Data-thief malware exploits SmartScreen on unpatched Windows PCs

Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information – passwords, cookies, authentication tokens, you name it – to grab and leak. The malware abuses CVE-2023-36025, which Microsoft patched in November. …

  1. chuckufarley Silver badge

    I know that data has to be stored somewhere...

    ...But why in the hell is so much of it stored at all? Wouldn't we be better off with a small attack surface and a smaller bag of goodies for the bad guys to steal? The thing that really bothers me is almost everyone reading this already knows what I mean and there isn't much measurable effort being made to communicate the urgency to the average end user. Windows isn't the only place the bloat puts people at risk. On my Linux desktop I try to avoid the truth about the /home/user/.* directories by telling myself "Hey at least you are using some encryption here." Which wouldn't matter if a bug like this could be used by the new in-kernel SMB server. It's not likely that I am at risk of much, but I know I have to be at risk of something.

    1. vtcodger Silver badge

      Re: I know that data has to be stored somewhere...

      Wouldn't we be better off with a small attack surface and a smaller bag of goodies for the bad guys to steal?

      Exactly. You're advocating what I'm calling Plan-Z. Plan-Z -- reduce attack surfaces and store as little data as possible -- is where we'll likely end up in a couple of decades after Plans-A thru Y have been proposed, hyped, forced on long-suffering users because they're good for us, and eventually failed.

      Meanwhile, my question after reading the article is -- What the heck is "SMART" about the RubeGoldbergish collection of weird stuff that allows this vulnerability to exist and be exploited?

      1. chuckufarley Silver badge

        Re: I know that data has to be stored somewhere...

        While I do hope we'll get there, I think a few decades is a bit optimistic. The biggest hurdle is making it unprofitable to collect too much data.

    2. Pete Sdev Bronze badge

      Re: I know that data has to be stored somewhere...

      Android at least attempts to prohibit applications accessing the files (e.g. configuration, settings, cache) of other applications. In this case this would limit the damage.

      On a GNU/Linux desktop you'd probably want to play around with something like AppArmor.

      MacOS requires granting permission to programs in order to access certain folders like ~/Documents.

      1. Joe Dietz

        Re: I know that data has to be stored somewhere...

        Exactly this. Cloud applications depend on your client application being able to keep tokens secret. Android and iOS were designed with this in mind and generally a client app can store its tokens with reasonable assurance that other apps (aka malware) can't read them. Windows, Linux, Unix, OSX were all designed long before 'the web' was really a thing. Client apps store data as _you_. As such any application you are running (aka malware) can read any data you can read... including your tokens. Running Linux doesn't make you safe here, it just makes you less likely to be a target in the first place... but that is only the market share of "Linux on the desktop" being essentially a rounding error and thus irrelevant to a malware business.

        1. Paul Crawford Silver badge

          Re: I know that data has to be stored somewhere...

          Fundamentally the "traditional" OS like Windows (NT branch...), Linux and MacOS are all based on the assumption that programs are secure to a large degree as they are tested and installed by the administrator, and thus each user is responsible for accessing their own data and restricted from accessing other users'.

          But the problem with Windows (more often than Linux/MacOS) and similar machines today is two fold:

          - Users install any sort of crap as there is no skilled administrator in charge, in fact very few machines are multi-user

          - Users run all sorts of crap because of scripting, both web pages and stupid things like auto-run and document macros.

          And the goal of malware has changed, it used to want your machine's resources for other purposes, so needed admin rights, but now it only needs your rights to run ransomware. Linux/MacOS has been less script-y and less easy to run than Windows, but they are all going down the poxy route of stupidly complex build models / library dependency and web-everything with its inherent scripting for practically all web sites today.

        2. Pete Sdev Bronze badge

          Re: I know that data has to be stored somewhere...

          GNU/Linux is primarily a server OS, and that's not likely to change any time soon unfortunately.

          On a server, foo_daemon will be run by the foo user, bar_daemon by the bar user, etc. so you can fall back on the security of UNIX file permissions which have existed since the stone age. Add extended attributes for increased security.

          Android, aside from being newer, is targeted at end-user client devices, hence the issue of application X shouldn't by default access files from application Y despite being run by the same user has at least been considered.

          I would really like to see an equivalent implementation of Android's system for GNU/Linux Desktops inclusive ease-of-use and overview. The technical foundation is there in something like AppArmor, it just needs something to be more out-of-the-box and accessible on top. And please don't make it dependent on systemd. Unlikely to happen, as, as mentioned, the user-base is relatively small.

    3. ldo

      Re: Linux Vulnerabilities

      There were quite a few worms/viruses targeting Linux around a couple of decades ago, back when its installed base was a rounding error compared to what it is today. For example, look up the Ramen worm.

      So Linux is that rare case of a platform that has actually become more secure as its popularity has increased. See—it is entirely doable after all.

  2. Pascal Monett Silver badge

    Geolocation data ? On a PC ?

    It's not a phone. How can any geolocation data be stored ?

    Yes, I can use Chrome and/or Google Maps, but whatever I choose to look at doesn't mean that I live there.

    And if the malware checks the origin of my Internet connection, it will find that I live in Nancy, just like a hundred million other people, because that's where my provider's hub is (hint : Nancy has a population of around 30,000 people).

    So what geolocation data does a PC normally have ?

    A smartphone, I can understand. Please explain geolocation on a PC. I don't get how that works out.

    1. Doctor Syntax Silver badge

      Re: Geolocation data ? On a PC ?

      "So what geolocation data does a PC normally have ?"

      SSIDs, your own and neighbours, as sucked up by Streetview?

      Google maps accessed through Falkon, the KDE browser based on Webkit, open centred about 8 miles away. On the same laptop Firefox, Seamonkey, Palemoon and Konqueror (the older KDE browser that was the origin of Webkit) open centred within a few hundred metres of home, disturbingly close. Another Mozilla derivative, Waterfox, opens about a mile away. It rather looks as if it's at least partly browser based. Also several browsers are sharing or have independently acquired the same information but where did they acquire it from and where is it stored?

      1. Doctor Syntax Silver badge

        Re: Geolocation data ? On a PC ?

        On further investigation Bing maps open at the same location on all browsers, about a mile away but not the same as Waterfox.

        Perhaps Bing is able to obtain the location of the exchange (equivalent to the first 6 digits of the phone number) and Waterfox provides nothing more than that to Google, the two mappers then use their own versions of the centroid of its area. Falkon provides Google rather less, equivalent to the first 4 digits of the phone number. The other browsers, however, are able to provide more information, perhaps the ID of the DSLAM or at least part of the exchange's service area.

        Neither service seems to be using SSID information unless they're hiding it from their mapping service.

        1. Grogan Silver badge

          Re: Geolocation data ? On a PC ?

          Depending on your ISP, IP addresses can map to neighbourhoods and sometimes they get it right. If you have a large one that has large client IP address pools (e.g. < 16 bit CIDR block for clients addresses) it could finger you as being hundreds of miles away. For example, my cable ISP shows me in "Sudbury" Ontario Canada right now which is a good 4 hour drive from here, because the network they have me on is such a large address pool.

          The topology of some of the major ISP networks is known.

    2. vtcodger Silver badge

      Re: Geolocation data ? On a PC ?

      For a long time Google Maps had my home location as a freeway off-ramp in Indiana about 1600km from my home. My guess is that I may have planned a route using that as a starting point and somehow unintentionally misled Google into thinking that was my home.

    3. Joe Dietz

      Re: Geolocation data ? On a PC ?

      Nobody cares where you live, they care to know where google or whoever thinks you are living. This is so when they use the tokens they just harvested, they can spoof the correct geolocation and not set off any alarms in the cloud services from a token performing 'time travel'. Time travel detection (aka you are suddenly in SE Asia, despite logging in from Redmond Washington not 5 minutes ago) is bread and butter of cloud identity security.

      https://upsight.ai/blog/beyond-passwords-decoding-the-vulnerability-of-identity-tokens
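The "time travel" check this comment describes, as an added illustration that is not from the article or any commenter: consecutive sign-ins for the same account are compared by great-circle distance over elapsed time, and any pair implying a speed no traveller could achieve is flagged. The speed threshold, the event records and their geo-IP coordinates are constructed for the example.

```python
# Added example (not from the article or any commenter); threshold and sample data are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruising speed

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    label: str  # geo-IP location as text, used in the alert

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, previous_label, current_label, implied_kmh) for each consecutive
    pair of sign-ins by one user whose implied speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda ev: (ev.user, ev.when)):
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.when - prev.when).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Two different places at the same instant count as infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((e.user, prev.label, e.label, speed))
        last_seen[e.user] = e
    return alerts

# Constructed sample: the Redmond -> South-East Asia case from the comment, plus a benign hop.
UTC = timezone.utc
SAMPLE = [
    SignIn("alice", datetime(2024, 1, 16, 9, 0, tzinfo=UTC), 47.67, -122.12, "Redmond, WA"),
    SignIn("alice", datetime(2024, 1, 16, 9, 5, tzinfo=UTC), 1.35, 103.82, "Singapore"),
    SignIn("bob", datetime(2024, 1, 16, 8, 0, tzinfo=UTC), 48.69, 6.18, "Nancy"),
    SignIn("bob", datetime(2024, 1, 16, 11, 0, tzinfo=UTC), 48.86, 2.35, "Paris"),
]

if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE):
        print(f"ALERT: {user} signed in from {src} then {dst} (~{kmh:.0f} km/h)")
```

Bob's Nancy-to-Paris hop (roughly 280 km in three hours) stays under the threshold; Alice's Redmond-to-Singapore pair five minutes apart implies well over 100,000 km/h and is the one alert produced.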

  3. BPontius

    Geolocation in Windows 10/11 can be disabled through Services (or a registry hack) and blocked in most browsers. The location information online is from your IP address and shows the location of your ISP's point-of-presence (local access for your service) in the area you live, not your actual location\home. Your PC, laptop, tablet and cell phone can be identified from the MAC address (hardware identifier). On cell phones your location is isolated from the cell phone towers your phone is in contact with, the IP address of your mobile ISP\phone company helping to narrow it down, along with GPS. Chrome browser shares browsing history with Firefox, can be disabled but if it actually stops the data collection, well consider all the other opt-out or ins they continue to ignore.

  4. aerogems Silver badge

    Lesser of Two Evils

    Like a lot of people, I find having to reboot once a month or so to install the latest Patch Tuesday updates to be an annoyance, but... it's far less of an annoyance than having to deal with this sort of situation. Not to mention I'm old enough to remember the early aughts, before installing updates was mandatory, and people might be running a gold release of XP and IE6 2+ years after it had been released and their machine was so laden with various forms of malware you may as well just take that install out back and put it out of its misery. We don't see that nearly as much anymore with the upgrades to Windows being offered for free and then updates being made mandatory. Would that we lived in a perfect world where no one would bother exploiting flaws in software, but until that day arrives, this is the lesser of the two evils.

  5. Pete Sdev Bronze badge

    Wow

    Not having a Windows machine since 98SE, I had to look up what on earth Windows Defender SmartScreen is.

    It just goes to illustrate the proverb:

    The only thing worse than no security is a false sense of security

  6. Terry 6 Silver badge

    .cpl

    s it downloads and opens a .cpl file, which is a Windows control panel item.

    I'm pretty sure I was reading of dangers posed by .cpl files decades ago.

    Surely there is some way these could have been sandboxed or limited in function by now?

  7. ldo

    “It appears the .cpl fetched by the .url is really a .dll ...”

    That shall be my phrase of the week.

    Oh, and Microsoft Windows must be the only platform where addons that attempt to patch up its security failings actually increase the vulnerable attack surface, instead of reducing it.

  8. FirstTangoInParis Bronze badge

    There’s security and then there’s security

    I’ve mentioned this elsewhere, but my experience of restricting MS365 users from installing unauthorised software fell at the first fence, when a legitimate Dell update failed to install on my machine with my global admin rights. It’s all or nothing. Maybe I should make it nothing, but I’m not on site during the day and my gut feel is something fundamental will stop working.

    But at least patches are installing on time. I just need to get users to sign out overnight so the PC can reboot itself in the small hours.
