<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Windows-Security on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/windows-security/</link><description>Recent content in Windows-Security on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Mon, 08 Jun 2026 14:14:52 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/windows-security/index.xml" rel="self" type="application/rss+xml"/><item><title>Internet Explorer Can Still Take Over a Fully Patched Windows PC in 2026</title><link>https://hackingpassion.com/internet-explorer-webbrowser-rce/</link><pubDate>Mon, 08 Jun 2026 14:14:52 +0200</pubDate><guid>https://hackingpassion.com/internet-explorer-webbrowser-rce/</guid><description>&lt;p>Internet Explorer can still take over a fully patched Windows machine, years after Microsoft retired it in 2022. The code that ran it was never removed from Windows, and a researcher just turned it into working remote code execution.&lt;/p>
&lt;p>The researcher behind it, Igor Sak-Sakovskiy, published the work with Microsoft&amp;rsquo;s permission. The piece he pulled apart is called the &lt;strong>WebBrowser control&lt;/strong>, the same code that drew web pages in Internet Explorer for decades. It still runs inside programs written in Visual Basic, .NET and C#, the kind of older business software and legacy tools that quietly kept the component alive. One detail makes it stranger. No official Microsoft document says this component is retired or about to be. People treat it as gone, while it keeps running underneath.&lt;/p></description></item><item><title>A Critical Windows DNS Flaw Lets Attackers Run Code on Any Machine Without Logging In</title><link>https://hackingpassion.com/windows-dns-rce-2026/</link><pubDate>Wed, 13 May 2026 11:35:57 +0200</pubDate><guid>https://hackingpassion.com/windows-dns-rce-2026/</guid><description>&lt;p>Microsoft patched a critical heap buffer overflow in the Windows DNS Client. An attacker needs no account and no help from the person sitting at the machine to trigger it. Every Windows machine that performs DNS lookups is potentially in scope, and every Windows machine performs DNS lookups constantly.&lt;/p>
&lt;p>The vulnerability is tracked as &lt;strong>CVE-2026-41096&lt;/strong> with a &lt;strong>CVSS score of 9.8&lt;/strong>. It sits in a component called &lt;code>dnsapi.dll&lt;/code>, the file that handles DNS lookups on every Windows machine. DNS, which stands for Domain Name System, is the system that translates domain names into IP addresses so computers know where to connect. Every time a browser loads a page, an application connects to a server, a VPN connection is established, or Windows checks for updates, the system sends out a DNS query asking what IP address belongs to a given name. The DNS Client receives the answer, processes it, and passes it along.&lt;/p></description></item><item><title>GhostLock Delivers Ransomware Impact on Windows Without Touching a Single File</title><link>https://hackingpassion.com/ghostlock-smb-file-lock-ransomware/</link><pubDate>Mon, 11 May 2026 14:22:19 +0200</pubDate><guid>https://hackingpassion.com/ghostlock-smb-file-lock-ransomware/</guid><description>&lt;p>&lt;strong>GhostLock locks every shared file on any Windows network in minutes using nothing but a standard login, and every security tool watching stays completely silent. This has been possible for over 30 years. Microsoft is not going to patch this.&lt;/strong>&lt;/p>
&lt;p>Security researcher Kim Dvash published the proof of concept in May 2026, after discovering the technique during a prior authorized red team engagement.&lt;/p>
&lt;p>&lt;strong>SMB&lt;/strong> is the protocol Windows uses to share files across a network. When a program opens a file over SMB, it tells Windows how it wants to share that file with other programs at the same time. Set that sharing mode to zero using a parameter called &lt;code>dwShareMode&lt;/code> in the &lt;code>CreateFileW&lt;/code> API call, and Windows grants an &lt;strong>exclusive deny-share handle&lt;/strong>. While that handle is held open, every other process, user, or system trying to open the same file gets back one thing:&lt;/p></description></item><item><title>Microsoft Edge Stores Every Saved Password in Cleartext Memory at Startup</title><link>https://hackingpassion.com/microsoft-edge-cleartext-passwords/</link><pubDate>Tue, 05 May 2026 10:56:56 +0200</pubDate><guid>https://hackingpassion.com/microsoft-edge-cleartext-passwords/</guid><description>&lt;p>&lt;strong>Microsoft Edge loads every saved password into memory the moment the browser opens.&lt;/strong> They sit there in plain readable text for the entire session, even for sites that are never visited during that session. &lt;strong>Microsoft&amp;rsquo;s official response: this is by design.&lt;/strong>&lt;/p>
&lt;p>A security researcher who goes by &lt;strong>@L1v1ng0ffTh3L4N&lt;/strong> decided to test every major Chromium-based browser to see how each one actually handles stored credentials while running. He went through them one by one. &lt;strong>Edge was the only browser he found behaving this way.&lt;/strong> He took his findings to the BigBiteOfTech conference on April 29, presented them there with Palo Alto Networks Norway, and then posted a proof-of-concept video on May 4 that pulled in 5,900 responses within hours. He also put a small tool on GitHub called &lt;strong>EdgeSavedPasswordsDumper&lt;/strong> so anyone could check this on their own machine.&lt;/p></description></item><item><title>PhantomRPC: Windows Has a Privilege Escalation Problem Microsoft Won't Fix</title><link>https://hackingpassion.com/phantomrpc-windows-privilege-escalation/</link><pubDate>Tue, 28 Apr 2026 10:21:13 +0200</pubDate><guid>https://hackingpassion.com/phantomrpc-windows-privilege-escalation/</guid><description>&lt;p>Last week at Black Hat Asia in Singapore, a Kaspersky researcher publicly demonstrated &lt;strong>PhantomRPC&lt;/strong>: five separate ways to take any standard Windows service account straight to full &lt;strong>SYSTEM&lt;/strong> access, confirmed working on fully patched Windows Server 2022 and Windows Server 2025. Microsoft already knew. They received the ten-page technical report months ago, called it &lt;strong>moderate severity&lt;/strong>, assigned no CVE, and closed the case. There is no patch.&lt;/p>
&lt;p>&lt;strong>RPC&lt;/strong> stands for Remote Procedure Call, and it is the system that Windows services use to send requests to each other directly in the background. When one service needs something from another, it sends a request through RPC. This happens constantly, hundreds of times per minute, completely invisible to whoever is sitting at the machine.&lt;/p></description></item><item><title>MSBuild LOLBin: How Hackers Run Malware on Windows Without Leaving a Trace</title><link>https://hackingpassion.com/msbuild-lolbin-fileless-attack/</link><pubDate>Tue, 14 Apr 2026 12:06:26 +0200</pubDate><guid>https://hackingpassion.com/msbuild-lolbin-fileless-attack/</guid><description>&lt;p>&lt;strong>MSBuild.exe&lt;/strong> is a &lt;strong>LOLBin&lt;/strong>, a legitimate Windows tool being abused to run malware on fully patched machines without dropping a single file on disk, and Windows Defender does not raise an alert because MSBuild.exe carries Microsoft&amp;rsquo;s own digital signature and many security tools treat it as trusted by default. There is no patch coming because nothing here is broken. MSBuild.exe is doing exactly what Microsoft designed it to do. 😏&lt;/p>
&lt;p>&lt;code>MSBuild.exe&lt;/code>, the Microsoft Build Engine, has been part of the .NET Framework and Visual Studio for years. Software developers use it to compile and build applications from XML-based project files. Because Microsoft built it and signed it, Windows trusts it completely. AppLocker trusts it. Windows Defender Application Control trusts it. Most endpoint security solutions wave it through without a second look, because as far as they are concerned, it is a legitimate Microsoft tool doing its job.&lt;/p></description></item><item><title>DesckVB RAT Uses Windows' Own Tools to Stay Hidden and Leaves Almost Nothing Behind</title><link>https://hackingpassion.com/desckvb-rat-fileless-malware-2026/</link><pubDate>Sat, 11 Apr 2026 12:52:30 +0200</pubDate><guid>https://hackingpassion.com/desckvb-rat-fileless-malware-2026/</guid><description>&lt;p>A Remote Access Trojan called DesckVB has been actively hitting systems throughout 2026, running almost entirely inside memory with barely anything written to disk, hiding its final payload inside a process it names &lt;strong>Microsoft.exe&lt;/strong>, and attempting to switch off the camera LED before streaming video back to the attacker. A cracked version of the builder is already circulating freely, meaning attackers with minimal skills can deploy this today without writing a single line of code. Forensics teams sweep these machines afterward and find very little. The system looks completely clean. 😏&lt;/p></description></item><item><title>GootLoader Tricks Security Tools Into Seeing a Safe File While Windows Runs Malware</title><link>https://hackingpassion.com/gootloader-zip-evasion-2026/</link><pubDate>Sun, 18 Jan 2026 11:28:38 +0100</pubDate><guid>https://hackingpassion.com/gootloader-zip-evasion-2026/</guid><description>&lt;p>GootLoader is back. This week, researchers discovered their newest trick: a way to make security tools completely blind. Your antivirus scans the ZIP file. Nothing found. 
WinRAR tries to open it. Fails. 7-Zip tries. Also fails. Corrupted file, right? But when you double-click it, Windows opens it just fine. And now you&amp;rsquo;re infected. 🧐&lt;/p>
&lt;p>The trick is simple but brilliant. They take 500 to 1000 ZIP files and glue them together into one massive file. Most analysis tools read ZIP files from the beginning. They hit the first archive, see garbage, and crash. But here is the thing about ZIP files. They are actually read from the END. The &amp;ldquo;End of Central Directory&amp;rdquo; record tells the reader where to find the actual content. Windows knows this. It skips all the junk, finds the last valid archive, and happily extracts the malware.&lt;/p></description></item></channel></rss>