The RCE vulnerability identified as CVE-2022-21840 can be exploited on target devices with even the lowest privileges and in simple attacks that require user interaction. Basically, the user has to open a special Office document received from the attacker via mail or messenger. Fortunately, it is reported that the Outlook Preview Pane cannot be used as an attack vector.

Alas, renowned cybersecurity expert and CERT/CC analyst Will Dormann adds that the bug can be exploited through the Windows Explorer preview pane. That is, exploitation of the problem is still possible without direct user interaction and opening a malicious Office file. Instead, it is enough to select such a file in the explorer window with the preview pane turned on.

The salt of this situation is that Microsoft has already prepared patches for Microsoft 365 for Enterprise applications and Windows versions of Microsoft Office, but is still working on fixes that eliminate the vulnerability in macOS. Thus, Mac users using Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac will have to wait – there are no fixes for them yet, and the exact release dates have not been reported.

Bleeping Computer notes that in November 2021, Microsoft was also unable to promptly provide Apple users with patches for the actively exploited 0-day vulnerability in Excel. That bug allowed unauthenticated attackers to bypass security mechanisms and launch an attack that did not require user interaction.

Let me remind you that recently we also wrote that Vulnerability in macOS Leads to Data Leakage, as well as that Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities.

The post Critical vulnerability in Office fixed, but macOS update is delayed appeared first on Gridinsoft Blog.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (7.1 CVSS). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

Bleeping and Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF. While Microsoft does not directly link CVE-2021-4389 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:

• CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
• CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
• CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
• CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
• CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

The post Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware appeared first on Gridinsoft Blog.

The journalists write that they have already tried the exploit in action and were able to open the command line with SYSTEM privileges using an account with Standard privileges.

And posted a video demonstration:

This month, as part of Patch Tuesday, Microsoft patched the Windows Installer privilege escalation vulnerability CVE-2021-41379. This problem was discovered by cybersecurity researcher Abdelhamid Naceri, who has now reported that the patch can be bypassed, and the vulnerability then transforms into a more serious problem.

Naseri has already posted a PoC exploit for the new 0-day issue on GitHub, highlighting that the bug is dangerous for all supported OS versions. Naseri explains that while it is possible to configure Group Policy to prevent Standard users from performing MSI installer operations, a new vulnerability can bypass this policy.

When reporters asked Naseri why he publicly disclosed information about a serious 0-day vulnerability, he replied that he was disappointed with the decrease in the size of rewards in Microsoft’s bug bounty program.

Let me remind you that recently we also wrote about another vulnerability in Windows 10 that could allow gaining administrator privileges.

The post Cybersecurity researchers published an exploit for Windows that allows escalating privileges appeared first on Gridinsoft Blog.

Of the four 0-day vulnerabilities under attack, there was already a privilege escalation issue related to the operation of the Win32k kernel driver. The problem was identified as CVE-2021-40449 (7.8 on the CVSS scale) and was discovered by Kaspersky Lab specialists.

In a detailed report, the experts said that the vulnerability belongs to the use-after-free class and was found in the NtGdiResetDC function of the Win32k driver. It leaks the addresses of kernel modules in the computer’s memory, and as a result, attackers use it to elevate the privileges of another malicious process.

The bug was reportedly abused by Chinese hackers who downloaded and launched RAT MysterySnail with it. It is reported that MysterySnail is most often used in espionage operations against IT companies, diplomatic organizations and companies working for the defense industry.

The experts managed to find a number of similarities in the code and functions of MysterySnail and the malware used by the well-known IronHusky group. Also, some C&C addresses were already used in 2012 in attacks by an APT group using the Chinese language.

The exploit for CVE-2021-40449 supports a number of operating systems of the Microsoft Windows family: Vista, 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Windows 10 (build 14393), Server 2016 (build 14393 ), 10 (build 17763), and Server 2019 (build 17763). But, according to experts, it was written specifically to elevate privileges on server versions of the OS.

Also, as mentioned above, this month Microsoft fixed three other publicly disclosed vulnerabilities, which, however, were not used in hacker attacks:

• CVE-2021-40469 (CVSS 7,2) – vulnerability in Windows DNS Server, leading to remote code execution;
• CVE-2021-41335 (CVSS 7.8) – Windows kernel privilege escalation vulnerability;
• CVE-2021-41338 (CVSS 5.5) – A bypass vulnerability in the Windows AppContainer Firewall rules.

Let me remind you that I also reported that New feature in Exchange Server will apply fixes automatically.

The post Microsoft fixes 81 bugs, including vulnerability under attacks appeared first on Gridinsoft Blog.

Patches released this month: .NET Core and Visual Studio, ASP.NET Core and Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge, Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and so on.

This month, Microsoft released updates for two zero-day vulnerabilities that were previously reported. The first of these is the PrintNightmare problem, which we have written about more than once. This vulnerability allows an attacker to gain System-level privileges simply by connecting to a remote print server under their control.

Microsoft is now confident that it has finally fixed this problem by improving new variations. In addition, users now need administrator rights to install Point and Print drivers.

The second fixed 0-day vulnerability is PetitPotam, which uses the MS-EFSRPC API to force remote Windows servers to authenticate an attacker and share NTLM authentication data or authentication certificates with him.

Another zero-day vulnerability, which, according to the company, is already exploited by hackers, is CVE-2021-36948 (7.8 on the CVSS scale). The issue is local privilege escalation in Windows Update Medic. Who exactly and how exploited this bug has not yet been reported.

Also, a critical bug with a rating of 9.9 on the CVSS scale (affecting Windows 7-10, Windows Server 2008-2019) cannot be ignored, as this vulnerability is associated with Windows TCP / IP and leads to remote code execution (CVE-2021-26424 ); and also the problem of remote code execution in the Remote Desktop Client (CVE-2021-34535), which scored 8.8 points on the CVSS scale.

Let me remind you that last month Microsoft patched 117 vulnerabilities, including 9 zero-day vulnerabilities.

The post Microsoft releases patches for 44 vulnerabilities, including three 0-days appeared first on Gridinsoft Blog.

This time, bugs were fixed in products such as Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows kernel, Windows SMB, and so on.

44 vulnerabilities were associated with remote code execution, 32 with privilege escalation, 14 with information disclosure, 12 provoked denial of service, 8 allowed bypassing various security functions, and another 7 were associated with spoofing.

In addition, this month the company fixed nine zero-day vulnerabilities at once, four of which have already been used for attacks. The following 0-day issues have been fixed, but hackers haven’t used them yet:

• CVE-2021-34492: Certificate forgery vulnerability in Windows;
• CVE-2021-34523: Privilege escalation vulnerability in Microsoft Exchange Server;
• CVE-2021-34473: Remote Code Execution Vulnerability in Microsoft Exchange Server;
• CVE-2021-33779: Windows ADFS Bypass Vulnerability;
• CVE-2021-33781: Active Directory bypass vulnerability.

As for the bugs that hackers have already adopted, one of them is the PrintNightmare problem (CVE-2021-34527), which I described in detail earlier.

By the way, I also reported that Microsoft declares that Printnightmare patch works correctly.

And three other vulnerabilities under attack that were not previously known are:

• CVE-2021-33771: Windows Kernel Privilege Elevation Vulnerability;
• CVE-2021-34448: scripting engine vulnerability leading to information corruption in memory;
• CVE-2021-31979: A privilege escalation vulnerability in the Windows kernel.

Along with Microsoft, other companies have released updates to their products this week.

Patches released:

• Adobe;
• Apache Tomcat;
• Cisco;
• developers of SUSE, Oracle Linux and Red Hat;
• SAP;
• Schneider Electric;
• Siemens;
• VMware.

Let me remind you that a month ago Microsoft specialists also tried Six 0-day vulnerabilities fixed in Windows, including a commercial exploit issue.

The post Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities appeared first on Gridinsoft Blog.

Vulnerabilities that have been patched were found in Microsoft Office, .NET Core and Visual Studio, Edge browser, Windows Cryptographic Services, SharePoint, Outlook and Excel.

Six zero-day vulnerabilities that were already under attack were also addressed, with one of these problems clearly using a commercial exploit. The hackers were reported to have exploited the following bugs:

• CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability;
• CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability;
• CVE-2021-31956: Windows NTFS Privilege Elevation Vulnerability;
• CVE-2021-31962: Kerberos AppContainer Bypass Vulnerability;
• CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability;
• CVE-2021-31201: Privilege escalation vulnerability in Microsoft Enhanced Cryptographic Provider.

Details of the vulnerabilities have not yet been disclosed to give users and administrators more time to install patches (before attackers could understand how these bugs can be exploited).

The fact that four of the six issues are privilege elevation vulnerabilities suggests that attackers may have exploited them as part of the infection chain to gain elevated permissions on target systems (to later execute malicious code or steal sensitive information).

However, a little more is known about the CVE-2021-33742 bug (an RCE vulnerability in the MSHTML component, which is part of the Internet Explorer browser). For example, Google analyst Shane Huntley writes on Twitter that this problem is not only used for attacks, but an exploit for it seems to have been developed by a professional commercial vulnerability broker. According to the expert, the exploit was used by government hackers to attack targets in Eastern Europe and in the Middle East.

Microsoft also writes that the patches for CVE-2021-31201 and CVE-2021-31199 are related to the RCE issue CVE-2021-28550, which was fixed by Adobe developers last month.

Traditionally, we note that “update Tuesday” affects not only Microsoft solutions. Other manufacturers have also released patches for their products this week.

Adobe: Announced updates for ten products, fixing 39 different bugs. First place went to After Effects with eight critical vulnerabilities that can be exploited to execute code (all rated 7.8 on the CVSS scale). Five critical issues have been fixed in Acrobat and Reader, all of which allow arbitrary code execution, and two critical flaws have been fixed in Photoshop.

Intel: Issued 29 security bulletins covering 79 different vulnerabilities. More than half of these problems were identified within the company, and another 40% were the result of the bug bounty program.

SAP: The company has submitted 17 security bulletins. Almost all of the bugs fixed were almost harmless, apart from a couple of major problems allowing remote code execution.

Android: Google has fixed over 50 vulnerabilities in its mobile OS, including several critical ones. The most serious of these, CVE-2021-0507, can be used for remote code execution. The bug affects Android 8.1, 9, 10 and 11, as well as another critical flaw, CVE-2021-0516, which can be used for privilege escalation.

Let me remind you that I talked about the fact that Hackers Bypass Firewalls Using Windows Feature.

The post Six 0-day vulnerabilities fixed in Windows, including a commercial exploit issue appeared first on Gridinsoft Blog.

Last week, many researchers and information security companies wrote that this vulnerability is one of the most serious problems fixed this month (9.8 out of 10 on the CVSS v3 scale).

The vulnerability is related to corruption of information in the memory of the HTTP protocol stack, which is included in all recent versions of Windows. This stack is used by the Windows IIS server. If this server is active, an attacker can send it a specially prepared packet and execute malicious code at the OS kernel level.

Worse, Microsoft warned that the vulnerability has the potential of a worm, that is, it could be used to create malware that spreads itself from server to server.

An exploit for this problem was recently published in the public domain. Fortunately, the vulnerability affects only the newest versions of the OS: Windows 10 2004 and 20H2, as well as Windows Server 2004 and 20H2, which are not yet very widespread.

Security researcher Jim DeVries has now discovered that the vulnerability also affects devices running Windows 10 and Windows Server running the Windows Remote Management (WinRM) service, a Windows Hardware Management component that also exploits the vulnerable HTTP.sys.

And if ordinary users have to enable WinRM manually, then on corporate endpoints of Windows Server WinRM is enabled by default, which makes them vulnerable to attacks if they use Windows versions 2004 or 20H2.

DeVries’ findings have already been confirmed by CERT/CC analyst Will Dormann, who successfully compromised the system using a previously published DoS exploit.

Dormann also discovered that more than 2,000,000 systems with the WinRM service running can be found on the network, although not all of them are vulnerable to CVE-2021-31166, because, as mentioned above, the bug affects only Windows 10 and Windows Server versions 2004 and 20H2.

Let me remind you that I also wrote that Microsoft developed a SimuLand lab environment for simulating cyberattacks.

The post IIS bug with worm potential poses a threat to WinRM servers appeared first on Gridinsoft Blog.

100 absolutely “ridiculous” Microsoft patches were presented in February “Patch Tuesday”, but among them was the sensational 0-day vulnerability in Internet Explorer, which actively used attackers.

Overall, the total number of corrections issued by the company this year accounts 616, and this is almost the same as for the entire 2017.

“This time there were no 0-day vulnerabilities, which means that any of the fixed bugs was under attack”, – said Microsoft engineers.

Of all 129 vulnerabilities, only 11 received critical status (they affect Windows itself, the Edge and Internet Explorer browsers, as well as SharePoint).

Another 109 problems are rated as important (they affected Windows, company’s browsers, Office, Windows Defender, Dynamics, Visual Studio, Azure DevOps and Android applications).

The most serious problems this month include:

• CVE-2020-1181 – remote code execution in Microsoft SharePoint
• CVE-2020-1225, CVE-2020-1226 – remote code execution in Microsoft Excel
• CVE-2020-1223 – remote code execution in Word for Android
• CVE-2020-1248 – remote code execution in the Windows Graphics Device Interface (GDI)
• CVE-2020-1281 – remote code execution in Windows OLE
• CVE-2020-1299 – remote code execution when processing .LNK files
• CVE-2020-1300 – remote code execution in the print spooler component
• CVE-2020-1301 – remote code execution in Windows SMB
• CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260 – remote code execution in the VBScript engine

However, not only Microsoft has prepared patches for their products this week. So, the Adobe developers also fixed a number of serious problems in the Flash Player, Framemaker and Experience Manager.

SAP developers released 17 security bulletins and prepared patches for Apache Tomcat (CVE-2020-1938), two bugs in SAP Commerce (CVE-2020-6265, CVE-2020-6264), vulnerabilities in SAP Success Factors (CVE-2020- 6279) as well as issues in NetWeaver (CVE-2020-6275).

Intel has fixed more than 20 different vulnerabilities, including bugs in the Innovation Engine (CVE-2020-8675) and Special Register Buffer (CVE-2020-0543). The latter problem is called CrossTalk, and it allows you to “merge” confidential data from SGX enclaves.

The post On June “Patch Tuesday” Microsoft fixed 129 vulnerabilities in its products appeared first on Gridinsoft Blog.