{"id":3179,"date":"2024-04-19T04:38:23","date_gmt":"2024-04-19T09:38:23","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/magicdot-windows-weakness-unprivileged-rootkit"},"modified":"2024-04-19T04:38:23","modified_gmt":"2024-04-19T09:38:23","slug":"magicdot-windows-weakness-allows-unprivileged-rootkit-activity","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/19\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity\/","title":{"rendered":"&#8216;MagicDot&#8217; Windows Weakness Allows Unprivileged Rootkit Activity"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt4cf9d67b28cf3eec\/662236db759dce51380f594e\/dots-Robert_Adrian_Hillman-Alamy_Stock_Vector.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A known issue associated with the DOS-to-NT path conversion process in Windows opens up significant risk for businesses, by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">That&#8217;s according 
to Or Yair, security researcher at SafeBreach, who outlined the issue during a session at Black Hat Asia 2024 in Singapore this week. He also detailed four different vulnerabilities related to the issue, which he <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/twitter.com\/oryair1999\/status\/1781199221741494280\" rel=\"noopener\">dubbed &#8220;MagicDot<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8221;&#8211;including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Dots &amp; Spaces in DOS-to-NT Path Conversion\">Dots &amp; Spaces in DOS-to-NT Path Conversion<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The MagicDot group of problems exists thanks to the way that Windows changes DOS paths to NT paths.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that&#8217;s a DOS path that follows the &#8220;C:\\Users\\User\\Documents\\example.txt&#8221; format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file; and NtCreateFile asks for an NT path and not a DOS path. 
Thus, Windows converts the familiar DOS path visible to users into an NT path, prior to calling NtCreateFile to enable the operation.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The exploitable problem exists because, during the conversion process, Windows automatically removes any periods from the DOS path, along with any extra spaces at the end. Thus, DOS paths like these:<\/span><\/p>\n<div data-component=\"basic-list\" class=\"BasicList BasicList_nestedLevel_0 BasicList_variant_unordered BasicList_limited\">\n<ul data-testid=\"basic-list-unordered\" class=\"BasicList-UnorderedList\">\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">C:\\example\\example.&nbsp;&nbsp;&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">C:\\example\\example\u2026&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon 
BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">C:\\example\\example&lt;space&gt;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u2026are all converted to &#8220;\\??\\C:\\example\\example&#8221; as an NT path.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Yair discovered that this automatic stripping out of erroneous characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choice \u2013 which could then be used to either render files unusable, or to conceal malicious content and activities.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Simulating an Unprivileged Rootkit\">Simulating an Unprivileged Rootkit<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The MagicDot issues first and foremost create the opportunity for a number of post-exploitation techniques that help attackers on a machine maintain stealth.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For instance, it&#8217;s possible to lock up malicious content and prevent users, even admins, from examining it. 
&#8220;By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and\/or spaces only, I could make all user-space programs that use the normal API inaccessible to them\u2026users would not be able to read, write, delete, or do anything else with them,&#8221; Yair explained in the session.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Then, in a related attack, Yair found that the technique could be used to hide files or directories within archive files.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it,&#8221; Yair said. &#8220;As a result, I was able to place a malicious file inside an innocent ZIP\u2014whoever used Explorer to view and extract the archive contents was unable to see that file existed inside.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A third attack method involves masking malicious content by impersonating legitimate file paths.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;If there was a harmless file called &#8216;benign,&#8217; I was able to [use DOS-to-NT path conversion] to create a malicious file in the same directory [also named] benign,\u201d the researcher explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. 
&#8220;As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead,&#8221; leaving the victim none the wiser that they were actually opening malicious content.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Taken together, manipulating MagicDot paths can grant adversaries rootkit-like abilities without admin privileges, explained Yair, who published <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.safebreach.com\/blog\/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces\/\" rel=\"noopener\">detailed technical notes<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> on the attack methods in tandem with the session.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more,&#8221; he said\u2014all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;It\u2019s important that the cybersecurity community recognize this risk and consider 
developing unprivileged rootkit detection techniques and rules,&#8221; he warned.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"A Series of 'MagicDot' Vulnerabilities\">A Series of &#8216;MagicDot&#8217; Vulnerabilities<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">During his research into the MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of them since patched by Microsoft.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">One remote code execution (RCE) vulnerability (<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.recordedfuture.com\/vulnerability-database\/CVE-2023-36396\" rel=\"noopener\">CVE-2023-36396<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, CVSS 7.8) in Windows\u2019s new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that would write anywhere they choose on a remote computer once extracted, leading to code execution.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;<\/span><br \/><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Basically, let&#8217;s say you upload an archive to your <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a 
class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/application-security\/github-developers-hit-in-complex-supply-chain-cyberattack\" rel=\"noopener\">GitHub repository<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> advertising it as a cool tool available for download,&#8221; Yair tells Dark Reading. &#8220;And when the user downloads it, it&#8217;s not an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now, the extraction itself is able to run code on your computer, and that is seriously wrong and very dangerous.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A second bug is an elevation of privilege (EoP) vulnerability (<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-32054\" rel=\"noopener\">CVE-2023-32054<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the restoration process of a previous version from a shadow copy.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The third bug is a Process Explorer unprivileged DoS bug for anti-analysis, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. 
Microsoft confirmed that the flaw led to &#8220;unexpected behavior,&#8221; but hasn&#8217;t yet issued a CVE or a fix for it.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;I create a folder inside the demo folder called \u2026&lt;space&gt; and inside, I write a file named c.txt,&#8221; explained Yair. &#8220;Then when an administrator attempts to delete the \u2026&lt;space&gt; folder, the entire demo folder is deleted instead.&#8221;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Potentially Wider 'MagicDot' Ramifications\">Potentially Wider &#8216;MagicDot&#8217; Ramifications<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While Microsoft addressed Yair&#8217;s specific vulnerabilities, the DOS-to-NT path conversion auto-stripping of periods and spaces persists \u2013 even though that&#8217;s the root cause of the vulnerabilities.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;That means there might be many more potential vulnerabilities and post-exploitation techniques to find using this issue,&#8221; the researcher warns. 
&#8220;This issue still exists and can lead to many more issues and vulnerabilities, which can be much more dangerous than the ones we know about.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">He adds that the problem has ramifications beyond Microsoft.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;We believe the implications are relevant not only to Microsoft Windows, which is the world\u2019s most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software,&#8221; he warned.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Meanwhile, software developers can make their code safer against these types of vulnerabilities by utilizing NT paths rather than DOS paths, he noted.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Most high-level API calls in Windows support NT paths,&#8221; Yair said. 
&#8220;Using NT paths avoids the conversion process and ensures the provided path is the same path that is being actually operated on.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For businesses, security teams should create detections that look for rogue periods and spaces within file paths.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;There are pretty easy detections that you can develop for these, to look for files or directories, that have trailing dots or spaces in them, because if you find those, on your computer, it means that someone did it on purpose because it&#8217;s not that easy to do,&#8221; Yair explains. &#8220;Normal users can&#8217;t just create a file that ends with a dot or space, Microsoft will prevent that. 
Attackers will need to use a <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/api-security-is-the-new-black\" rel=\"noopener\">lower API<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> that is closer to the kernel, and will need some expertise to accomplish this.&#8221;<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/magicdot-windows-weakness-unprivileged-rootkit\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A known issue associated with the DOS-to-NT path conversion process<\/p>\n","protected":false},"author":12,"featured_media":3180,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=2560%2C1882&ssl=1",2560,1882,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=300%2C221&ssl=1",300,221,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=640%2C471&ssl=1",640,471,true],"large":["https:\
/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=640%2C471&ssl=1",640,471,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=1536%2C1129&ssl=1",1536,1129,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=2048%2C1506&ssl=1",2048,1506,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=1024%2C753&ssl=1",1024,753,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/magicdot-windows-weakness-allows-unprivileged-rootkit-activity-scaled.jpg?fit=2560%2C1882&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3179"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3179\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3180"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}