Introduction
In Week 9 there has not been a shortage of security news. A healthcare organization had a vulnerability that allowed users to look at other patients' records, which is quite serious. Microsoft had a remote code execution vulnerability that would allow an attacker to remotely control a machine. There were several other stories, but these were the two I chose to write on.
True Health Vulnerability
True Health Diagnostics, located here https://truehealthdiag.com/, had a major vulnerability discovered by a patient. The vulnerability was found on their patient portal, which is located at the following link: https://my.truehealthdiag.com/customlogin.htm. The patient was Troy Mursch, an IT consultant who lives in Las Vegas (Krebs, 2017). Mursch found the vulnerability when he was looking at a PDF of his blood test and saw that the link True Health Diagnostics created could be edited. Mursch edited the link to the PDF and was able to access other patients' tests and records. Once Mursch found the vulnerability he called and alerted True Health Diagnostics to the flaw. True Health Group shut down their website while they found and fixed the flaw.
At this point, there is no knowledge of how long the vulnerability has existed. This means patients or an attacker could have been stealing data for several years. True Health Diagnostics needs to hire a forensic company to come in and do an investigation. This is the only way to know if there was unauthorized access to patients' records. If they don't hire a forensic investigator then I don't think they are being ethical. I like the way True Health Diagnostics responded to the vulnerability by shutting off their site. This is the first time I have heard of this and it is truly a bold and interesting move. Most companies would say they will investigate an issue and either fix or not fix it while keeping their website up.
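The flaw described above is a classic insecure direct object reference: the portal trusted the record id in the link and never checked who was asking. The following is an added example, not code from the post or from True Health's portal, that models a report lookup with constructed sample data; the function names, the two patients and the in-memory "database" are all assumptions. It shows the trusting lookup next to a hardened one that enforces ownership and keeps an access log, which is exactly what an investigator would need to answer whether other patients' records were read.

```python
"""Added example (not from the post or True Health's code): a patient-report
lookup modelled on the portal flaw. The vulnerable lookup trusts the record id
in the link; the hardened one checks ownership and writes an access log so a
later investigation can tell who read which report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Report:
    report_id: str
    patient_id: str
    content: str


# Constructed sample data standing in for the portal's database (hypothetical).
REPORTS = {
    "1001": Report("1001", "patient-a", "Lipid panel for patient A"),
    "1002": Report("1002", "patient-b", "Lipid panel for patient B"),
}

# (requester, report_id, outcome) for every lookup, kept for forensic review.
ACCESS_LOG: List[Tuple[str, str, str]] = []


def fetch_report_vulnerable(report_id: str) -> Optional[str]:
    """Returns whatever report id appears in the link: no ownership check,
    so editing the id in the PDF link reveals another patient's results."""
    report = REPORTS.get(report_id)
    return report.content if report else None


def fetch_report(report_id: str, requester: str) -> Optional[str]:
    """Serves a report only to the patient it belongs to, and records every
    attempt so unauthorized access can be detected and investigated."""
    report = REPORTS.get(report_id)
    if report is None:
        ACCESS_LOG.append((requester, report_id, "not_found"))
        return None
    if report.patient_id != requester:
        ACCESS_LOG.append((requester, report_id, "denied"))
        return None
    ACCESS_LOG.append((requester, report_id, "ok"))
    return report.content


def denied_attempts() -> int:
    """Number of denied lookups in the log: the signal an investigator needs."""
    return sum(1 for _, _, outcome in ACCESS_LOG if outcome == "denied")


if __name__ == "__main__":
    # Patient A edits the id in their own link from 1001 to 1002.
    print(fetch_report_vulnerable("1002"))   # leaks patient B's report
    print(fetch_report("1002", "patient-a"))  # None, and logged as denied
    print(fetch_report("1001", "patient-a"))  # patient A's own report
    print(denied_attempts())                  # 1
```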
Microsoft Remote Code Execution
It has been discovered that Microsoft has a vulnerability in their malware scanner. Google Project Zero found the remote code execution in Windows anti-malware software. According to The Hacker News article, the affected software is Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection and Microsoft Forefront Endpoint Protection (Kumar, 2017). Google's Project Zero found that if any of the Microsoft anti-virus programs above scanned a specially crafted file, a hacker could have full control of the computer. The file can get to the computer via an email phishing attack or by downloading the malicious file. One of the important details is that the attack can happen over email without reading or even opening the full email (Mix, 2017). Since Microsoft's anti-virus programs have real-time scanning, once the file is created, opened, downloaded or moved it will trigger the exploit (Kumar, 2017). Microsoft has released a patch for Windows 7, 8, 10 and RT in only 3 days!
The remote code execution in this instance needs a special file for the exploit to work, but hackers can get their hands on this file and use it to spread malware. This "loophole" can allow a hacker to install new programs such as a Trojan or change program permissions because it basically gives them ROOT access. It was good to see Microsoft patch this vulnerability so quickly because it usually takes longer than 3 days. The scary part of this remote code execution exploit is that the file doesn't even need to run to infect the computer; the Microsoft anti-virus program only has to scan it. These types of exploits make a hacker's job easy because they don't really require them to trick a user into installing a file.
References
Krebs, Brian. "Krebs on Security." May 8, 2017. Accessed May 14, 2017. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/.
Kumar, Mohit. "Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner." The Hacker News. May 9, 2017. Accessed May 14, 2017. http://thehackernews.com/2017/05/windows-defender-rce-flaw.html.
Mix. "Microsoft issues fix for critical exploit in Windows Defender found by Google." The Next Web. May 9, 2017. Accessed May 14, 2017. https://thenextweb.com/microsoft/2017/05/09/microsoft-google-windows-vulnerability/?amp=1.