Gridinsoft Blog: BitLocker Archives

Microsoft warns of dangerous vulnerability in Surface Pro 3 devices
https://gridinsoft.com/blogs/vulnerability-in-surface-pro-3/
Thu, 21 Oct 2021 19:58:43 +0000
Microsoft engineers have published a security bulletin on a new vulnerability affecting Surface Pro 3 tablets. The bug could be used by an attacker to inject malicious devices into corporate networks and bypass the Device Health Attestation.

Other Surface devices, including Surface Pro 4 and Surface Book, are not considered affected by this issue. Although the Surface Pro 3 was released in June 2014 and discontinued in November 2016, the manufacturer claims that third-party machines using a similar BIOS may also be vulnerable.

Fortunately, an attacker would need either access to the device owner’s credentials or physical access to the tablet to successfully exploit the new bug.

The problem is tracked as CVE-2021-42299 (CVSS 5.6). Google software engineer Chris Fenner, who discovered the bug, named it TPM Carte Blanche.

Device Health Attestation is a cloud-based and on-premises service that checks TPM and PCR logs and informs Mobile Device Management (MDM) whether Secure Boot, BitLocker and Early Launch Antimalware (ELAM) protection are enabled, whether Trusted Boot components are correctly signed, and so on.

Using CVE-2021-42299, an attacker can tamper with the TPM and PCR logs to obtain a false attestation, which ultimately undermines the entire Device Health Attestation validation process.


"Devices use Platform Configuration Registers (PCR) to record device information and software configuration to ensure a secure boot process. Windows uses these PCR metrics to determine the state of the device," says Microsoft's official description.

"A vulnerable device can masquerade as a good one by injecting arbitrary values into the Platform Configuration Register (PCR) banks. An attacker can prepare a bootable Linux USB stick to minimize the necessary interaction with the target device (for example, to carry out an attack like Evil Maid)," Fenner writes.
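As an added illustration (not code from the article, Microsoft or Fenner), the following Python simulates the replay step an attestation verifier performs against a TPM event log and shows why its verdict depends entirely on the integrity of the PCR bank; the PCR indices and component names are constructed.

```python
"""A Device Health Attestation style check in miniature: replay the TPM event
log into PCR values and compare with what the TPM quotes. Added example; PCR
indices and component names are constructed, not taken from the bulletin."""
import hashlib

PCR_RESET = bytes(32)  # a SHA-256 PCR bank starts as all zeros at reset

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new value = SHA-256(old value || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_log(event_log):
    """Recompute PCR values from an event log of (pcr_index, component).
    Firmware extends each component's SHA-256 digest into its PCR, in order."""
    pcrs = {}
    for idx, component in event_log:
        digest = hashlib.sha256(component).digest()
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_RESET), digest)
    return pcrs

def attest(quoted_pcrs, event_log, allowed_components):
    """Verifier: the log must replay exactly to the quoted PCRs, and every
    logged component must be one the health policy accepts."""
    if replay_log(event_log) != quoted_pcrs:
        return False, "event log does not replay to quoted PCR values"
    bad = [c for _, c in event_log if c not in allowed_components]
    if bad:
        return False, f"unhealthy components measured: {bad}"
    return True, "healthy"

# Constructed sample: PCR 7 records Secure Boot policy, PCR 11 BitLocker state.
GOOD_LOG = [(7, b"SecureBoot=On"), (7, b"db=PlatformCA"), (11, b"BitLocker=Locked")]
ALLOWED = {component for _, component in GOOD_LOG}

def honest_device():
    """Firmware really measured the healthy components: passes."""
    return attest(replay_log(GOOD_LOG), GOOD_LOG, ALLOWED)

def secure_boot_off_device():
    """TPM measured Secure Boot as off but a healthy log is presented: the
    replayed PCR 7 no longer matches the quote, so the check fails."""
    real_log = [(7, b"SecureBoot=Off")] + GOOD_LOG[1:]
    return attest(replay_log(real_log), GOOD_LOG, ALLOWED)

def writable_pcr_device():
    """The weakness the article describes: if arbitrary digests can be
    extended into a bank firmware never used, the attacker replays the good
    log into the PCRs and the verifier has nothing left to distinguish."""
    forged_quote = replay_log(GOOD_LOG)  # attacker-computed, not measured
    return attest(forged_quote, GOOD_LOG, ALLOWED)
```

The lesson for a verifier is that log replay only proves consistency between log and PCRs; the trustworthiness of the PCR values themselves rests on firmware having actually performed the measurements.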

The Google researcher has already published a proof-of-concept exploit demonstrating the vulnerability.

As a reminder, we also reported that Microsoft had warned of a critical vulnerability in Cosmos DB.

Windows EFS can help encryptors and make work of antiviruses more difficult
https://gridinsoft.com/blogs/windows-efs-can-help-encryptors-and-make-work-of-antiviruses-more-difficult/
Thu, 23 Jan 2020 16:25:10 +0000
SafeBreach Labs reported that attackers could abuse the Windows Encrypting File System (EFS) for their own ends: Windows EFS can serve as the encryption engine for ransomware and make the work of antivirus products more difficult.

EFS has been part of Windows operating systems since the release of Windows 2000. Unlike full-disk BitLocker encryption, EFS can selectively encrypt individual files or folders. Researchers now warn that EFS is of significant interest to criminals.

"The fact is that using the 'native' functions of Windows itself can confuse security solutions, which eventually lose sight of the encryptor," say SafeBreach Labs researchers.

To start the attack, the ransomware first generates an EFS key using AdvApi32!CryptGenKey. Next, it creates a certificate with Crypt32!CertCreateSelfSignCertificate and adds it to the certificate store via Crypt32!CertAddCertificateContextToStore. The EFS key is then bound to this certificate using AdvApi32!SetUserFileEncryptionKey.

As a result, the ransomware is able to use AdvApi32!EncryptFile to encrypt any file or folder. The next step is to keep the key file in memory and delete it from %APPDATA%\Microsoft\Crypto\RSA\[user SID]\ and %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\. The EFS data is then erased from memory using the undocumented AdvApi32!FlushEfsCache, and the encrypted files become unreadable to the user and the OS. The ransomware can also "wipe" free areas of the disk to ensure that data from the deleted key files and temporary files cannot be recovered.

"As a final touch, the malware can encrypt the key file data and send the decryption key to the attacker. As a result, the only way to decrypt the affected files is to use the attacker's private key," report the SafeBreach Labs experts.

The researchers successfully tested their proof-of-concept EFS encryptor on 64-bit versions of Windows 10 1803, 1809 and 1903. They also write that the malware should work on 32-bit versions of Windows and on earlier versions of the OS (Windows 8.x, Windows 7 and Windows Vista).

The malware was tested against ESET Internet Security 12.1.34.0, Kaspersky Anti Ransomware Tool for Business 4.0.0.861 (a), and Controlled Folder Access on the 64-bit version of Windows 10 1809 (build 17763). None of these solutions detected the attack or flagged a threat, which was to be expected, since the encryptor used legitimate functions and manipulated system logic.
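As an added defensive counterpart (not code from the article or SafeBreach), this Python audit looks for the footprint the technique leaves on a host regardless of which API did the encrypting: a rapid spread of files carrying the EFS encrypted attribute. The detection window and threshold are assumptions, and the sample records are constructed.

```python
"""Audit for the footprint the SafeBreach technique leaves: a rapid spread of
EFS-encrypted files. Added example; the window and threshold are assumptions."""
import os
import stat
from collections import namedtuple

# Windows exposes EFS encryption through FILE_ATTRIBUTE_ENCRYPTED (0x4000).
FILE_ATTRIBUTE_ENCRYPTED = getattr(stat, "FILE_ATTRIBUTE_ENCRYPTED", 0x4000)

FileRecord = namedtuple("FileRecord", "path attributes mtime")

def is_efs_encrypted(record):
    return bool(record.attributes & FILE_ATTRIBUTE_ENCRYPTED)

def scan_tree(root):
    """Yield a FileRecord for every file under root. st_file_attributes only
    exists on Windows; elsewhere attributes default to 0 (nothing encrypted)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            yield FileRecord(path, getattr(st, "st_file_attributes", 0), st.st_mtime)

def encryption_bursts(records, window_seconds=60, threshold=20):
    """Return start times of non-overlapping windows in which at least
    `threshold` EFS-encrypted files were written. A user encrypting one
    folder by hand rarely hits this; file-by-file ransomware does."""
    times = sorted(r.mtime for r in records if is_efs_encrypted(r))
    bursts, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            bursts.append(times[start])
            start = end + 1  # report once, then begin a fresh window
    return bursts

# Constructed sample: 25 files encrypted one second apart, plus benign noise.
SAMPLE = [FileRecord(f"C:/Users/u/Documents/{i}.docx", 0x4020, 1000.0 + i) for i in range(25)]
SAMPLE += [FileRecord(f"C:/Users/u/Pictures/{i}.jpg", 0x20, 5000.0 + i) for i in range(3)]
SAMPLE += [FileRecord(f"C:/Users/u/Secrets/{i}.txt", 0x4020, 9000.0 + 3600 * i) for i in range(5)]

if __name__ == "__main__":
    print("EFS bursts at:", encryption_bursts(SAMPLE))
    # Live scan (meaningful on Windows): encryption_bursts(scan_tree(os.path.expanduser("~")))
```

Pair the burst alert with a check of which certificate thumbprint can decrypt the flagged files; a thumbprint the user never enrolled is the other half of the footprint.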

The researchers immediately informed 17 major security vendors of their findings and showed them the proof of concept. Most acknowledged the problem and have already issued fixes for their products.

Windows has recently faced a veritable plague of problems: the NSA said it found one of the most dangerous vulnerabilities in Windows, and only yesterday a temporary patch appeared for a serious bug in IE.

Turn off your system and head for the desert. OK, that was a joke. Keep your system up to date and use current information security solutions. I am sure you know which one will protect you for sure!
