Hello, welcome to the Thursday, November 16th, 2017 edition of the Sands and its Storms,

and it's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Diary from Xavier today about yet another malicious document, the initial infection vector isn't

really all that special, interesting name of the document.

The title is Saudi declare war on Lebanon.

The document itself is well recognized by antivirus by now.

But what sort of interesting is what the script does later.

It does actually make VIRT more vulnerable by enabling macros by default, disabling the

safe loading or protected view in VIRT.

So this way if you then receive additional documents, you will be infected without having to approve macros.

So once the user recognizes that they are infected and if they make the common mistake of just removing the malicious document and whatever malware they can find, they will still be open

for a follow-on infection due to these weakened vert settings.

I think the main lesson here is that if you find an infected system, rebuild it from scratch. Cleaning the malicious software usually isn't sufficient

in order to protect the system going forward. Now you may remember back in September,

Armas security consulting company did publish a video on a paper about the Blueborn attack.

The Blueborn attack was really a set of vulnerabilities in common Bluetooth stacks that in essence

do allow remote code execution on devices via Bluetooth.

Now at the time, Linux kernels, for example, Android did release patches, but two particular

devices were sort of overlooked at the time and that was Amazon's Echo as well as the Google

home device. There are a few million of them out there. They have

now been patched. Nothing you have to do as a user as these devices will patch automatically.

And it used to be good advice to only download Android applications from Google's Play Store.

...