Willy R. Vasquez, a security researcher at the University of Texas in Austin, uncovered the vulnerability, known as CVE-2024-27793. This vulnerability affects the CoreMedia framework, which processes media samples and manages media data queues in iTunes.
A major security flaw in the iTunes app for Windows 10 and Windows 11 users could have allowed malicious attackers to execute code remotely, Apple said in a support article published on May 8.
Willy R. Vasquez, a Ph.D. scholar and security expert at The University of Texas at Austin, discovered CVE-2024-27793 and contributed sandboxing code to the Firefox 117 web browser. The vulnerability, rated critical by the Common Vulnerability Scoring System v3, affects the CoreMedia framework, which provides the media pipeline used to process media samples and handle batches of media information, says Apple.
The flaw allows an attacker to execute arbitrary code by sending a maliciously crafted request during the file processing. It is critical to highlight that the attacker does not need physical access to the Windows PC, as the exploitation can be carried out remotely.
The CVSS v3 critical grade of 9.1 out of 10 is mostly due to the potential for remote code execution. The basic root of the flaw was found as inadequate checks inside the CoreMedia framework component, which Apple fixed with enhanced checks in the most recent release.
Based on the Vulnerability Database resource, CVE-2024-27793 can be leveraged remotely without authentication, although successful exploitation requires human involvement. This interaction could include clicking a link or visiting a website where CoreMedia processes the malicious file.
The ease of exploitation and potential impact of arbitrary code execution emphasize the seriousness of this issue. Users should upgrade their iTunes programs to the most recent version to protect themselves from any attacks exploiting this security weakness.
Here are some steps you can take to safeguard your system:
A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.
Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.
Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.
Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.
The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.
Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:
The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.
Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.
The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.
Despite the fact that a patch has been available for three weeks, ransomware hackers are exploiting a vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using Citrix hardware.
CVE-2023-4966, which exists in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability has a severity rating of 9.4 out of a possible 10, which is quite high for a simple information-disclosure fault.
According to some estimates, 20,000 smartphones have already been compromised. The reason for this is that the information released may contain session tokens, which are assigned by the hardware to devices that have previously successfully provided credentials, including those delivering MFA
Attacks have just lately increased, forcing security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."
He stated that as of Saturday, he has discovered an estimated 20,000 instances of compromised Citrix machines with stolen session tokens. He stated that his estimate was based on establishing a honeypot of servers disguised as susceptible Netscaler devices to track opportunistic Internet attacks. Beaumont then compared the results to other data sources, such as Netflow and the Shodan search engine.
Meanwhile, GreyNoise, a security firm that also uses honeypots, was reporting CVE-2023-4966 attacks coming from 135 IP addresses. This is a 27-fold rise from the five IPs discovered by GreyNoise five days earlier.
According to the most recent data from security firm Shadowserver, there were approximately 5,500 unpatched machines. Beaumont has admitted that the amount contradicts his previous estimate of 20,000 affected devices. It's unclear what was causing the disparity.
The vulnerability is reasonably simple to exploit for experienced users. A simple reverse-engineering of the Citrix patch reveals the vulnerable methods, and it's not difficult to develop code that exploits them from there. A number of proof-of-concept exploits are available online, making attacks considerably easier.
Atlassian has confirmed that malicious actors are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134, designed to install web shells with no fix available at this time.