Tag Archive for: flaws

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws


Tech giants Apple, Microsoft, and Google each fixed major security flaws in April, many of which were already being used in real-life attacks. Other firms to issue patches include privacy-focused browser Firefox and enterprise software providers SolarWinds and Oracle.

Here’s everything you need to know about the patches released in April.

Apple

Hot on the heels of iOS 16.4, Apple has released the iOS 16.4.1 update to fix two vulnerabilities already being used in attacks. CVE-2023-28206 is an issue in the IOSurfaceAccelerator that could see an app able to execute code with kernel privileges, Apple said on its support page.

CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”

The bug means visiting a booby-trapped website could give cybercriminals control over your browser—or any app that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at cybersecurity firm Sophos.

The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Taking this into account, Ducklin thinks the security holes could have been used for implanting spyware.

Apple also released iOS 15.7.5 for users of older iPhones to fix the same already exploited flaws. Meanwhile, the iPhone maker issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

Microsoft

Apple wasn’t the only big tech firm issuing emergency patches in April. Microsoft also released an urgent fix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation-of-privilege bug in the Windows Common Log File System Driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in an advisory.

Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as having a critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in…

Week in review: PaperCut vulnerabilities, VMware fixes critical flaws, RSA Conference 2023


The week in security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

RSA Conference 2023
RSA Conference 2023 took place at the Moscone Center in San Francisco. Check out our microsite for related news, photos, product releases, and more.

Overcoming industry obstacles for decentralized digital identities
In this Help Net Security interview, Eve Maler, CTO at ForgeRock, talks about how digital identities continue to play a critical role in how we access online services securely. Maler also highlights the challenges encountered by various industries in implementing decentralized digital identities.

PaperCut vulnerabilities leveraged by Clop, LockBit ransomware affiliates
Clop and LockBit ransomware affiliates are behind the recent attacks exploiting vulnerabilities in PaperCut application servers, according to Microsoft and Trend Micro researchers.

Common insecure configuration opens Apache Superset servers to compromise
An insecure default configuration issue (CVE-2023-27524) makes most internet-facing Apache Superset servers vulnerable to attackers, Horizon3.ai researchers have discovered.

3CX breach linked to previous supply chain compromise
Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we’re still far away from seeing the complete picture.

GitHub introduces private vulnerability reporting for open source repositories
GitHub has announced that its private vulnerability reporting feature for open source repositories is now available to all project owners.

Google Authenticator updated, finally allows syncing of 2FA codes
Google has updated Google Authenticator, its mobile authenticator app for delivering time-based one-time authentication codes, and now allows users to sync (effectively: back up) their codes to their Google account.

VMware fixes critical flaws in virtualization software (CVE-2023-20869, CVE-2023-20870)
VMware has fixed one critical (CVE-2023-20869) and three important flaws (CVE-2023-20870, CVE-2023-20871, CVE-2023-20872) in its VMware Workstation and Fusion virtual user session software.

Google adds new risk assessment tool for Chrome extensions
Google has made available a new tool for…

Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit


Apr 12, 2023 | Ravie Lakshmanan | Patch Tuesday / Software Updates

It’s the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.

Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.

The security flaw that’s come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.

CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.

According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

“CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block,” Larin said. “The vulnerability gets triggered by the manipulation of the base log file.”

In light of ongoing exploitation of the flaw, CISA added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.

Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (

Apple releases emergency security updates to patch iPhone, iPad and Mac zero-day flaws


Apple has once again released emergency security updates to fix zero-day vulnerabilities that are being used to attack compromised iPhones, iPads and Macs in the wild.

In a security advisory released on Friday (April 7), the Cupertino-based company revealed that it “is aware of a report that this issue may have been actively exploited”. Unlike with other recently discovered zero-day flaws, the ones Apple has patched have already been exploited by hackers in their attacks.
