Bug Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 19 Jul 2024 10:11:50 +0000 en-US hourly 1 https://wordpress.org/?v=81923 200474804 CrowdStrike Falcon Bug Causes Windows Outages Around the Globe https://gridinsoft.com/blogs/crowdstrike-falcon-bug-windows-outages/ https://gridinsoft.com/blogs/crowdstrike-falcon-bug-windows-outages/#respond Fri, 19 Jul 2024 10:11:50 +0000 https://gridinsoft.com/blogs/?p=25783 Bug in the recent update of the CrowdStrike Falcon caused thousands of systems across the world to crash with BSOD. The worst part about it is that Windows refuses to boot correctly afterwards, displaying the same error message. CrowdStrike apologizes for the mess and is due to release the hotfix that should allegedly get the… Continue reading CrowdStrike Falcon Bug Causes Windows Outages Around the Globe

The post CrowdStrike Falcon Bug Causes Windows Outages Around the Globe appeared first on Gridinsoft Blog.

]]>
Bug in the recent update of the CrowdStrike Falcon caused thousands of systems across the world to crash with BSOD. The worst part about it is that Windows refuses to boot correctly afterwards, displaying the same error message. CrowdStrike apologizes for the mess and is due to release the hotfix that should allegedly get the systems back to normal.

Bug in CrowdStrike Falcon Causes Blue Screens of Death Across the Globe

On July 18, 2024 CrowdStrike pushed out a minor update to their MDR system called Falcon. Shortly after it made its way to the systems, computers started crashing for no apparent reason. As it turned out, there is a critical bug in the driver that the update has introduced; Windows cannot handle it properly and consequently crashes. At first, customers along with some of the analysts were thinking of a cyberattack, but it then became apparent that it is just a software bug. Well, not “just”, considering the scale.

What is the worst in all this story is the fact that Falcon is a rather popular solution, used in quite a lot of organizations across the world. And, you guessed it right, a faulty update have jammed all the customers’ systems, with no apparent way to fix the issue. Among companies that have reported issues related to the CrowdStrike Falcon bug are numerous airlines and airports, telecommunications companies, railways, and more. At the moment, companies that reported the issues are as follows:

  • Sky TV
  • CBBC (BBC Children)
  • Delhi Airport
  • London Gatwick
  • Telstra Group
  • United Airlines
  • Ryanair
  • Edinburgh Airport
  • Delta Airlines
  • American Airlines
  • Olympic Games systems
  • London Stock Exchange
  • Singapore Stock Exchange
  • Virgin Australia
  • SpiceJet
  • Turkish Airlines

This list is, of course, incomplete, as there are many smaller companies that experience problems, but are not that noticeable to the public. Some of the mentioned organizations managed to switch to manual operations, while others had no other option but to idle.

CrowdStrike Publishes a Workaround

Considering the massiveness of the problems, CrowdStrike developers immediately went to work, reverting the update. Thing is – it would not really be possible to install the update as the affected computers won’t even boot into Windows. To let the companies access their systems for now, and consequently install the fix when it is here, the developers shared a workaround solution.

CrowdStrike bug fix guide
Screenshot from internal CrowdStrike forum, with proposed mitigation steps

To temporarily fix up the mess, customers should boot into Windows Safe Mode or the Recovery Environment. These modes allow for accessing actual Windows systems or at least its partitions, which is what further steps require. There, users should find the C:\Windows\System32\drivers\CrowdStrike with the C-00000291*.sys file in it, and delete this file. This is the faulty driver that causes all the issues. After that, the system should be able to boot up normally.

Potential Impact

The massiveness of the bug is, obviously, impossible to ignore; this situation will barely be forgiven and forgotten. All the huge companies that were forced to just idle, losing money and time, will likely ask for some kind of compensation. And this, together with yet another stain on the reputation, is what pushes CrowdStrike shares price down at the moment. As of 5:30 ET, $CRWD is down almost 20% from yesterday’s close price, losing $70 of its share price.

Crowdstrike shares price

One more thing such a massive outage should push up is the availability of a quick remedy for such a situation. What should allow them to skip the BSODs quickly and get back to normal is backups. Applying them will take some time, too, but that’s nothing compared to the manual intrusion into every single machine that the remedy requires.

The post CrowdStrike Falcon Bug Causes Windows Outages Around the Globe appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/crowdstrike-falcon-bug-windows-outages/feed/ 0 25783
0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues https://gridinsoft.com/blogs/0-day-vulnerability-in-microsoft-remained-unpatched-for-2-years/ https://gridinsoft.com/blogs/0-day-vulnerability-in-microsoft-remained-unpatched-for-2-years/#respond Tue, 01 Feb 2022 21:33:45 +0000 https://gridinsoft.com/blogs/?p=7017 As part of January Patch Tuesday, Microsoft fixed a dangerous 0-day privilege escalation vulnerability for which a PoC exploit is available online. The vulnerability is already being exploited in attacks by highly skilled hacker groups. The exploit was published by Privacy Piiano founder and CEO Gil Dabah, who discovered the vulnerability two years ago. Daba… Continue reading 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues

The post 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues appeared first on Gridinsoft Blog.

]]>
As part of January Patch Tuesday, Microsoft fixed a dangerous 0-day privilege escalation vulnerability for which a PoC exploit is available online.

The vulnerability is already being exploited in attacks by highly skilled hacker groups.

The exploit was published by Privacy Piiano founder and CEO Gil Dabah, who discovered the vulnerability two years ago.

Daba said he chose not to report his discovery to Microsoft because it was very difficult to get money through its vulnerability bounty program.

Found it two years ago. Not recently. That’s the point. The reason I didn’t reveal it is because I waited a very long time for Microsoft to pay me for another find. By the time they finally paid, the fee had dwindled to almost nothing. I was already busy with my startup, and the vulnerability remained unpatched.the researcher said

The vulnerability, identified as CVE-2022-21882, could allow aт attacker to elevate his privileges on the local system.

A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.Microsoft explained in it’s advisory, part of January’s Patch Tuesday updates.

Microsoft mentioned RyeLv as the researcher who discovered the vulnerability. The researcher submitted his description of the input type mismatch vulnerability in Win32k.sys on January 13, 2022.

An attacker could tell the corresponding GUI API in user mode to make a kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc. These kernel functions will cause xxxClientAllocWindowClassExtraBytes to be returned. An attacker can intercept this return by capturing xxxClientAllocWindowClassExtraBytes in the KernelCallbackTable and using the NtUserConsoleControl method to set the ConsoleWindow flag on the tagWND object, which will modify the window type.RyeLv explained.

Investment in the program was also the top recommendation of RyeLv’s technical analysis for Microsoft. He told how to “kill the bug class”:

Improve the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.

Let me remind you that we also wrote that Zerodium offers up to $400,000 for exploits for Microsoft Outlook, and also that Google recruits a team of experts to find bugs in Android applications.

The post 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/0-day-vulnerability-in-microsoft-remained-unpatched-for-2-years/feed/ 0 7017
Microsoft warned of a critical vulnerability in Cosmos DB https://gridinsoft.com/blogs/critical-vulnerability-in-cosmos-db/ https://gridinsoft.com/blogs/critical-vulnerability-in-cosmos-db/#respond Mon, 30 Aug 2021 16:48:53 +0000 https://blog.gridinsoft.com/?p=5869 Microsoft has warned thousands of Azure customers of a critical Cosmos DB vulnerability. The bug allows any user remote database management, and grants administrator rights without the need for authorization. The problem was discovered by the research team of the cloud security company Wiz. Experts named the vulnerability ChaosDB and reported it to Microsoft on… Continue reading Microsoft warned of a critical vulnerability in Cosmos DB

The post Microsoft warned of a critical vulnerability in Cosmos DB appeared first on Gridinsoft Blog.

]]>
Microsoft has warned thousands of Azure customers of a critical Cosmos DB vulnerability. The bug allows any user remote database management, and grants administrator rights without the need for authorization.

The problem was discovered by the research team of the cloud security company Wiz. Experts named the vulnerability ChaosDB and reported it to Microsoft on August 12, 2021. At the same time, according to the researchers, the vulnerability was hidden in the code “for at least several months, and possibly years.” Microsoft paid Wiz a $40,000 fee for this bug.

The bug allowed attackers to exploit a chain of bugs associated with the work of the open source Jupyter Notebook functionality, which is enabled by default and is designed to help clients visualize data.

Critical vulnerability in Cosmos DB

The successful operation allowed access to the credentials of other Cosmos DB users, including the primary key that enables full and unrestricted remote access to databases and Microsoft Azure customer accounts.

There is a trivial exploit for this vulnerability that does not require prior access to the target environment and affects thousands of organizations, including many Fortune 500 companies.the researchers said.

Microsoft ultimately disabled the feature within 48 hours of receiving the report and notified over 30% of Cosmos DB customers of a potential security breach.

It is worth noting that since February 2021, since all new Cosmos DB instances are created with Jupyter Notebook features enabled, Cosmos DB will automatically disable Notebook functionality if it has not been used within the first three days. This is why the number of affected Cosmos DB clients is so small, it is estimated that about 70% of clients either disabled Jupyter Notebook manually or automated it. However, according to Wiz, the actual number of affected users is likely much higher given the vulnerability has been around for a very long time.

At Microsoft’s request, researchers will have publish technical information about ChaosDB, as it could help attackers develop their own exploits, but experts promise to release a detailed white paper soon.

To mitigate risk and block potential attacks, Microsoft recommends Azure customers to recreate Cosmos DB primary keys that may have been stolen before the affected feature was disabled.

According to Microsoft, there is no evidence that attackers discovered and exploited the Chaos DB vulnerability before the Wiz experts.

Let me remind you that I also talked about the fact that Microsoft Warns of New Print Spooler Vulnerability.

The post Microsoft warned of a critical vulnerability in Cosmos DB appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/critical-vulnerability-in-cosmos-db/feed/ 0 5869
Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device https://gridinsoft.com/blogs/vulnerabilities-in-amazon-kindle/ https://gridinsoft.com/blogs/vulnerabilities-in-amazon-kindle/#respond Fri, 06 Aug 2021 16:45:13 +0000 https://blog.gridinsoft.com/?p=5790 Check Point researchers reported that in April of this year, IT giant Amazon eliminated critical vulnerabilities in the Amazon Kindle. The problems could be used to gain full control over the device, allowed them to steal the Amazon device token and other confidential data stored on it. For a successful attack on a Kindle, just… Continue reading Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device

The post Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device appeared first on Gridinsoft Blog.

]]>
Check Point researchers reported that in April of this year, IT giant Amazon eliminated critical vulnerabilities in the Amazon Kindle. The problems could be used to gain full control over the device, allowed them to steal the Amazon device token and other confidential data stored on it.

For a successful attack on a Kindle, just one book with malicious code is enough.

The potential attack began by sending a malicious e-book to the user’s mail. After receiving such an attachment, the victim only had to open it, and this launched the exploit. No additional user permission or action was required.

E-books could be used as Kindle malware with various consequences. For example, a hacker could delete all of the user’s e-books, as well as turn the Kindle into a bot and use it to attack other devices on the victim’s local network.experts write.

Even worse, the discovered vulnerabilities allowed attackers to target a specific category of users. For example, to hack a specific group of people or demographic group, a hacker simply had to inject malicious code into a popular e-book in the corresponding language or dialect. As a result, attacks became highly targeted.

The root of the problem lay in the structure of the parsing framework, namely the implementation associated with PDF documents. The attacks were possible thanks to a heap overflow associated with the PDF rendering feature (CVE-2021-30354), which allowed arbitrary write permissions on the device, and a local privilege escalation vulnerability in the Kindle App Manager service (CVE-2021-30355), which allowed combine two vulnerabilities into a chain to run malicious code with root privileges.

The researchers reported their findings to Amazon in February 2021, and already the April update of the Kindle firmware to version 5.13.5 contained a patch (the firmware is automatically installed on devices connected to the network).

We found vulnerabilities in the Kindle, and if hackers took advantage of them, they could take full control of the device. By sending an e-book with a malicious code to a Kindle user, a cybercriminal would be able to steal any information from the reader, from Amazon account details to payment information. Like other smart devices, the Kindle is often perceived as a harmless gadget that is not subject to security risks. However, our research shows that any device with network connectivity is, in fact, not much different from a computer. IoT devices are susceptible to the same types of attacks as smartphones. Any device connected to a PC, especially the popular Kindle, presents a cybersecurity risk, and users should be aware of this.said Yaniv Balmas, head of cybersecurity research at Check Point Software Technologies.

Let me remind you that Researcher Found Three Bugs Allowing Hacking Amazon Kindle also this February.

The post Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/vulnerabilities-in-amazon-kindle/feed/ 0 5790
Researchers found a vulnerability that affects millions of HP, Xerox and Samsung printers https://gridinsoft.com/blogs/vulnerability-that-affects-hp-xerox-and-samsung-printers/ https://gridinsoft.com/blogs/vulnerability-that-affects-hp-xerox-and-samsung-printers/#respond Fri, 23 Jul 2021 16:01:22 +0000 https://blog.gridinsoft.com/?p=5736 In February of this year, SentinelOne experts found a 16-year-old vulnerability in the driver of HP, Xerox and Samsung printers. The problem allows attackers to gain administrator rights on systems that use vulnerable software. The vulnerability received the identifier CVE-2021-3438 and has been present in the driver code since 2005, that is, it poses a… Continue reading Researchers found a vulnerability that affects millions of HP, Xerox and Samsung printers

The post Researchers found a vulnerability that affects millions of HP, Xerox and Samsung printers appeared first on Gridinsoft Blog.

]]>
In February of this year, SentinelOne experts found a 16-year-old vulnerability in the driver of HP, Xerox and Samsung printers. The problem allows attackers to gain administrator rights on systems that use vulnerable software.

The vulnerability received the identifier CVE-2021-3438 and has been present in the driver code since 2005, that is, it poses a threat to hundreds of millions of devices manufactured and sold over the past 16 years.

This vulnerability affects a very long list of devices: more than 380 models of HP and Samsung printers, as well as at least a dozen of different Xerox products.the researchers write.

The vulnerability is described as a buffer overflow in the SSPORT.SYS driver file.

The bug can be used to elevate privileges, that is, it can help locally installed malware to gain access at the administrator level (of course, only if a vulnerable driver is used on the system).

Successful exploitation of this driver vulnerability would allow attackers to install programs, view, modify, encrypt, or delete data, and create new accounts with full user rights. Among the obvious options for the abuse of such vulnerabilities is the fact that they can be used to bypass security solutions.says the SentinelOne report.

Experts note that on some Windows systems, the vulnerable printer driver could be installed even without the user’s awareness. This could happen if users connected one of the vulnerable printers to their PCs and the driver was downloaded via Windows Update.

Just by running the printer software, the driver gets installed and activated on the machine regardless of whether you complete the installation or cancel. Thus, in effect, this driver gets installed and loaded without even asking or notifying the user. Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot.write the researchers.

Experts advise users to check lists of problem devices and, if necessary, look for updates on the manufacturer’s website.

Let me remind you that I also talked about the fact that New Issues Found with Windows Print Spooler.

The post Researchers found a vulnerability that affects millions of HP, Xerox and Samsung printers appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/vulnerability-that-affects-hp-xerox-and-samsung-printers/feed/ 0 5736
Exploit for dangerous PrintNightmare problem in Windows has been published online https://gridinsoft.com/blogs/printnightmare-problem-in-windows/ https://gridinsoft.com/blogs/printnightmare-problem-in-windows/#respond Wed, 30 Jun 2021 16:24:13 +0000 https://blog.gridinsoft.com/?p=5657 A PoC exploit for the dangerous PrintNightmare vulnerability in Windows Print Spooler (spoolsv.exe) has been published online. This bug has ID CVE-2021-1675 and was patched by Microsoft just a couple of weeks ago, as part of June’s Patch Tuesday. Windows Print Spooler Service is a universal interface between OS, applications, and local or network printers,… Continue reading Exploit for dangerous PrintNightmare problem in Windows has been published online

The post Exploit for dangerous PrintNightmare problem in Windows has been published online appeared first on Gridinsoft Blog.

]]>
A PoC exploit for the dangerous PrintNightmare vulnerability in Windows Print Spooler (spoolsv.exe) has been published online. This bug has ID CVE-2021-1675 and was patched by Microsoft just a couple of weeks ago, as part of June’s Patch Tuesday.

Windows Print Spooler Service is a universal interface between OS, applications, and local or network printers, allowing application developers to submit print jobs. This service has been included with Windows since the 90s and is notorious for its myriad of problems.

In particular, vulnerabilities such as PrintDemon, FaxHell, Evil Printer, CVE-2020-1337 and even a number of 0-day bugs were associated with Windows Print Spooler, which were used in Stuxnet attacks.

The newest problem CVE-2021-1675 was discovered by experts from Tencent Security, AFINE and NSFOCUS earlier this year.

The bug was originally classified as a low-level privilege escalation vulnerability that could allow attackers to gain administrator rights.Microsoft engineers say.

However, Microsoft updated the bug description last week to report that the issue can cause remote arbitrary code execution.

Previously, almost nothing was known about CVE-2021-1675, since experts did not publish technical descriptions of the problem or exploits for it. But last week, the Chinese company QiAnXin showed a GIF file where it demonstrated the operation of its exploit for CVE-2021-1675. At the same time, the company did not publish any technical details and the exploit itself, in order to give users more time to install patches.

However, a detailed report with a technical description of the problem has now been posted on GitHub, as well as a working PoC exploit. It looks like it was due to someone else’s error and the repository was shut down after a few hours. However, even in this short time, several other users managed to clone it.

This leaked document, written by three analysts of the Chinese company Sangfor, provides details how the experts discovered the error independently of the aforementioned experts.

We also found this vulnerability and hoped to keep it a secret in order to participate in the Tianfu Cup (a hacking competition held in China)wrote the Sangfor experts.

Additionally, the experts explained that after QiAnXin published a demo of their exploit, they thought it was time to publish their report and PoC.

However, a few hours after this statement, the team retracted their words (it seems that the experts decided not to disclose all the details of their speech, scheduled at the Black Hat USA 2021 conference) and deleted the repository from GitHub. But it was too late, the PoC exploit became public.

Since CVE-2021-1675, which Sangfor calls PrintNightmare, affects all versions of Windows and can even affect XP and Vista when used for remote code execution, companies are strongly encouraged to update their fleet of Windows machines as soon as possible.

Let me remind you that I also talked about Microsoft fixes a bug that corrupted FLAC files.

The post Exploit for dangerous PrintNightmare problem in Windows has been published online appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/printnightmare-problem-in-windows/feed/ 0 5657
Microsoft fixes a bug that corrupted FLAC files https://gridinsoft.com/blogs/microsoft-fixes-a-bug-that-corrupted-flac-files/ https://gridinsoft.com/blogs/microsoft-fixes-a-bug-that-corrupted-flac-files/#respond Thu, 27 May 2021 22:06:39 +0000 https://blog.gridinsoft.com/?p=5520 Microsoft has fixed a bug in Windows 10 that changed the name, artist, or other metadata in FLAC files, therefore corrupting them. The bug affected several editions of Windows 10 (Home, Pro, Enterprise, Education, Pro Education and Pro for Workstations), as well as several versions (2004 and 20H2). The problem could arise when editing the… Continue reading Microsoft fixes a bug that corrupted FLAC files

The post Microsoft fixes a bug that corrupted FLAC files appeared first on Gridinsoft Blog.

]]>
Microsoft has fixed a bug in Windows 10 that changed the name, artist, or other metadata in FLAC files, therefore corrupting them.

The bug affected several editions of Windows 10 (Home, Pro, Enterprise, Education, Pro Education and Pro for Workstations), as well as several versions (2004 and 20H2). The problem could arise when editing the metadata of FLAC files containing an ID3 frame with title and artist information before the audio file header.

The FLAC property handler assumed that all FLAC files started with 4 bytes of fLaC start code, and did not take into account the ID3 frame at the beginning of the file. Consequently, the ID3 frame was overwritten without the initial fLaC code, which made the file unplayable.Microsoft explains.

The developers fixed this bug in the KB5003214 preview update released for all supported versions of Windows 10, including Windows 10 21H1, Windows 10 20H2, and Windows 10 2004.

The company also published a special PowerShell script to fix files already damaged due to this bug. Although the script will not help recover the lost metadata stored in the ID3 frame, the file will play again.

Bleeping Computer explains that in order to “fix” files, you need to do the following.

  • Download the ZIP-archive with the script and extract its contents.
  • Find the file FixFlacFiles.ps1, right-click on it and select the item: “Run with PowerShell”.
  • When prompted, enter the name of the FLAC file that cannot be played and press Enter.

In addition, the company is investigating another issue related to audio: after the release of cumulative updates this month, Windows 10 users began to complain about high-frequency noise when using some 5.1 configurations.

After installing KB5000842 and later updates, 5.1 Dolby Digital sound playback may be accompanied by high-frequency noise or squeak in certain applications when using certain audio devices and Windows settings.the developers write.

A fix for this bug should appear in the near future, but for now the company recommends using the following workarounds: use a browser or another application for video and audio (instead of applications affected by the problem); temporarily disable Spatial sound in sound settings.

Let me remind you that I wrote that Windows 10 bug causes BSOD when opening a specific path.

The post Microsoft fixes a bug that corrupted FLAC files appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/microsoft-fixes-a-bug-that-corrupted-flac-files/feed/ 0 5520