I realise this was a long read and almost nobody read it, but I do feel like a career in cybersecurity is basically standing on a bridge watching it burn down, which feels like being quite a lonely voice.
The situation is not sustainable.
@HaifeiLi @GossiTheDog @EXPMON_ It seems that COM objects that present a property bag all seem to be safe for initialization with persistent data.
However the ability for Word to use whatever CLSID it wants still doesn't sit well with me.
e.g. if you opened a doc and Windows said disk full, would you believe it?
While analyzing ZLoader campaigns in early September, we observed a notable shift in delivery method: from the traditional email campaigns to the abuse of online ad platforms. Attackers purchased ads pointing to websites that host malware posing as legitimate installers.
With that one above, you can use things other than RAR - e.g. do an RTF file and stick the WSF (Windows Scripting Host file) code at the end. WSF will open any file type and run it, negates need for an untrusted ActiveX control.
Here is the Autodiscover issue 5 years ago, which Microsoft now claim they were unaware of. It was reported many, many times and has been through the SSIRP process before, too.
Fix the problem for customers instead of failing them and blaming others.
This is why Microsoft's response is completely unacceptable - LinkedIn is full of this crap. The press needs to properly investigate Microsoft's responses to security issues, to check they aren't deliberately misleading.
@Guardicore publishing Amit's article without using responsible disclosure caused you to lose credibility as a legitimate security research institution.
I'd pull your marketing team's publish rights and only post after C-level or Director approval.