Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
New Attack Method Delivers Malware Via Mouse Hover
RetiredUser,
User Rank: Ninja
6/10/2017 | 1:02:34 PM
Hold Software Vendors Accountable
I remember reading pages upon pages of complaints about the configuration of mouse hover on Microsoft support forums. In fact, if you want to see the inevitability of this exploit, just read the last seven or so years of complaints and pleading by Microsoft customers in Microsoft Community boards related to this feature. It's one of hundreds that have high visibility and practically define the exploit requirements for malicious coders. Similar exploits have appeared in public databases the last couple years.

A user's security needs to be a vendor's first priority, and community support forums are the bedrock of user security issues and concerns. For all the anger this particular configuration item generated since 2010 over multiple versions of Microsoft software, one finds it hard to understand how the feature in 2017 is still not buttoned down and is causing users even more pain. Especially considering how widely available many exploit databases are that had posts which may have predicted the latest thorn in our side.

On the flip side of this, the exploit reflects the creativity with which malicious coders approach problems and it serves as an example for companies like Microsoft that some elements of their product line may still be constricted by an outmoded development approach.  Creative thinking, approaching a feature's requirements with security a primary development consideration and testing that feature before release with the same level of ingenuity Trojan developers write their code with...  

 

 

 

