GreyhoundGroup: RT @Greyhound_R: Is @Microsoft truly changing under @SatyaNadella? https://t.co/WAzPRkGbJB > #Insights from @s_v_g #Cloud #Mobile #Analyti…

GreyhoundGroup: RT @Greyhound_R: Is @Microsoft truly changing under @SatyaNadella? https://t.co/WAzPRkGbJB > #Insights from @s_v_g #Cloud #Mobile #Analyti…

Greyhound_R: Is @Microsoft truly changing under @SatyaNadella? https://t.co/WAzPRkGbJB > #Insights from @s_v_g #Cloud #Mobile #Analytics #Windows10

Greyhound_R: Is @Microsoft truly changing under @SatyaNadella? https://t.co/WAzPRkGbJB > #Insights from @s_v_g #Cloud #Mobile #Analytics #Windows10

Want to see BitTorrent client Torrex on the Xbox One? You can now pledge your support

Popular BitTorrent client Torrex is exploring the possibility of making its app available on the Xbox One. With the Unified Windows Store launching later this year — paving the way for UWP apps to make their way to the console — the Xbox One will see a noticeable uptick in the number of apps.

http://feedproxy.google.com/~r/wmexperts/~3/zPXCyZ6rmmI/want-see-bittorrent-client-torrex-xbox-one-you-can-now-pledge-your-support

?Duqu 2.0 kernel exploitation technique analysis (part 1 of 2)

Out of the multiple components used in the sophisticated Duqu 2.0 cyberespionage attack, we had a chance to look into one of the kernel exploits used for its elevation-of-privilege attack.
Early this year, Kaspersky Lab discovered Duqu 2.0 and named it as such due to its close similarity to the original Duqu malware. Microsoft patched the vulnerability and published Security bulletin MS15-061 on June 9, 2015.
This blog takes a closer look at the exploitation technique used and not the vulnerability itself.
The road to corruption and control
The nature of the vulnerability itself is very straightforward. After the userland process registers its own ClientCopyImage callback, and when the callback is called from kernel, it destroys the Windows object. It also unregisters the associated class that triggered the callback, which leads to use-after-free condition. When the vulnerability is easy to understand, we found that the exploitation technique used was very complicated.
By indirectly allocating a structure just after the use-after-free condition, the attacker can control what happens next. The exploit calls the NtUserThunkedMenuItemInfo function. The call allocates various objects in place of the freed memory location.  The exploit then allocates objects to guarantee alignment precision such that the attacker-controlled address is used as a pointer to an object that is passed to HMUnlockObject, which is called by the kernel after the ClientCopyImage callback finishes.
The pointer falls just to the right location inside the tagCLS object to overwrite the cbclsExtra field when the instruction inside HMUnlockObject decreases the object reference counter. The tagCLS object address is calculated using the _MapDesktopObjectWin32k function.

    Figure 1: How the use-after-free condition works
From the code below, rcx points inside of one of the tagCLS objects that the fake object points to. The instruction highlighted in yellow decreases the DWORD value of that memory location.

    Figure 2: HMUnlockOBject to corrupt a memory location
The corruption target, rcx+8, points to cbclsExtra field of the tagCLS object. The tagCLS object is pre-allocated by calling a series of Windows APIs. The field indicates the size of extra class memory. Usually, APIs like GetClassLong and SetClassLong, are used to access extra class memory.

    Figure 3: Original tagCLS object
The field is initialized to 0 in this case, which means there is no extra memory for this class. But with the HMUnlockObject instruction’s corruption of the memory, it becomes -1 or 0xffffffff in unsigned DWORD form.

    Figure 4: Corrupt tagCLS object
With the corrupt cbclsExtra field, the exploit can freely access extra memory address space using GetClassLong and SetClassLong API sets.
Because the code used ja instruction to check the maximum value for the APIs’ index parameter, there is an unsigned comparison between 0xffffffff and the index value. It then allows the exploit to access a wide range of kernel memory with read and write privilege.

    Figure 5: Out of bounds index
 
Opening up 64-bit memory address for read and write access
The tactic the attacker chose after the first corruption stage is also very interesting. It looks for a specific structure inside the tagWND class. The location of tagWND and its member object is calculated using the _MapDesktopObjectWin32k function.
By carefully calculating the tagWND objects’ location inside the kernel based on the object returned from the call, it locates the strName member variable inside the tagWND object by adding 0x0d8 value to the base of object.

    Figure 6: Locating tagWND.strName
It is very interesting to know the reason why the exploit is using this field. Even when you have a wide range of read/write access to the system memory, you don’t cover the whole 64-bit memory space with GetClassLong and SetClassLong APIs. This is because they are bound by 32-bit index value even if the exploit runs on a 64-bit system. It is also not easy to know what address you are actually reading or writing. The exploit’s tactic is to corrupt the strName.Buffer member variable from tagWND and use it as leverage for further memory access. This time, it has full memory access with 64-bit memory range and with arbitrary length of data.
For example, from the following API log, NtUserSetClassLongPtr API was used to set the tagWND.strName.Buffer value to fffff6fb7dbedf90, which is arbitrary kernel memory location. If the InternalGetWindowText function is called, it retrieves bytes from the designated tagWND.strName.Buffer location.
Therefore, if you know the address of the memory location, you can read any data from the kernel.

    Figure 7: Using InternalGetWindowText API to read from kernel memory
Another way is also possible, which is writing arbitrary memory location with any data. Use NtUserSetClassLongPtr API to set the tagWND.strName.Buffer value and call NtUserDefSetText function. It then writes any designated bytes to the target kernel memory location.

    Figure 8: Using NtUserDefSetText API to write to kernel memory
In this way, malware perpetrators use the simple use-after-free vulnerability as a very powerful exploit that has full kernel memory access. Even when the exploit acquires full memory read and write privilege on the kernel, it is still tough to achieve code execution.
In the next blog, we will discuss the stage after this step, which is also quite interesting because it is about Windows kernel mitigations.
Acknowledgement: Thanks to Elia Florio for his advice on kernel land vulnerability analysis.
MMPC
Jeong Wook Oh

https://blogs.technet.microsoft.com/mmpc/2016/05/29/%E2%80%8Bduqu-2-0-kernel-exploitation-technique-analysis-part-1-of-2-3/

?Duqu 2.0 kernel exploitation technique analysis (part 1 of 2)

Out of the multiple components used in the sophisticated Duqu 2.0 cyberespionage attack, we had a chance to look into one of the kernel exploits used for its elevation-of-privilege attack.
Early this year, Kaspersky Lab discovered Duqu 2.0 and named it as such due to its close similarity to the original Duqu malware. Microsoft patched the vulnerability and published Security bulletin MS15-061 on June 9, 2015.
This blog takes a closer look at the exploitation technique used and not the vulnerability itself.
The road to corruption and control
The nature of the vulnerability itself is very straightforward. After the userland process registers its own ClientCopyImage callback, and when the callback is called from kernel, it destroys the Windows object. It also unregisters the associated class that triggered the callback, which leads to use-after-free condition. When the vulnerability is easy to understand, we found that the exploitation technique used was very complicated.
By indirectly allocating a structure just after the use-after-free condition, the attacker can control what happens next. The exploit calls the NtUserThunkedMenuItemInfo function. The call allocates various objects in place of the freed memory location.  The exploit then allocates objects to guarantee alignment precision such that the attacker-controlled address is used as a pointer to an object that is passed to HMUnlockObject, which is called by the kernel after the ClientCopyImage callback finishes.
The pointer falls just to the right location inside the tagCLS object to overwrite the cbclsExtra field when the instruction inside HMUnlockObject decreases the object reference counter. The tagCLS object address is calculated using the _MapDesktopObjectWin32k function.

    Figure 1: How the use-after-free condition works
From the code below, rcx points inside of one of the tagCLS objects that the fake object points to. The instruction highlighted in yellow decreases the DWORD value of that memory location.

    Figure 2: HMUnlockOBject to corrupt a memory location
The corruption target, rcx+8, points to cbclsExtra field of the tagCLS object. The tagCLS object is pre-allocated by calling a series of Windows APIs. The field indicates the size of extra class memory. Usually, APIs like GetClassLong and SetClassLong, are used to access extra class memory.

    Figure 3: Original tagCLS object
The field is initialized to 0 in this case, which means there is no extra memory for this class. But with the HMUnlockObject instruction’s corruption of the memory, it becomes -1 or 0xffffffff in unsigned DWORD form.

    Figure 4: Corrupt tagCLS object
With the corrupt cbclsExtra field, the exploit can freely access extra memory address space using GetClassLong and SetClassLong API sets.
Because the code used ja instruction to check the maximum value for the APIs’ index parameter, there is an unsigned comparison between 0xffffffff and the index value. It then allows the exploit to access a wide range of kernel memory with read and write privilege.

    Figure 5: Out of bounds index
 
Opening up 64-bit memory address for read and write access
The tactic the attacker chose after the first corruption stage is also very interesting. It looks for a specific structure inside the tagWND class. The location of tagWND and its member object is calculated using the _MapDesktopObjectWin32k function.
By carefully calculating the tagWND objects’ location inside the kernel based on the object returned from the call, it locates the strName member variable inside the tagWND object by adding 0x0d8 value to the base of object.

    Figure 6: Locating tagWND.strName
It is very interesting to know the reason why the exploit is using this field. Even when you have a wide range of read/write access to the system memory, you don’t cover the whole 64-bit memory space with GetClassLong and SetClassLong APIs. This is because they are bound by 32-bit index value even if the exploit runs on a 64-bit system. It is also not easy to know what address you are actually reading or writing. The exploit’s tactic is to corrupt the strName.Buffer member variable from tagWND and use it as leverage for further memory access. This time, it has full memory access with 64-bit memory range and with arbitrary length of data.
For example, from the following API log, NtUserSetClassLongPtr API was used to set the tagWND.strName.Buffer value to fffff6fb7dbedf90, which is arbitrary kernel memory location. If the InternalGetWindowText function is called, it retrieves bytes from the designated tagWND.strName.Buffer location.
Therefore, if you know the address of the memory location, you can read any data from the kernel.

    Figure 7: Using InternalGetWindowText API to read from kernel memory
Another way is also possible, which is writing arbitrary memory location with any data. Use NtUserSetClassLongPtr API to set the tagWND.strName.Buffer value and call NtUserDefSetText function. It then writes any designated bytes to the target kernel memory location.

    Figure 8: Using NtUserDefSetText API to write to kernel memory
In this way, malware perpetrators use the simple use-after-free vulnerability as a very powerful exploit that has full kernel memory access. Even when the exploit acquires full memory read and write privilege on the kernel, it is still tough to achieve code execution.
In the next blog, we will discuss the stage after this step, which is also quite interesting because it is about Windows kernel mitigations.
Acknowledgement: Thanks to Elia Florio for his advice on kernel land vulnerability analysis.
MMPC
Jeong Wook Oh

https://blogs.technet.microsoft.com/mmpc/2016/05/29/%E2%80%8Bduqu-2-0-kernel-exploitation-technique-analysis-part-1-of-2-2/

Red, white and blue sale: Save 20% on Windows Phone accessories!

In honor of the brave men and women who gave their lives for our country, we’re offering 20% off all Windows Phone accessories at the Windows Central Shop.

Starting today until Tuesday, May 31, you can pick up a new case, backup battery, screen protector or wireless charger for your Windows Phone and enjoy a 20% savings by using coupon code: RWB16 at checkout. There’s an extensive selection of Windows Phone accessories to choose from, along with a convenient 60-day return policy and free shipping on all orders over $50 in the US and Canada.

http://feedproxy.google.com/~r/wmexperts/~3/0My8kkQVvAA/red-white-and-blue-sale-save-20-windows-phone-accessories-0

This Week in Xbox – Xbox 'Scorpio' rumor round-up, Phil Spencer teases E3 (Giveaway!)

This week we’re rounding up all the latest Xbox One hardware rumors!

We’re also giving away another copy of Overwatch to one lucky commenter! Simply leave a reply and join the discussion for a chance to win.

Every week, I summarize some of the biggest rumors and talking points in one handy post every weekend. You can also rely on this weekly column to catch up with all the latest Xbox One game releases.

Welcome to the latest edition of This Week in Xbox One News.

http://feedproxy.google.com/~r/wmexperts/~3/zg_ojQpW1ns/week-xbox-may-29th-2016

The untold "app gap" story Part II: App gap? What app gap?

The term “app gap” suggests a numeric disparity exists between the number of apps available on iOS and Android and that of Microsoft’s Windows Store.

However, as I mentioned in “Part I of this series: Human behavior, the overlooked variable” , the term “app gap”, has evolved to also include a “quality of app” factor. Thus “app gap” now carries the additional connotation that there is a quality gap between some of the apps of the dominant platforms and Microsoft’s.

There has, however, been an even more dramatic evolution of the term. Due to how it is presented in most reporting without the context of how the average smartphone user (at least in the US) behaves in relation to apps, “app gap” has further evolved to mean a dramatically inferior or nearly unusable smartphone experience if a consumer chooses Windows Phone.

Though not explicitly stated this way clear recommendations away from Windows Phone and other inferences strongly imply this. This logic, however, is not necessarily valid. Human behavior is a critical factor to incorporate when we consider the empirical data of the app quantity and sometimes the quality disparity between Windows phone and iPhone and Android apps.

In Part I, we gave a broad view of the effect of human behavior on app usage and the general smartphone experience of the average US smartphone user. We surmised that the impact of certain missing apps from the Windows Store would not dramatically affect the average smartphone user’s experience. This conclusion was reached based on an analysis of the 2015 US Mobile App Report which presented data reflecting human behavior in relation to apps.

In this piece we will look more closely at that data and talk in greater detail about what apps are most used, by most users, most of the time; and why that information effectively precludes an “app gap”, in the sense of a dramatically inferior or unusable smartphone experience, for the average US smartphone user who chooses Windows Mobile.

As I proceed with this analysis, please note, I will be speaking from the perspective of the demographic reflected in this data: US smartphone users. It may, however, be reasonable to conclude that human behavior in other regions may yield a similar concentration of app usage on a small core assortment of apps.

http://feedproxy.google.com/~r/wmexperts/~3/8DoX0T1UBUA/untold-app-gap-story-part-ii-app-gap-what-app-gap

This week in Windows Mobile: May 29, 2016

There’s a lot going on in the world of Windows Phone. So much, in fact, that it is sometimes tough to catch every important story.

Device rumors come and go. New apps join the Windows Phone Store, and your favorite app can get a big update with a new look or new features.

Therefore, every week we will compile a list of the Windows Phone news that you just shouldn’t miss. Welcome to the “Windows Mobile Weekly Digest.”

http://feedproxy.google.com/~r/wmexperts/~3/ONxzivJ0vK8/week-windows-mobile-may-29-2016