Security Flaw Found In Open Source Office Program LibreOffice

Do you use LibreOffice? It’s an open source office suite that’s functionally similar to Microsoft Office and has grown quite popular over the years. It is available for Windows, macOS and Linux systems.

While open-source software solutions generally have the reputation of being safer and more secure, they’re not immune to vulnerabilities.

Recently, a pair of serious unpatched code execution vulnerabilities has been discovered that could result in malware being installed on your system if you’re not careful. In order to take advantage of the flaw, a hacker would need to create a special “poisoned” LibreOffice document and use social engineering tricks to convince you to open it.

While the company behind LibreOffice moved quickly to patch their software, independent security researcher Alex Infuhr has reported that the patch only corrected one of the two issues. In addition, he was able to find a way around the company’s fix for the second.

The first vulnerability resides in LibreLogo, a programmable vector graphics script that ships by default with LibreOffice. It allows a document to specify pre-installed scripts that are executed on various events, such as a click or even a mouse hover.

The second issue could allow the inclusion of remote, arbitrary content within a document, even when “Stealth Mode” is enabled. Note, however, that Stealth Mode is not enabled by default; users can activate it to instruct documents to retrieve remote resources only from trusted locations. This is the issue that LibreOffice tried to fix but Infuhr found a way around.

If you want to protect your system from this issue, the best thing you can do is manually disable the LibreLogo component. Run the LibreOffice installer, then:

  • Select “Custom” installation
  • Expand “Optional Components”
  • Click on “LibreLogo” and select “This Feature Will Not Be Available.”
  • Then click “Next” and install the software.

That should take care of it!
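As an added example (not code from the article or from the LibreOffice project), a small Python scanner that flags ODF documents whose event listeners point at installed scripts, which is the document-side indicator of the LibreLogo issue described above. The PLACEHOLDER.py script name and both sample documents are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF 1.2 namespaces (element and attribute names follow the OpenDocument spec).
NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
SCRIPT_SCHEME = "vnd.sun.star.script:"  # URI scheme for installed macros/scripts


def find_script_listeners(odf_bytes):
    """Return (part, event, href) for each listener that runs an installed script."""
    # A script: href asks the suite to run a macro or script that ships with it
    # (LibreLogo among them) when the named event fires, e.g. on a mouse hover,
    # so a document carrying one is worth quarantining before anyone opens it.
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for part in [p for p in ("content.xml", "styles.xml") if p in pkg.namelist()]:
            root = ET.fromstring(pkg.read(part))
            for el in root.iter("{%s}event-listener" % NS_SCRIPT):
                href = el.get("{%s}href" % NS_XLINK, "")
                if href.startswith(SCRIPT_SCHEME):
                    event = el.get("{%s}event-name" % NS_SCRIPT, "")
                    findings.append((part, event, href))
    return findings


def build_odt(body_xml):
    """Constructed minimal ODT package with just the part the scanner reads."""
    content = (
        '<office:document-content xmlns:office="%s" xmlns:text="%s" '
        'xmlns:script="%s" xmlns:xlink="%s"><office:body><office:text>%s'
        "</office:text></office:body></office:document-content>"
        % (NS_OFFICE, NS_TEXT, NS_SCRIPT, NS_XLINK, body_xml)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()


# Constructed samples: a plain hyperlink, and one whose mouse-over event runs
# a placeholder installed script (PLACEHOLDER.py is not a real script name).
CLEAN_DOC = build_odt('<text:p><text:a xlink:href="https://example.com">link</text:a></text:p>')
SUSPICIOUS_DOC = build_odt(
    '<text:p><text:a xlink:href="https://example.com"><office:event-listeners>'
    '<script:event-listener script:event-name="dom:mouseover" xlink:href="'
    'vnd.sun.star.script:PLACEHOLDER.py$main?language=Python&amp;location=share"/>'
    "</office:event-listeners>link</text:a></text:p>"
)
```

Run `find_script_listeners` over any .odt/.ods/.odp bytes at a mail gateway or on a file share; an empty list means no installed-script listeners were found in the document body or styles.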


Undelivered Mail Notification Could Be A Phishing Scam

Hackers are always on the lookout for new ways to freshen up time-tested techniques. Where time-tested techniques are concerned, few are older than the humble phishing email.

In one form or another, it seeks to trick an unsuspecting user into innocently handing over sensitive information, like usernames and passwords, that the hacker can then use later for any purpose.

The latest variant on this old chestnut is to send what appears to be a legitimate email, politely informing the user that they’ve received a number of confidential emails that are currently being held for them on a server.  They’re given the choice to either refuse these messages, accept them, or delete them.

This is a case, however, of all roads leading to the same destination.  Whichever linked option is chosen, the user will be routed to a mock-up of a Microsoft Outlook login screen where the user will be prompted to enter his or her credentials.  As you might suspect, there are no actual emails, and the only purpose this box serves is to capture the information for later use.

If there’s a silver lining to this attack, it is that all of the samples that have been collected so far have the faux login box hosted on a hacked domain.  Careful users will quickly note that they haven’t been taken to Microsoft’s domain and the game will be up.

Unfortunately, ‘careful’ does not describe the vast majority of internet users, and this ploy has already taken in its fair share of victims.

Make sure your IT staff is aware of this latest iteration in the ongoing evolution of the phishing email. It wouldn’t hurt to send a company-wide communication to all employees so that it’s at the forefront of everyone’s minds.  It only takes one person to slip up and a hacker could gain access to your company’s network. That’s never a good thing.

Microsoft Says Office 365 Users Should Use Spam Filter

Microsoft recently updated their support page and offered additional guidance to network admins as it relates to Office 365’s built-in spam filters.  The gist of the update is that they strongly advise against turning the auto-filters off.

They provided some additional guidelines if you decide to bypass them for one reason or another.

Here are the most relevant portions of the recent update:

“If you have to set bypassing, you should do this carefully because Microsoft will honor your configuration request and potentially let harmful messages pass through.  Additionally, bypassing should be done only on a temporary basis.  This is because spam filters can evolve and verdicts could improve over time….”

If you decide you want or need to bypass anyway, the company offered the following additional suggestions:

  • Never put domains that you own onto the Allow and Block lists
  • Never put common domains, such as Microsoft.com and office.com onto the Allow and Block lists
  • Do not keep domains on the lists permanently, unless you disagree with the verdict of Microsoft

You and your IT staff are likely already aware of this. If not, Microsoft maintains a living document on their support website where they keep a comprehensive list of security best practices for Office 365.  If you haven’t seen it before, or if it’s been a while since you reviewed it, it pays to take some time to look it over.

On a related note, the company recently sent out a bulletin advising all Office 365 customers and admins to report junk email messages for analysis using the Microsoft Junk Email Reporting add-on. This is in order to help reduce the number and effect of future junk email messages.  If you and your team aren’t already in the habit of doing this, now is an excellent time to start.


New Microsoft Excel Feature Could Be Useful For Some

In the earliest days of the smartphone, there were only a few apps that people could use to perform genuinely useful work.  Sure, they were handy for keeping your contacts all in one place and reminding you of appointments, but beyond that, your pickings were fairly slim. That changed quickly with the explosion of apps that brought the smartphone into the mainstream.

In what felt like the blink of an eye, people suddenly found themselves able to leverage their phones to do a broad range of work from anywhere. While laptops are obviously still better for some things, the lines are continuing to blur.

Earlier this year, Microsoft took another step in that direction, adding an ‘Insert Data from Picture’ feature to Excel for Android devices, which suddenly opened a world of new possibilities for smartphone users. Unfortunately, Apple users were left out of the equation.

That, however, has changed.  Microsoft just announced that it’s porting the ‘Insert Data from Picture’ feature to the iOS system as well.  In fact, the process has already begun.

Whatever type of smart device you have, if you haven’t heard of the feature before now, here’s a quick overview:

  • Open Excel on your phone or tablet and tap the ‘Insert Data from Picture’ button
  • Tweak the capture field, zooming in on the data until a red border appears around it, then tap it to capture.
  • Excel will process the image data and convert it into a table.
  • From there, the software will give you an opportunity to correct any issues it discovered during the conversion process. You can choose to either ignore, edit, or correct it.
  • Once you’ve decided, press ‘Insert’ and Excel will finalize the data.

If you’re like most people, the first time you use it, you’ll wonder how you ever got along without it.  It is simply a superb addition to the software.

Email Providers Found To Have Signature Vulnerabilities

A team of security researchers has uncovered a serious flaw in several major email clients that you need to be aware of.

The flaw allows hackers to fake verified signatures, which gives their phishing and other email-based attacks the appearance of legitimacy.


According to research conducted by the team, the following email clients are vulnerable to this exploit:

  • Thunderbird
  • Apple Mail with GPGTools
  • iOS Mail
  • Microsoft Outlook
  • Mailpile
  • Roundcube
  • K-9 Mail
  • Airmail
  • MailMate
  • Evolution
  • KMail
  • GpgOL

What The Risks Are

Ostensibly, an email signature is supposed to provide end-to-end authenticity, legitimacy, and integrity.  When you receive an email containing a verified signature, it’s a sign that it’s from a safe, trusted source. Unfortunately, now that several of the largest and most widely used email clients have been found to be vulnerable to signature spoofing attacks, that’s out the window.  If you’ve been in the habit of scanning for a verified signature and then, upon finding one, assuming the email is safe, it’s simply no longer safe to do that.

The research team described their research in part, by saying the following:

“In our scenario, we assume two trustworthy communication partners, Alice and Bob, who have securely exchanged their public PGP keys or S/MIME certificates.  The goal of our attacker Eve is to create and send an email with arbitrary content to Bob, whose email client falsely indicates that the email has been digitally signed by Alice.

Our attack model does not include any form of social engineering.  The user opens and reads received emails as always, so awareness training does not help to mitigate the attacks.”

That’s dark news indeed, and even worse, a raft of CVEs have been opened to account for and fix the vulnerabilities that make this type of signature spoofing possible. However, there are no easy fixes here, and there’s no timetable at this point from any of these email providers on when or if the issues will be resolved.