At that point, they can pretty much wreak havoc such as phishing attacks on your system—without raising a security warning.

It’s like this:

  • The feature uses an associated document.xml file
  • That XML file has a parameter called embeddedHtml that refers to a YouTube iframe code
  • By editing the document, an attacker can replace the YouTube video with HTML/JavaScript code
  • When the code is run, no security warning is triggered

The vulnerability affects Word 2016 and older versions. Microsoft acknowledges the issue, but says Word is working as designed. They have not classified it as a problem, and have announced no plans to fix it.

If you are worried about it, you can block documents with embedded videos. In spite of Microsoft’s non-response, I wouldn’t be surprised if they issue a fix for this non-bug in a future version of Office.
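As an added illustration (not code from the original article or from Microsoft), here is a defender-side check that unzips a .docx, pulls every embeddedHtml value out of word/document.xml and flags any document whose embed is not a plain YouTube iframe, so it can be blocked or quarantined at the mail gateway or on the endpoint. The wp15 element name used in the constructed sample, the YouTube-only allow-list and the helper names are assumptions; only the embeddedHtml attribute name comes from the write-up.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from xml.sax.saxutils import quoteattr

# Allow-list: only a plain YouTube embed iframe passes; any other embeddedHtml
# value (other hosts, script tags, extra markup) is flagged for blocking.
ALLOWED_IFRAME = re.compile(
    r'^\s*<iframe\b[^>]*\bsrc="https://www\.youtube\.com/embed/[A-Za-z0-9_-]+[^"]*"'
    r'[^>]*>\s*</iframe>\s*$', re.IGNORECASE)

def find_embedded_html(docx_bytes: bytes) -> List[str]:
    """Return every embeddedHtml attribute value in word/document.xml (a .docx is a zip).
    ElementTree decodes the entity-encoded HTML; the attribute is matched under any namespace."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/document.xml" not in zf.namelist():
            return found
        root = ET.fromstring(zf.read("word/document.xml"))
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if name.split("}")[-1] == "embeddedHtml":
                found.append(value)
    return found

def classify(docx_bytes: bytes) -> str:
    """'clean': no video embed; 'video': only plain YouTube iframes;
    'suspicious': an embed that is not a plain YouTube iframe (block it)."""
    embeds = find_embedded_html(docx_bytes)
    if not embeds:
        return "clean"
    return "video" if all(ALLOWED_IFRAME.match(e) for e in embeds) else "suspicious"

def build_docx(embedded_html: Optional[str]) -> bytes:
    """Constructed minimal .docx for testing, not a real Word file. The wp15
    element and namespace are assumptions; only the attribute name is from the post."""
    body = ""
    if embedded_html is not None:
        body = ('<w:p><wp15:webVideoPr xmlns:wp15="http://schemas.microsoft.com/office/'
                'word/2012/wordprocessingDrawing" embeddedHtml=' + quoteattr(embedded_html)
                + '/></w:p>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/'
           '2006/main"><w:body>' + body + '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

The allow-list checks the iframe host only, so a policy that blocks every document returning "video" as well as "suspicious" is the safer option if your organization does not need embedded videos at all.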


Learn more in this article by Abeerah Hashim of Cyber Security News: Vulnerability In Microsoft Word Online Video Feature Allows for Phishing.

The Nastiest Malware of 2018


You should know what the top malware is these days, and here it’s presented in a convenient list broken down by type.


Botnets and banking: The top three malware in botnets and banking are Emotet, Trickbot, and Zeus Panda. They all basically multiply themselves in a variety of ways throughout the network trying to gather credentials. If they get them….

Cryptomining & Cryptojacking: The top three here are GhostMiner, WannaMine, and Coinhive. They all try to evade detection by system admins with different points of entry and different ways to hide. However, they all cause strangely high CPU usage.

Ransomware: The top three are Crysis/Dharma, GandCrab, and SamSam. From hiding in unsanctioned top-level domains (.bit) to compromised RDP attacks that have taken down cities (Atlanta), these are stealthy and ruthless.


You can get a lot more details about these baddies in this article from Channel Partners, Beware the Worst Malware of 2018.

You Aren’t Patching/Fixing Security Fast Enough


A new survey says that 70% of security vulnerabilities remain open four weeks after disclosure, though 12% more are getting closed than were a year ago.


Although IT pros are not patching fast enough, at least they are getting faster. Even so, the lag between discovery and update or remediation leaves cyberattackers a window.

Here are some interesting stats from the survey:

  • Close to 55% of vulnerabilities remain unresolved three months after discovery
  • Over 85% of apps used by corporations contain at least one vulnerability (13 percent high-risk)
  • 69% of vulnerabilities are eventually secured, an improvement from 57% a year ago


Of course there are many more stats you can sink your teeth into about how far behind most companies are on applying new security updates and recommended configurations. For more, read this ZDNet article, Most enterprise vulnerabilities remain unpatched a month after discovery.

Have You Patched WebEx for Windows Since Oct 3?


A bug in WebEx allows insider attacks, but a fix was issued on October 3, 2018.


Users with access to the system, either local or via domain, can trigger remote code execution. The problem is related to the way Cisco used Access Control Lists (ACLs) on the WebExService service, which gets installed as part of the WebEx client.

Not a big deal—if you update.


More info in this article from TechTarget SearchSecurity titled WebExec vulnerability leaves Webex open to insider attacks.

Bill Bernat
Director of Product and Content Marketing, Adaptiva