Read Time:4 Second
In some cases, the threat actor’s intent was to ultimately provide SIM-swapping services
Monthly Archives: December 2022
Microsoft Patch Tuesday, December 2022 Edition
Read Time:3 Minute, 53 Second
Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.
The security updates include patches for Azure, Microsoft Edge, Office, SharePoint Server, SysInternals, and the .NET framework. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.
The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.
“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros,
said Greg Wiseman, product manager at security firm Rapid7. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.
Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.
Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.
Kevin Breen at Immersive Labs said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.
“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”
Speaking of malicious documents, Trend Micro’s Zero Day Initiative highlights CVE-2022-44713, a spoofing vulnerability in Outlook for Mac.
“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s Dustin Childs wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”
Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.
Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, Sophos, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group Cuba, which has extorted an estimated $60 million from victims since 2019.
Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, Apple released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.
Anyone responsible for maintaining Fortinet or Citrix remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.
For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
AgentTesla Remains Most Prolific Malware in November, Emotet and Qbot Grow
Read Time:5 Second
These are some of the key findings from the latest Check Point Research Most Wanted report
protobuf-3.19.6-1.fc36
Read Time:28 Second
FEDORA-2022-15729fa33d
Packages in this update:
protobuf-3.19.6-1.fc36
Update description:
Selected notes from packaging changes and improvements:
3.19.6 fixes CVE-2022-3171
3.19.5 fixes CVE-2022-1941
License updated to SPDX
Unnecessary dependency on python3-six removed
Python extension is now the compiled C++ version, improving performance
All subpackages now have the license file or depend on something that does
The -vim subpackage now depends on vim-filesystem, no longer on vim-enhanced
Added a man page for protoc
See PR for more details.
USN-5779-1: Linux kernel (Azure) vulnerabilities
Read Time:1 Minute, 45 Second
It was discovered that the NFSD implementation in the Linux kernel did not
properly handle some RPC messages, leading to a buffer overflow. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-43945)
Jann Horn discovered that the Linux kernel did not properly track memory
allocations for anonymous VMA mappings in some situations, leading to
potential data structure reuse. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-42703)
It was discovered that a memory leak existed in the IPv6 implementation of
the Linux kernel. A local attacker could use this to cause a denial of
service (memory exhaustion). (CVE-2022-3524)
It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-3564)
It was discovered that the ISDN implementation of the Linux kernel
contained a use-after-free vulnerability. A privileged user could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3565)
It was discovered that the TCP implementation in the Linux kernel contained
a data race condition. An attacker could possibly use this to cause
undesired behaviors. (CVE-2022-3566)
It was discovered that the IPv6 implementation in the Linux kernel
contained a data race condition. An attacker could possibly use this to
cause undesired behaviors. (CVE-2022-3567)
It was discovered that the Realtek RTL8152 USB Ethernet adapter driver in
the Linux kernel did not properly handle certain error conditions. A local
attacker with physical access could plug in a specially crafted USB device
to cause a denial of service (memory exhaustion). (CVE-2022-3594)
It was discovered that a null pointer dereference existed in the NILFS2
file system implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash). (CVE-2022-3621)
Apple Fixes Actively Exploited iPhone Zero-Day Vulnerability
Read Time:4 Second
The vulnerability could allow remote code execution (RCE) on a victim’s device
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Read Time:58 Second
Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.
iCloud for Windows allows access your photos, videos, calendar, files, and other important information on your Windows PC.
Safari is a graphical web browser developed by Apple.
macOS Ventura is the 19th and current major release of macOS
macOS Monterey is the 18th and release of macOS.
macOS Big Sur is the 17th release of macOS.
iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
tvOS is an operating system for fourth-generation Apple TV digital media player.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Lacework adds new capabilities to its CSPM solution
Read Time:30 Second
Lacework on Wednesday released new cloud security posture management (CSPM) capabilities, designed to help organizations create custom policies for AWS, Google Cloud, and Azure to secure their cloud infrastructure.
The new CSPM solution offers three key enhancements. First, it allows organizations to customize policies and ensure configurations align with an organization’s specific needs. Second, it helps organizations build custom cross-account reports to measure hygiene. Finally, the new CSPM will now be compliant with the latest CIS benchmarks, industry standards, and other additional controls written by the Lacework Labs team.
Wiz debuts PEACH tenant isolation framework for cloud applications
Read Time:49 Second
Cloud security vendor Wiz has announced PEACH, a tenant isolation framework for cloud applications designed to evaluate security posture and outline areas of improvement. The firm stated that the framework has been developed on the back of its cloud vulnerability research to tackle security challenges impacting tenant isolation.
Security boundaries, incohesion, transparency impacting tenant isolation in cloud applications
In a blog post, Wiz wrote that there have been several cross-tenant vulnerabilities in various multi-tenant cloud applications over the last 18 months. These include ExtraReplica and Hell’s Keychain. “Although these issues have been reported on extensively and were dealt with appropriately by the relevant vendors, we’ve seen little public discussion on how to mitigate such vulnerabilities across the entire industry,” Wiz stated. What’s more, the root cause of these vulnerabilities – improperly implemented security boundaries, usually compounded by otherwise harmless bugs in customer-facing interfaces – is significant, the firm added.
xorg-x11-server-Xwayland-22.1.6-1.fc36
Read Time:13 Second
FEDORA-2022-d165fda18e
Packages in this update:
xorg-x11-server-Xwayland-22.1.6-1.fc36
Update description:
xwayland 22.1.6
Security fixes for CVE-2022-46340, CVE-2022-46341, CVE-2022-46342,
CVE-2022-46343, CVE-2022-46344, CVE-2022-4283