Patch Tuesday Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Microsoft Fixes 3 Critical Vulnerabilities in July Patch Tuesday, One Exploited
Published Thu, 11 Jul 2024 10:37:00 +0000 | https://gridinsoft.com/blogs/microsoft-fixes-3-critical-vulnerabilities-patch-tuesday/

Microsoft has released its monthly security update, addressing 142 vulnerabilities across its product suite and software. One of these vulnerabilities is already being exploited in the wild. The vulnerabilities were fixed as part of Microsoft’s monthly bug fix release, widely known as “Patch Tuesday”.

Microsoft Fixed 3 Critical Flaws in Patch Tuesday

In the most recent Patch Tuesday, on July 10, 2024, Microsoft released fixes for 142 security issues in its product suite and software. Among them, six flaws of different severity stand out: CVE-2024-38023, CVE-2024-38060, CVE-2024-38080, and the RCE bugs CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077. The latter three have a CVSS score of 9.8 and allow an attacker to send specially crafted network packets that trigger remote code execution in the Windows Remote Desktop Licensing service. Moreover, the last vulnerability does not require authentication, making it particularly dangerous.

[Screenshot: Windows Updates menu]

Notably, this is the largest list of fixes in recent months, nearly matching the April patch release, in which Microsoft fixed 150 vulnerabilities. The patches address vulnerabilities across multiple segments of Microsoft products, including Windows, Office, Azure, .NET, Visual Studio, SQL Server, and Windows Hyper-V. One of the vulnerabilities is already being actively exploited in real-world attacks.

CVE-2024-38074, 38076, and 38077 Details

Despite all of the RCE flaws being rated at CVSS 9.8, some of them require authenticated access or specific privileges to exploit. For instance, a vulnerability in Microsoft SharePoint Server requires site owner rights to execute arbitrary code. One of the most significant vulnerabilities is an issue in Windows Hyper-V, which allows attackers to gain system privileges. To understand the severity of these vulnerabilities, let’s delve into the details.

CVE-2024-38023 vulnerability allows attackers with site owner rights in Microsoft SharePoint Server to execute arbitrary code on the server. An attacker with the necessary privileges can use specially crafted commands to execute code in the context of SharePoint Server. This vulnerability is particularly dangerous because it can lead to complete control over the server and leakage of confidential information.

Another remote code execution vulnerability (CVE-2024-38060) stems from a flaw in the Microsoft Windows codec library. It allows an attacker to upload a specially crafted TIFF file which, when processed by the system, triggers arbitrary code execution. However, to exploit this vulnerability the attacker must already have access to the system, making it less dangerous than fully remote attacks but still a significant risk.

The third vulnerability, CVE-2024-38080, is already actively exploited in real-world attacks. Attackers can use this vulnerability to escalate privileges in Windows Hyper-V, gaining access to system-level privileges. This can lead to complete control over virtualized environments, posing a serious threat to the security and integrity of the systems.

How to Stay Safe?

Vulnerabilities are an inherent part of software — past, present, and future. The only effective method to mitigate their risks is timely patching. To minimize these risks, Microsoft strongly recommends promptly installing the latest updates that address these vulnerabilities. And, well, despite the fact that Redmond tries its best to fix all the known flaws in time, there may be slip-throughs, even ones that exist for over a year.

Another layer of protection against exploitation is a zero-trust anti-malware solution. Not many are available for home users, but vulnerability exploitation typically targets corporate networks to begin with. A sturdy solution that thoroughly checks every action of any software, which is the essence of a zero-trust policy, is the most effective defense against such attacks.

Critical vulnerability in Office fixed, but macOS update is delayed
Published Wed, 12 Jan 2022 23:25:48 +0000 | https://gridinsoft.com/blogs/critical-vulnerability-in-office/

As part of the January Patch Tuesday, Microsoft engineers fixed a critical vulnerability in Office that could allow attackers to remotely run malicious code on vulnerable systems.

The RCE vulnerability identified as CVE-2022-21840 can be exploited on target devices with even the lowest privileges and in simple attacks that require user interaction. Basically, the user has to open a special Office document received from the attacker via mail or messenger. Fortunately, it is reported that the Outlook Preview Pane cannot be used as an attack vector.

“In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to a user and persuading the victim to open it. If we are talking about an attack scenario over the Internet, then an attacker can create a site (or use a compromised site that accepts or hosts user-generated content) containing a specially prepared file designed to exploit the vulnerability,” explains Microsoft.

Alas, renowned cybersecurity expert and CERT/CC analyst Will Dormann adds that the bug can be exploited through the Windows Explorer preview pane. That is, exploitation of the problem is still possible without direct user interaction and opening a malicious Office file. Instead, it is enough to select such a file in the explorer window with the preview pane turned on.

The irony of this situation is that Microsoft has already prepared patches for Microsoft 365 for Enterprise applications and the Windows versions of Microsoft Office, but is still working on fixes for the vulnerability in macOS. Mac users running Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac will therefore have to wait: there are no fixes for them yet, and no release dates have been announced.

Bleeping Computer notes that in November 2021, Microsoft was also unable to promptly provide Apple users with patches for the actively exploited 0-day vulnerability in Excel. That bug allowed unauthenticated attackers to bypass security mechanisms and launch an attack that did not require user interaction.

Let me remind you that recently we also wrote that Vulnerability in macOS Leads to Data Leakage, as well as that Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities.

Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware
Published Wed, 15 Dec 2021 21:13:40 +0000 | https://gridinsoft.com/blogs/microsoft-patches-windows-appx-installer-vulnerability/

The last Patch Tuesday of this year, in December, brought fixes for six 0-day vulnerabilities in Microsoft products, including a bug in the Windows AppX Installer that the Emotet malware uses to spread.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (7.1 CVSS). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

“An attacker could create a malicious attachment for use in phishing campaigns. The attacker would then have to convince the user to open that attachment. Users whose accounts are configured with fewer rights in the system may be affected to a lesser extent than users who work with administrator rights,” the company warns.

Bleeping Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF files. While Microsoft does not directly link CVE-2021-43890 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:

  • CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
  • CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
  • CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
  • CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
  • CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

Cybersecurity researchers published an exploit for Windows that allows escalating privileges
Published Tue, 23 Nov 2021 18:11:21 +0000 | https://gridinsoft.com/blogs/cybersecurity-researcher-published-an-exploit-for-windows/

Bleeping Computer reported that a cybersecurity researcher has published an exploit for a new zero-day vulnerability that can be used to escalate local privileges in all supported versions of Windows, including Windows 10, Windows 11 and Windows Server 2022.

The journalists write that they have already tried the exploit in action and were able to open the command line with SYSTEM privileges using an account with Standard privileges.

“BleepingComputer tested Naceri’s ‘InstallerFileTakeOver’ exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with ‘Standard’ privileges, as demonstrated in the video below. The test was performed on a fully up-to-date Windows 10 21H1 build 19043.1348 installs,” Bleeping Computer journalists reported.

And posted a video demonstration:

This month, as part of Patch Tuesday, Microsoft patched the Windows Installer privilege escalation vulnerability CVE-2021-41379. This problem was discovered by cybersecurity researcher Abdelhamid Naceri, who has now reported that the patch can be bypassed, and the vulnerability then transforms into a more serious problem.

Naceri has already posted a PoC exploit for the new 0-day issue on GitHub, highlighting that the bug is dangerous for all supported OS versions. Naceri explains that while it is possible to configure Group Policy to prevent Standard users from performing MSI installer operations, the new vulnerability bypasses this policy.

“This variant [of the vulnerability] was discovered during the analysis of the patch for CVE-2021-41379: the bug was fixed incorrectly and, on the contrary, provided a workaround [fix]. Any attempt to patch the binary directly will break the Windows Installer. So, you better wait and see how Microsoft will screw the patch again,” the expert writes.

When reporters asked Naceri why he publicly disclosed information about a serious 0-day vulnerability, he replied that he was disappointed with the decrease in the size of rewards in Microsoft’s bug bounty program.

“Microsoft’s bug bounty went bad in April 2020. I really would not have done this if MSFT had not made the decision to lower payments,” the specialist explained.

Let me remind you that recently we also wrote about another vulnerability in Windows 10 that could allow gaining administrator privileges.

Microsoft fixes 81 bugs, including vulnerability under attacks
Published Tue, 12 Oct 2021 10:03:32 +0000 | https://gridinsoft.com/blogs/microsoft-fixes-81-bugs-including-vulnerability-under-attacks/

Microsoft has released updates for its products: in total, the company fixed 74 bugs this month (81 if vulnerabilities in Microsoft Edge are included), three of which are classified as critical, four have the status of zero-day vulnerabilities, and one is already being exploited by hackers.

Of the four 0-day vulnerabilities, the one already under attack is a privilege escalation issue in the Win32k kernel driver. The problem was identified as CVE-2021-40449 (7.8 on the CVSS scale) and was discovered by Kaspersky Lab specialists.

In a detailed report, the experts said that the vulnerability belongs to the use-after-free class and was found in the NtGdiResetDC function of the Win32k driver. It leaks the addresses of kernel modules in the computer’s memory, and attackers use it to elevate the privileges of another malicious process.

The bug was reportedly abused by Chinese hackers, who used it to download and launch the MysterySnail RAT. MysterySnail is reported to be used most often in espionage operations against IT companies, diplomatic organizations and companies working for the defense industry.

The experts found a number of similarities between the code and functions of MysterySnail and the malware used by the well-known IronHusky group. Some of the C&C addresses had also already been used in 2012 in attacks by a Chinese-speaking APT group.

First of all, the Trojan collects information about the infected system and sends it to the C&C server. After that, through MysterySnail, attackers can issue a number of commands: for example, create, read, or delete a specific file, create or delete a process, download a directory list, open a proxy channel and send data through it.

“In addition, quite interesting functions were implemented in the Trojan. So, the Trojan not only knows how to view the list of connected drives, but can also monitor the connection of external drives in the background. In addition, the Trojan can launch the interactive shell cmd.exe, having previously copied the cmd.exe file itself to a temporary folder under a different name,” Kaspersky Lab said.

The exploit for CVE-2021-40449 supports a number of operating systems of the Microsoft Windows family: Vista, 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Windows 10 (build 14393), Server 2016 (build 14393), Windows 10 (build 17763), and Server 2019 (build 17763). But, according to the experts, it was written specifically to elevate privileges on server versions of the OS.

Also, as mentioned above, this month Microsoft fixed three other publicly disclosed vulnerabilities, which, however, were not used in hacker attacks:

  • CVE-2021-40469 (CVSS 7.2) – vulnerability in Windows DNS Server, leading to remote code execution;
  • CVE-2021-41335 (CVSS 7.8) – Windows kernel privilege escalation vulnerability;
  • CVE-2021-41338 (CVSS 5.5) – A bypass vulnerability in the Windows AppContainer Firewall rules.

Let me remind you that I also reported that New feature in Exchange Server will apply fixes automatically.

Microsoft releases patches for 44 vulnerabilities, including three 0-days
Published Thu, 12 Aug 2021 16:33:20 +0000 | https://gridinsoft.com/blogs/microsoft-releases-patches-for-44-vulnerabilities/

As part of Patch Tuesday this week, Microsoft released patches for 44 vulnerabilities (51 including bugs in Microsoft Edge), seven of which were classified as critical, three were 0-day, and one was already under attack.

Patches released this month cover .NET Core and Visual Studio, ASP.NET Core and Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge, Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and so on.

“Of the 44 vulnerabilities, 13 were related to remote code execution, eight were related to information disclosure, two were related to denial of service, and another four were related to various spoofing,” Microsoft says.

This month, Microsoft released updates for two zero-day vulnerabilities that were previously reported. The first of these is the PrintNightmare problem, which we have written about more than once. This vulnerability allows an attacker to gain System-level privileges simply by connecting to a remote print server under their control.

Microsoft is now confident that it has finally fixed this problem by patching the newly discovered variants of the bug. In addition, users now need administrator rights to install Point and Print drivers.

The second fixed 0-day vulnerability is PetitPotam, which uses the MS-EFSRPC API to force remote Windows servers to authenticate to an attacker and share NTLM authentication data or authentication certificates with them.

Another zero-day vulnerability, which, according to the company, is already being exploited by hackers, is CVE-2021-36948 (7.8 on the CVSS scale). The issue is a local privilege escalation in Windows Update Medic. Who exploited this bug, and how, has not yet been reported.

Also worth noting is a critical bug rated 9.9 on the CVSS scale (affecting Windows 7-10 and Windows Server 2008-2019): this vulnerability is in the Windows TCP/IP stack and leads to remote code execution (CVE-2021-26424). There is also a remote code execution problem in the Remote Desktop Client (CVE-2021-34535), which scored 8.8 on the CVSS scale.

Let me remind you that last month Microsoft patched 117 vulnerabilities, including 9 zero-day vulnerabilities.

Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities
Published Wed, 14 Jul 2021 13:54:04 +0000 | https://gridinsoft.com/blogs/microsoft-patches-117-vulnerabilities/

As part of July Patch Tuesday, Microsoft released patches for 117 vulnerabilities, of which 13 were classified as critical. The July set of patches is thus twice as large as the May and June “Patch Tuesday” releases combined.

This time, bugs were fixed in products such as Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows kernel, Windows SMB, and so on.

44 vulnerabilities were associated with remote code execution, 32 with privilege escalation, 14 with information disclosure, 12 provoked denial of service, 8 allowed bypassing various security functions, and another 7 were associated with spoofing.

In addition, this month the company fixed nine zero-day vulnerabilities at once, four of which have already been used for attacks. The following 0-day issues have been fixed, but hackers haven’t used them yet:

  • CVE-2021-34492: Certificate forgery vulnerability in Windows;
  • CVE-2021-34523: Privilege escalation vulnerability in Microsoft Exchange Server;
  • CVE-2021-34473: Remote Code Execution Vulnerability in Microsoft Exchange Server;
  • CVE-2021-33779: Windows ADFS Bypass Vulnerability;
  • CVE-2021-33781: Active Directory bypass vulnerability.

As for the bugs that hackers have already adopted, one of them is the PrintNightmare problem (CVE-2021-34527), which I described in detail earlier.

By the way, I also reported that Microsoft declares that Printnightmare patch works correctly.

And three other vulnerabilities under attack that were not previously known are:

  • CVE-2021-33771: Windows Kernel Privilege Elevation Vulnerability;
  • CVE-2021-34448: scripting engine memory corruption vulnerability;
  • CVE-2021-31979: A privilege escalation vulnerability in the Windows kernel.

Along with Microsoft, other companies have released updates to their products this week.

Patches released:

Let me remind you that a month ago we also reported on six 0-day vulnerabilities fixed in Windows, including a commercial exploit issue.

Six 0-day vulnerabilities fixed in Windows, including a commercial exploit issue
Published Wed, 09 Jun 2021 19:12:23 +0000 | https://gridinsoft.com/blogs/six-0-day-vulnerabilities-fixed-in-windows/

As part of June Patch Tuesday, 50 vulnerabilities in Microsoft products were fixed, including six 0-day vulnerabilities in Windows.

Vulnerabilities that have been patched were found in Microsoft Office, .NET Core and Visual Studio, Edge browser, Windows Cryptographic Services, SharePoint, Outlook and Excel.

Six zero-day vulnerabilities that were already under attack were also addressed, with one of these problems clearly using a commercial exploit. The hackers were reported to have exploited the following bugs:

  • CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability;
  • CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability;
  • CVE-2021-31956: Windows NTFS Privilege Elevation Vulnerability;
  • CVE-2021-31962: Kerberos AppContainer Bypass Vulnerability;
  • CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability;
  • CVE-2021-31201: Privilege escalation vulnerability in Microsoft Enhanced Cryptographic Provider.

Details of the vulnerabilities have not yet been disclosed to give users and administrators more time to install patches (before attackers could understand how these bugs can be exploited).

The fact that four of the six issues are privilege elevation vulnerabilities suggests that attackers may have exploited them as part of the infection chain to gain elevated permissions on target systems (to later execute malicious code or steal sensitive information).

However, a little more is known about the CVE-2021-33742 bug (an RCE vulnerability in the MSHTML component, which is part of the Internet Explorer browser). For example, Google analyst Shane Huntley writes on Twitter that this problem is not only used for attacks, but an exploit for it seems to have been developed by a professional commercial vulnerability broker. According to the expert, the exploit was used by government hackers to attack targets in Eastern Europe and in the Middle East.

Microsoft also writes that the patches for CVE-2021-31201 and CVE-2021-31199 are related to the RCE issue CVE-2021-28550, which was fixed by Adobe developers last month.

Traditionally, we note that “update Tuesday” affects not only Microsoft solutions. Other manufacturers have also released patches for their products this week.

Adobe: Announced updates for ten products, fixing 39 different bugs. First place went to After Effects with eight critical vulnerabilities that can be exploited to execute code (all rated 7.8 on the CVSS scale). Five critical issues have been fixed in Acrobat and Reader, all of which allow arbitrary code execution, and two critical flaws have been fixed in Photoshop.

Intel: Issued 29 security bulletins covering 79 different vulnerabilities. More than half of these problems were identified within the company, and another 40% were the result of the bug bounty program.

SAP: The company has published 17 security bulletins. Almost all of the bugs fixed were relatively harmless, apart from a couple of major problems allowing remote code execution.

Android: Google has fixed over 50 vulnerabilities in its mobile OS, including several critical ones. The most serious of these, CVE-2021-0507, can be used for remote code execution. The bug affects Android 8.1, 9, 10 and 11, as does another critical flaw, CVE-2021-0516, which can be used for privilege escalation.

Let me remind you that I talked about the fact that Hackers Bypass Firewalls Using Windows Feature.

IIS bug with worm potential poses a threat to WinRM servers
Published Mon, 24 May 2021 21:39:48 +0000 | https://gridinsoft.com/blogs/iis-bug-with-worm-potential/

As part of the May “Patch Tuesday” Microsoft has fixed a dangerous bug with worm potential in Internet Information Services (IIS), which received the identifier CVE-2021-31166.

Last week, many researchers and information security companies wrote that this vulnerability is one of the most serious problems fixed this month (9.8 out of 10 on the CVSS v3 scale).

The vulnerability is a memory corruption bug in the HTTP protocol stack (HTTP.sys), which ships with all recent versions of Windows and is used by the Windows IIS web server. If this server is active, an attacker can send it a specially crafted packet and execute malicious code at the OS kernel level.

Worse, Microsoft warned that the vulnerability is wormable, that is, it could be used to create malware that spreads itself from server to server.

An exploit for this problem was recently released publicly. Fortunately, the vulnerability affects only the newest versions of the OS: Windows 10 2004 and 20H2, as well as Windows Server 2004 and 20H2, which are not yet very widespread.

Security researcher Jim DeVries has now discovered that the vulnerability also affects Windows 10 and Windows Server devices running the Windows Remote Management (WinRM) service, a Windows Hardware Management component that also relies on the vulnerable HTTP.sys.

“I haven’t seen it discussed anywhere, do you think this vuln could be exploited thru WinRM on 5985? The system process on my non-IIS Win10 PC appears to load http.sys. I finally found time to answer my own question. WinRM *IS* vulnerable. This really expands the number of vulnerable systems, although no one would intentionally put that service on the internet,” Jim DeVries wrote.

While ordinary users have to enable WinRM manually, on Windows Server endpoints in corporate environments WinRM is enabled by default, which leaves them vulnerable to attack if they run versions 2004 or 20H2.

“I don’t think this is a big risk for home PCs, but if someone crosses [a vulnerability] with a worm and ransomware, it can all grow wildly in the corporate environment,” the expert warns.

DeVries’ findings have already been confirmed by CERT/CC analyst Will Dormann, who successfully compromised the system using a previously published DoS exploit.

Dormann also discovered that more than 2,000,000 systems with the WinRM service running are reachable from the internet, although not all of them are vulnerable to CVE-2021-31166, because, as mentioned above, the bug affects only Windows 10 and Windows Server versions 2004 and 20H2.

Let me remind you that I also wrote that Microsoft developed a SimuLand lab environment for simulating cyberattacks.

On June “Patch Tuesday” Microsoft fixed 129 vulnerabilities in its products https://gridinsoft.com/blogs/on-june-patch-tuesday-microsoft-fixed-129-vulnerabilities-in-its-products/ Wed, 10 Jun 2020 16:13:05 +0000

This month’s “Patch Tuesday” became the largest in Microsoft’s history: 129 vulnerabilities were fixed at once. March 2020 with 115 fixes is in second place, and April 2020 with 113 fixes is in third place.

February’s “Patch Tuesday” delivered a comparatively “ridiculous” 100 patches, but among them was the sensational 0-day vulnerability in Internet Explorer that attackers were actively exploiting.

Overall, the company has issued 616 fixes so far this year, almost as many as in all of 2017.

“This time there were no 0-day vulnerabilities, which means that none of the fixed bugs was under attack,” Microsoft engineers said.

Of all 129 vulnerabilities, only 11 received critical status (they affect Windows itself, the Edge and Internet Explorer browsers, as well as SharePoint).

Another 109 problems are rated as important (they affect Windows, the company’s browsers, Office, Windows Defender, Dynamics, Visual Studio, Azure DevOps and Android applications).

The most serious problems this month include:

  • CVE-2020-1181 – remote code execution in Microsoft SharePoint
  • CVE-2020-1225, CVE-2020-1226 – remote code execution in Microsoft Excel
  • CVE-2020-1223 – remote code execution in Word for Android
  • CVE-2020-1248 – remote code execution in the Windows Graphics Device Interface (GDI)
  • CVE-2020-1281 – remote code execution in Windows OLE
  • CVE-2020-1299 – remote code execution when processing .LNK files
  • CVE-2020-1300 – remote code execution in the print spooler component
  • CVE-2020-1301 – remote code execution in Windows SMB
  • CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260 – remote code execution in the VBScript engine

Microsoft was not the only vendor to release patches this week: Adobe also fixed a number of serious problems in Flash Player, Framemaker and Experience Manager.

SAP developers released 17 security bulletins and prepared patches for Apache Tomcat (CVE-2020-1938), two bugs in SAP Commerce (CVE-2020-6265, CVE-2020-6264), a vulnerability in SAP SuccessFactors (CVE-2020-6279) as well as an issue in NetWeaver (CVE-2020-6275).

Intel has fixed more than 20 different vulnerabilities, including bugs in the Innovation Engine (CVE-2020-8675) and the Special Register Buffer (CVE-2020-0543). The latter, known as CrossTalk, allows confidential data to be leaked from SGX enclaves.
