You are probably aware that sharing remote access to your computer with third-parties and untrusted people is not safe. However, it is worth to mention that sharing a full remote access to anyone could be risky and might get you hacked.
A critical flaw that has been detected in Microsoft’s Windows Remote Assistance also known as Quick Assist feature. The vulnerability can impact all versions of Windows PCs including Windows 10, 8.1, RT 8.1, and 7 and enable hackers to access users’ sensitive files.
Microsoft’s Windows Remote Assistance is a tool which is used to someone user trust to take over full control of the PC. This way can help to fix users digital-related issues from anywhere across the globe.
This feature belongs to the Remote Desktop Protocol or RDP in order to launch a secured connection with another user.
However, Nabeel Ahmed of Trend Micro Zero Day Initiative has detected and announced the flaw in Windows Remote Assistance. The vulnerability CVE-2018-0878 can potentially enable hackers to access details in order to further compromise the user’s system.
The flaw has been fixed in the Windows Remote Assistance processes XML External Entities (XXE). The vulnerability impacts Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10, 8.1, RT 8.1 and 7.
Exploiting Windows Remote Assistance
This vulnerability was patched and the technical details and proof-of-concept exploit code were released.
The vulnerability relies on MSXML3 parser, and if cybercriminals want to exploit the flaw, they have to use “Out-of-Band Data Retrieval” attack method and offer the potential victim access to the device using Windows Remote Assistance.
Windows Remote Assistance provides users with two options including:
- Invite someone you trust to help you;
- Help someone who has invited you.
If you select the first option, an invitation file is generated ‘invitation.msrcincident’ which includes XML data. Due to the parser which does not properly validate the content, the hacker is able to send a specially crafted Remote Assistance invitation file. This file in infected with malicious payload and is transferred to the victim’s device.
According to Microsoft, “The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”
However, Ahmed warns that the flaw can be used in phishing attacks.
This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information.
Windows PCs users are recommended to update their Windows Remote Assistance as soon as possible in order to avoid any possible attacks.