Multiple Vulnerabilities in Mozilla Firefox and Firefox Extended Support Release (ESR) Could Allow for Arbitrary Code Execution

Read Time:36 Second

Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Microsoft Patch Tuesday, February 2022 Edition

Read Time:4 Minute, 9 Second

Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month’s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.

While none of the patches address bugs that earned Microsoft’s most dire “critical” rating, there are multiple “remote code execution” vulnerabilities that Redmond believes are ripe for exploitation. Among those is CVE-2022-22005, a weakness in Microsoft’s Sharepoint Server versions 2013-2019 that could be exploited by any authenticated user.

“The vulnerability does require an attacker to be authenticated in order to exploit it, which is likely why Microsoft only labeled it ‘Important,’” said Allan Liska, senior security architect at Recorded Future. “However, given the number of stolen credentials readily available on underground markets, getting authenticated could be trivial. Organizations that have public-facing SharePoint Servers should prioritize implementing this patch.”

Kevin Breen at Immersive Labs called attention to CVE-2022-21996, an elevation of privilege vulnerability in the core Windows component “Win32k.”

“In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied,” Breen said. “February sees more patches for the same style of vulnerability in this same component. It’s not clear from the release notes whether this is a brand new vulnerability or if it is related to the previous month’s update. Either way, we have seen attackers leverage this vulnerability so it’s safer to err on the side of caution and update this one quickly.”

Another elevation of privilege flaw CVE-2022-21989 — in the Windows Kernel — was the only vulnerability fixed this month that was publicly disclosed prior to today.

“Despite the lack of critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month,” said Greg Wiseman, product manager at Rapid7. “Remote code execution vulnerabilities are also important to patch, even if they may not be considered ‘wormable.’ In terms of prioritization, defenders should first focus on patching server systems.”

February’s Patch Tuesday is once again brought to you by Print Spooler, the Windows component responsible for handling printing jobs. Four of the bugs quashed in this release relate to our friend Mr. Print Spooler. In July 2021, Microsoft issued an emergency fix for a Print Spooler flaw dubbed “PrintNightmare” that was actively being exploited to remotely compromise Windows PCs. Redmond has been steadily spooling out patches for this service ever since.

One important item to note this week is that Microsoft announced it will start blocking Internet macros by default in Office. This is a big deal because malicious macros hidden in Office documents have become a huge source of intrusions for organizations, and they are often the initial vector for ransomware attacks.

As Andrew Cunningham writes for Ars Technica, under the new regime when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016, and 2013.

“Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros,” Cunningham wrote. “The change will be previewed starting in April before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June.”

January’s patch release was a tad heavier and rockier than most, with Microsoft forced to re-issue several patches to address unexpected issues caused by the updates. Breen said while February’s comparatively light burden should give system administrators some breathing room, it shouldn’t be viewed as an excuse to skip updates.

“But it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy,” Breen said.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

Read More

[R1] Nessus Versions 8.15.3 and 10.1.1 Fix Multiple Third-Party Vulnerabilities

Read Time:24 Second
Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (Expat) was found to contain vulnerabilities, and an updated version has been made available by the provider.

Out of caution and in line with best practice, Tenable has opted to upgrade the Expat component to address the potential impact of the issue. Nessus 10.1.1 and Nessus 8.15.3 update Expat to version 2.4.4 to address the identified vulnerability.

Read More

Multiple Vulnerabilities in Adobe Products could allow for Arbitrary Code Execution.

Read Time:42 Second

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for Arbitrary Code Execution.

Premiere Rush is a video editor.
Illustrator is a vector graphics editor and design program.
Photoshop is a graphics editor.
Adobe After Effects is a digital visual effects, motion graphics, and compositing application.
Creative Cloud is a cloud service provided by Adobe where its software can be accessed all in one place.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Microsoft’s February 2022 Patch Tuesday Addresses 48 CVEs (CVE-2022-21989)

Read Time:4 Minute, 35 Second

Microsoft addresses 48 CVEs in its February 2022 Patch Tuesday release, including one zero-day vulnerability that was publicly disclosed, but not exploited in the wild.

0Critical
48Important
0Moderate
0Low

Microsoft patched 48 CVEs in the February 2022 Patch Tuesday release, with all 48 rated as important and none rated as critical.

This month’s update includes patches for:

Azure Data Explorer
Kestrel Web Server
Microsoft Dynamics
Microsoft Dynamics GP
Microsoft Edge (Chromium-based)
Microsoft Office
Microsoft Office Excel
Microsoft Office Outlook
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft OneDrive
Microsoft Teams
Microsoft Windows Codecs Library
Power BI
Roaming Security Rights Management Services
Role: DNS Server
Role: Windows Hyper-V
SQL Server
Visual Studio Code
Windows Common Log File System Driver
Windows DWM Core Library
Windows Kernel
Windows Kernel-Mode Drivers
Windows Named Pipe File System
Windows Print Spooler Components
Windows Remote Access Connection Manager
Windows Remote Procedure Call Runtime
Windows User Account Profile
Windows Win32K

Remote code execution (RCE) vulnerabilities and elevation of privilege (EoP) both accounted for 33.3% of the vulnerabilities patched this month.

Important

CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability

CVE-2022-21989 is an EoP vulnerability in the Windows Kernel and the only zero-day vulnerability addressed this month. According to Microsoft’s Exploitability Index rating, this vulnerability is more likely to be exploited, however it has not been actively exploited at the time this blog was published. The advisory does note that an attacker needs to take additional actions prior to exploitation of this vulnerability, which is evident by the “High” rating for “Attack Complexity” in the CVSSv3 score of 7.8.

Important

CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2022-22005 is a RCE vulnerability in Microsoft SharePoint Server with a CVSSv3 score of 8.8. Microsoft rates this as “exploitation more likely,” however at this time no public proof-of-concept appears to exist. In order to exploit this vulnerability, an attacker would need to be authenticated and have the ability to create pages in SharePoint.

Important

CVE-2022-21999, CVE-2022-22718, CVE-2022-22717 and CVE-2022-21997 and | Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2022-21999, CVE-2022-22718, CVE-2022-22717 and CVE-2022-21997 are EoP vulnerabilities in Windows Print Spooler. CVE-2022-21999 and CVE-2022-22718 received CVSSv3 scores of 7.8 and were rated Exploitation More Likely. CVE-2022-22717 (CVSSv3 7.0) and CVE-2022-21997 (CVSSv3 7.1) were rated Less Likely. Discovery of CVE-2022-21999 was credited to Xuefeng Li and Zhiniang Peng of Sangfor at the Tianfu Cup. These are the same researchers who disclosed CVE-2021-34527, kicking off the PrintNightmare saga in June 2021. CVE-2022-21997 was disclosed by Bo Wu and CVE-2022-22717 was credited to Thibault Van Geluwe de Berlaere with Mandiant. As researchers continue to focus their time on discovering flaws in Print Spooler, it is likely that attackers are as well, therefore organizations should apply these updates urgently.

Important

CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability

CVE-2022-21996 is an EoP vulnerability in Microsoft’s Win32k, a core kernel-side driver used in Windows. This vulnerability received a CVSSv3 score of 7.8 and is more likely to be exploited according to Microsoft. This vulnerability is similar to another EoP flaw from January’s Patch Tuesday release, CVE-2022-21882. CVE-2022-21882 has been actively exploited in the wild by threat actors and the Cybersecurity and Infrastructure Security Agency has added the vulnerability to it’s Known Exploited Vulnerabilities Catalog, requiring federal agencies to remediate the vulnerability by February 18. Interestingly enough, CVE-2022-21882 is a patch bypass for another vulnerability, CVE-2021-1732 according to RyeLv, one of the researchers credited with reporting the vulnerability to Microsoft.

Important

CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability

CVE-2022-22715 is an EoP vulnerability in the Named Pipe File System. It is rated as Exploitation More Likely. To exploit this flaw, an attacker would need to have established a presence on the vulnerable system in order to run a specially crafted application. Successful exploitation would allow an attacker to run processes with elevated privileges. The vulnerability is credited to researchers at Kunlun Lab, who participated in the Tianfu Cup, China’s biggest hacking competition.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains February 2022.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s February 2022 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Microsoft’s February 2022 Security Updates
Tenable plugins for Microsoft February 2022 Patch Tuesday Security Updates

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More