Search This Blog

Showing posts with label Patch Fix. Show all posts

Microsoft Announced the End of Support for Windows 7 & 8

Microsoft has published a warning over the imminent end of support for Windows 8.1, which would not receive any updates or patches after January 10th, 2023.

According to the research, over 100 million computers were still running Windows 7 as of 2021, giving their owners little time to update them before they face the security hazards associated with utilizing an antiquated browser and operating system.

Windows 8.1 is still the fourth most popular Microsoft operating system in the world, according to the Statcounter team, with 2.45% of all Windows users having it installed on their computers. Given the fact that it will affect millions of individuals and expose numerous PCs to attack, this end of support is quite concerning. 

PCs running Windows XP, 7, or 8 were more prevalent than those running Windows 11 according to a Lansweeper survey of 27 million Windows devices conducted in October.

For systems running Windows 10 2004 or 20H2, Windows 10 21H1 was a minor feature update that was designed to be simple to install. It contained improvements to Windows Defender Application Guard, Windows Management Instrumentation via Group Policy, and support for several Windows Hello-enabled cameras. 

Along with the release of a new Chrome version, Google also disclosed that it will discontinue support for Windows 7 and Windows 8.1 in early 2023. For users to continue receiving new Chrome updates, their device must be running Windows 10 or later.

It would be wise for anyone running an outdated version of Windows to inspect their computers and make some critical adjustments this week. Microsoft has issued the warning because Windows 8.1 will soon stop receiving security updates and patches after January 10, 2023.

Apple Claims "SIM not Supported" Bug Hits iPhone 14 Series

Apple's 14th-generation iPhone launch has not gone all too well as anticipated. In its most recent announcement, Apple acknowledged that iPhone 14 users are affected by the SIM problem in iOS 16.

Apple has confirmed a new iOS 16 bug that is causing owners of the iPhone 14 inconvenience. A  message is displayed on their device that reads 'SIM not supported.' The business acknowledged the flaw and declared it is looking into the matter.

Apple strongly advises against restoring the device if the notice remains. The tech giant prefers that customers seek technical support from authorized Apple service providers or visit the nearest Apple Store. According to reports, Apple is developing a patch for this flaw and may deliver it by the end of the month.

Apple confirms in the memo that it is looking into the issue and that it is not a hardware-related one even if a fix is still pending. Since a software repair is possible, the affected iPhone 14 units would not need to be recalled. Apple advises iPhone 14 customers to wait until a fix is available because, occasionally, the error message will go away and the phones will start working normally again.

The business advised customers to 'upgrade to the current version of iOS to address the issue' if they experienced problems with Messages or FaceTime after configuring their new iPhone.

Apple stated that updating to the most recent version of iOS would fix any issues with iMessage and FaceTime not fully activating on the iPhone 14 and iPhone 14 Pro. 

Therefore, experts recommend holding off on upgrading to an iPhone 14 model until Apple has fixed more of these problems. The iOS 16.1 update is currently being developed by Apple and is anticipated to go live by the end of the month. The upcoming version will most likely include numerous new features, adjustments, and changes. A recent iOS 16.0.3 update from Apple is expected to fix a number of problems.

Dex: ID Service Patches Bug that Allows Unauthorized Access to Client Applications

 

The renowned OpenID Connect (OIDC) identity service, Dex has detected and patched a critical vulnerability. The bug allows a threat actor access to the victim's ID tokens via intercepted authorization code, potentially accessing clients’ applications without authorization. The vulnerability was patched by Sigstore developers Hayden Blauzvern, Bob Callaway, and ‘joernchen', who initially reported the bug. 

The open-source sandbox project of Cloud Native Computing Foundation, Dex utilizes an identification layer on top of OAuth 2.0, providing authentication to other applications.  

Dex acts as a portal to other identity providers through certain ‘connectors’, ranging from authentication to LDAP servers, SAML providers, or identity providers like GitHub, Google, and Active Directory. As a result, Dex claims 35.6 million downloads to date. As stated in the Developer's notification, the bug affects “Dex instances with the public clients (and by extension, clients accepting tokens issued by those Dex instances.” 

As per the discovery made by security researchers, the threat actor can steal an OAuth authentication code by luring the victim to enter a malicious website and further, leading him into the OIDC flow. Thence the victim is tricked into exchanging the authorization code for a token, which allows access to applications that accept the token. As the exploit can be used multiple times, the threat actor can get a new token every time the old one expires.  

The bug thus comes into existence because the authentication process instigates a persistent “connector state parameter" as the request ID to look up the OAuth code. 

“Once the user has successfully authenticated, if the webserver is able to call /approval before the victim’s browser calls /approval, then an attacker can fetch the Dex OAuth code which can be exchanged for an ID token using the /token endpoint,” the advisory stated. The users are advised to update to version 2.35.0, as the vulnerability, having the CVSS rating of 9.3, affects versions 2.34.0 and older.  

The bug was fixed by introducing a hash-based message authentication (HMAC) code, that utilizes a randomly generated per-request secret, oblivious to the threat actor, and is persisted between the initial login and the approval request, making the server request unpredictable.

HP Bug Left Unpatched for a Year

Six high-severity software flaws have been known since July 2021, they cause a range of vulnerabilities in HP products used in enterprise settings and are not yet patched.

Firmware defects can result in malware infections that last even after an OS re-installation or allow long-term breaches that would not be detected by regular security techniques, making them extremely dangerous.

Although some of the weaknesses were made public by Binarly at Black Hat 2022 a month ago, the manufacturer hasn't delivered security upgrades for all afflicted models, leaving many customers vulnerable to attacks.

Binarly contributed to the resolution of six serious flaws that not only affect these devices but also numerous other HP product lines. This disclosure, which details arbitrary code execution flaws linked to System Management Mode, was coordinated with the HP PSIRT team (HPSBHF03806) (SMM).

SMM is a component of the UEFI firmware, which offers system-wide features including power management and low-level device control. Since this SMM sub-system has greater privileges than the operating system kernel (ring 0), vulnerabilities affecting the SMM can render security mechanisms ineffective.

According to Binarly, HP has not fixed the following six vulnerabilities for months:
  • Stack-based buffer overflow resulting in unauthorized code execution is CVE-2022-23930. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds write on CommBuffer, which permits evading some validation, is CVE-2022-31644. Score for CVSS v3: 7.5 'High'
  • Out-of-bounds write on CommBuffer due to failure to verify the size of the pointer given to the SMI handler, CVE-2022-31645. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds writing using the direct memory manipulation API feature can result in privilege elevation and arbitrary code execution, according to CVE-2022-31646. Score for CVSS v3: 8.2 'High'
  • CVE-2022-31640 - Inadequate input validation gives attackers access to the CommBuffer data and creates a conduit for unauthorized changes. Score for CVSS v3: 7.5 'High'
  • Callout vulnerability in the SMI handler that allows for arbitrary code execution is CVE-2022-31641. Score for CVSS v3: 7.5 'High'
Patch fix updates

Three security advisories have been posted by HP acknowledging the aforementioned vulnerabilities, and an equal number of BIOS updates have been released to remedy the problems for some of the vulnerable models; with the exception of thin client PCs, which received security updates on August 9, 2022. 

While CVE-2022-31640 and CVE-2022-31641 were fixed during August, the most recent update was released on September 7, 2022, and many HP workstations are still vulnerable. Furthermore, CVE-2022-23930 was patched on all impacted systems in March 2022.

The BIOS is a crucial component that guarantees compatibility between updated software and legacy hardware. Before installing Windows 10, make certain that your computer has the most recent BIOS installed.

The Windows update may fail and roll back due to an outdated graphics driver. Before beginning the update procedure, it is advised to check and make sure the most recent Graphics drivers are installed on your computer.


Spyware Maker Candiru Associated to Chrome Zero-day Targeting Journalists

 

Candiru, an Israeli monitoring outfit, used the newly patched CVE-2022-2294 Chrome zero-day in assaults on journalists. Avast researchers claimed that the DevilsTongue malware, manufactured by Israeli surveillance business Candiru, was utilised in attacks on journalists in the Middle East and exploited the newly resolved CVE-2022-2294 Chrome zero-day vulnerability. 

The issue, which Google addressed on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it is Google's fourth zero-day patch in 2022. The majority of the assaults discovered by Avast researchers occurred in Lebanon, and threat actors employed various attack chains to target journalists. 

Since March 2022, further infections have been detected in Turkey, Yemen, and Palestine. In one case, threat actors carried out a watering hole assault by hacking a website frequented by news agency staff. The researchers discovered artefacts associated with exploitation attempts for an XSS flaw on the website. 

The sites contained calls to the Javascript function "alert" as well as terms like "test," implying that the attackers were testing the XSS vulnerability before abusing it to inject the loader for a malicious Javascript from an attacker-controlled domain (i.e. stylishblock[.]com). This injected code was used to send victims to the exploit server via a chain of domains controlled by the attacker. 

Once the victim arrives at the exploit server, the code written by Candiru collects further information about the target machine, and the exploit is utilised to distribute the spyware only if the obtained data satisfies the exploit server. 

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. 

“We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.” 

The zero-day was linked to a sandbox escape vulnerability, but specialists could not retrieve it owing to malware protection. After gaining access to the victim's computer, the DevilsTongue malware attempts to escalate its privileges by exploiting another zero-day vulnerability. 

In a BYOVD (Bring Your Own Vulnerable Driver) way, the malicious software attacks a valid signed kernel driver. To exploit the driver, it must first be dropped to the filesystem; experts noted that this may be exploited. 

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.

SAP Security Patch for July: Six High Priority Notes

The July 2022 patch release from SAP was released in addition to 27 new and updated SAP Security Notes. The most serious of these problems is information disclosure vulnerability CVE-2022-35228 (CVSS score of 8.3) in the BusinessObjects Business Intelligence Platform's central administration console.

Notes for SAP Business One 

The three main areas that are impacted by the current SAP Security Notes are as follows, hence Onapsis Research Labs advises carefully reviewing all the information:
  • In integration cases involving SAP B1 and SAP HANA, with a CVSS score of 7.6(CVE-2022-32249), patches a significant information release vulnerability. The highly privileged hackers take advantage of the vulnerability to access confidential data that could be used to support further exploits.
  • With a CVSS rating of 7.5 (CVE-2022-28771),  resolves a vulnerability with SAP B1's license service API. An unauthorized attacker can disrupt the app and make it inaccessible by sending bogus HTTP requests over the network if there is a missing authentication step.
  • A CVSS score of 7.4(CVE-2022-31593), is the third High Priority note. This notice patches SAP B1 client vulnerability that allowed code injection. An attacker with low privileges can use the vulnerability to manipulate the application's behavior.
On July 20, 2022, SAP announced 17 security notes to fix vulnerabilities of medium severity, the bulk of which affect the NetWeaver Enterprise Portal and Business Objects.

Cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal were addressed in six security notes that SAP published, each of which had a CVSS score of 6.1. Medium-severity problems in Business Objects are covered by five more security notes.

The SAP July Patch Day illustrates the value of examining all SAP Security Notes prior to applying patches. 

A SQL Injection bug Hits the Django web Framework

 

A serious vulnerability has been addressed in the most recent versions of the open-source Django web framework. 

Updates decrease the risk of SQL Injection

Developers are advised to update or patch their Django instances as soon after the Django team issues versions Django 4.0.6 and Django 3.2.14 that fix a high-severity SQL injection vulnerability. 

Malicious actors may exploit the vulnerability, CVE-2022-34265, by passing particular inputs to the Trunc and Extract methods.

The issue, which can be leveraged if untrusted data was used as a kind/lookup name value, is said to be present in the Trunc() and Extract() database functions, according to the researchers. It is feasible to lessen the danger of being exploited by implementing input sanitization for these functions.

Bugfixes 

Django's main branch and the 4.1, 4.0, and 3.2 release branches have all received patches to fix the problem. 

"This security update eliminates the problem, but we've found enhancements to the Database API methods for date extract and truncate that should be added to Django 4.1 before its official release. Django 4.1 releases candidate 1 or newer third-party database backends will be affected by this until they can be updated to the new API. We apologize for the trouble," Django team stated.

HP Fixes UEFI Flaws Affecting 200+ Computers

 

HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday. 

CVE-2021-3808 and CVE-2021-3809 are the two flaws, which have a CVSS score of 8.8. HP credited Aruba Threat Labs' Nicholas Starke and a researcher going by the online handle "yngweijw" with reporting the issues but did not disclose technical details on either of the flaws. 

The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs. 

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. 

According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the security flaw is due to a SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode. The SMI handler, according to Starke, may be triggered from a kernel execution context like a Windows Kernel Driver, enabling an attacker to determine the memory location of a specific function and overwrite it in physical memory to refer to attacker code. 

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” Starke added.

While the majority of the vulnerable devices have already received firmware updates, a handful has yet to receive them. Users can check HP's advisory for more information on the impact and upgrades. HP also released warnings this week that outline the updates Intel have released to address several firmware and software vulnerabilities affecting its CPUs and chipsets, as well as HP products.

Chrome 92 Update by Google Patches 10 High Severity Vulnerabilities

 

Chrome 92 (92.0.4515.131), the Google security update issued for Windows, Mac, and Linux has patched at least 10 vulnerabilities. Chrome 92, is an update that improves browser efficiency on phish calculations, extends the scope of user website isolation technologies, and includes a few new 'Chrome Actions' to the repertory. 

The search giant established in California has awarded over $133,000 in rewards to users who identified some 35 vulnerabilities addressed in Chrome 92. At least 9 of the flaws were categorized under high severity, the current highest threat level from Google. 

The 360 Alpha Lab team from the Chinese cybersecurity company Qihoo 360's researchers Leecraso and Guang Gong have won $20,000 for detecting a high-severity vulnerability identified as CVE-2021-30590. The issue was described as a bookmark buffer overflow by Google. 

Leecraso told the SecurityWeek team that, CVE-2021-30590 is an issue of sandbox escape that could be "exploited with an extension or a compromised renderer." An intruder can exploit the fault to remotely execute code outside of the sandbox of Chrome. The vulnerability might be leveraged to breakout from the browser's sandbox because of its out-of-bounds write. And it would only need the user to download the extension to take advantage of. 

Google Chrome Sandbox is a creation and test environment for Google Chrome-based applications developers. A test and staging infrastructure is provided by the sandbox environment without the code getting tested for modifications to current code and databases. 

Two vulnerabilities uncovered by researcher David Erceg have also been rated with a high level of severity. CVE-2021-30592, characterized as an off-bound writing problem on Google's Tab Groups, rewarded him $10,000, while CVE-2021-30593 has earned him a $5,000 bug reward, which was defined as an out-of-bounds read bug in Tab Strips. 

“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out-of-bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.” 

CVE-2021-30591, an after-free flaw within the File System API is yet another elevated vulnerability that Google paid out at $20,000. Reportedly, it was discovered by the Researcher SorryMybad of Kunlun Lab.

It is worthy to be noted that Google pays up to $20,000 for Chrome's vulnerabilities of escape sandbox revealed in a high-quality report. If researchers additionally offer a functioning exploit, they can receive up to $30,000 for such flaws. 

Consumers must upgrade Chrome as soon as possible, given that the web browser seems to be increasingly targeted for malicious activity. It is worth noting that this year, Google fixed over half a dozen of zero-day vulnerabilities that were being actively exploited.

Email Bug Permits Message Snooping, Credential Theft

 

Researchers warned that hackers may snoop on email communications by attacking a flaw in the underlying technology used by most of the email servers that run the Internet Message Access Protocol or known as IMAP. 

The flaw was initially reported in August 2020 and was fixed on 21st June 2021. According to the Open Email Survey, it is linked to the email server software Dovecot, which is used by nearly three-quarters of IMAP servers. 

According to a paper by researchers Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences in Germany, the vulnerability allows for a meddle-in-the-middle (MITM) attack. 

In accordance with research linked to a bug bounty page, dated August 2020, “the vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker.” 

Dovecot version v2.3.14.1, a patch for the vulnerability is rated -severity by the vendor and critical by the third-party security firm Tenable, is available for download. According to a technical analysis provided by Anubisnetworks, the flaw revolves around the execution of the START-TLS email instruction, which is a command issued between an email program and a server that is used to protect the delivery of email messages. 

“We found that Dovecot is affected by a command injection issue in START-TLS. This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows [an attacker] to mount a session fixation attack, which possibly results in stealing of credentials such as the SMTP username and password,” researchers stated. 

According to an OWASP description, a session fixation attack permits an adversary to take over a client-server connection once the user logs in. As per researchers, due to a START-TLS implementation issue in Dovecot, the intruder can log in to the session and transfer the entire TSL traffic from the targeted victim's SMTP server as part of its own session. 

“The attacker obtains the full credentials from its own inbox. At no point was TLS broken or certificates compromised,” the researchers wrote. 

For Dovecot operating on Ubuntu, a Linux version based on Debian, a fix for the issue, dubbed CVE-2021-33515, is now available. Ising and Poddebniak have provided workaround fixes for the vulnerability. Disabling START-TLS and configuring Dovecot to accept only “pure TLS connections” on port 993/465/995 is one solution. 

The researchers stated, “Note that it is not sufficient to reconfigure a mail client to not use START-TLS. The attack must be mitigated on the server, as any TLS connection is equally affected.” 

SonicWall Urges Customers to 'immediately' Patch NSM On-Prem Bug

 

SonicWall urges customers to “immediately” patch a post-authentication vulnerability that impacts on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.

The CVE-2021-20026 vulnerability affects NSM 2.2.0-R10-H1 and previous versions, and it was patched by SonicWall in NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced) versions. It has an 8.8/10 severity rating from SonicWall, and authenticated intruders can use it for OS command injection in low-complexity attacks that don't require user interaction. 

The SonicWall stated, "This critical vulnerability potentially allows a user to execute commands on a device's operating system with the highest system privileges (root). This vulnerability only impacts on-premises NSM deployments, SaaS versions of NSM are not affected." 

SonicWall is urging consumers to patch their devices instantaneously, despite the fact that the business did not mention an immediate threat of attackers exploiting this vulnerability or active in the wild exploitation. 

"SonicWall customers who are running the on-premises NSM versions listed below should upgrade to the patched version as soon as possible," the company advised. 

When requested for comment by Bleeping Computer, SonicWall refused to provide any specifics about the active exploitation of CVE-2021-20026, instead responded with the information in the security advisory. 

Several SonicWall appliance vulnerabilities have been targeted by threat actors this year. Many of them are zero-days that were actively exploited in the wild before the company released fixes. SonicWall fixed an actively exploited zero-day vulnerability affecting the SMA 100 series of SonicWall networking devices in February. 

A financially motivated threat actor, which was tracked down by Mandiant threat analysts  as UNC2447, took advantage of another zero-day in SonicWall SMA 100 Series VPN appliances to spread newly found FiveHands ransomware on the networks of North American and European targets. 

In January, the same zero-day bug was exploited in assaults targeting SonicWall's internal systems, and it was afterward exploited indiscriminately in the wild. SonicWall patched three more zero-day vulnerabilities discovered in the wild in March, impacting the company's on-premises and hosted Email Security (ES) products. 

These zero-days were abused by a group known as UNC2682 to backdoor systems via BEHINDER web shells, allowing the attackers to travel laterally through their victims' networks and access emails and files, as Mandiant discovered researching the attacks.

Chinese WeChat Users Targeted by Attackers Using Recent Chromium Bug

 

According to a local security firm, a Chrome exploit published online last week has been weaponized and exploited to target WeChat users in China. 

The malicious links were sent to WeChat users in the attacks. When users clicked the connection via a link, a piece of JavaScript code was launched, which loaded and executed shellcode on their operating systems. 

Threat actors used the recently revealed Chrome exploit to attack WeChat users in China, according to China-based firm Qingteng Cloud Security. The attacks, according to the researchers, were limited to users of the WeChat Windows app. The security firm didn't reveal which of the two proof-of-concept codes released last week were used in the attacks. 

This is because the attackers repurposed proof-of-concept code for two different bugs in the Chromium browser engine, which the WeChat Windows client uses to open and preview links without having to open a separate browser, which was published on Twitter and GitHub last week. The proof of concept code published last week —both of them— allowed attackers to run malicious code inside any Chromium-based browser. 

However, since most web browsers run Chromium in a "hardened mode" where the "sandbox" security protection function helps to prevent malicious code from escaping to the underlying operating system, due to which the exploit code was deemed useless on its own. 

As the security researchers informed The Record in interviews last week, their proof-of-concept code would work fine against apps that used the Chromium project as a foundation but forgot to allow sandbox defense. 

The WeChat client patched last week but Qingteng did not reveal that which of the two Chromium exploits revealed online last week was used in the wild in China; however, the security firm said it alerted Tencent, the creator of the WeChat app, and that Tencent had incorporated the latest Chromium security updates to patch the attack vector. 

Both vulnerabilities have been fixed by the Chromium team, but the patches are still finding their way downstream to all applications that use the browser engine. Only Microsoft Edge has patches for both exploits right now whereas the first bug has been fixed in Chrome.