Tag Archive for: patch

Google Releases Eighth Zero-Day Patch of 2023 for Chrome


Google has issued an urgent update to address a recently discovered vulnerability in Chrome that has been under active exploitation in the wild, marking the eighth zero-day vulnerability identified for the browser in 2023.

Identified as CVE-2023-7024, Google said the vulnerability is a significant heap buffer overflow flaw within Chrome’s WebRTC module that allows remote code execution (RCE).

WebRTC is an open source initiative enabling real-time communication through APIs, and enjoys widespread support among the leading browser makers.

How CVE-2023-7024 Threatens Chrome Users

Lionel Litty, chief security architect at Menlo Security, explains that the risk from exploitation is the ability to achieve RCE in the renderer process. This means a bad actor can run arbitrary binary code on the user’s machine, outside of the JavaScript sandbox.

However, real damage relies on using the bug as the first step in an exploit chain; it needs to be combined with a sandbox escape vulnerability in either Chrome itself or the OS to be truly dangerous.

“This code is still sandboxed due to the multiprocess architecture of Chrome though,” Litty says, “so with just this vulnerability an attacker cannot access the user’s files or start deploying malware, and their foothold on the machine goes away when the impacted tab is closed.”

He points out Chrome’s Site Isolation feature will generally protect data from other sites, so an attacker can’t target the victim’s banking information, although he adds there are some subtle caveats here.

For example, this would expose a target origin to the malicious origin if they belong to the same site; in other words, a hypothetical malicious.shared.com can target victim.shared.com.

“While access to the microphone or camera requires user consent, access to WebRTC itself does not,” Litty explains. “It is possible this vulnerability can be targeted by any website without requiring any user input beyond visiting the malicious page, so from this perspective the threat is significant.”

Aubrey Perin, lead threat intelligence analyst at Qualys Threat Research Unit, notes that the reach of the bug extends beyond Google Chrome.

“The exploitation of Chrome is tied to its ubiquity — even Microsoft…

Source…

Xfinity waited 13 days to patch critical Citrix Bleed 0-day. Now it’s paying the price


[Image: A Comcast Xfinity service van in San Ramon, California on February 25, 2020. Getty Images | Smith Collection/Gado]

Comcast waited 13 days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general’s office. Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn’t patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it.

“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division.

Citrix Bleed has emerged as one of the year’s most severe and widely exploited vulnerabilities, with a…

Source…

Second Android 14-based Galaxy A52s update brings December security patch


It was merely two weeks back that the Galaxy A52s started receiving the Android 14/One UI 6 update, but Samsung is already releasing a follow-up update to the mid-range phone in some markets.

This is the second Android 14-based firmware for the Galaxy A52s and it is rolling out in India and a couple of other countries in the Indian subcontinent. The update sports firmware version A528BXXS5FWL4, and it comes bundled with the December 2023 security patch.

Security enhancements are all that this update brings to the Galaxy A52s. The December patch fixes a total of 75 security vulnerabilities, 54 of which affect all Android devices while the rest were found only in Samsung’s software. The patch also includes fixes for four vulnerabilities discovered in some Exynos chips, which aren’t applicable here thanks to the A52s being powered by a Snapdragon chip worldwide.

If you own a Galaxy A52s, you can check if the latest update is available by tapping the Download and install option in the phone’s Settings » Software update menu (it may take a few tries for the updates to start downloading). Full-sized firmware available in our archives can also be used to upgrade the phone, but this procedure requires a Windows PC and a USB cable.

Galaxy A52s’ next and final feature update will be One UI 6.1

The Galaxy A52s, like the Galaxy A52 and Galaxy A52 5G, is eligible for three generations of Android OS upgrades, so it will not be receiving future versions of Android. As for One UI updates, the Galaxy A52s is likely to get One UI 6.1 sometime next year. After it has been updated to One UI 6.1, the A52s will only remain eligible for security updates.

Source…

What Is Citrix Bleed? The Next Ransomware Patch You Need


Citrix Bleed is a software vulnerability being increasingly connected to cyber attacks, and it now appears to be putting government and critical infrastructure at risk — but the good news is that a patch is available.

The vulnerability’s name has been popping up over the past couple months in reports on key sectors. According to a post from cybersecurity researcher Kevin Beaumont, this flaw may be behind the cyber attack that disrupted swathes of credit unions earlier this week. The credit unions’ technology vendor Ongoing Operations was hit with ransomware and had failed to patch the vulnerability, he wrote. Ongoing Operations declined to confirm to Government Technology whether Citrix Bleed had been exploited.

But the health-care sector is also raising warnings. Industry group the American Hospital Association urged its membership recently to patch and defend against the vulnerability. Its message amplified the federal Health Sector Cybersecurity Coordinating Center (HC3)’s own alert. Ransomware actors also exploited it in an attack on airplane giant Boeing.


The flaw, also known as CVE-2023-4966, impacts Citrix NetScaler web application delivery control and NetScaler Gateway appliances. Federal officials and partners turned a spotlight on the vulnerability and issued a joint advisory, giving advice and details, including indicators of compromise; observed tactics, techniques and procedures; and detection methods.

Advisory authors include the Cybersecurity and Infrastructure Security Agency, FBI, Multi-State Information Sharing and Analysis Center and Australia’s lead cybersecurity agency, the Australian Signals Directorate’s Australian Cyber Security Centre.

At least one group of threat actors has been identified exploiting Citrix Bleed: affiliates deploying LockBit 3.0 ransomware. LockBit affiliates have in the past targeted organizations in critical infrastructure sectors, including government and emergency services, health care, financial services, energy, education, food and agriculture, manufacturing and transportation, per the joint advisory.

Hackers exploiting Citrix Bleed can “bypass password…

Source…