Google Chrome Vulnerability Exploited in the Wild

The bug with heap buffer, that made the CVE-2023-4863 possible, is related to the way Chrome handles WebP images. By default, Windows assigns the browser as a way to display images of that format, and it remains unchanged in the vast majority of cases. Thus, the potential audience of exploitation is humongous – Chrome retains its monopoly on the browser market. WebP, at the same time, steadily substitutes “classic” image formats.

Originally, the flaw became known on September 6, 2023, after the corresponding research by Apple SEAR and Citizen Lab at The University of Toronto was sent to Google. The company, however, hesitates with publishing more extensive information upon the case. All that is known now is that the buffer overflow bug that happens during the WebP image reading can allow for arbitrary code execution. Alternatively, the browser may simply crash – which is to be expected with buffer overflow bugs. On the CVE MITRE resource, the exploit is listed though lacks any details besides the basics I’ve already mentioned.

How Critical CVE-2023-4863 is?

Arbitrary/remote code execution bugs are quite common to receive highest marks on exploit severity ratings. And when combined with eased in-the-wild usage and large selection of targets, the threat becomes truly massive. Millions of people use Chrome on a daily basis, and facing WebP images is common as well. Hackers can try to do whatever they want to millions of users, by simply sending the specifically crafted image.

Protect Yourself Against Chrome Exploits

Despite Google being sluggish with publishing the way the exploit works, they are fast on updates. The updates 116.0.5845.187/.188 for Windows (Stable/Extended) and 116.0.5845.187 for Mac have the vulnerability fixed. Updating the browser is plain and simple – go to Settings, and get down to the About Chrome button. Clicking it will initiate the browser update checkup, and if there is a newer version available – you’ll receive it.

But what can you do to avoid falling victim to exploits that were not uncovered and/or patched? Zero-trust is the only option that gives you reliable protection against such exploits. Its name is self-explanatory – solutions with such a policy treat any program as potentially dangerous. However, solutions with such a policy are mostly oriented towards corporate clients. And overall, negatives of having a paranoiac security solution in your system overwhelm situational profits. For individual users, I’d recommend looking for other options.

Your own awareness gives you a great advantage. The vast majority of phishing attacks bear on a single supposement – the victim will be too ignorant and reckless to notice the incoming fraud. And what can be more pleasant than crushing fraudsters’ hopes? Sure, this requires knowledge of what exactly you should seek, but these tips will do you a great service even away from scam avoidance.

The post Google Fixes Critical Vulnerability in Chrome, Exploited in the Wild appeared first on Gridinsoft Blog.

Ivanti EPMM Vulnerabilities Keep Going

On July 25, 2023 Ivanti released a note regarding the vulnerability in their EPMM device management software. They offered to install a patch to secure the software vulnerability (dubbed CVE-2023-35078) that allowed hackers to bypass authentication and access all the functionality of the app. Obviously, it received a top 10/10 CVSS rating. Bad news here is that the vulnerability was reportedly exploited since April 2023. The patch offered by the company allegedly closes the unauthorised access capabilities.

Soon after, another security loophole was discovered. CVE-2023-35081 is a path traversal vulnerability that allows for unauthorised access to the files stored on the server. Unfortunately, the scale of this breach exploitation is around the same as the previous one – hackers used them along to fulfil different targets within one attack.

Thing is, not everything is ideal for the patched 2023-35078 vulnerability. Researchers found a way to do pretty much the same trick to the patched version as hackers did earlier. The new breach is possible for older versions of the EPMM – 11.2 and below – and received an index of CVE-2023-35082. Even after the patch, applications were not able to provide a sustainable security level. Fortunately, no cases of exploitation of this vulnerability have been discovered yet. But as we know, once 0-day vulnerability becomes an n-day one, its usage becomes much more widespread.

How to protect against CVE-2023-35082?

The only – and the most effective advice there is updating Ivanti EPMM to any of the versions newer than 11.2. It may be troublesome to perform such an update simultaneously in a huge network of devices, though efforts there are much more preferable than efforts on fixing the outcome of a cyberattack. Though, there could be several other solutions – not preventive, but still effective.

Adopt cybersecurity solutions with zero-trust policy. The baddest modern cyberattacks are done through vulnerabilities in trusted software, the only solution is to not trust at all. EDR/XDR solutions that are built around such a conception have their downsides, apparently, but the effectiveness of their protection is undoubted. Either it is a hand-made utility or a program with over 1 million users – it will thoroughly check all the actions it does.

Use UBA and SIEM to improve visibility and response in the environment. The aforementioned zero-trust security systems will greatly appreciate additional sources of information. This is almost essential in large networks that consist of different types of devices. Being aware and being able to respond as quickly as possible is vital in modern cybersecurity, when the count can go on for minutes.

The post Ivanti EPMM Vulnerability Patch is Vulnerable appeared first on Gridinsoft Blog.

Analysts found new vulnerability in Ivanti EPMM

Currently, two vulnerabilities are being actively exploited by malicious cyber actors. It is making them a common attack vector that poses significant risks to the federal enterprise. EPMM users are strongly advised to apply the available patches as soon as possible to protect themselves. Last week, it was disclosed that one of the vulnerabilities, known as CVE-2023-35078 and with a maximum-possible CVSS v3 rating of 10, was used in an attack against twelve ministries in the Norwegian government.

Many IT departments worldwide, including several U.S. government agencies, use Ivanti’s EPMM software to manage mobile devices, apps, and content. However, a newly discovered bug (CVE-2023-35081) has been identified. This vulnerability is a path traversal flaw with a CVSS v3 rating of 7.2. It permits an attacker to write any files onto the appliance.

The company expressed gratitude towards cybersecurity firm Mnemonic for helping them identify a new vulnerability. Mnemonic warned in a blog post that remote file writing vulnerabilities can seriously compromise system security. Also, it is leading to various types of attacks, such as data breaches and system takeovers. Researchers from Mnemonic reported that the new EPMM vulnerability was exploited with CVE-2023-35078 to write Java server pages and Java .class files to disk.

Report from CISA

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging security teams to patch vulnerabilities recently reported by Ivanti. CISA specified that both CVE-2023-35081 and CVE-2023-35078 were being actively exploited. The patches newly released for CVE-2023-35081 also include patches for CVE-2023-35078.

CISA explained that if CVE-2023-35078 remains unpatched, attackers can gain EPMM administrator privileges, enabling them to write arbitrary files with the operating system privileges of the web application server. The agency warned that the attacker could execute the uploaded file, such as a web shell.

Last week, CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities catalog and ordered all Federal Civilian Executive Branch government agencies to fix the issue by August 15. However, the agency has yet to take similar steps in regard to CVE-2023-35081.

How to avoid significant cyberattack?

Organizations that could potentially fall victim to cyberattacks should prioritize their defense. If a significant cyber attack does occur, it is recommended that the organization reset its cyber security approach and posture. After such an incident, every organization should reflect on its actions and decisions. This should serve as a lesson for not only government services but also companies.

• It’s crucial to implement strict access controls like strong passwords, multi-factor authentication (MFA), and role-based access control to prevent unauthorized access to sensitive data and systems.
• Keep your operating systems, software, and applications updated with the most delinquent security patches and updates to fix known vulnerabilities. Make sure to update these systems for optimal security regularly.
• One crucial responsibility for organizations is to adopt the Zero Trust principles, which can significantly enhance security measures by following the ‘trust-none, verify all’. Every user, device, and connection must be authenticated before access to your business network and its essential assets and sensitive data.
• It’s essential to stay up-to-date on the latest vulnerabilities and learn safe online practices to protect yourself and your team. Always be careful when sharing sensitive information online or with people you don’t know.

The post The Second Exploit in Ivanti EPMM in a Week appeared first on Gridinsoft Blog.

What is Ivanti Company?

Ivanti is an IT software company headquartered in Utah, United States. It produces a variety of IT management and security solutions. Many organizations use the company’s products, including businesses, government agencies, and educational institutions. For example, almost all Norwegian ministries use Ivanti Endpoint Manager Mobile except a couple of ones. Having such important clients is always a huge responsibility, and unfortunately not everyone is capable of mitigating all the risks.

Ivanti EPMM 0-day Vulnerability

ACSC has received reports of a vulnerability in Ivanti EPMM (Endpoint manager mobile), also known as MobileIron Core, affecting all versions below 11.8.1.0. In brief, the vulnerability is CVE-2023-35078 and allows remote access to the API without authentication. It has the maximum severity rating of the CVSS scale and is a 10 out of 10 possible. While Ivanti said it received the information from a reliable source, the company did not disclose any further details about the nature of the attacks or the attacker’s identity behind them. Nevertheless, the Norwegian National Security Authority (NSM) confirmed that unknown attackers exploited the vulnerability to attack the State Organization for Security and Services (DSS). Thus, attackers could likely access and steal sensitive data from the compromised platform.

However, on Sunday, the company released a security patch that users can install by upgrading to EPMM 11.8.1.1, 11.9.1.1.1, and 11.10.0.2. However, versions below 11.8.1.0 that are outdated and unsupported have also received the update.

CVE-2023-35078 Details

CVE-2023-35078 is a zero-day authentication bypass vulnerability. It provides remote API access without authentication to specific paths. That is, an attacker can access personally identifiable information such as usernames, phone numbers, and other mobile device information on the vulnerable system. An attacker can also make configuration changes, including creating an EPMM administrator account for additional changes to the vulnerable system. The vulnerability affects all supported versions of EPMM (v11.10, 11.9, and 11.8) and earlier unsupported releases. However, the vulnerability is patched in versions 11.10.0.2, 11.9.1.1, and 11.8.1.1.1. Since CVE-2023-35078 has a maximum CVSS severity level of 10.0 and is easily exploitable, experts strongly recommend updating all devices, even EOL devices. Otherwise, if you cannot update the appliance, it is recommended to switch off.

In addition, Ivanti has published a password-protected security advisory. However, only customers with login credentials can access it, which is perplexing. The company also clarified that the vulnerability is not used in a supply chain attack. IoT search engine Shodan found more than 2,900 MobileIron user portals are publicly available on the Internet, mainly in the US and Europe. About 30 of them are associated with local and state governments in the United States. The most vulnerable servers are in the US, Germany, the UK, and Hong Kong. The Norwegian National Cyber Security Center has notified all known system owners in the country that have MobileIron Core available on the Internet of a security update that has been issued.

How to secure against Ivanti 0-day vulnerability?

Well, the Norwegian government is not the only client of Ivanti. Companies from different corners of the world use their software, and appear to have a soft spot at the place no one expected. Here are some steps you can take to secure against the Ivanti 0-day vulnerability.

• Apply the latest security patches. It’s the first action you must take since Ivanti has released a patch to address the vulnerability. So, you should apply the patch as soon as possible to protect your organization.
• Use multi-factor authentication (MFA). It adds a layer of security to your organization’s IT systems. MFA requires users to use two or more pieces of identification to authenticate themselves. This way is making it more difficult for attackers to access your systems.
• Monitor your IT systems for suspicious activity. You should monitor them for suspicious activity, such as unauthorized access attempts or unusual traffic patterns. As we can see, it will help you to identify and respond to attacks.
• Educate your users about security best practices. Users are the first defense against cyberattacks. You should educate your users about safety best practices. For example, they must avoid clicking suspicious links or opening attachments from unknown senders.

By following these steps, you can help to protect your organization against the 0-day vulnerability and other cyberattacks.

The post Ivanti 0-day exploited to target Norwegian government appeared first on Gridinsoft Blog.

NortonLifeLock Hacked via MOVEit Vulnerability

The vulnerability in Progress’ MOVEit MFT solution set the whole cybersecurity community abuzz. It allowed hackers to send external login requests to the cloud SQL database. After a successful brute force in such a manner, the crooks were receiving full access to the web repository – meaning they could upload their files and manage existing ones. Despite the patch being released pretty soon after the vulnerability discovery, it was too late. Threat actors, particularly ones who stand behind Cl0p ransomware, successfully abused the vulnerability to breach into the companys’ networks.

NortonLifeLock company, the developer of a famous Norton Antivirus, appears to be hacked via this breach as well. Along with 80+ other companies, it was listed on the Cl0p’s Darknet leak site since the beginning of summer 2023. It is not clear though whether exactly MOVEit vulnerability was used, and if it was – which one of several uncovered ones was used.

What is Cl0p Ransomware?

Cl0p ransomware gang is a Russian ransomware project backed by the threat actor known under the FIN7/Sangria Tempest name. A lot of facts point at FIN7 being related to Russian external reconnaissance service (a.k.a. SVR). The gang is famous for its cheeky pick of targets, particular passion at hacking into educational institutions and heavy use of novice software vulnerabilities. Earlier this year, Cl0p ransomware was spread after the use of vulnerability in PaperCut – another MFT solution. Though, the list of all security breaches it uses is obviously far bigger.

Getting back to the Norton hack, in the note on the Darknet site, Cl0p said nothing about the negotiations. If the company refuses to pay, hackers disclose this fact and publish the leaked data. This is not the case of Norton – their record says only about the fact of the hack. The negotiation commonly takes up to several weeks – especially if the company is ready to pay, but wishes to discuss the ransom sum.

How to protect against MOVEit vulnerability?

For any cybersecurity company, being hacked is a big reputational loss. Even though Norton is not guilty of MOVEit vulnerabilities, they were hacked and potentially let the user information leak – and that is already image-busing. Though until the detailed info regarding how exactly it was hacked, and how much data is lost, it is hard to say whether the users suffer or not. And despite Norton being not entirely guilty in this situation, they could use several preventive measures that minimise the chances of zero-day vulnerability exploitation.

Probably, the best method for 0-day counteraction is using a zero-trust security solution. They have their disadvantages – particularly high resource consumption and higher access delays – but their effectiveness is exceptionally good. When set up properly, they will not allow any program to perform an action without the diligent checkup, and that is what could have stopped the Cl0p at the moment of MOVEit breach exploitation.

The post NortonLifeLock Hacked by Cl0P Gang, Using MOVEit Vulnerability appeared first on Gridinsoft Blog.

What is PaperCut?

PaperCut is a print management solution, which allows fine-tuning printer usage. It provides features such as print job tracking, print quota management, cost allocation, and secure printing, among others. The latter is exceptionally needed to prevent possible data leaks within the company. The software supports a wide range of different printers, scanners, and other devices of that purpose. It is a pretty popular solution – the latest data says about 100+ million users around the world. It can be very, very unfortunate if something that popular is unsafe.

Two Vulnerabilities Found in PaperCut Software

Recent research shows that PaperCut has two vulnerabilities – one is bad, and the other is horrifying. Let’s start with the most worrying one. CVE-2023-27350 allows remote code execution (RCE) without any authentication. RCE/ACE vulnerabilities are extremely dangerous, and seeing a 9+ CVSS rate for them is a common thing. This one received 9.8 points – equalling the recently-discovered MSMQ vulnerability.

Even more unpleasant is the fact that crooks already succeeded in using this vulnerability for cyberattacks. TrendMicro reported about hackers using the RCE vulnerability to execute a PowerShell script. The latter have downloaded a ransomware payload, circumnavigating passive security solutions present in the network. Threat actors did this trick using Windows Network Shell (netsh) utility. Another interesting feature of that attack is the use of temporary data hosting for payload delivery. In 60 minutes, the file is removed automatically from the hosting, leaving 0 evidence.

CVE-2023-27351 is less severe, yet still unpleasant. It also allows unauthorised access, but this time users’ information is under attack. Hackers can extract things like full names of the users, usernames, emails and even card numbers. All this information is available from user profiles created in PaperCut MF servers. It can potentially allow attackers to extract credentials to the PaperCut accounts.

List of PaperCut software vulnerable to mentioned exploits:

How to Protect Against PaperCut Vulnerability?

Fortunately for all corporations that use the program, the developer already acknowledged that issue and released a security update. They recommend installing the latest updates available for vulnerable software as soon as possible. Such a rapid reaction is greatly appreciated, but companies generally tend to delay updates. This may be caused by numerous factors, some of which are hard to deal with. For that reason, preventive measures may be a more convenient option.

Most effective solution against exploitation is anti-malware software with a zero-trust policy. It supposes that no software is trusted, and each action must be checked. Modern EDR/XDR solutions generally opt for this exact policy, as it provides way higher protection rates against modern threats. Certainly, it has its downsides – but they are dim compared to the consequences of ransomware attack or APT activity.

Additional solution there is using active network protection. As I mentioned above, hackers used netsh to trick the firewall restrictions and reach the file hosting. More advanced network security solutions, like Network Detection and Response systems, are invulnerable to this. They will also make it much easier to analyse the cyberattacks (or their attempts), and implement urgent reactive measures.

The post PaperCut Vulnerability Allows RCE, Exploited in the Wild appeared first on Gridinsoft Blog.

What is Microsoft Message Queueing?

Microsoft Message Queueing, or MSMQ, is an infrastructure element for sharing messages within a local network. At the time of its release – 1997 – it provided a convenient way to communicate with all machines in a nonhomogeneous network. The very essence of that application is turning around the guarantee that the message will be delivered. Security features, as well as other useful elements that made it more convenient to use rendered MSMQ a pretty popular solution for networks. Later, however, it was pushed out from use by newer Microsoft products, like Azure Queues.

Despite being officially ceased from further development, it still receives security updates. Microsoft promises to support it unless the last Windows version it is present in will be supported with security patches. Networks that consist of older computers, are not compliant with modern software or are managed by conservative administrators, still use MSMQ. But the low usage and absence of functionality updates do not mean absence of vulnerabilities. The latter is especially true given that MSMQ is still present even in the latest Windows/Windows Server versions – 11 and 2022.

MSMQ Vulnerability Allows Remote Code Execution

The patch note for 2023 April Patch Tuesday contains information about almost a hundred different breaches that Microsoft managed to fix. A tiny CVE-2023-21554 is not noticeable unless you’re looking at its detailed explanation. As it turns out, the vulnerability supposes the ability to gain control over the reigning process of an entire MSMQ mechanism – mqsvc.exe. Analysts already coined it QueueJumper. Having their hands on that process, hackers can easily make it run any code. Such breaches are classified as remote or arbitrary code execution, and are often guests to the top of vulnerability charts.

Having such an ability is sour, but even more so is having it so easy to exploit. Sending a single packet, forged specifically for exploitation, through the TCP port 1801, gives hackers control over the aforementioned mqsvc.exe. This is pretty easy to do, as you may guess. And given that MSMQ is still present even in the most modern systems, it is feasible for hackers to use it for their dirty deeds. For sure, using it supposes that hackers should be able to reach the 1801 port, meaning it is open to network connections. But now it is a way less common peephole than the RDP’s port 443, and it is open by default.

How to Fix MSMQ Vulnerability? And should I?

After Microsoft published the breach with its detailed explanation in its patch note, nothing stops hackers from using the breach. So yes, it is worth fixing it as soon as possible. RCE/ACE vulnerabilities always bring advanced dangers, as they are commonly used for initial access and malware unfolding. Considering all I told you above about the ports and ease of its exploitation, it is just a matter of time when crooks will put it to use.

Fortunately, the patch that closes the breach is already available. The aforementioned Patch Tuesday fixes this, and numerous other vulnerabilities. Installing it is the easiest and the fastest way to forget about such a threat. However, updates are not that easy to install on all machines when we talk about large corporate networks. For these cases, Microsoft offered a pretty straightforward solution – closing port 1801 from external connections manually. It still does not fix the ability to take over the MSMQ process but makes the exploitation way more complicated and less efficient.

The post MSMQ Vulnerability Allows Remote Code Execution appeared first on Gridinsoft Blog.

What is Microsoft SmartScreen?

For those who are not familiar with the internal security mechanisms in Windows, Microsoft SmartScreen is a security utility that notifies the user whether the application it tries to run is dangerous. The key way it understands secureness is the application’s digital certificate. The latter should have a valid signature of a company or a developer. The certificate authority (CA) assures the one, so only legit ones will pass through.

Users may notice the SmartScreen work when they launch an app with no certificate, or when the one is outdated. A pop-up appears, warning the user that it may be dangerous to run that thing, and thus SmartScreen banned its immediate execution. Sure, it does not always work perfectly, blocking legit programs that have outdated certificates – that unfortunate occurrence may happen even with well-known developers. Nonetheless, hackers found a way to circumvent that mechanism and make the programs run regardless of the certificate.

New SmartScreen Exploitation Way

Threat actors never sleep, especially when companies whose products they used to exploit start putting spokes in the wheels. Recent changes in Microsoft policy regarding the execution of the files that arrived from the Internet made it troublesome to spread malware in the usual way. In particular, a huge volume of malware that cybercriminals generally delivered through vulnerable macros in MS Office ceased with this change. For that reason, they decided to approach hacking Windows security from a different angle.

The new breach is not having a whole lot of really new concepts. CVE-2023-24880 describes a way to seamlessly run the MSI file with a specifically smurfed signature. It does not feature a valid Authenticode signature, but the malformed one. Under that condition, the SmartScreen will return an error and allow the execution. But as it turns out, this exact spot crooks were exploiting earlier – but with the use of other file types. In November 2022, threat actors associated with Magniber ransomware were using JavaScript files with a signature spoofed in pretty much the same way. That vulnerability, in turn, received an index of CVE-2022-44698.

Explanation of SmartScreen Exploit

Under the cover, the mechanism of confusing the security mechanisms looks like the following. There are 3 elements in the system that are used to make sure if the program is legit and good to go without the SmartScreen warning. Those are shdocvw.dll, wintrust.dll – a library that helps the SmartScreen to make a decision, and the exact smartscreen.exe.

During the normal checkup, SmartScreen calls for wintrust.dll and requests it to parse the program signature. If everything is OK, the program starts without any warnings. When it’s not, a shdocvw.dll will display a warning window. While working with a specifically spoofed certificate, SmartScreen routinely asks wintrust.dll for verification. That request, however, returns a value that causes smartscreen.exe to send an error message to shdocvw.dll. The latter will fail to start in such conditions, making the program run with no restrictions.

The way they are spoofing certificates hides in the SignedData structure in the file sections. Among other things, it carries certificates that validate the signature and SignedInfo structure. All this info is required for the wintrust.dll to ensure the validity of the signature. To help it navigate through these sections, there is a CERT_CONTEXT structure pointer. Hackers force this pointer to gain a NULL value by giving it a signature that does not contain the SignerInfo serial number. The resulting E_INVALIDARG output goes to shdocvw.dll, making it fail as well. As we already mentioned, this mechanism is identical to the one used in CVE-2022-44698.

Is this vulnerability dangerous?

Obviously, this breach is the one to worry about. As crooks are looking for another way to run malware on the device without triggering alarms, it is obvious that such a thing will be put to use. And the same group of cyber burglars – Magniber – is already using it. They reportedly scored several victims in early spring 2023, using .msi files with a modified certificate. The group used to deploy ransomware to single-user systems since 2018, attacking mostly users from Thailand and South Korea. The signature thing of that ransomware is that a single sample will add a unique signature to the ciphered files. That being said, crooks generate a unique sample for each small group of victims, making the outbreaks hard to track. Another notable thing is the use of vulnerabilities to deploy malware – like the article subject.

Still, nothing stops other cybercriminals from using that breach. Microsoft already released a patch in their March 14 Patch Tuesday (KB5023706), but as it usually happens, users are not hastening to install it. Previous patches that fixed critical vulnerabilities, such as the infamous EternalBlue, for example, are still not installed massively enough to prevent this breach from successful exploitation. And the minor patch that closes not-that-widely-known vulnerability is even less likely to be installed in time.

How to stay secure?

Being secured against modern cyber threats should be a major concern for both home and corporate users. Some measures, especially in corporations, are about to be deployed globally and under the control of system administrators/cybersecurity teams. But there are enough places we can personally tie up the loose thing.

• Avoid launching the files from an untrustworthy source. Programs or files you got somewhere on the Internet, particularly from sites with pirated software or anonymous forums, should be treated with caution. If you cannot avoid interacting with it, try to check the downloaded item with anti-malware software, or using services like VirusTotal. But the best way to have less pain in the neck is to use only official sources.
• Be suspicious of any email you receive. One of the most popular sources of malicious files is spam emails. Sure enough, it may be challenging to distinguish the one, especially when hackers are doing their best to disguise it as legitimate. Still, checking some things, like the sender’s address, and appealing to common sense will make the task much easier.
• Update your software as often as possible. All the software vendors release minor updates not just to annoy you with the “update me” pop-up. Most often, such things contain bug fixes, and what is more important – vulnerability patches. There are several names which products should be taken care of especially well – Adobe, Microsoft, and Oracle. Yet other updates are not about to be ignored either.
• Use top-rated anti-malware software. It is always handy to have something that will solve certain problems for you. Instead of spending time and effort trying to figure out whether the file is malicious or not, you can ask a program to do it for you. Of course, not each one will fit to deal with the threats I was describing above. You need to pick the one which can boast of a multi-component scanning system and the ability to provide on-run protection. I’d recommend you to try out GridinSoft Anti-Malware – it can detect any threat, thanks to the neural network and perfect proactive detection system.

The post New Microsoft SmartScreen Bypass Technique Causes Concerns appeared first on Gridinsoft Blog.

The issue in question is tracked as CVE-2022-22718 (CVSS score of 7.8) and, according to Microsoft, affects all versions of Windows.

At the same time, the company did not disclose almost any technical details of the bug, it was only reported that attackers can use the vulnerability locally, in attacks of low complexity and without any user interaction.

It is worth recalling that last year, Microsoft fought for a long time (and not always successfully) with various bugs in Print Spooler, including a critical PrintNightmare vulnerability that allows remote arbitrary code execution. Then, after accidentally leaking the technical details of the bug and PoC exploit, CISA experts warned administrators that they urgently needed to disable the Print Spooler service on domain controllers and systems not used for printing in order to block potential attacks.

Now, the nature of the attacks on CVE-2022-22718 and the identities of the perpetrators behind them are almost unknown, as the authorities are apparently trying to prevent further exploitation of the problem by other hack groups.

In addition, this week two other issues were added to the CISA catalogue of known exploited vulnerabilities, although they date back to 2018 and 2019:

• CVE-2018-6882 (CVSS score 6.1) – XSS Vulnerability in Zimbra Collaboration Suite (ZCS)
• CVE-2019-3568 (CVSS score of 9.8) is a stack buffer overflow vulnerability in WhatsApp VOIP.

The post Hackers Use Fresh Vulnerability in Windows Print Spooler in Real Attacks appeared first on Gridinsoft Blog.