Hello, welcome to the Wednesday, February 2, 2020 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

And we got more proof-of-concept exploits for January's Microsoft patches. The latest one is for CBE 2020-2-21882. This is a privilege

escalation vulnerability and it's affecting most versions of Windows. Source code for the

Proof Concept Exploid has been made available on GitHub, so expected to show up in various other tools and Malware shortly.

And well, then we got more browser tracking this time via the GPU.

No real big surprise here, but with WebGL, it's possible to essentially access the GPU, the graphics

processor on a system rather directly. And by looking at timing differences in how long it

takes to execute certain functions, you may be able to deduct the power and the kind of GPU that's in a system,

which of course gives you another parameter to identify and distinguish between different

users.

Not too much you can do about this.

You could turn off WebGL.

Some prowess actually allow it at, but there are

some notable sites. For example, the paper here notes Microsoft Office, Google Maps, Amazon,

that do take advantage of WebGL, so your user experience on these sites may at least be limited and softball's got an

interesting write-up of malware that they are calling solar marker and now this malware apparently

gets distributed a lot via search engine optimization and the user downloads the malware thinking

that it installs a legitimate application, which it actually still does. It does install the

legitimate application, at least in some cases. So that makes a little bit more difficult

to figure out that the user also installed some maver.

Also an interesting persistence mechanism here.

It does add a link file to the system's startup directory, but that link file points to a random named file with a random extension.

...