Hello, welcome to the Tuesday, October 27, 2020 edition of the Sand Center Storm Center's

Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

The DE today is talking about a new trick that he found used in Excel 4 Macro, something that

the has been writing in the past about.

Now, XL4 of course, no longer an active version of Excel, but these Excel 4 macros

will still be parsed fine by current versions of Excel. And one property that's often used by Malware is the visibility field in Excel spreadsheets.

So each sheet has its own visibility, and this can be either visible, hidden, or very hidden, taking up two bits in a byte that's otherwise

not defined. So very hidden would mean that the bit value 2 is set, hidden bit value 1 and

visible while the value is 0. The other bits are ignored, and that's, of course, a great opportunity for Malware

writers to evade signatures.

If particular Anteimalver is just looking for these predefined visibility values, then

they may not identify a sheet as very hidden and the signature

may fail, while Excel, of course, will just ignore the other bits and open that macro

just fine.

And if you're using an HP printer and a Mac, you may have had some problems these last couple days with the HP printer applications refusing to launch.

Apparently the problem here was that one of the signing certificates being used by HP had been revoked.

And as a result, of course, the operating system did no longer allow that software to run.

Of course, the entire certificate revocation ecosystem is kind of messy.

Also the same for a Mac OS.

It didn't affect all versions of Mac OS.

Apparently older versions of Mac OS do no longer update the database of revoked certificates,

...