“So, a ransomware developer could adapt their software to use OLE objects to change / delete / encrypt files invisibly for the files owner,” the researcher explains.
This would be possible because Office executables are by default whitelisted and allowed to make changes to files placed in protected folders, without restrictions, even when a malicious actor uses OLE/COM objects to control Office executables programmatically. Thus, malware and other unauthorized apps would not be able to touch the files in those directories.Īccording to Yago Jesus, however, this added protection can be easily bypassed by using an authorized application such as Office to access the data. When announcing the feature, Microsoft described it as a layer of real-time protection that would allow users to prevent ransomware from accessing their data by defining what programs have access to certain folders. It’s rather trivial to bypass the anti-ransomware feature that Microsoft introduced in its Windows 10 Fall Creators Update, a security researcher claims.ĭubbed Controlled folder access, the anti-ransomware feature was announced as part of Windows Defender Exploit Guard, a new set of host intrusion prevention capabilities in Microsoft’s latest platform iteration.
0 kommentar(er)
