A Chinese researcher discovers a decades-old Windows vulnerability and hackers drain the Decentralized Autonomous Organization of over $50 million in this week's Security Central.

June 24, 2016

Security Central: Microsoft Catches and Patches Security Bug, Hacker Ends Virtual Currency Project Journey – June 24, 2016

By Pino Vallejo

A crucial catch by a researcher in China this week may have saved Microsoft from a potentially massive security breach. Yang Yu, director of Xuanwu Lab of Tencent in Beijing, discovered an error in the security design that affects all versions of the Microsoft Windows operating system, a potentially disastrous flaw that has gone undetected for the past 20 years. To give you an idea how far back that is, think Windows 95.

In an interview with security news site Dark Reading, Yu spoke about the implications of the security vulnerability, dubbed ‘BadTunnel’. “This vulnerability has a massive security impact – probably the widest impact in the history of Windows. It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years. It can be exploited silently with a near perfect success rate.”

Thankfully, there is no indication that the vulnerability was discovered by cybercriminals. It’s a good thing, too: BadTunnel would have made it possible for an attacker to hijack the data in a targeted victim’s or organization’s network seamlessly while remaining completely undetected. How? This isn’t your typical bug. BadTunnel isn’t just one isolated glitch in a system; it exploits a unique combination of security vulnerabilities that would allow the attacker to breeze past firewalls and defenses and break in without having to deploy malware, and deploying malware is usually what makes most other attacks easier to spot. Exploitation begins when the unsuspecting user visits a bad web page via Microsoft browsers Internet Explorer or Edge, or perhaps opens a corrupted Office document.

Microsoft issued a patch for the BadTunnel bug last week. Yu will present his findings in more depth in July at the 2016 Black Hat USA conference in Las Vegas in his presentation, “BadTunnel: How Do I Get Big Brother Power?”

While the industry has made substantial strides in detecting, combating and successfully preventing cyber-attacks in many instances, criminals still triumph on occasion. Such was the case last Friday when a hacker drained more than $50 million of digital money from the Decentralized Autonomous Organization (DAO), a crowdsourced company heading a hugely successful “experimental virtual currency project,” according to The New York Times. The organization had raised $160 million in Ether, a form of cryptocurrency similar to Bitcoin.

The impact of the DAO hack is particularly devastating because it pokes significant holes in the viability of digital currency, a concept whose advantages thousands of investors and participants have been working to prove. The technology behind virtual currencies is known as blockchain, which tracks and stores every detail of each transaction. “The strength of blockchain tech is that it is a ledger, a statement of truth,” Bruce Fenton, a board member with the Bitcoin Foundation, wrote on Friday. Because of this level of transparency, the technology has been touted as having a leg up on traditional money transactions. However, the attack has stirred up a wave of skepticism and has prompted closer examination and discussion of the safety and security of cryptocurrencies.

Unfortunately, this likely means the end of the road for the DAO, but the advantages of the technology behind digital currency, particularly the ‘statement of truth’ aspect, still hold the interest of those who see its transformative potential for the world of commerce. Who knows? The virtual universe may still have great things in store for cybercurrency.