New Windows Vulnerability Allows Attackers to Steal Your Files

Mar 28, 2018 | 360TS

A critical vulnerability, CVE-2018-0878, has been found in Microsoft’s Windows Remote Assistance (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal users’ files on the targeted machine.

Files Can Be Stolen with One Click

Windows Remote Assistance is a built-in tool that allows someone to control your PC so they can help you resolve your computer problems remotely.

Under the hood, this feature relies on the Remote Desktop Protocol (RDP) to build a secure connection between two Windows machines.

Due to a flaw inside the MSXML3 parser of the implementation of RDP, attackers can use the “Out-of-Band Data Retrieval” attack technique by offering the victim access to their computer via Windows Remote Assistance.

Two options are given when setting up Windows Remote Assistance – Invite someone to help you or Help someone who needs assistance.

The first option generates an invitation file, which is used by Windows Remote Assistance and contains the data required for authentication in XML format. By exploiting the parser flaw, the attacker can craft an invitation file containing a malicious payload that instructs the victim’s computer to upload the content of the specified files to remote servers controlled by the attackers.

As long as the victim responds to the Remote Assistance invitation sent by the attacker, files will be stolen automatically.

Tips to Protect Your Digital Assets

An official update is now available via 360 Total Security or Windows Update.

To stay protected, 360 Security Center recommends that users:

  1. Apply the hotfix as soon as possible.
  2. Disable the Windows Remote Assistance feature if you don’t need it.
  3. Don’t respond to unknown Windows Remote Assistance requests.
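
The following Python check is an added example, not part of the original article or any 360 or Microsoft tooling. It inspects an invitation file's raw bytes for DTD or entity declarations, the kind of markup a crafted invitation would need, without handing the file to an XML parser. It assumes a legitimate invitation is plain XML data with no DTD; the `INVITE`/`TICKET` element names and the `example.invalid` URL are constructed placeholders, not the real invitation schema.

```python
from __future__ import annotations
import codecs
import re
import sys

# DTD/entity markup: assumed absent from any legitimate invitation file.
DTD_MARKUP = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXTERNAL_REF = re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE)

# Constructed samples (placeholder element names, not the real schema).
CLEAN = '<?xml version="1.0"?><INVITE><TICKET VALUE="constructed"/></INVITE>'
SUSPECT = ('<?xml version="1.0"?>'
           '<!DOCTYPE INVITE [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
           '<INVITE><TICKET VALUE="constructed"/></INVITE>')


def decode_xml_bytes(raw: bytes) -> str:
    """Decode without parsing; an ASCII byte search would miss UTF-16 files."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig", errors="replace")
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    if raw[:2] == b"<\x00":          # BOM-less UTF-16 little endian
        return raw.decode("utf-16-le", errors="replace")
    if raw[:2] == b"\x00<":          # BOM-less UTF-16 big endian
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8", errors="replace")


def inspect_invitation(raw: bytes) -> list[str]:
    """Return reasons to reject the file; an empty list means nothing was found."""
    text = decode_xml_bytes(raw)
    findings = [f"{m.group(1).upper()} declaration at offset {m.start()}"
                for m in DTD_MARKUP.finditer(text)]
    if findings and EXTERNAL_REF.search(text):
        findings.append("external SYSTEM/PUBLIC reference")
    return findings


if __name__ == "__main__":
    # Usage: python check_invite.py <invitation file> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = inspect_invitation(fh.read())
        print(path, "REJECT" if result else "ok", *result, sep="\n  ")
```

A clean result is not proof that a file is safe; the check only covers the DTD-based technique described above and does not replace applying the hotfix.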