Tag Archive for: bugs

Microsoft’s Patch Tuesday for April 2023 closes 97 security bugs, 1 zero-day flaw


Recap: Every second Tuesday of the month, Microsoft rolls out its latest collection of security fixes. The unofficial term ‘Patch Tuesday’ has been used for the last 20 years to describe the company’s release of security fixes for Windows and other products.

For April 2023, the company’s update focuses on closing multiple vulnerabilities as well as a nasty zero-day flaw.

According to Microsoft’s official security bulletin, patches released in April 2023 provide updates for many Windows components including the Kernel, Win32K API, .NET Core, the Azure cloud platform, Microsoft Office applications, Visual Studio, and Windows Active Directory. All things considered, the latest Patch Tuesday fixes 97 security flaws.

Seven vulnerabilities are classified with a “critical” risk level, as they could be abused to remotely execute potentially malicious code. The Patch Tuesday flaws are classified as follows: 20 elevation of privilege vulnerabilities, eight security feature bypass vulnerabilities, 45 remote code execution vulnerabilities, 10 information disclosure vulnerabilities, nine denial of service vulnerabilities, and six spoofing vulnerabilities.

The list doesn’t include 17 security flaws in Microsoft Edge that were fixed a week ago. A complete report on all the flaws and related advisories has been published by Bleeping Computer. Besides security fixes, on Patch Tuesday Microsoft also rolled out cumulative, non-security updates for Windows 11 (KB5025239) and Windows 10 (KB5025221, KB5025229).

The single zero-day vulnerability is tracked as CVE-2023-28252, or ‘Windows Common Log File System Driver Elevation of Privilege Vulnerability.’ An attacker who successfully exploits this vulnerability could gain system privileges, Microsoft explains, meaning that they could achieve the highest access level available on a Windows OS.

According to security researchers, cyber-criminals are already trying to exploit the CVE-2023-28252 bug to spread the Nokoyawa ransomware to organizations belonging to wholesale, energy, manufacturing, and healthcare industries. The flaw is similar to another privilege escalation bug supposedly fixed by Microsoft in…


Apple fixes 2 zero-day bugs exploited to hack iPhones, Macs


In its latest software update, Apple has fixed two new zero-day security vulnerabilities that were exploited in attacks to compromise iPhones, Macs, and iPads.

According to BleepingComputer, the two zero-day security vulnerabilities were addressed in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 with improved input validation and memory management.

The first security flaw is in IOSurfaceAccelerator and could lead to data corruption, a crash, or code execution.

Successful exploitation enables attackers to execute arbitrary code with kernel privileges on targeted devices by using a maliciously crafted app, said the report.

The second zero-day vulnerability is in WebKit and allows data corruption or arbitrary code execution when freed memory is reused (a use-after-free).

An attacker can exploit this flaw by tricking targets into loading malicious web pages under their control, resulting in code execution on compromised systems.

Meanwhile, researchers have tracked 55 zero-day vulnerabilities that were exploited by hackers in 2022, mostly targeting Microsoft, Google, and Apple products.

According to a report from the information security company Mandiant, products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (19), followed by browsers (11), security, IT, and network management products (10), and mobile OSes (six).


Microsoft Zero-Day Bugs Allow Security Feature Bypass


IT teams should prioritize the patching of two zero-day vulnerabilities, one in Microsoft Outlook’s authentication mechanism and another that’s a Mark of the Web bypass, security experts said today. The two are part of a cache of 74 security bugs that Microsoft disclosed in its March Patch Tuesday security update.

In a blog post, researchers from Automox recommended that organizations patch both vulnerabilities within 24 hours since attackers are exploiting them in the wild. 

In addition, several of the critical flaws in the March update enable remote code execution (RCE), making them a high priority for patching as well. 

Vendors had slightly different takes on the total number of new critical vulnerabilities in Microsoft’s March update — likely because of differences in what they included in the count. Trend Micro’s Zero-Day Initiative (ZDI), for instance, identified six of the vulnerabilities in Microsoft’s March update as critical, while Tenable and Action1 pegged the number at nine.

Privilege Escalation Zero-Day

One of the zero-days is a critical privilege escalation vulnerability in Microsoft Outlook tracked as CVE-2023-23397, which allows an attacker to access the victim’s Net-NTLMv2 challenge-response authentication hash and then impersonate the user. 

What makes the bug dangerous is that an attacker could trigger it simply by sending a specially crafted email that Outlook retrieves and processes before the user even views it in the Preview Pane.

“This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email,” said Satnam Narang, senior staff research engineer at Tenable, in an emailed comment. An attacker could use the victim’s Net-NTLMv2 hash to conduct an attack that exploits the NTLM challenge-response mechanism and allows the adversary to authenticate as the user.

That makes the bug more of an authentication bypass vulnerability than a privilege escalation issue, added ZDI researcher Dustin Childs in a blog post that summarized the most important flaws in Microsoft’s March Patch Tuesday update. Disabling the Preview Pane option will not mitigate the threat because the bug gets…


CISA urged to add 8 severe ransomware bugs to vulnerability catalog


Researchers found that eight of the 131 ransomware-associated vulnerabilities not yet listed in a federal catalog meant to help the cybersecurity community are considered “most dangerous” because they could be easily exploited at every stage from initial access to exfiltration.

A ransomware report from Cyber Security Works, Ivanti, Cyware, and Securin warned organizations not to ignore vulnerabilities that have yet to be added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, especially those with complete MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) kill chains, where every stage of an attacker’s progression can be defined, described, and tracked.

According to the report, researchers identified 57 extremely dangerous ransomware-associated vulnerabilities with complete kill chains, eight of which are not in the KEV. These eight bugs are found in over 30 products, including products by Microsoft, Oracle, Zyxel, and QNAP.

The Ivanti research team highlighted that the bugs (CVE-2016-10401, CVE-2017-6884) in Zyxel products (Zyxel is a subsidiary of the Taiwanese multinational broadband provider Unizyx Holding) are particularly notable because nation-state and global threat actors are focusing on Taiwan. Moreover, although these vulnerabilities were discovered in 2016 and 2017, they still do not have a patch.

Srinivas Mukkamala, chief product officer at Ivanti, told SC Media that the research team has reached out to CISA to recommend including all of the severe vulnerabilities in its KEV catalog.

CISA has yet to respond to SC Media’s inquiry on whether it plans to add them.

CISA published the KEV catalog in November 2021 as a free resource to help organizations manage vulnerabilities and prioritize remediation. It started with 287 vulnerabilities and is now a repository of 866 CVEs.

Mukkamala said all researchers should actively collaborate with CISA and contribute to expanding the KEV catalog.  

“KEV is the authoritative source of exploited vulnerabilities. We benefit from this best service without having to pay for it. So as defenders, why don’t we give back by sharing our knowledge and information with CISA?” he…
