InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer device and physical access to a computer. With that said, the bug is so easy to exploit that you just need to spend $20 on Amazon for a Razer mouse and plug it into a Windows 10 machine to become an admin.
Google disclosed the details of a Windows AppContainer vulnerability because Microsoft initially had no plans to fix it.
Google Project Zero experts disclosed the details of a Windows AppContainer flaw after Microsoft announced it had no plans to fix it.
The team focused its analysis on Windows Firewall and AppContainer, which Microsoft designed to limit the attack surface of applications. Bypassing network restrictions in AppContainer sandboxes could allow an attacker to reach services on localhost, as well as granting access to intranet resources in an enterprise organization.
Google Project Zero researcher James Forshaw discovered an issue in the configuration of Windows Firewall that could allow attackers to bypass restrictions and allow an AppContainer process to access the network.
“Recently I’ve been delving into the inner workings of the Windows Firewall. This is interesting to me as it’s used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.” wrote Forshaw.
“I recently discovered a configuration issue with the Windows Firewall which allowed the restrictions to be bypassed and allowed an AppContainer process to access the network. Unfortunately Microsoft decided it didn’t meet the bar for a security bulletin so it’s marked as WontFix.”
According to Google, Microsoft decided to label the issue as WontFix.
“The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.” reads the security advisory published by Microsoft. “Connecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as “InternetClient Default Rule” which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the “Block Outbound Default Rule” rule if nothing else has which will block any connection attempt.”
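To make the rule evaluation described in the advisory concrete, here is an added example (not Microsoft's code, not Project Zero's, and not the real WFP rule objects) that models a connect-layer rule set in Python. The rule names "InternetClient Default Rule" and "Block Outbound Default Rule" come from the advisory; the rule weights, the capability name, the executable path and the hypothetical executable-keyed permit rule are constructed assumptions. The point it shows is the one the advisory makes: a permit rule that matches on the executable alone is evaluated before the final block rule, so an AppContainer process with no capability gets through, while a permit that is restricted to non-AppContainer callers leaves the capability check intact. The `audit_permits` function is the kind of check a defender would run over a rule dump to find permits that lack a capability condition.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of a WFP connect-layer rule set (not the real WFP engine).
@dataclass(frozen=True)
class Caller:
    exe: str
    appcontainer: bool
    capabilities: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "block"
    weight: int                      # higher weight is evaluated first (assumption)
    in_appcontainer: Optional[bool] = None   # None = no condition on AC membership
    capability: Optional[str] = None         # None = no capability required
    exe: Optional[str] = None                # None = any executable

    def matches(self, c: Caller) -> bool:
        if self.in_appcontainer is not None and c.appcontainer != self.in_appcontainer:
            return False
        if self.capability is not None and self.capability not in c.capabilities:
            return False
        if self.exe is not None and self.exe != c.exe:
            return False
        return True

def decide(layer: List[Rule], c: Caller) -> Tuple[str, str]:
    """First matching rule in weight order wins, as in the advisory's description."""
    for rule in sorted(layer, key=lambda r: -r.weight):
        if rule.matches(c):
            return rule.name, rule.action
    return "no matching rule", "none"

def audit_permits(layer: List[Rule]) -> List[str]:
    """Permit rules reachable by AppContainer callers that demand no capability."""
    return [r.name for r in layer
            if r.action == "permit" and r.capability is None and r.in_appcontainer is not False]

# Rule names from the advisory; weights and capability name are assumptions.
INTERNET_CLIENT = Rule("InternetClient Default Rule", "permit", 100,
                       in_appcontainer=True, capability="internetClient")
BLOCK_OUTBOUND = Rule("Block Outbound Default Rule", "block", 0, in_appcontainer=True)

PLACEHOLDER_EXE = r"C:\placeholder\allowed.exe"   # constructed path, not a real rule target
# Weak: permit keyed on the executable only, so AC membership and capability are never checked.
EXE_PERMIT_WEAK = Rule("Hypothetical exe permit", "permit", 200, exe=PLACEHOLDER_EXE)
# Hardened: the same permit applies to non-AppContainer callers only.
EXE_PERMIT_HARDENED = Rule("Hypothetical exe permit", "permit", 200,
                           exe=PLACEHOLDER_EXE, in_appcontainer=False)

WEAK_LAYER = [INTERNET_CLIENT, BLOCK_OUTBOUND, EXE_PERMIT_WEAK]
HARDENED_LAYER = [INTERNET_CLIENT, BLOCK_OUTBOUND, EXE_PERMIT_HARDENED]

if __name__ == "__main__":
    sandboxed = Caller(exe=PLACEHOLDER_EXE, appcontainer=True)   # AC process, no capabilities
    print("weak:", decide(WEAK_LAYER, sandboxed))
    print("hardened:", decide(HARDENED_LAYER, sandboxed))
    print("permits lacking a capability condition:", audit_permits(WEAK_LAYER))
```

Run stand-alone, the weak layer reports the executable permit for the capability-less AppContainer caller and the hardened layer falls through to "Block Outbound Default Rule"; an AppContainer caller that holds the internetClient capability is permitted by "InternetClient Default Rule" in both layers.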
The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send.
The RedMonk Programming Language Rankings: June 2021
This iteration of the RedMonk Programming Languages is brought to you by Microsoft. Developers build the future. Microsoft supports you in any language and Java is no exception; we love it. We offer the best Java dev tools, infrastructure, and modern framework support. Modernize your Java development with Microsoft.
While we generally try to have our rankings in July immediately after they are run, we generally operate these on a better late than never basis. On the assumption, then, that August is better than never, below are your RedMonk Q3 language rankings.
As always, these are a continuation of the work originally performed by Drew Conway and John Myles White late in 2010. While the specific means of collection has changed, the basic process remains the same: we extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends.
Our Current Process
The data source used for the GitHub portion of the analysis is the GitHub Archive. We query languages by pull request in a manner similar to the one GitHub used to assemble the State of the Octoverse. Our query is designed to be as comparable as possible to the previous process.
Language is based on the base repository language. While this continues to have the caveats outlined below, it does have the benefit of cohesion with our previous methodology.
We exclude forked repos.
We use the aggregated history to determine ranking (though based on the table structure changes this can no longer be accomplished via a single query.)
For Stack Overflow, we simply collect the required metrics using their useful data explorer tool.
The flaw has a critical severity score of 9.9 out of 10; it was addressed by Microsoft in May.
“This issue allows a guest VM to force the Hyper-V host’s kernel to read from an arbitrary, potentially invalid address. The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address. It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host’s security.” reads the advisory published by the company.
vmswitch fails to validate the value of an OID (object identifier) request that is intended for a network adapter.
An attacker could exploit this vulnerability by sending a specially crafted packet from a guest virtual machine to the Hyper-V host.
“Some OID requests are destined to the external network adapter, or other network adapters connected to vmswitch. Such OID requests include, for example, hardware offloading, Internet Protocol security (IPsec) and single root I/O virtualization (SR-IOV) requests.” reads the post published by Guardicore.
“While processing OID requests, vmswitch traces their content for logging and debugging purposes; this also applies to OID_SWITCH_NIC_REQUEST. However, due to its encapsulated structure, vmswitch needs to have special handling of this request and dereference OidRequest to trace the inner request as well. The bug is that vmswitch never validates the value of OidRequest and can thus dereference an invalid pointer.”
The OWASP Top 10 is a list of the 10 most common categories of security vulnerabilities in web applications. The list is updated every 3-4 years. It was last updated in 2017, and the categories featured on it are:
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfigurations
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
OWASP Top 10 vulnerabilities help raise awareness of the latest threats facing websites and web applications. Organizations and developers can leverage this list to ensure secure coding, tune up security and keep their security posture fortified.
Google today announced it has extended its Open Source Vulnerabilities (OSV) database to incorporate data from additional open source projects, using a unified schema for “describing vulnerabilities precisely.”
The benefits of open source software are widely understood, but concerns around vulnerabilities frequently rear their head. The vast majority of codebases contain at least one known open source vulnerability, while a report this week concluded that more often than not, developers don’t update third-party libraries after including them in their software. That same report noted that 92% of open source library flaws could be easily fixed with a simple update.
Open source software impacts pretty much everyone, everywhere. From small startups to major enterprises, companies rely on community-driven components in most of their applications. So it’s in everyone’s interests to ensure open source software is properly maintained.
Researchers at SentinelLabs say that they found various exploitable bugs in one of Dell’s Windows kernel drivers, which they reported back in December 2020.
There were five related bugs, now collectively dubbed CVE-2021-21551.
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
Apple has released iOS 14.5.1, which provides a memory corruption bug fix and patches an arbitrary code execution (ACE) vulnerability in WebKit — a web browser engine. Arbitrary code execution refers to an attacker executing code that they should not be able to execute.
A malicious website could theoretically execute harmful code on your iPhone or iPad if it exploited that vulnerability. Browsers are designed to limit the ability of websites to execute code that could be harmful to your device. However, hackers do sometimes find a way around that, and this is one such case.
Apple says that the vulnerability (CVE-2021-30663) may have been actively exploited and classifies it as important (which it is). The update (iOS 14.5.1) is now available, and you can look for it by going to Settings > General > Software Update.
The vulnerability also affects Macs, Apple Watches, and Apple TVs. There are updates for those as well.
We’re sure you’ve heard of OpenSSL, and even if you aren’t a coder yourself, you’ve almost certainly used it.
OpenSSL is one of the most popular open-source cryptography libraries out there, and lots of well-known products rely on it, especially on Linux, which doesn’t have a standard, built-in encryption toolkit of its own.
Even on Windows and macOS, which do have encryption toolkits built into their distributions, you may have software installed that includes and uses OpenSSL instead of the operating system’s standard cryptographic libraries.
As its name suggests, OpenSSL is very commonly used for supporting network-based encryption using TLS, which is the contemporary name for what used to be called SSL.
TLS, or transport layer security, is what puts the padlock into your browser, and it’s probably what encrypts your email in transit these days, along with protecting many other online communications initiated by your computer.
Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector. We have developed an interactive demonstration of the attack available at https://leaky.page/ ; the code and a more detailed writeup are published on Github here.
The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes.
On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions; the flaws were being actively exploited in the wild.
The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations.
This week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.
The availability of the proof-of-concept code was first reported by The Record.
“A Vietnamese security researcher has published today the first functional public proof-of-concept exploit for a group of vulnerabilities in Microsoft Exchange servers known as ProxyLogon, and which have been under heavy exploitation for the past week.” reads the post published by The Record. “The proof-of-concept code was published on GitHub earlier today. A technical write-up (in Vietnamese) is also available on blogging platform Medium.”
The availability of the exploit online was immediately noticed by several cyber security experts, including Marcus Hutchins.
A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution.
“We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” the spokesperson said in an email sent to Vice. “In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”
Apple has released out-of-band security patches for iOS, macOS, watchOS, and the Safari web browser to address a critical security flaw tracked as CVE-2021-1844.
The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. The flaw could be exploited by remote attackers to run arbitrary code on vulnerable devices by tricking users into visiting malicious web content.
The vulnerability is caused by a memory corruption issue that could be triggered to cause arbitrary code execution when processing specially crafted web content.
“Processing maliciously crafted web content may lead to arbitrary code execution.” reads the advisory published by Apple. “Description: A memory corruption issue was addressed with improved validation.”
Apple has improved validation to address the vulnerability.
In March, Pwn20wnd, the author of the jailbreaking tool “unc0ver,” updated the software to support iOS 14.3 and earlier releases. The latest release of the jailbreaking tool, unc0ver v6.0.0, includes exploit code for the CVE-2021-1782 vulnerability, which Apple said in January was being actively exploited by threat actors. CVE-2021-1782 is a race condition that resides in the iOS kernel.
Of course, Birsan didn’t literally do it alone and unaided (see the end of his paper for the section of shout-outs to others who helped directly or inspired him indirectly during his research), and he didn’t really attack anyone in the way that a criminal hacker or cracker would.
His work was done in accordance with bug bounty rules or pre-arranged penetration testing agreements, and Birsan actually includes bug bounties in his credits:
Google last week announced OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects.
The database aims at helping both open source maintainers and consumers of open source projects.
The database could allow users and maintainers of open-source software to find the vulnerabilities that affect them, providing detailed information about the versions and commits impacted by each issue. Maintainers of open source software could benefit from OSV’s automation to reduce the burden of triage.
“We are excited to launch OSV (Open Source Vulnerabilities), our first step towards improving vulnerability triage for developers and consumers of open source software.” reads the post published by Google. “The goal of OSV is to provide precise data on where a vulnerability was introduced and where it got fixed, thereby helping consumers of open source software accurately identify if they are impacted and then make security fixes as quickly as possible.”
At the time of the launch, the database only includes vulnerabilities from OSS-Fuzz (mostly C/C++), but Google plans to add more data sources soon (e.g. npm Registry and PyPI).
OSV already includes information on thousands of vulnerabilities from more than 380 critical open source projects integrated with Google’s OSS-Fuzz fuzzing service.
“OSV is a vulnerability database for open source projects. It exposes an API that lets users of these projects query whether or not their versions are impacted.” reads the description of the project.
“For each vulnerability, we perform bisects to figure out the exact commit that introduces the bug, as well the exact commit that fixes it. This is cross referenced against upstream repositories to figure out the affected tags and commit ranges.”
The OSV database exposes a simple API for querying vulnerabilities: maintainers and users can provide a git commit hash or a version number and receive the list of vulnerabilities present in that version.
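The two lookups described above, by commit and by version, as an added Python example (not OSV's own code or data). The records and the linear commit history are constructed in a simplified OSV-like shape: each GIT range carries the introducing and fixing commit that OSV's bisection would produce, and `versions` lists the release tags cross-referenced against the upstream repository. `build_query` produces the request body for the query endpoint as documented at https://osv.dev (the endpoint path is stated from that documentation, not from this page). The example also shows why the commit-level ranges matter: a commit that is past the fixing commit of one bug can still sit inside the unfixed range of another.

```python
from typing import Dict, List, Optional

# Constructed sample records in a simplified OSV-like shape (not real OSV data).
SAMPLE_RECORDS = [
    {
        "id": "OSV-EXAMPLE-0001",
        "package": {"name": "libexample", "ecosystem": "OSS-Fuzz"},
        "affects": {
            "ranges": [{"type": "GIT", "introduced": "c1", "fixed": "c4"}],
            "versions": ["1.1.0", "1.2.0"],
        },
    },
    {
        "id": "OSV-EXAMPLE-0002",
        "package": {"name": "libexample", "ecosystem": "OSS-Fuzz"},
        "affects": {
            # No fixing commit yet: everything from c3 onward is affected.
            "ranges": [{"type": "GIT", "introduced": "c3", "fixed": None}],
            "versions": ["1.2.0", "1.3.0"],
        },
    },
]

# Constructed linear commit history of the sample repository, oldest first.
SAMPLE_HISTORY = ["c0", "c1", "c2", "c3", "c4", "c5"]

def build_query(commit: Optional[str] = None, package: Optional[str] = None,
                ecosystem: Optional[str] = None, version: Optional[str] = None) -> Dict:
    """Request body for POST https://api.osv.dev/v1/query (per osv.dev documentation)."""
    if commit:
        return {"commit": commit}
    if not (package and ecosystem and version):
        raise ValueError("need a commit, or package + ecosystem + version")
    return {"version": version, "package": {"name": package, "ecosystem": ecosystem}}

def commit_in_range(history: List[str], commit: str, introduced: str,
                    fixed: Optional[str]) -> bool:
    """True if commit lies in [introduced, fixed) on a linear history (assumption: no branches)."""
    pos = history.index(commit)
    start = history.index(introduced)
    end = history.index(fixed) if fixed else len(history)
    return start <= pos < end

def vulns_for_commit(records: List[Dict], history: List[str], commit: str) -> List[str]:
    """IDs of records whose GIT range contains the given commit."""
    hits = []
    for rec in records:
        for rng in rec["affects"]["ranges"]:
            if rng["type"] == "GIT" and commit_in_range(history, commit,
                                                        rng["introduced"], rng["fixed"]):
                hits.append(rec["id"])
                break
    return hits

def vulns_for_version(records: List[Dict], version: str) -> List[str]:
    """IDs of records whose affected tag list names the given version."""
    return [rec["id"] for rec in records if version in rec["affects"]["versions"]]

if __name__ == "__main__":
    print(build_query(commit="c3"))
    for c in SAMPLE_HISTORY:
        print(c, vulns_for_commit(SAMPLE_RECORDS, SAMPLE_HISTORY, c))
    print("1.2.0", vulns_for_version(SAMPLE_RECORDS, "1.2.0"))
```

Against the constructed data, commit c2 is affected only by the first record, c3 by both, and c4 (the first record's fixing commit) only by the second, unfixed one; tag 1.2.0 matches both records while 1.0.0 matches none.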
Microsoft doesn’t feel the bugs are important enough to fix immediately, although one researcher disagrees
Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”.
On February 2, researcher “mr.d0x,” also known as “TheCyberSecurityTutor”, publicly disclosed a “plague” of spoofing vulnerabilities in the Microsoft-owned remote chat and video app.
The researcher first began examining Skype in the second week of January and quickly found that the application’s messaging functionality does not have adequate protection against tampering.
As a result, it is possible to spoof links, file names, file sizes, and shared contacts on thick clients, web sessions, and on mobile.
Content spoofing
According to the researcher, tampering is possible by sending content you want to spoof, intercepting subsequent requests, and forwarding with modified code – such as by modifying href and key attributes, as well as by intercepting spoofed content and changing values such as OriginalName, FileSize, and file extensions.
When it comes to spoofing shared contacts, this can be achieved by sharing a contact, intercepting the request, and modifying either the display name or username which will, in turn, be reflected to the recipient.
The researcher also accidentally uncovered a means to crash a conversation on thick and web clients. If “too many” tags are added to the content value, this will render a chat session unresponsive and “fully inaccessible” for both an attacker and victim.
A researcher disclosed technical details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from the targeted system.