Hackers posing as computer users in need of help were infiltrating data on their victims’ PCs
A vulnerability in Microsoft’s Remote Assistance tool allows hackers the opportunity to steal or delete files in specific targeted attacks.
The remote access feature is built in to all versions of Windows post-XP, and enables users to give or receive help from trusted networks based anywhere in the world.
Belgian researcher Nabeel Ahmed spotted a critical vulnerability in February 2017 and reported it to Microsoft in October.
The bug – named CVE-2018-0878 – has now been patched and details of the vulnerabilities can be reported.
It’s important to understand that though this flaw was described as critical, it requires a certain amount of phishing or social engineering to exploit it.
Also, the hack targets a specific computer or user – meaning it can’t be mass-exploited.
Quick Assist works like this: a user requests help from another individual and sends them a file via email or through other means to connect the two computers.
When the helper double-clicks the file, named invitation.msrcincident, it links the two via a remote desktop session.
Ahmed discovered that a hacker could manipulate the XML file to embed an XML External Entity (XEE) exploit into it.
Once opened, the malicious bug can then steal data and upload it to a remote server.
As Ahmed explained, this attack is only successful if the victim has been tricked into opening the file, for example, a phishing email sent by someone posing as a colleague.
But it can accomplish a dangerous attack that could recover sensitive data or logins and passwords.
Microsoft released the update during March's Patch Tuesday, which was last week.
Its latest version of the tool, called Quick Assist, is not vulnerable to the hack as it generates access codes instead of sending the file.