Story image

Google fixes vulnerability in Apps Script - but SaaS is still at risk

15 Jan 18

Google has fixed a major risk in its Apps script that allowed automatic downloads of arbitrary malware to a user’s computer, through content hosted in Google Drive.

Security firm Proofpoint recently discovered a vulnerability that allows attackers to take advantage of Google Apps Script.

This vulnerability, in combination with social engineering scams that encourage victims to run the malware, is also able to be triggered without any type of user interaction.

“Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem,” the company says in a statement.

It says that the exploit begins through the upload of malicious files and malware executables on Google Drive. Attackers can set these to be made available through a public link.

“Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware. While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect,” the company says.

Because people often share legitimate links inviting them to edit Google documents, Proofpoint warns that email hygiene is critical.

As part of its fix for the vulnerability, Google has included restrictions that block phishing and malware attacks triggered by opening documents and through certains Apps Script events.

Google blocks installable triggers (customisable events that trigger automatic events) and simple triggers such as onOpen and onEdit from presenting custom interfaces in Docs editors in another user’s session, Proofpoint explains.

The company warns that users should be cautious about clicking doc links unless they know or can verify the sender.

“Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it; users should be wary of files automatically downloaded by web-based or SaaS platforms and be cognizant of the anatomy of a social engineering attack while organisations should focus on mitigating these threats before they reach end users if possible,” the company says.

While SaaS platforms are providing additional user functionality and new forms of attack methods for threat actors, Proofpoint says that there aren’t many tools that can detect threats that are generated or distributed through legitimate SaaS platforms, resulting in an environment in which threat actors can abuse the platforms for malicious purposes.

“With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads,” the company says.

“The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools. Organisations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”

Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Security platform provider Deep Instinct expands local presence
The company has made two A/NZ specific leadership hires and formed several partnerships with organisations in the region.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.