Security-Portal.cz is a web portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.


Windows Tooling Updates: OleView.NET

Project Zero - 2 hours 38 min ago

Posted by James Forshaw, Google Project Zero

This is a short blog post about some recent improvements I've been making to the OleView.NET tool, released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution. The updates were recently presented at the Microsoft BlueHat conference in Redmond under the title "DCOM Research for Everyone!". This post expands on the topics discussed to give a bit more background and detail than could fit within the 45-minute timeslot. It assumes a knowledge of COM, as I'm only going to describe a limited number of terms.

Using the OleView.NET Tooling

Before we start the discussion it's important to understand how you can get hold of the OleView.NET tool and some basic usage. The simplest way to get the tooling is to install it from the PowerShell gallery with the Install-Module OleViewDotNet command. This installs both the PowerShell module and the GUI.

Next you need to parse the COM registration artifacts into an internal database by running the Get-ComDatabase command. Once it's finished you're ready to go. You will notice that it can take a long time to complete, so it would be annoying to have to do this every time you want to start researching. For that reason you can use the command Set-ComDatabase -Default to write the database out to a default storage location. The next time you start PowerShell you can just run an inspection command, such as Get-ComClass, and the default database will be loaded automatically.

This default database is also shared with the GUI, which you can start by running the Show-ComDatabase command. For general research I find the GUI to be easier to use and you can click around and look at the COM registration information. For analysis, the ability to script through PowerShell is more important.

Researching COM Services

Performing security research in COM usually involves the following steps:

  • Enumerate potential COM classes of interest. These might be classes which are accessible outside of a sandbox, running at high privilege or designed to be remotely exposed.
  • Validate whether the COM classes are truly accessible from the attack position. COM has various security controls which determine what users can launch, activate and access an object. Understanding these security controls allows the list of COM classes of interest to be limited to only those that are actually part of the attack surface.
  • Enumerate exposed interfaces, determine what they do and call methods on them to test for security vulnerabilities.

The last step is the focus of the updates to the tooling, making it easier to determine what an exposed interface does and call methods to test the behavior. The goal is to minimize the amount of reverse engineering needed (although generally some is still required) as well as avoid needing to write code outside of the tooling to interact with the COM service under test.
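As an added example (not part of the original post, nor code from OleView.NET itself), the following PowerShell script strings the setup commands above together with the first and third research steps, so the enumerate, instantiate, list-interfaces loop can be re-run per candidate class. Everything beyond the commands already named on this page is an assumption: the Name, Clsid and DefaultServerType properties on the class entries returned by Get-ComClass, and the LocalServer32 value used to pick out-of-process servers.

```powershell
# Added example, not code from the original post or from OleView.NET.
# Assumed: the Name/Clsid/DefaultServerType properties on Get-ComClass output.

function Initialize-ComResearch {
    param([switch]$Rebuild)
    if (-not (Get-Module -ListAvailable -Name OleViewDotNet)) {
        Install-Module OleViewDotNet -Scope CurrentUser
    }
    Import-Module OleViewDotNet
    if ($Rebuild) {
        # Slow: parses every COM registration artifact on the machine.
        Get-ComDatabase | Out-Null
        # Persist it; later sessions load it automatically on the first
        # inspection command (Get-ComClass, Get-ComInterface, ...).
        Set-ComDatabase -Default
    }
}

function Get-ComClassSurvey {
    <#
      Step 1 plus a preview of step 3: pick out-of-process classes matching a
      name pattern, instantiate each one and record the interfaces it exposes.
      Step 2 (launch/access permission checks) is NOT done here, so a class
      listed below is a candidate, not a confirmed attack-surface entry.
      Keep the pattern narrow: every match starts a COM server process.
    #>
    param([Parameter(Mandatory)][string]$NamePattern)

    $candidates = Get-ComClass | Where-Object {
        $_.Name -like $NamePattern -and
        "$($_.DefaultServerType)" -eq 'LocalServer32'   # out-of-process only (assumed property)
    }

    foreach ($cls in $candidates) {
        $row = [ordered]@{ Name = $cls.Name; Clsid = $cls.Clsid; Interfaces = $null; Error = $null }
        try {
            $obj = New-ComObject -Clsid $cls.Clsid
            $row.Interfaces = (Get-ComInterface -Object $obj | ForEach-Object Name) -join ', '
        } catch {
            # Typical causes: E_ACCESSDENIED (not launchable from this token),
            # a missing server binary, or the class not being registered for this user.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage (first session builds the database; later ones reuse it):
#   Initialize-ComResearch -Rebuild
#   Get-ComClassSurvey -NamePattern '*Background Intelligent*' | Format-Table -AutoSize
```

Errors are kept as data rather than thrown, because an access-denied result is itself useful when mapping the attack surface from a given position; the access checks themselves (step 2) are a separate pass.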

To achieve this goal, OleView.NET will pull together any sources of interface information it has, then provide a mechanism to inspect and invoke methods on the interface through the UI or via PowerShell. The sources of information that it currently pulls together are:

  1. Known interfaces, either defined in the base .NET framework class libraries or inside OleView.NET.
  2. COM interface definitions present in the Global Assembly Cache.
  3. Registered type libraries.
  4. Windows Runtime interfaces.
  5. Extracted proxy class marshaling information.

One useful benefit of gathering this information is that the tool formats the interface as "source code" so you can manually inspect it.

Formatting Interface Definitions

The OleView.NET tool uses a database object to represent all the artifacts it has analyzed on your system. The latest released version makes some of these objects convertible to "source code". For example, the following can be converted if the tool can find metadata describing the artifact:

  • COM interfaces
  • COM proxies
  • Windows Runtime classes
  • Type libraries, interfaces and classes

How you get to this conversion depends on whether you're using PowerShell or the GUI. The simplest approach is PowerShell, using the ConvertTo-ComSourceCode command. For example, the following converts an interface object into source code:

PS> Get-ComInterface -Name IMyInterface | ConvertTo-ComSourceCode -Parse

Note that we also need to pass the -Parse option to the command. Some metadata, such as type libraries and proxies, can be expensive to parse, so it won't do that automatically. However, once they've been parsed in the current session the metadata is cached for further use; for example, if you formatted a single interface in a type library, all other interfaces in it are now also parsed and can be formatted.

The output of this command is the converted "source code" as text. The format depends on the metadata source. For example, the following is the output from a Windows Runtime type:

[Guid("155eb23b-242a-45e0-a2e9-3171fc6a7fdd")]
interface IUserStatics
{
    /* Methods */
    UserWatcher CreateWatcher();
    IAsyncOperation<IReadOnlyList<User>> FindAllAsync();
    IAsyncOperation<IReadOnlyList<User>> FindAllAsync(UserType type);
    IAsyncOperation<IReadOnlyList<User>> FindAllAsync(UserType type,
                                       UserAuthenticationStatus status);
    User GetFromId(string nonRoamableId);
}

As Windows Runtime types are defined using metadata similar to .NET's, the output is in a pseudo-C# format. In contrast, for a type library or proxy it looks more like the following:

[
    odl,
    uuid(00000512-0000-0010-8000-00AA006D2EA4),
    dual,
    oleautomation,
    nonextensible
]
interface _Collection : IDispatch {
    [id(1), propget]
    HRESULT Count([out, retval] int* c);
    [id(0xFFFFFFFC), restricted]
    HRESULT _NewEnum([out, retval] IUnknown** ppvObject);
    [id(2)]
    HRESULT Refresh();
};

This is the Microsoft Interface Definition Language (MIDL) format. The type library version should be pretty accurate and could even be recompiled by the MIDL compiler. For proxies some of the information is lost, so the generated MIDL isn't completely accurate, but as we'll see later there are limited reasons to take the output and recompile it.

Another thing to note is that proxies lose name information when compiled from MIDL to their C marshaled representation. Therefore the tool just generates placeholder names; for example, method names are of the form "ProcN". If the proxy is for a type that has a known definition, such as a Windows Runtime type or a type library, the tool will try to apply the names automatically. If not, you'll need to change them manually if you want them to be anything other than the default.

You can change the names from PowerShell by modifying the proxy object directly. For example the "IBitsTest1" interface looks like the following before doing anything:

[
  object,
  uuid(51A183DB-67E0-4472-8602-3DBC730B7EF5),
]
interface IBitsTest1 : IUnknown {
    HRESULT Proc3([out, string] wchar_t** p0);
}

You can modify "Proc3" with the following script:

PS> $proxy = Get-ComProxy -Iid 51A183DB-67E0-4472-8602-3DBC730B7EF5
PS> $proxy.Procedures[0].Name = "GetBitsDllPath"
PS> $proxy.Procedures[0].Parameters[0].Name = "DllPath"

Now the formatted output looks like the following:

[
  object,
  uuid(51A183DB-67E0-4472-8602-3DBC730B7EF5),
]
interface IBitsTest1 : IUnknown {
    HRESULT GetBitsDllPath([out, string] wchar_t** DllPath);
}

This renaming will also be important when we come back to calling proxied methods. Obviously it'd be annoying to run this script every time, so you can cache the names using the following command:

PS> Export-ComProxyName -Proxy $proxy -ToCache

This will write out a file describing the names to a local cache file. When the proxy is loaded again in another session this cache file will be automatically applied. The Export-ComProxyName and corresponding Import-ComProxyName commands allow you to read and write XML or JSON files representing the proxy names which you can modify in a text editor if that's easier.
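The renaming and caching steps above, wrapped into one reusable function as an added example (not code from the original post or from OleView.NET). It relies only on what this page shows: Get-ComProxy -Iid, the Procedures[].Name and Parameters[].Name properties, Export-ComProxyName -ToCache, and piping the proxy through ConvertTo-ComSourceCode -Parse (the page lists proxies as convertible; that the command accepts them on the pipeline is assumed).

```powershell
# Added example, not code from the original post or from OleView.NET.
# Applies a batch of human-readable names to a proxy definition, keyed by the
# placeholder names the tool generates, and optionally persists them to the cache.

function Set-ComProxyNames {
    param(
        [Parameter(Mandatory)][string]$Iid,
        # Key:   current placeholder name, e.g. 'Proc3'
        # Value: @{ Name = 'NewName'; Parameters = @('p0name', 'p1name', ...) }
        [Parameter(Mandatory)][hashtable]$Names,
        [switch]$Persist
    )
    $proxy = Get-ComProxy -Iid $Iid
    if (-not $proxy) { throw "No proxy definition found for IID $Iid" }

    foreach ($key in $Names.Keys) {
        # Match on the placeholder rather than an index: ProcN numbering starts
        # after the inherited IUnknown/IDispatch slots, so Proc3 is Procedures[0]
        # only for a direct IUnknown derivative.
        $proc = $proxy.Procedures | Where-Object Name -eq $key
        if (-not $proc) {
            Write-Warning "No procedure named '$key' on $Iid; skipping"
            continue
        }
        $spec = $Names[$key]
        if ($spec.Name) { $proc.Name = $spec.Name }
        if ($spec.Parameters) {
            # Rename parameters positionally; an empty entry keeps the default name.
            $n = [Math]::Min($spec.Parameters.Count, $proc.Parameters.Count)
            for ($i = 0; $i -lt $n; $i++) {
                if ($spec.Parameters[$i]) { $proc.Parameters[$i].Name = $spec.Parameters[$i] }
            }
        }
    }

    if ($Persist) {
        # Written to the local name cache and re-applied whenever this proxy is
        # loaded in a future session, so this function need not be re-run.
        Export-ComProxyName -Proxy $proxy -ToCache
    }
    # Show the result; -Parse is needed the first time the proxy is formatted.
    $proxy | ConvertTo-ComSourceCode -Parse
}

# Usage with the IBitsTest1 proxy shown above:
#   Set-ComProxyNames -Iid '51A183DB-67E0-4472-8602-3DBC730B7EF5' -Persist -Names @{
#       Proc3 = @{ Name = 'GetBitsDllPath'; Parameters = @('DllPath') }
#   }
```

Because names are matched on the placeholder string, the same hashtable can be kept in a script alongside the research notes and applied to a fresh database without worrying about procedure ordering.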

One of the quickest wins is to enumerate the interfaces for a COM object, then pass the output through the ConvertTo-ComSourceCode command. For example:

PS> $obj = New-ComObject -Clsid 4575438f-a6c8-4976-b0fe-2f26b80d959e
PS> Get-ComInterface -Object $obj | ConvertTo-ComSourceCode -Parse

This creates a new COM object based on its CLSID, enumerates the interfaces it supports and then passes them through the conversion process to get out a "source code" representation of the interfaces.

To view the source code in the GUI you first need to open one of the database views from the Registry menu. In the resulting window, there will be a tree view of artifacts. You need to open the source code viewer window by right clicking the tree and selecting the Show Source Code option in the context menu. This will result in a view similar to the following:

You can also automatically enable the source code view from the View→Registry View Options menu. In that menu you can also enable automatically parsing the interface information, which is off by default.

You might notice in the screenshot that there's some text which is underlined. This indicates names which can be changed, and it is only used for proxies. You can right click the name and choose Edit Name from the context menu to bring up a text entry dialog. You can then change the name to suit. If you want to persist the names between sessions then set the Save Proxy Names on Exit option in the registry view options. Then when you exit any modified proxies will be written to the cache.

If you want to edit a proxy from PowerShell in a similar GUI you can use following command:

PS> Edit-ComSourceCode $proxy

This will show a dialog similar to the following where you can edit the proxy name information:

Generating Interfaces from a Proxy Definition

Now on to the more important side of these updates, the ability to invoke methods on the interfaces exposed by an object you want to research. The tool has always given you some ability to invoke methods as long as the object has a .NET interface to call through reflection. This could either be through a known interface type, such as a built-in one or the Windows Runtime interfaces or by converting a type library into a .NET assembly on demand.

What's new is the ability to generate an interface based on a proxy definition and then use that to invoke methods. Initially I tried to implement this by dynamically generating a .NET interface which would then use the existing .NET interop to call the proxy methods. This worked fine for simple proxies but quickly hit problems when doing anything more complex:

  • Some types are hard to represent as easy-to-use .NET types, such as pointers to structures. This is "handled" in the type library converter by just exporting them as IntPtr parameters, which means the caller has to manually marshal the data. Get this wrong and the tool crashes.
  • Any structures need to be accurately laid out so the native marshaler can read and write to the correct field locations. Get this wrong and the tool crashes.
  • Did I mention that if you get this wrong the tool crashes?

Fortunately I already had a solution: my sandbox library already had the ability to dynamically generate a .NET class from parsed NDR data. In fact I was already using the library to parse the NDR data for proxies, so I realized I could repurpose the existing client builder for COM proxy clients. I needed to do some simple refactoring of the code to make it build from a COM proxy instance rather than an RPC server, but I quickly had an RPC client. This RPC client doesn't directly interact with any native marshaling code, so it's unlikely to crash. Also, any complex structures are built in a way which makes them easy to modify from .NET, removing the problems around pointers. One issue with the RPC client method is that, while the same COM interface can be implemented by both in-process and out-of-process objects, the client only works when the object is accessible via a proxy. Due to the way COM is designed a caller usually doesn't need to care where the object is, but here it matters. This isn't that big an issue: there's no security boundary between in-process COM objects, so being able to call methods on them isn't that interesting.

The next problem was the RPC transport. COM calls have an additional input and output parameter, the ORPCTHIS and ORPCTHAT structures, that need to be added to the call. These parameters could have been added to the RPC client, but it seemed best to keep the clients agnostic of the transport. Instead, as my RPC code has pluggable RPC transports, I was able to implement a custom version on top of the existing ALPC and TCP transports which adds the additional parameters to any call. That wasn't the end of it though: ALPC needs an additional pair of parameters, LocalThis and LocalThat, which are potentially different depending on the version of Windows. You also need to add support for additional services such as the OXID resolver and communication with the local DCOM activator. While I implemented all this it wasn't as reliable as I'd like; however, it's still present in the source code if you want to play with it.

As an aside, I should point out that Clement Rouault, one of the original researchers into the ALPC RPC protocol, by whose work parts of my own implementation are inspired, recently released a very similar project for their Python tooling which implements the ALPC DCOM protocol.

I decided that I'd need a different approach. In the COM runtime the RPC channel used by a proxy instance is represented by the IRpcChannelBuffer interface. An object implementing this interface is connected to the proxy during initialization; it is then used to send and receive NDR formatted data between the client and the server. The implementation handles all the idiosyncrasies, such as the additional parameters, OXID resolving and reference counting. If we could get hold of a proxy object's instance of the IRpcChannelBuffer object we could use that instead of implementing our own protocol; the challenge was how to get it.

After a bit of research I found that we can use the documented NdrProxyInitialize function to get hold of the interface from its MIDL_STUB_MESSAGE structure by passing in the interface pointer to a proxy. While it wouldn't be as flexible as a fully custom implementation this gave me an easy way to handle the transport without worrying about platform or protocol differences. It could also work from an existing COM object, just query the appropriate interface, extract the buffer and make calls to the remote server.

Of course nothing is that simple. I discovered that while the IRpcChannelBuffer object is a COM object, it has a broken implementation of IMarshal. As .NET's COM interop tries to query for IMarshal when generating a Runtime Callable Wrapper, it will immediately crash the process. I had to manually dispatch the calls to its methods through native delegates, but at least it works.

Calling Interface Methods

Okay, so how do you use the tool to call arbitrary methods? For the GUI it works like it always has: when you create an instance of a COM object, usually by right clicking an entry in a view and selecting Create Instance, you'll get a new object information window similar to the following:

At the bottom of the window is a list of supported interfaces. The right column indicates whether there's a viewer for that interface. If it's set to Yes, then you can double click it to bring up an invocation window like the following:

From this window you can double click a method to bring up a new dialog where you can specify the arguments and invoke the method as shown below.

Once invoked it'll show the resulting output parameters and, if the return value is an integer, will assume it's an HRESULT error code. These windows are the same for "reflected" interfaces, such as type libraries and Windows Runtime interfaces, as well as proxy clients. The names of proxy methods won't be automatically updated if you change them while the interface window is open. You'll need to go back to the object information window and double click the interface again to get it to recreate the client.

For PowerShell you can specify an Iid argument when using the New-ComObject command or use the Get-ComObjectInterface command to query an existing COM object for a new interface. The tooling will pick the best option for calling the interface from the options available to it, including generating the RPC client dynamically.

PS> $obj = New-ComObject -Clsid 4991D34B-80A1-4291-83B6-3328366B9097
PS> $test = Get-ComObjectInterface $obj -Iid 51A183DB-67E0-4472-8602-3DBC730B7EF5
PS> $test.GetBitsDllPath()

DllPath                      retval
-------                      ------
c:\windows\system32\qmgr.dll      0

To make it easier to call interface methods from PowerShell, the exposed methods on the object are modified to wrap output parameters in a single return value. You can see this in the listing above: the DllPath parameter was originally an output-only parameter. Rather than deal with that in the script, a return structure was automatically created containing DllPath as well as the HRESULT return value (retval). If a parameter is both input and output then the method signature accepts the input value and the return value contains the output value.
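An added example (not code from the original post or from OleView.NET) that builds on the wrapped-return-value convention just described: a generic invoke-and-check helper which calls a method on a generated client by name, reads the HRESULT from the retval member, decodes it, and keeps failures as data rather than exceptions, which is what you want when probing methods with unexpected inputs. The client object, the IBitsTest1 IID and the GetBitsDllPath method are the ones from the listing above; the helper's own name and parameters are mine.

```powershell
# Added example, not code from the original post or from OleView.NET.
# Relies on the convention above: each generated method returns an object with a
# 'retval' HRESULT member plus one member per output parameter.

function Invoke-ComMethodChecked {
    param(
        [Parameter(Mandatory)]$Client,          # object from Get-ComObjectInterface
        [Parameter(Mandatory)][string]$Method,
        [object[]]$Arguments = @()
    )
    $m = $Client.PSObject.Methods[$Method]
    if (-not $m) { throw "Method '$Method' not found on client" }

    $result = $m.Invoke($Arguments)
    $hr = [int]$result.retval

    # GetExceptionForHR returns $null for success codes (S_OK, S_FALSE, ...),
    # so only decode a message when the HRESULT's severity bit is set.
    $message = if ($hr -lt 0) {
        [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
    } else { 'Success' }

    $status = [pscustomobject]@{
        Method  = $Method
        HResult = ('0x{0:X8}' -f $hr)
        Success = ($hr -ge 0)
        Message = $message
        Outputs = $result                        # the wrapped [out] parameters
    }
    if (-not $status.Success) {
        # A failing HRESULT is a finding, not a script error: warn and return it.
        Write-Warning "$Method failed: $($status.HResult) $message"
    }
    $status
}

# Usage with the BITS test interface from the listing above:
#   $obj  = New-ComObject -Clsid 4991D34B-80A1-4291-83B6-3328366B9097
#   $test = Get-ComObjectInterface $obj -Iid 51A183DB-67E0-4472-8602-3DBC730B7EF5
#   $r = Invoke-ComMethodChecked -Client $test -Method GetBitsDllPath
#   $r.Outputs.DllPath        # the [out] parameter, unwrapped from the return object
```

Because the method is looked up through PSObject.Methods, the same helper works for reflected type-library or Windows Runtime interfaces as well as for the dynamically generated proxy clients, as long as the method was wrapped to return retval.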

If the definitions for your interface don't already exist you can import them into the tool to be used by the automatic interface selection. To do this you'll need to define the interfaces as .NET types and compile them into an assembly. Then in the GUI use the File→Import Interop Assembly menu option, or for PowerShell use the Add-ComObjectInterface command. Both of these options allow you to specify that the assembly should be loaded automatically the next time you start the tool. This makes a copy of the DLL in a central location so that it can be accessed even if you delete the original library later.

If all you have is an IDL file for a set of COM interfaces you can import them into the tool indirectly with help from the Windows SDK. First compile the IDL file using the MIDL compiler to generate a type library, then use the TLBIMP command to generate an interop assembly from the type library. Finally, import it using the methods in the previous paragraph.
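The import route from the two paragraphs above, as an added example (not code from the original post or from OleView.NET): IBitsTest1 is defined as a .NET COM interface, using the IID and the renamed method signature from the proxy listing earlier on this page, compiled to an interop assembly with Add-Type -OutputAssembly, and handed to the tool. The -Path parameter name on Add-ComObjectInterface is an assumption on my part; check Get-Help Add-ComObjectInterface for the real one. The IDL route at the end uses the documented midl /tlb and tlbimp /out: switches.

```powershell
# Added example, not code from the original post or from OleView.NET.
# Defines a COM interface as a .NET type, compiles it, and imports it into the tool.

$source = @'
using System;
using System.Runtime.InteropServices;

[ComImport]
[Guid("51A183DB-67E0-4472-8602-3DBC730B7EF5")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]   // IUnknown-derived: vtable order = proxy order
public interface IBitsTest1
{
    // [out, string] wchar_t**: the server allocates with CoTaskMemAlloc and the
    // CLR marshaler frees it. PreserveSig keeps the raw HRESULT instead of
    // turning failures into exceptions, matching the tool's retval convention.
    [PreserveSig]
    int GetBitsDllPath([MarshalAs(UnmanagedType.LPWStr)] out string DllPath);
}
'@

$dll = Join-Path $env:TEMP 'BitsTest.Interop.dll'
Add-Type -TypeDefinition $source -OutputAssembly $dll
Add-ComObjectInterface -Path $dll      # parameter name assumed; see lead-in

# Alternative when all you have is an IDL file (Windows SDK tools on PATH):
#   midl.exe bitstest.idl /tlb bitstest.tlb
#   tlbimp.exe bitstest.tlb /out:BitsTest.Interop.dll
#   Add-ComObjectInterface -Path .\BitsTest.Interop.dll
```

Getting the vtable order or a parameter's marshaling wrong here has the same consequence the post describes for hand-written interop: the native marshaler reads the wrong memory and the tool crashes. For proxies the generated RPC client is the safer choice; the hand-written .NET interface is for interfaces the tool has no definition for at all.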

There's plenty to discover in OleView.NET which I've not covered here. I'd encourage you to play around, or check out the source code on GitHub.

Category: Hacking & Security

New stealthy Pumakit Linux rootkit malware spotted in the wild

Bleeping Computer - 12 December, 2024 - 23:35
A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems. [...]
Category: Hacking & Security

Police shuts down Rydox cybercrime market, arrests 3 admins

Bleeping Computer - 12 December, 2024 - 23:11
International law enforcement operation seizes the Rydox cybercrime marketplace and arrests three administrators. [...]
Category: Hacking & Security

New IOCONTROL malware used in critical infrastructure attacks

Bleeping Computer - 12 December, 2024 - 21:46
Iranian threat actors are utilizing a new malware named IOCONTROL to compromise Internet of Things (IoT) devices and OT/SCADA systems used by critical infrastructure in Israel and the United States. [...]
Category: Hacking & Security

US offers $5 million for info on North Korean IT worker farms

Bleeping Computer - 12 December, 2024 - 21:24
The U.S. State Department is offering a reward of up to $5 million for information that could help disrupt the activities of North Korean front companies and employees who generated over $88 million via illegal remote IT work schemes in six years. [...]
Category: Hacking & Security

Microsoft: No support or updates for Windows 11 PCs without minimum hardware requirements

Computerworld.com [Hacking News] - 12 December, 2024 - 21:18

Microsoft has offered a minuscule concession to users determined to install Windows 11 on PCs that don’t meet its minimum hardware requirements: you will be able to do it, but on your own head be it should things go wrong.

The apparent moderation of its previously hardline upgrade policy appeared on a support page update which lists the numerous disadvantages of pressing ahead with Windows 11 on an unsupported system.

These include unspecified compatibility problems, and a watermark noting a PC’s non-compliant status that will appear on the Windows 11 desktop. More significantly, it states:

“If you proceed with installing Windows 11, your PC will no longer be supported and won’t be entitled to receive updates.”

This is unambiguous – no security updates. And that’s in addition to the rather alarming warning that any “damages to your PC due to a lack of compatibility aren’t covered under the manufacturer warranty.”

Those are serious gotchas, the same ones Microsoft has been warning about for some time. Only a week ago, a blog by Microsoft senior program manager Steven Hosking described the most important element of the Windows 11 requirements, support for Trusted Platform Module (TPM) 2.0, as “non-negotiable.” That remains the case.

Not sugarcoating it

What has changed? Despite some optimistic news reporting on this issue, nothing. Microsoft doesn’t want users to upgrade to Windows 11 on unsupported hardware, but is now acknowledging that some people will push ahead regardless. That being so, it wants to tell them what might happen, so they can’t say they weren’t warned.

The date Windows 10 is due to stop receiving updates, Oct. 14, 2025, remains the same. Upgrading to Windows 11 without meeting the hardware requirements won’t change the negative consequences of this. Nor does the update explain how users can bypass the minimum requirements, should they choose to do so.

Importantly, users who regret upgrading will only have ten days to revert to Windows 10. After that, the files enabling this function will be deleted to save disk space, and the “go back” button in Recovery options will disappear.

Microsoft also doesn’t elaborate on what it means by Windows 11 “compatibility issues,” so this is a matter of guesswork. However, it’s possible to imagine that new features that assume a TPM is available could cause instability on a machine lacking this facility. It could also affect drivers for older hardware no longer supported in Windows 11, although this would be likely to be an issue over the longer term.

Meet the TPM

Microsoft’s minimum requirements for Windows 11 cover several hardware components, including having enough RAM and a powerful enough microprocessor. But the most contentious issue is whether a PC contains or supports a Trusted Platform Module (TPM), specifically version 2.0, released in 2014.

A TPM is a secure enclave for storing data such as cryptographic keys, certificates, and biometric information fundamental to the security of a PC, including the keys required for low-level PC checks such as Secure Boot, or for the use of Microsoft’s BitLocker in its more secure mode. Having one is somewhere between a good idea and essential, as more and more software systems going forward assume one will be there at the root of trust. For a summary of the arguments in favor of upgrading to a system with TPM 2.0, Hosking’s blog is a good place to start.

When it comes to TPMs and Windows, PCs divide into three categories, the first of which supports the functionality using a TPM 2.0 chip installed on the motherboard. The second doesn’t have a TPM chip, but can either have one installed using a chip upgrade kit from the motherboard vendor or can have TPM enabled through firmware at UEFI level. The third are PCs that don’t support either option, which means they can’t be upgraded to Windows 11 without a registry hack.

Intel and AMD PCs from about 2017 onwards should support a hardware or software TPM 2.0, while earlier ones going back to Intel’s Skylake 6th generation in 2015 might do so, depending on the specific processor and support at motherboard and UEFI level.
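As an added example, not from the article, the following PowerShell readiness check maps a PC onto the three categories above using only what Windows itself exposes. It assumes an elevated session on Windows 10 or 11, where the Win32_Tpm CIM class, Get-Tpm and Confirm-SecureBootUEFI are available; the category labels and the firmware-TPM vendor heuristic are my own.

```powershell
# Added example, not part of the article. Classifies this PC into the three TPM
# categories described above, using only what Windows exposes. Assumes an
# elevated session on Windows 10/11 (Get-Tpm and Win32_Tpm need admin rights).

function Get-Windows11TpmCategory {
    [CmdletBinding()]
    param()

    # Win32_Tpm is only instantiated when Windows can see a TPM, discrete or firmware.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    # Secure Boot is a separate UEFI property; the cmdlet throws on legacy BIOS boots.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    if (-not $tpm) {
        # Nothing visible: category 2 (firmware TPM switched off in UEFI setup, or an
        # empty header for an add-on module) or category 3 (no option at all). The OS
        # cannot tell these apart; the next stop is UEFI setup or the board vendor's docs.
        return [pscustomobject]@{
            Category    = '2 or 3'
            TpmPresent  = $false
            SpecVersion = $null
            TpmReady    = $false
            SecureBoot  = $secureBoot
            Note        = 'No TPM visible to Windows; check UEFI setup for a firmware TPM option or a vendor module.'
        }
    }

    # SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the TCG spec level.
    $spec  = ($tpm.SpecVersion -split ',')[0].Trim()
    $ready = $false
    try { $ready = [bool](Get-Tpm).TpmReady } catch { }

    # Heuristic (assumption, not from the article): an Intel or AMD manufacturer ID
    # usually means a firmware TPM (PTT/fTPM), i.e. a category 2 machine with the
    # option already enabled, rather than a discrete chip on the board.
    $firmwareTpm = $tpm.ManufacturerIdTxt -in @('INTC', 'AMD')

    if ($spec -eq '2.0') {
        $cat  = if ($firmwareTpm) { '2 (firmware TPM enabled)' } else { '1' }
        $note = if ($ready) { 'TPM 2.0 present and ready.' }
                else { 'TPM 2.0 present but not ready; it may still need enabling in UEFI setup.' }
    } else {
        $cat  = '2 or 3'
        $note = "TPM $spec present, but Windows 11 requires 2.0; check whether a firmware TPM 2.0 option exists."
    }

    [pscustomobject]@{
        Category    = $cat
        TpmPresent  = $true
        SpecVersion = $spec
        TpmReady    = $ready
        SecureBoot  = $secureBoot
        Note        = $note
    }
}

Get-Windows11TpmCategory | Format-List
```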

Extended support

For anyone who doesn’t want the risk of a Windows 11 upgrade on unsupported hardware, or just prefers Windows 10, after October 2025 the most secure option will be to pay for an Extended Security Updates (ESU) subscription at an unconfirmed cost of $30 per annum for individuals. That way, updates won’t disappear abruptly, putting the PC in peril as vulnerabilities pile up over time.

Not surprisingly, a lot of users are happy with the status quo and don’t feel they should be forced to upgrade to Windows 11 or to pay to remain on Windows 10. This, arguably, is Microsoft’s fault. It hasn’t always clearly explained the benefits of its minimum requirements. That, unfortunately, includes explaining why TPM 2.0 is a good idea, and how its software increasingly depends on it for security.

Category: Hacking & Security

Apple updates MDM tools for new Apple Intelligence features

Computerworld.com [Hacking News] - 12 December, 2024 - 20:10

Apple has introduced significant improvements for enterprise IT admins in the newly-released iOS 18.2, including the power to manage the latest salvo of additional Apple Intelligence features and more. Here’s a swift look at what’s new.

Giving you control of Apple Intelligence

Apple’s approach to generative AI (genAI) is all about combining convenience with privacy. That means it has built large language models (LLMs) that work on the device, supplemented by cloud-based models that run on highly secure Apple servers in its data centers, and partnerships with third-party services to handle tasks the company’s own models can’t accommodate.

That last thing — use of third-party services — is where some Apple customers might need reassurance. That’s because people might at times share what should be confidential data with these services, which could place companies or individuals at risk of running afoul of data protection laws. Apple has only one genAI partner at this time, OpenAI, and to help mitigate such issues the ChatGPT developer says it does not keep private information pertaining to a request. With cloud queries heavily encrypted, Apple keeps no information at all, which is part of the attraction of using its own LLM models, and users can choose not to work with ChatGPT at all, if they prefer.

But what about unauthorized use of ChatGPT? Or even Apple’s own genAI models? Is there any way a data security-conscious company can try to protect its data against unauthorized sharing?

Now, there is. Starting in iOS 18.2, Apple has, as promised, introduced tools that let Mobile Device Management (MDM) services manage all the latest Apple Intelligence integrations, including ChatGPT, which itself includes search.

What this means is that IT admins can permit use of some, none, or all of the available Apple Intelligence tools, including the capacity to generate images in Image Playground. How this control is made available will likely differ between MDM providers, but you should see tools to manage iOS 18.2’s newly-added Apple Intelligence features arrive in your management console soon. Apple introduced MDM controls for Writing Tools, Mail summarization, phone call recording, and hiding apps in iOS 18.1.

Setting a default browser

While it took time to be convinced, Apple is beginning to allow people to use more browsers than before, potentially opening up competition in the browser industry. The thing is, not all browsers are created equal and it’s possible that some companies might require employees to use a specific browser on a managed device. This has now been made possible with an MDM tool that lets admins set a default browser and prevent users from modifying that browser, or choosing an alternative. (This should help companies maintain specified browser security policies, for example.)

What else is new?

These additions supplement an earlier wave of enterprise-focused admin enhancements introduced with iOS 18.1. 

  • Hardware-based MFA in Safari is now more reliable when used with security keys.
  • You can disable RCS messages on managed devices — essential, given the standard doesn’t yet support encryption.
  • It is possible to prevent users from deactivating VPN use on a per-app basis.
  • Admins can prevent apps from being locked or hidden by users.
  • Service discovery in enrollment can request well-known resources from alternative locations specified by MDM.

Tell it from the rooftops

Each time Apple makes one of these iterative enhancements for enterprise deployments of its devices, it shows the extent to which it now deeply supports enterprise markets. If I’m honest, the company should try to make more out of this, particularly as its approach toward building an ecosystem for trusted AI marries so well and so deeply with its existing reputation around security, ease-of-use, customer satisfaction, employee loyalty and TCO advantages in contrast to other platforms. 

But for most admins, the critical piece in the company’s most recent MDM updates will likely be the control it gives them over Apple Intelligence, which should reassure business users that limited deployment of these tools can be accomplished in a deliberate and responsible manner.

You can follow me on social media! Join me on BlueSky, LinkedIn, Mastodon, and MeWe

Category: Hacking & Security

Cleo patches critical zero-day exploited in data theft attacks

Bleeping Computer - 12 December, 2024 - 18:03
Cleo has released security updates for a zero-day flaw in its LexiCom, VLTransfer, and Harmony software, currently exploited in data theft attacks. [...]
Category: Hacking & Security

Spain busts voice phishing ring for defrauding 10,000 bank customers

Bleeping Computer - 12 December, 2024 - 17:44
The Spanish police, working with colleagues in Peru, conducted a simultaneous crackdown on a large-scale voice phishing (vishing) scam ring in the two countries, arresting 83 individuals. [...]
Category: Hacking & Security

Bitcoin ATM firm Byte Federal hacked via GitLab flaw, 58K users exposed

Bleeping Computer - 12 December, 2024 - 17:02
US Bitcoin ATM operator Byte Federal has disclosed a data breach that exposed the data of 58,000 customers after its systems were breached using a GitLab vulnerability. [...]
Category: Hacking & Security

Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online

The Hacker News - 12 December, 2024 - 15:24
Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks. "Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API
Category: Hacking & Security

Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States

The Hacker News - 12 December, 2024 - 14:35
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both
Category: Hacking & Security

Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS

The Hacker News - 12 December, 2024 - 13:35
Details have emerged about a now-patched security vulnerability in Apple's iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control (TCC) framework and result in unauthorized access to sensitive information. The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved
Category: Hacking & Security

SaaS Budget Planning Guide for IT Professionals

The Hacker News - 12 December, 2024 - 12:30
SaaS services are one of the biggest drivers of OpEx (operating expenses) for modern businesses. With Gartner projecting $247.2 billion in global SaaS spending this year, it’s no wonder SaaS budgets are a big deal in the world of finance and IT. Efficient SaaS utilization can significantly affect both the bottom line and employee productivity. In this article, we’ll break down this topic
Category: Hacking & Security

Kazakhstan’s Carpet CCTV: Pioneering the future of AI-powered public safety

Computerworld.com [Hacking News] - 12 December, 2024 - 12:02

In a world where technology increasingly shapes how cities manage safety and security, Kazakhstan’s Ministry of Internal Affairs is leading the way with its groundbreaking “Carpet CCTV” project. This ambitious initiative has revolutionized public safety by combining a massive surveillance network with advanced analytics and artificial intelligence, creating a system that shifts the focus from reactive responses to proactive prevention.

Over the past four years, the scope of Kazakhstan’s surveillance infrastructure has expanded dramatically. The number of cameras has grown from just 40,500 to an impressive 1.3 million, with 313,000 cameras now directly accessible to police. These cameras are strategically positioned to monitor key areas, enhancing law enforcement’s ability to detect, prevent, and respond to incidents in real time. The system has already shown its effectiveness: since early 2024, it has detected over 8,200 criminal offenses and recorded 7.1 million traffic violations, resulting in significant improvements in public safety and road management.

At the heart of this transformation is the use of artificial intelligence. By integrating cutting-edge technologies such as facial recognition, license plate detection, and crowd monitoring, the system provides actionable insights that allow authorities to address risks before they escalate. For example, facial recognition capabilities enable real-time identification of persons of interest, while AI-powered traffic monitoring contributes to improved road safety and generates public revenue through fines. These features highlight the system’s ability to go beyond passive recording, transforming it into a dynamic tool for crime prevention and urban management.

The implementation of the Carpet CCTV project, however, was not without challenges. Managing the enormous volume of data generated by over a million high-definition cameras required significant upgrades in communication networks and data storage infrastructure. The integration of public and private camera networks demanded a unified approach to data sharing and management, while privacy concerns necessitated robust regulatory frameworks to ensure citizen trust. Through a combination of strategic planning, public-private partnerships, and transparent communication, the Ministry successfully addressed these obstacles, setting a model for other nations to follow.

One of the project’s most significant achievements lies in its deterrent effect. Administrative offenses, such as public disturbances, have decreased sharply, indicating that the visible presence of surveillance cameras is influencing behavior. This demonstrates the power of technology not just to react to incidents, but to prevent them altogether. Furthermore, the use of video evidence has increased case resolution rates, further solidifying the system’s impact on law enforcement effectiveness.

Looking ahead, Kazakhstan plans to build on the success of Carpet CCTV by expanding its geographic coverage and enhancing its analytical capabilities. New developments will focus on leveraging advanced AI to improve the accuracy and scope of surveillance, while also incorporating adaptive privacy measures to protect civil liberties. This forward-thinking approach ensures the system remains at the forefront of public safety technology, balancing innovation with accountability.

Kazakhstan’s Carpet CCTV project represents more than just an investment in technology—it’s a vision for smarter, safer cities. By blending state-of-the-art solutions with thoughtful governance, the Ministry of Internal Affairs has created a system that not only addresses today’s challenges but also lays the groundwork for a secure and sustainable future.

Category: Hacking & Security

Enterprise buyer’s guide: How to choose videoconferencing software

Computerworld.com [Hacking News] - 12 December, 2024 - 12:00

When most businesspeople think of videoconferencing software, the first thing that comes to mind is probably Microsoft Teams or Zoom, but there are many other choices, each with its own strengths. Sometimes the choice of what tool to use comes down to what’s standard corporate issue — more often than not, that’s Teams — but it’s not uncommon for businesses to use a mix of tools.

“Some organizations don’t want to be reliant on Microsoft for everything, or sometimes an executive likes another tool better,” says Will McKeon-White, senior analyst for unified communications and conversational AI at Forrester Research.

In this buyer’s guide
  • Videoconferencing software: What it is, why enterprises need it
  • Current trends in videoconferencing software
  • What to look for in videoconferencing software
  • Before you shop: Key questions to ask yourself and your stakeholders
  • Key questions to ask videoconferencing vendors
  • 14 videoconferencing tools to consider
Videoconferencing software: What it is, why enterprises need it

Videoconferencing services enable users to conduct online video meetings with one or more people who may join the call from their computers, phones, tablets, and room conferencing systems. They integrate with calendaring software for scheduling purposes, and usually include an audio call-in option, screen-sharing capabilities, and nonverbal communication features such as text chat, whiteboarding, and the ability to add reaction emojis.

Business-grade tools also allow for administrative controls that restrict who can join and what can be shared, and offer enhanced security features such as multifactor authentication (MFA), bring your own key (BYOK) end-to-end encryption, and single sign-on (SSO). Many videoconferencing systems integrate with conference room video hardware from the same vendor and/or third-party vendors.

Videoconferencing software has long been a useful tool for remote employees who needed to engage with their teams, and it was a nice-to-have for communicating with customers and partners when face-to-face meetings were impractical. Then, in 2020, everything changed. Videoconferencing rose to critical infrastructure status when, during the COVID-19 pandemic, nearly all office employees suddenly found themselves working from home. Licensing of videoconferencing software and services soared — Zoom nearly doubled its revenue in 2021 — and innovation increased as vendors competed for a piece of a much larger pie. The software saw rapid improvements as vendors raced to add new features, including better audio and video quality and enhanced security.

Nearly five years later, large numbers of employees have returned to the office, but many still telecommute one or more days per week. Videoconferencing software remains an essential part of business communications.

Current trends in videoconferencing software

Nowadays, videoconferencing software may seem like a well-defined, mature product space, but change is still afoot. “The weird thing about the videoconferencing software market is that it’s being subsumed into unified communications [UC],” says McKeon-White.

IDC’s term for this software category is unified communications and collaboration (UC&C), which the research firm describes as “an advanced telephony solution integrated with messaging (i.e., email, voice, and fax), instant messaging (IM) or chat, presence, and conferencing platforms for web conferencing, audioconferencing, and/or videoconferencing.” Many UC&C suites include additional collaboration features such as file sharing and virtual whiteboards. And while chat sessions in traditional, standalone videoconferencing systems typically end when the call terminates, vendor-hosted UC as a service (UCaaS) systems often include persistent chat functions that continue even after a videoconferencing session ends.

Like Forrester, IDC says most standalone videoconferencing software is being folded into larger UC&C suites. Videoconferencing apps are also found in productivity app suites such as Microsoft 365 and Google Workspace, which is one reason why Microsoft Teams has dominated the space. It has a 44.7% share of the $69 billion UC&C software market, according to IDC, while Zoom, its nearest competitor, sits at 6.4%.

That domination was also driven by the fact that, until this year, Microsoft bundled Teams with most Microsoft 365 licenses. “That got pushback from regulators,” Forrester’s McKeon-White says, so now new enterprise customers must pay $5.25 per user per month for Teams as an add-on. “But most companies already have Teams now and can purchase it through existing licenses,” he adds.

Innovative AI-based features such as real-time transcription, text insertion, and multiparty translation have also changed the user experience, according to McKeon-White. With some products, “each user can see a translation of what’s said in their native language through captioning. That’s happening now,” he says.

Another feature, image upscaling, sends lower-resolution audio and video to other participants’ devices, which can then “upscale” the quality. “It’s much easier now to have a smooth experience over poor connections,” McKeon-White says.

Finally, emerging AI features are “closing the loop between what users say in a videoconferencing session and action items,” he says. For example, if a participant needs to look up an account record in the CRM system to determine its status, “a bot says, ‘Would you like me to do that for you?’ or it identifies that it needs to be done and pulls the record right into the conversation.” It can do so by rendering the CRM interface right into a chat window or by extracting the information and presenting it.

Early experiments with AI didn’t go well because the AI didn’t comprehend exactly what people were asking in conversation, but the technology has seen “massive improvements” of late, McKeon-White says. While vendors are still experimenting with this function, you can expect to see more and better capabilities like this going forward, he says.

What to look for in videoconferencing software

Every vendor offers similar features, but the user experience can vary significantly. Consider both user familiarity with a given tool and whether the user experience is “good enough.” If it doesn’t meet expectations, some users may turn to more familiar, easy-to-use options such as Zoom.

“I see standardization on Teams,” McKeon-White says, but sometimes an exception is better for the business, such as when communicating with people in external organizations who use different software.

While a company standard is good to have, there’s no reason to force everyone to use one videoconferencing service exclusively, says Jitesh Gera, research manager for UC&C at IDC. It’s OK to opt for different tool choices that meet the needs of each kind of user, such as for sales, customer service, developers, or IT.

Consider whether a given tool is the dominant one in your industry. For example, Zoom has a big footprint in healthcare and financial services, for Cisco it’s government, GoTo is the preference for IT teams because of its advanced screen-share capabilities, and Microsoft is virtually everywhere, says McKeon-White. And some tools offer Slack integration that lets users keep an audio or video line open while working on their own screens. That “more Discord-like experience” is a plus for software development teams, he says.

Also, consider how well a product fits in with your UC&C suite, and what new and innovative AI-based features may be available or planned.

Finally, the videoconferencing software you choose needs to integrate well with your existing meeting room conferencing systems. “Companies have started to prioritize AI meeting room videoconferencing capabilities such as adaptive speaker framing [which zooms in on the participant who’s talking], multiple camera layouts, and virtual meeting zones,” which are the top three factors when choosing a UC&C system, says Gera.

Before you shop: Key questions to ask yourself and your stakeholders
  • Do you already have software that you can use for videoconferencing? For example, is there a videoconferencing component in your UC&C suite?
  • Are there needs that aren’t being met by your current solution? Is the tool currently in use easy to use, or do users dislike the user experience so much that they turn to other videoconferencing options?
  • What types of communication needs does your organization have? Do they include internal only or also internal-to-external partners and customers? Are there specific needs for certain groups, such as sales, finance, IT, or software engineering?
  • What types of room conferencing system hardware do you have and what are the compatibility options for videoconferencing software?
  • What’s your budget?
Key questions to ask videoconferencing vendors
  • How effective is the videoconferencing software at enhancing productivity and collaboration? Do you have any metrics?
  • In what ways is the experience better than the product(s) my organization already has?
  • Is the software easy to use? How many clicks does it take to start a meeting?
  • Does it support screen sharing?
  • Is there a whiteboard function?
  • Are there browser, desktop, and mobile app options?
  • Does it integrate with my organization’s calendaring system and other key systems, such as our project management software?
  • Does it integrate seamlessly with our room conferencing system hardware?
  • How do you secure it for enterprise use? Does it support SSO? MFA? LDAP? Watermarking for shared documents? What type of encryption is offered? Does it support BYOK encryption?
  • What administrative and data access controls does the software offer? For example, does it offer data sensitivity labeling, and can we restrict user or group access to specific documents?
  • What regulatory compliance standards does it meet?
  • What session quality enhancements does it support (image blurring, noise suppression, image upscaling, etc.)?
  • Does it support session recording and retention policies?
  • What is the vendor’s feature road map and plan for AI evolution? “Are they too dependent on external providers for AI? If so, they may not be very innovative,” says Gera.
  • Does the software have features specifically tailored to my industry vertical?
  • Where is data associated with videoconferencing sessions routed and hosted geographically? “We’ve seen instances where traffic was routed through countries that were less than desirable,” says McKeon-White.
  • What are the uptime and reliability guarantees?
  • Does the software support hybrid on-premises/cloud deployments for high availability? For example, Microsoft offers the Survivability Branch Appliance for Teams that can keep sessions going when the cloud-based service is unavailable.
  • What are my pricing options?
14 videoconferencing tools to consider

The top four videoconferencing software products by market share are Microsoft Teams, Zoom, Cisco Webex, and Google Meet, according to IDC and Forrester. Some tools are available only as part of broader UC&C offerings. Here’s a brief summary of products from 14 vendors, listed alphabetically, that have offerings in the videoconferencing services space.

8×8 Communications Platform

8×8’s videoconferencing software is just one feature of its 8×8 Communications Platform, a UC&C offering tailored to the needs of contact centers. It includes a 99.999% service level agreement with 24×7 technical support; can live stream meetings on YouTube; includes its own mobile, desktop, and web apps; and integrates with Teams as well as major CRM and service and support applications. The 8×8 Communications Platform supports polls and virtual break-out rooms for meetings; includes an intelligent assistant; and offers administrative controls, analytics, and reporting.

Alcatel-Lucent Enterprise Rainbow

Alcatel-Lucent Enterprise, the French telecommunications hardware and software company, describes its Rainbow offering as “a secure ‘à-la-carte’ cloud-based communications and collaboration platform.” It supports meetings of up to 120 participants and 12 simultaneous video streams; is compliant with ISO 27001, GDPR, and CCPA; and can be deployed in on-premises or hybrid configurations. It offers integrations for Microsoft Teams as well as on-premises telephone systems. Other options include a system designed for use in conference rooms and another designed for virtual classrooms.

Avaya Spaces

Avaya Spaces, Avaya’s UC&C platform, includes “one-click” voice and videoconference calling as well as text chat, and supports meetings with up to 1,000 people. It’s compatible with Google, Microsoft 365, Teams, Salesforce, and Slack and offers an API for custom integrations. Spaces can record meetings, has retention policy controls, is HIPAA and GDPR compliant, and offers single sign-on and encryption for data in transit and at rest.

AI-driven features include background noise cancellation, meeting transcription, and closed captioning. Users can connect via browser, desktop, or mobile app, with user interface versions available in 26 languages.

Cisco Webex Meetings

Webex Meetings is part of Cisco’s comprehensive UC&C suite that also includes calling, event management, whiteboards, polling, messaging, webinar support, and other features. The software integrates with a wide array of general-business and vertical-specific enterprise apps.

A free version supports meeting durations of up to 40 minutes. The entry-level paid version includes an AI assistant that can translate conversations through closed captions, write messages, and summarize meetings and messages. All versions offer end-to-end encryption and HIPAA/BAA compliance; the enterprise version is FedRAMP authorized and offers bring your own key end-to-end encryption and watermarking. Cisco also sells several Webex-compatible desktop and meeting room video hardware devices.

Dialpad

Dialpad’s videoconferencing service includes enterprise, small business, and free versions, with UC&C editions designed for general business, sales, and contact centers. “Dialpad is strong in chat intelligence…business analytics…international support and real-time user insights,” according to Forrester. It integrates with Google Workspace, Microsoft 365, Microsoft Teams, and several CRM tools, and includes AI-driven meeting and call transcription, screen and meeting recording, data retention policies, and analytics and reporting functions.

Dialpad adjusts video resolution to available bandwidth for each connection to reduce video freeze-ups. It can support up to 150 participants through browser, desktop, and mobile apps. A meeting room version is also available. Session encryption and single sign-on are supported, and Dialpad is HIPAA compliant.

Google Meet

Google’s cloud-based Google Meet videoconferencing software includes a free version that supports meetings up to one hour long. The Google One Premium version includes call recording, noise cancellation, and the ability to live stream meetings on YouTube. Chat is a separate app.

The business version, bundled into the Google Workspace collaboration suite, supports longer meetings, offers higher-quality video and includes meeting recording with transcripts. It works with Google’s Gemini AI assistant (which requires a separate subscription) for real-time translation and generating meeting summaries. The enterprise version of Meet includes more advanced security features such as bring your own key end-to-end encryption.

GoTo Meeting

GoTo Meeting (formerly LogMeIn), available in business and enterprise editions, is one element in a collaboration suite of UC&C offerings that also includes GoTo Webinars and GoTo Training. The GoTo UC&C offerings fall into three categories: business communications, contact centers, and IT management and support. The vendor promotes its security and privacy features (single sign-on, end-to-end encryption, HIPAA compliance, one-time meeting passwords, meeting locking) and 99.9999% uptime SLA.

Key features include recordings and transcriptions for meetings with up to 250 participants, background noise suppression, screen sharing, drawing tools, and virtual breakout rooms. GoTo Meeting also works with H.323-enabled room conferencing systems. A 14-day free trial version of GoTo Meeting Business is available.

Microsoft Teams

Microsoft’s Teams dominates in the enterprise videoconferencing space because it’s tightly integrated with Microsoft 365, the office productivity suite that many large organizations already use. Teams offers VoIP calling, webinar hosting, a whiteboard, and integration with PowerPoint, and it’s compatible with a wide range of room conferencing systems. Calls, meetings, chat sessions, and files can be encrypted.

Another element, Microsoft Mesh, creates “immersive 3D spaces” where participant avatars can interact in a virtual meeting room. The optional Microsoft 365 Copilot AI assistant can summarize, suggest action items, and provide real-time translation for videoconference and chat sessions.

Microsoft is “increasingly dictating the direction of the UCaaS market,” with many other vendors offering Teams integration, Forrester reports, although it adds that “licensing is needlessly complicated.” A basic version of Teams is available for free.

Mitel MiCollab

Videoconferencing is one element of the Mitel MiCollab UC&C suite, which includes voice, video, chat messaging, SMS messaging, web conferencing, and team collaboration tools. It can run on-site or over virtualized public or private cloud infrastructure. It integrates with the company’s business phone system offerings as well as Microsoft 365, Teams, and the Zoom Workplace Platform. MiCollab apps are available for Windows, macOS, and mobile devices.

Ooma Meetings

VoIP phone system provider Ooma offers Ooma Meetings as part of its Ooma Office Pro and Ooma Office Pro Plus collaboration and small business phone system services. It offers client software for macOS and Windows desktops as well as browser-based access. Features include a dashboard for scheduling meetings with up to 100 meeting participants, background noise cancellation, screen sharing, whiteboarding, chat, meeting recording (stored for three months), and integration with Microsoft and Google calendars.

RingCentral Video

UC&C platform vendor RingCentral offers a standalone enterprise edition of its videoconferencing offering, RingCentral Video Pro+, as well as a more limited, free version. Video Pro+ supports meetings of up to 200 participants for up to 24 hours’ duration. Features include a whiteboard, content sharing, meeting recording, a collaborative notes space, and background noise cancellation.

An AI assistant creates real-time closed captions, transcriptions, and meeting summaries. Security and administration features include end-to-end encryption, single sign-on, data retention policy controls, and usage and performance analytics. Versions for conference rooms and webinars are available as add-ons.

Vonage Meetings

Part of the Vonage Business Communications (VBC) software suite, Vonage Meetings supports meetings with up to 200 participants; includes chat, whiteboard, and recording features; integrates with both Google and Outlook calendars; and has desktop and mobile clients for macOS, Windows, iOS, and Android. Security and privacy features include support for SSO, MFA, and encryption. VBC is HIPAA and GDPR compliant.

Zoho Meeting

Zoho Meeting supports both videoconference meetings with up to 250 participants and webinars with up to 5,000 attendees for Windows, macOS, Android, and iOS devices. It integrates with the Zoho Workplace calendar and offers chat, digital whiteboards, screen sharing, session recording, virtual breakout rooms, live polls, and AI-generated meeting transcriptions and summaries.

Sessions can be streamed live on YouTube, and a version for meeting rooms is available as an add-on. It also offers session encryption and analytics for administrators. A feature-limited, free version supports up to 100 users per session for up to 60 minutes.

Zoom

Zoom, which rose to fame during the pandemic for its easy-to-use interface, remains a major player in the videoconferencing software space — Forrester says it offers a “best-in-class video experience.” Like its competitors, Zoom has expanded beyond video meetings, now offering a UC&C suite called Zoom Workplace that includes chat, a whiteboard, meeting recording, email, a calendaring system for scheduling, and Zoom Docs, a built-in document creation tool.

While consumers may gravitate to the basic, free version, the business versions allow for longer meetings and provide an AI assistant, Zoom AI Companion, that can summarize meetings (including a catch-up summary if a user comes into a meeting late), draft messages, and provide real-time translation. Zoom Phone, the company’s VoIP telephony offering, is included with enterprise Zoom Workplace subscriptions and available as an add-on for small-business plans.

A one-year subscription to Essential Apps, a set of third-party add-ons with functions ranging from meeting summarization to gamification to virtual breakout rooms, is also included with enterprise licenses, except for organizations in government, education, and healthcare. Bring-your-own-key end-to-end encryption is a standard feature.

Category: Hacking & Security

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

The Hacker News - 12 December, 2024 - 10:18
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations. "This flaw poses a significant security risk, as it
Ravie Lakshmanan
Category: Hacking & Security

Europol Dismantles 27 DDoS Attack Platforms Across 15 Nations; Admins Arrested

The Hacker News - 12 December, 2024 - 07:15
A global law enforcement operation has felled 27 stresser services that were used to conduct distributed denial-of-service (DDoS) attacks and took them offline as part of a multi-year international exercise called PowerOFF. The effort, coordinated by Europol and involving 15 countries, dismantled several booter and stresser websites, including zdstresser.net, orbitalstress.net, and
Ravie Lakshmanan
Category: Hacking & Security

Hunk Companion WordPress plugin exploited to install vulnerable plugins

Bleeping Computer - 12 December, 2024 - 00:28
Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. [...]
Category: Hacking & Security

Cynet Delivers 100% Protection and 100% Detection Visibility in the 2024 MITRE ATT&CK Evaluation

Bleeping Computer - 11 December, 2024 - 23:43
The 2024 MITRE ATT&CK Evaluation results are now available with Cynet achieving 100% Visibility and 100% Protection in the 2024 evaluation. Learn more from Cynet about what these results mean. [...]
Category: Hacking & Security