May 10 2023

Microsoft Patch Tuesday for May 2023 fixed 2 actively exploited zero-day flaws

Category: Zero daydisc7 @ 10:15 am

Microsoft Patch Tuesday Security updates for May 2023 address a total of 40 vulnerabilities, including two zero-day actively exploited in attacks.

Microsoft’s May 2023 security updates address 40 vulnerabilities, including two zero-day flaws actively exploited in attacks. The flaws affect Microsoft Windows and Windows Components; Office and Office Components; Microsoft Edge (Chromium-based); SharePoint Server; Visual Studio; SysInternals; and Microsoft Teams.

Seven of the addressed vulnerabilities are rated Critical and 31 are rated Important in severity.

The two actively exploited zero-day vulnerabilities addressed with the relaese of Patch Tuesday Security updates for May 2023 are:

CVE-2023-29336 (CVSS 7.8) – Win32k Elevation of Privilege Vulnerability. This vulnerability is actively exploited in attacks. The flaw can be chained with a code execution bug to spread malware. The vulnerability was reported by researchers Jan Vojtěšek, Milánek, and Luigino Camastra from Avast Antivirus firm, a circumstance that suggests it was used as part of an exploit chain to deliver malware.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads the advisory.

CVE-2023-24932 (CVSS 6.7) – Secure Boot Security Feature Bypass Vulnerability. An attacker with physical access or Administrative rights to a target device could install an affected boot policy and bypass Secure Boot. The flaw was reported by Martin Smolar from ESET and Tomer Sne-or from SentinelOne.

Threat actors were spotted exploiting this flaw to install the BlackLotus UEFI bootkit.

“To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy,” reads Microsoft’s advisory.

The most severe vulnerabilities addressed by Microsoft are:

  • CVE-2023-24941 (CVSS 9.8) – Windows Network File System Remote Code Execution Vulnerability.
  • CVE-2023-24943 (CVSS 9.8) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability.

Microsoft also addressed a remote code execution flaw in SharePoint Server, tracked as CVE-2023-24955, that was demonstrated by the Star Labs team at the Pwn2Own Vancouver 2023 exploit contest. The flaw was part of an exploit chain used to obtain code execution on the target server.

 InfoSec tools | InfoSec services | InfoSec books

Apr 11 2023

Apple Fixes Zero Day Vulnerability in iOS And MacOS

Category: Zero dayDISC @ 9:46 am

Apple Fixes Zero Day vulnerabilities for iOS And MacOS devices.

Apple recently released a security update for its iOS and MacOS devices, and fixing zero-day vulnerabilities that could allow cyber attackers to access users’ devices.

The iOS and iPadOS, version 15.7.5, addresses a vulnerability in the iOSurfaceAccelerator and WebKit engine that could allow an app and website to execute arbitrary code with kernel privileges processing maliciously.

Apple notes that this vulnerability has been actively exploited in the wild, making it especially important for users to update their devices as soon as possible.

Meanwhile, the MacOS update, including macOS Big Sur 11.7.6 and macOS Monterey 12.6.5, addressed with improved input validation.

macOS Big Sur 11.7.6

  • CVE-2023-28206

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.

iOS 15.7.5 and iPadOS 15.7.5

  • CVE-2023-28206


Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.


  • CVE-2023-28205

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797

macOS Monterey 12.6.5

  • CVE-2023-28206

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved input validation.

Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.

  • The latest version of iOS and iPadOS is 16.4.1.
  • The latest version of macOS is 13.3.1.
  • The latest version of tvOS is 16.4.
  • The latest version of watchOS is 9.4.

Note that after a software update is installed for iOS, iPadOS, tvOS, and watchOS, it cannot be downgraded to the previous version.

As always, Apple is urging all users to update their devices to the latest iOS and MacOS as soon as possible to ensure they are protected against these critical security vulnerabilities. Users can download the updates to the iOS device Settings app, and the Software Update section of the System Preferences app on their MacOS device.

Zero-Day Fixes macOS and iOS

The Art of Mac Malware: The Guide to Analyzing Malicious Software

InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Tags: iOS, macOS Zero-Day

Feb 13 2023

Multiple 0-Day Attacks in The PyPI Packages Aimed to Steal Developer Credentials

Category: Python,Zero dayDISC @ 10:13 am

Recently, the FortiGuard Labs team made a groundbreaking discovery of several new zero-day attacks in the PyPI packages. The source of these attacks was traced back to a malware author known as “Core1337.” This individual had published a number of packages.

Here below we have mentioned the packages that are published by Core1337:-

  • 3m-promo-gen-api
  • Ai-Solver-gen
  • hypixel-coins
  • httpxrequesterv2
  • httpxrequester

Between the 27th of January and the 29th of January 2023, these attacks were published. The recent discovery made by the FortiGuard Labs team revealed that each of the packages published by the malware author “Core1337” had only one version with an empty description. 

However, what was alarming was the fact that all of these packages contained similar malicious code. This raises the question of the level of sophistication and the intentions behind these attacks. 

Technical Analysis of the Packages

First of all, cybersecurity analysts have noticed something that looks like a URL for a webhook in its setup[.]py file:-

  • hxxps://discord[.]com/api/webhooks/1069214746395562004/sejnJnNA3lWgkWC4V86RaFzaiUQ3dIAG958qwAUkLCkYjJ7scZhoa-KkRgBOhQw8Ecqd

There is a similar code in each package’s file except for the URL of the webhook that is sent from each package. It appears that the URL in question may have a connection to the infamous “Spidey Bot” malware. 

This particular strain of malware is notorious for its ability to pilfer personal information via Discord, as highlighted in a recent blog post by the organization. The blog, entitled “Web3-Essential Package,” delves into the dangers posed by the “Spidey Bot.”

Experts in the field have discovered potential malicious behaviors in a recent static analysis that was conducted by reviewing the script. During this process, the experts meticulously examined the code and were able to identify several key indicators that point toward malicious intent.

Experts in the field of malware analysis have gained a general understanding of the behavior of a particular strain of malware by carefully examining its primary function. 

According to their findings, this malware may attempt to extract sensitive information from various browsers and the Discord platform and then store it in a file for later exfiltration.

In order to gain a better understanding of the inner workings of this piece of malware, experts have focused their attention on the “getPassw” function. This function is specifically designed to gather user and password information from the browser and then save it to a text file.

The malware has a self-proclaimed title of “Fade Stealer,” which it prominently displays in the form of its name being written at the top of its accompanying text file.

As for its ‘getCookie’ function, the behavior is similar to the one seen in its other functions. Based on the functions of “Kiwi,” “KiwiFile,” and “uploadToAnonfiles,” it appears that the malware is programmed to scan specific directories and select specific file names for the purpose of transferring them through a file-sharing platform:- 

  • https[:]//transfer[.]sh

All these packages have one thing in common – they possess similar codes that are created for the purpose of launching attacks. While all these packages may have different names, the underlying intention and code structure is the same, which indicates the work of a single author.

Full Stack Python Security: Cryptography, TLS, and attack resistance

Tags: zero Day

Jan 17 2023


Category: Printer security,Security vulnerabilities,Zero dayDISC @ 10:27 am

The American corporation Lexmark International, Inc. is a privately owned business that specializes in the production of laser printers and other image goods.

The researcher found that the product is susceptible to two vulnerabilities, either of which can be exploited by an adversary to copy file data from a source path to a destination path or to induce the server-side application to make requests to an unintended location. Both of these vulnerabilities are possible due to the fact that the product is vulnerable to both of these vulnerabilities. According to the specialists, the printer has two vulnerabilities that enable an authorized hacker to upload arbitrary files and run code with elevated privileges. Both of these vulnerabilities may be exploited by a malicious user.

He published the code on Github that had a proof-of-concept (PoC) exploit for each of the four vulnerabilities. These vulnerabilities make it possible for an adversary to seize control of a vulnerable device.

According to the findings of the researcher, an attack may be carried out that compromises the device by exploiting all four of its vulnerabilities simultaneously.

The proof-of-concept attack has been successfully tested against a Lexmark MC3224adwe printer using the most recent version of the firmware, CXLBL.081.225; nevertheless, it is claimed to operate successfully against other printers and photocopiers as well.

The security flaw that was discovered in Lexmark’s printer devices has not been fixed.


Dec 13 2022

Multiple Zero-Day Vulnerabilities in Antivirus and Endpoint Let Attackers Install Data Wipers

Category: Antivirus,Information Security,Zero dayDISC @ 9:50 am

Next-Generation Wiper Tool

Aikido is the wiper tool that has been developed by the Or Yair of SafeBreach Labs, and the purpose of this wiper is to defeat the opponent by using their own power against them.

As a consequence, this wiper can be run without being given privileges. In addition, it is also capable of wiping almost every file on a computer, including the system files, in order to make it completely unbootable and unusable.

EDRs are responsible for deleting malicious files in two main ways, depending on the following contexts:-

  • Time of threat identification
  • Time of threat deletion
Window Opportunity (Safebreach)

As soon as a malicious file is detected and the user attempts to delete it, the Aikido wiper takes advantage of a moment of opportunity. 

This wiper makes use of a feature in Windows allowing users to create junction point links (symlinks) regardless of the privileges of the users’ accounts, which is abused by this wiper.

A user who does not have the required permissions to delete system files (.sys) will not be able to delete those files according to Yair. By creating a decoy directory, he was able to trick the security product to delete the file instead of preventing it from being deleted. 

Likewise, he placed a string inside the group that resembled the path intended for deletion, for example, as follows:-

  • C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers

Qualities of the Aikido Wiper

Here below we have mentioned all the general qualities of the Aikido Wiper:-

  • Fully Undetectable
  • Makes the System Unbootable
  • Wipes Important Data
  • Runs as an Unprivileged User
  • Deletes the Quarantine Directory

Product analysis and response from the vendor 

It was found that six out of 11 security products tested by Or Yair were vulnerable to this exploit. In short, over 50% of the products in this category that is tested are vulnerable.

Here below we have mentioned the vulnerable ones:-

  • Defender
  • Defender for Endpoint
  • SentinelOne EDR
  • TrendMicro Apex One
  • Avast Antivirus
  • AVG Antivirus

Here below we have mentioned the products that are not vulnerable:-

  • Palo Alto XDR
  • Cylance
  • CrowdStrike
  • McAfee
  • BitDefender

Between the months of July and August of this year, all the vulnerabilities have been reported to all the vendors that have been affected. There was no arbitrary file deletion achieved by the researcher in the case of Microsoft Defender and Microsoft Defender for Endpoint products.

In order to cope with the vulnerabilities, three of the vendors have issued the following CVEs:-

This exploit was also addressed by three of the software vendors by releasing updated versions of their software to address it:-

  • Microsoft Malware Protection Engine: 1.1.19700.2
  • TrendMicro Apex One: Hotfix 23573 & Patch_b11136
  • Avast & AVG Antivirus: 22.10

This type of vulnerability should be proactively tested by all EDR and antivirus vendors to ensure that their products are protected from similar attacks in the future.

For organizations using EDR and AV products, the researcher strongly recommends that they consult with their vendors for updates and patches immediately.

Multiple Zero-Day Vulnerabilities

Tags: Data Wipers

Dec 02 2022

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

Category: Spyware,Zero dayDISC @ 10:30 am

A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.

On 30th November, Google’s Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender under the guise of a custom cybersecurity solutions provider. 

In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chrome’s bug reporting program which brought to their attention the exploitation framework.

Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the app’s sandbox and run malware on the operating system.

Another one is used to deploy malicious PDF documents containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows).  The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits. 

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days
A manifest file in the source code provides a product description (Image: Google)

In its report, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.

Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

7 Steps to Removing Spyware

Tags: Spyware Vendor Variston, Windows 0-days

Nov 01 2022

An Unofficial Patch Has Been Released for Actively Exploited Windows MoTW Zero-Day

Category: Information Security,Windows Security,Zero dayDISC @ 1:34 pm

There is an unofficial patch from 0patch for a Zero-Day flaw in Microsoft Windows that allows bypassing the MotW (Mark-of-the-Web) protections that are built into the operating system and at moment it’s actively exploited.

By utilizing files signed with malformed signatures, this zero-day flaw is able to bypass MotW protections. Various legacy Windows versions as well as all versions that are supported by Microsoft are affected by the issue.

It has been determined by cybersecurity analysts that the Magniber ransomware was being installed on victims’ devices with the help of stand-alone JavaScript files by threat actors.

Unofficial Patch

0patch released this unofficial security patch to fix this flaw since it’s a critical zero-day vulnerability and is exploited by threat actors vigorously in the wild.

Why this patch has been tagged as “Unofficial”?

This patch is tagged as unofficial due to its release source, in short, this patch has not been released by Microsoft itself. 

But, until the release of any official patch from Microsoft, users can use this security patch to keep their systems protected against threat actors exploiting this zero-day flaw.

Free Micropatch Availability

Due to this zero-day vulnerability, multiple Windows versions are affected and here below we have mentioned all the affected versions of Windows that are eligible for the free micropatches:-

  • Windows 11 v21H2
  • Windows 10 v21H2
  • Windows 10 v21H1
  • Windows 10 v20H2
  • Windows 10 v2004
  • Windows 10 v1909
  • Windows 10 v1903
  • Windows 10 v1809
  • Windows 10 v1803
  • Windows Server 2022
  • Windows Server 2019 

The installation process for this micropatch will require an account on the 0patch website, and it can be created for free. Once done, you’ll need to download its agent for your Windows device which will automatically install this patch.

Unofficial Windows Patch

Oct 19 2022

Over 900 Servers Hacked Using a Critical Zimbra Zero-day Flaw

Category: Hacking,Zero dayDISC @ 8:58 am

The cybersecurity company Kaspersky detected almost 900 servers being compromised by sophisticated attackers leveraging the critical Zimbra Collaboration Suite (ZCS), which at the time was a zero-day without a patch for nearly 1.5 months.

“We investigated the threat and was able to confirm that unknown APT groups have actively been exploiting this vulnerability in the wild, one of which is systematically infecting all vulnerable servers in Central Asia”, Kaspersky

Zimbra Collaboration Suite (ZCS) Vulnerability

The vulnerability tracked as (CVE-2022-41352) is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks.

Kaspersky researchers say that various APT (advanced persistent threat) groups actively exploited the flaw soon after it was reported on the Zimbra forums.

Reports say a proof of concept for this vulnerability was added to the Metasploit framework, laying the groundwork for massive and global exploitation from even low-sophistication attackers.

Patch Available for the Vulnerability

Zimbra released a patch for this vulnerability; With ZCS version 9.0.0 P27, replacing the vulnerable component (cpio) with Pax and removing the weak part that made exploitation possible. Hence, update your devices immediately.

Researchers say performing disinfection on Zimbra is extremely difficult, since the attacker had access to configuration files containing passwords used by various service accounts.

Therefore, these credentials can be used to regain access to the server if the administrative panel is accessible from the internet.

Volexity stated that they identified approximately 1,600 ZCS servers that they believe were compromised by threat actors leveraging CVE-2022-41352 to plant webshells.

Reports say the initial attacks started in September, targeting vulnerable Zimbra servers in India and some in Turkey. Therefore, it was probably a testing wave against low-interest targets to assess the effectiveness of the attack.

Notably, Kaspersky assessed that the threat actors compromised 44 servers during this initial wave. Later on the threat actors began to carry out mass targeting to compromise as many servers worldwide before admins patched the systems and close the door to intruders.

At present, the second wave had a greater impact, infecting 832 servers with malicious webshells. Hence, it is recommended to update your devices immediately.

Over 900 Servers Hacked


Tags: Zimbra

Oct 03 2022

State-Sponsored Hackers Used MS Exchange 0-Day Bugs to Attack At least 10 Orgs

Category: Hacking,Zero dayDISC @ 8:44 am

In August 2022, hackers launched a limited wave of attacks that targeted at least 10 organizations around the world. 

There are two newly disclosed zero-day vulnerabilities being exploited by the hackers in these attacks in order to gain access to and compromise Exchange servers in these attacks.

Chopper web shell was installed during these attacks in order to make hands-on keyboard access more convenient. Attackers utilize this technique to gain access to Active Directory in order to perform reconnaissance and exfiltration of data.

As a result of these wild exploits, it is likely that these vulnerabilities will be weaponized further in the coming days due to the growing trend toward weaponizing them.

0-Day Flaws Exploited

Here below we have mentioned the two 0-Day flaws exploited by the hackers in the wild to attack 10 organizations:-

  • CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability with CVSS score: 8.8.
  • CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability with CVSS score: 8.8.

The combination of these two zero-day vulnerabilities together has been named “ProxyNotShell.” The exploitation of these vulnerabilities is possible by using a standard account with a standard authentication process.

In many different ways, it is possible to acquire the credentials of standard users. While the GTSC, a Vietnamese cybersecurity company, was the first to discover the vulnerabilities that have been exploited.

It is suspected that these intrusions were carried out by a Chinese threat actor.


No action is required on the part of Microsoft Exchange Online customers. Microsoft recommended reviewing the URL Rewriting Instructions for Microsoft Exchange customers using on-premises Exchange and also recommended users implement them immediately.

If you are a Microsoft Exchange Server user using Microsoft 365 Defender, then you have to follow the following checklist provided by Microsoft:-

  • Enable cloud-based protection in Microsoft Defender Antivirus.
  • Protect security services from being interrupted by attackers by enabling tamper protection.
  • Microsoft Defender for Endpoint can detect malicious artifacts when EDR is operating in block mode.
  • Protect the Internet network from malicious domains and other malicious content by enabling network protection.
  • Enable full automation for investigation and remediation. By doing so Microsoft Defender for Endpoint can be notified of breaches immediately, allowing it to take immediate action.
  • Discovering your network’s devices will allow you to have greater visibility into what’s going on.

While as additional prevention measures they also recommended users to:-

  • Enable multi-factor authentication (MFA)
  • Legacy authentication must be disabled
  • Do not accept suspicious or unknown 2FA prompts
  • Make sure to use complex passwords

Tags: MS Exchange 0-Day, State-Sponsored Hackers

Oct 01 2022

New WhatsApp 0-Day Bug Let Hackers Execute a Code & Take Full App Control Remotely

Category: Security vulnerabilities,Zero dayDISC @ 11:23 am

WhatsApp silently fixed two critical zero-day vulnerabilities that affect both Android & iOS versions allowing attackers to execute an arbitrary code remotely.

Facebook-owned messenger WhatsApp is one of the Top-ranked Messenger apps with more than Billion users around the world in both Android and iPhone.

Both vulnerabilities are marked under “critical” severity with a CVE Score of 10/10 and found by the WhatsApp internal security Team.

Simplifying these following vulnerabilities, Whatsapp could cause your device to be hacked by receiving a Video File or When on a Video call.

CVE-2022-36934 –  Integer Overflow Bug

An Integer overflow bug that affects WhatsApp allows attackers to execute the specially crafted arbitrary code during an established Video call without any sort of user interaction.

An integer overflow also know as “wraparound” occurs when an integer value is incremented to a value that is too large to store in the associated representation. 

This RCE bug affects an unknown code of the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.

“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”

Hackers can take advantage of this remote code execution vulnerability to deploy the malware on the user’s device to steal sensitive files and also used for surveillance purposes.

According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”

CVE-2022-27492 – Integer Underflow Bug

WhatsApp Bug

Tags: WhatsApp 0-Day

Sep 27 2022

New WhatsApp 0-Day Bug Let Hackers Execute a Code & Take Full App Control Remotely

Category: Hacking,Security vulnerabilities,Zero dayDISC @ 8:19 am

WhatsApp silently fixed two critical zero-day vulnerabilities that affect both Android & iOS versions allowing attackers to execute an arbitrary code remotely.

Facebook-owned messenger WhatsApp is one of the Top-ranked Messenger apps with more than Billion users around the world in both Android and iPhone.

Both vulnerabilities are marked under “critical” severity with a CVE Score of 10/10 and found by the WhatsApp internal security Team.

Simplifying these following vulnerabilities, Whatsapp could cause your device to be hacked by receiving a Video File or When on a Video call.

CVE-2022-36934 –  Integer Overflow Bug

An Integer overflow bug that affects WhatsApp allows attackers to execute the specially crafted arbitrary code during an established Video call without any sort of user interaction.

An integer overflow also know as “wraparound” occurs when an integer value is incremented to a value that is too large to store in the associated representation. 

This RCE bug affects an unknown code of the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.

“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”

Hackers can take advantage of this remote code execution vulnerability to deploy the malware on the user’s device to steal sensitive files and also used for surveillance purposes.

According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”

CVE-2022-27492 – Integer Underflow Bug

WhatsApp Bug

Tags: WhatsApp 0-Day

Sep 06 2022

Chrome and Edge fix zero-day security hole – update now!

Category: Zero dayDISC @ 9:30 am

Just three days after Chrome’s previous update, which patched 24 security holes that were not in the wild…

…the Google programmers announced the release of Chrome 105.0.5195.102, where the last of the four numbers in the quadruplet jumps up from 52 on Mac and Linux and 54 on Windows.

The release notes confirm, in the clipped and frustrating “indirect statement made in the passive voice” bug-report style that Google seems to have borrowed from Apple:

  : Insufficient data validation in Mojo.

   Reported by Anonymous on 2022-08-30


   Google is aware of reportsrts [sic] that an exploit 
   for  exists in the wild.

Microsoft has put out an update, too, taking its browser, which is based on Chromium, to  Edge 105.0.1343.27.

Following Google’s super-brief style, Microsfoft wrote merely that:

  This update [Edge 105.0.1343.27] contains a fix for , 
   which has been reported by the Chromium team as having an exploit 
   in the wild
As always, our translation of security holes written up in this non-committal way is: “Crooks or spyware vendors found this vulnerability before we did, have figured out how to exploit it, and are already doing just that.”


What to do?

Patch early, patch often!

In Chrome, check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.

The Chrome version you are looking for (or Chromium version , if you’re using the non-proprietary, open source flavour) is: 105.0.5195.102 or later.

In Edge, it’s Three dots > Help and feedback > About Microsoft Edge.

The Edge version you’re after is: 105.0.1343.27 or later.

Google’s release notes also list an update to the Extended Stable Channel, which you might be using if you’re on a computer provided by work – like Mozilla’s Extended Support Release or ESR, it’s an official version that lags behind on features but keeps up with security patches, so you aren’t forced to adopt new features just to get patched.

The Extended Stable version you want is: 104.0.5112.114.

Google has also just announced a Chrome for iOS update, available (as always) via the App Store.

There’s no mention of whether the iOS version was affected by CVE-2022-3075, but the version you’re after, in any case, is 105.0.5195.100.

(We’re guessing that by iOS, Google means both iOS and iPadOS, now shipped as different variants of Apple’s underlying mobile operating system.)

Nothing in the release notes so far [2022-09-05T13:45Z] about Android – check in Google Play to see if you’re up to date.

Tags: Chrome, Edge

Sep 01 2022

URGENT! Apple slips out zero-day update for older iPhones and iPads

Category: Zero dayDISC @ 8:19 am

Our much-loved iPhone 6+, now nearly eight years old but in pristine, as-new condition until a recent UDI (unintended dismount incident, also known as a bicycle prang, which smashed the screen but left the device working fine otherwise), hasn’t received any security updates from Apple for almost a year.

The last update we received was back on 2021-09-23, when we updated to iOS 12.5.5.

Every subsequent update for iOS and iPadOS 15 has understandably reinforced our assumption that Apple had dropped iOS 12 support for evermore, and so we relegated the old iPhone to background duty, solely as an emergency device for maps or phone calls while on the road.

(We figured that another crash would be unlikely to wreck the screen any further, so it seemed a useful compromise.)

But we’ve just noticed that Apple has decided to update iOS 12 again after all.

This new update applies to the following models: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation. (Before iOS 13.1 and iPadOS 13.1 came out, iPhones and iPads used the same operating system, referred to as iOS for both devices.)

We didn’t receive a Security Advisory email from Apple, but an alert Naked Security reader who knows we still have that old iPhone 6+ let us know about Apple Security Bulletin HT213428. (Thanks!)

Simply put, Apple has published a patch for 

, which is one of the two mysterious zero-day bugs that received emergency patches on most other Apple platforms earlier in August 2022:

Malware implantation

As you will see in the article just above, there was a WebKit remote code execution bug, CVE-2022-32893, by means of which a jailbreaker, a spyware peddler, or some devious cybercriminal could lure you to a booby-trapped website and implant malware on your device, even if all you did was glance at an otherwise innocent-looking page or document.

Then there was a second bug in the kernel, CVE-2022-32894, by which said malware could extend its tentacles beyond the app it just compromised (such as a browser or a document viewer), and get control over the innards of the operating system itself, thus allowing the malware to spy on, modify or even install other apps, bypassing Apple’s much vaunted and notoriously strict security controls.

So, here’s the good news: iOS 12 isn’t vulnerable to the kernel-level zero-day CVE-2022-32894, which almost certainly avoids the risk of total compromise of the operating system itself.

But here’s the bad news: iOS 12 is vulnerable to the WebKit bug CVE-2022-32893, so that individual apps on your phone definitely are at risk of compromise.

We’re guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution.

The danger of WebKit

Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple’s own Safari browser isn’t the only app at risk from this vulnerability.

All browsers on iOS, even Firefox, Edge, Chrome and so on, use WebKit (that’s an Apple requirement if you want your app to make it into the App Store).

And any app that displays web content for purposes other than general browsing, such as in its help pages, its About screen, or even in a built-in “minibrowser”, is also at risk because it will be using WebKit under the covers.

In other words, just “avoiding Safari” and sticking to a third-party browser is not a suitable workaround in this case.

What to do?

We now know that the absence of an update for iOS 12 when the latest emergency patches came out for more recent iPhones was not down to the fact that iOS was already safe.

It was simply down to the fact that an update wasn’t available yet.

So, given that we now know that iOS 12 is at risk, and that exploits against CVE-2022-32893 are being used in real life, and that there is a patch available…

…then it’s an urgent matter of Patch Early/Patch Often!

Go to Settings > General > Software Update, and check that you have iOS 12.5.6.

If you haven’t yet received the update automatically, tap Download and Install to begin the process right away:

Go to Settings > General > Software Update.
You’re looking for iOS 12.5.6.
Use Download and Install if needed.

Tags: Apple patches

Aug 17 2022

Chrome browser gets 11 security fixes with 1 zero-day – update now!

Category: Web Security,Zero dayDISC @ 8:37 am

The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows).

According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole.

The name zero-day is a reminder that there were zero days on which even the most well-informed and proactive user or sysadmin could have been patched ahead of the Bad Guys.

Update details

Details about the updates are scant, given that Google, in common with many other vendors these days, restricts access to bug details “until a majority of users are updated with a fix”.

But Google’s release bulletin explicitly enumerates 10 of the 11 bugs, as follows:

  • CVE-2022-2852: Use after free in FedCM.
  • CVE-2022-2854: Use after free in SwiftShader.
  • CVE-2022-2855: Use after free in ANGLE.
  • CVE-2022-2857: Use after free in Blink.
  • CVE-2022-2858: Use after free in Sign-In Flow.
  • CVE-2022-2853: Heap buffer overflow in Downloads.
  • CVE-2022-2856: Insufficient validation of untrusted input in Intents. (Zero-day.)
  • CVE-2022-2859: Use after free in Chrome OS Shell.
  • CVE-2022-2860: Insufficient policy enforcement in Cookies.
  • CVE-2022-2861: Inappropriate implementation in Extensions API.

As you can see, seven of these bugs were caused by memory mismanagement.

use-after-free vulnerability means that one part of Chrome handed back a memory block that it wasn’t planning to use any more, so that it could be reallocated for use elsewhere in the software…

…only to carry on using that memory anyway, thus potentially causing one part of Chrome to rely on data it thought it could trust, without realising that another part of the software might still be tampering with that data.

Often, bugs of this sort will cause the software to crash completely, by messing up calculations or memory access in an unrecoverable way.

Sometimes, however, use-after-free bugs can be triggered deliberately in order to misdirect the software so that it misbehaves (for example by skipping a security check, or trusting the wrong block of input data) and provokes unauthorised behaviour.

heap buffer overflow means asking for a block of memory, but writing out more data than will fit safely into it.

This overflows the officially-allocated buffer and overwrites data in the next block of memory along, even though that memory might already be in use by some other part of the program.

Buffer overflows therefore typically produce similar side-effects to use-after-free bugs: mostly, the vulnerable program will crash; sometimes, however, the program can be tricked into running untrusted code without warning.

The zero-day hole

The zero-day bug CVE-2022-2856 is presented with no more detail than you see above: “Insufficient validation of untrusted input in Intents.”

A Chrome Intent is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app that’s launched to process that data.

Google hasn’t provided any details of which apps, or what sort of data, could be maliciously manipulated by this bug…

…but the danger seems rather obvious if the known exploit involves silently feeding a local app with the sort of risky data that would normally be blocked on security grounds.

What to do?

Chrome will probably update itself, but we always recommend checking anyway.

On Windows and Mac, use More > Help > About Google Chrome > Update Google Chrome.

There’s a separate release bulletin for Chrome for iOS, which goes to version 104.0.5112.99, but no bulletin yet [2022-08-17T12:00Z] that mentions Chrome for Android.

On iOS, check that your App Store apps are up-to-date. (Use the App Store app itself to do this.)

You can watch for any forthcoming update announcement about Android on Google’s Chrome Releases blog

The open-source Chromium variant of the proprietary Chrome browser is also currently at version 104.0.5112.101.

Microsoft Edge security notes, however, currently [2022-08-17T12:00Z] say:

August 16, 2022

Microsoft is aware of the recent exploit existing in the wild. We are actively working on releasing a security patch as reported by the Chromium team.

You can keep your eye out for an Edge update on Microsoft’s official Edge Security Updates page.

Web Security for Developers: Real Threats, Practical Defense

Tags: Chrome browser

Aug 12 2022

Microsoft: We Don’t Want to Zero-Day Our Customers

Category: Zero dayDISC @ 8:30 am

The head of Microsoft’s Security Response Center defends keeping its initial vulnerability disclosures sparse — it is, she says, to protect customers.

Laptop screen showing Windows Update window
Source: CC Photo Labs via Shutterstock

Jai Vijayan

BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company’s vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse-engineer patches for exploitation.

In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft’s Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.

For most vulnerabilities, Microsoft’s current approach is to give a 30-day window from patch disclosure before it fills in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrations enough time to apply the patch without jeopardizing them, she says. “If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers,” Gupta says.

Sparse Vulnerability Information?

Microsoft — as other major software vendors — has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures. Since Nov. 2020, Microsoft has been using the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its security update guide. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also provide a score to convey severity ranking.

However, some have described the updates as cryptic and lacking critical information on the components being exploited or how they might be exploited. They have noted that Microsoft’s current practice of putting vulnerabilities into an “Exploitation More Likely” or an “Exploitation Less Likely” bucket does not provide enough information to make risk-based prioritization decisions.

More recently, Microsoft has also faced some criticism for its alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable’s CEO Amit Yoran accused the company of “silently” patching a couple of Azure vulnerabilities that Tenable’s researchers had discovered and reported.

“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service,” Yoran wrote. “After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk,” and without notifying customers.

Yoran pointed to other vendors — such as Orca Security and Wiz — that had encountered similar issues after they disclosed vulnerabilities in Azure to Microsoft.

Consistent with MITRE’s CVE Policies

Gupta says Microsoft’s decision about whether to issue a CVE for a vulnerability is consistent with the policies of MITRE’s CVE program.

“As per their policy, if there is no customer action needed, we are not required to issue a CVE,” she says. “The goal is to keep the noise level down for organizations and not burden them with information they can do little with.”

“You need not know the 50 things Microsoft is doing to keep things secure on a day-to-day basis,” she notes.

Gupta points to last year’s disclosure by Wiz of four critical vulnerabilities in the Open Management Infrastructure (OMI) component in Azure as an example of how Microsoft handles situations where a cloud vulnerability might affect customers. In that situation, Microsoft’s strategy was to directly contact organizations that are impacted.

“What we do is send one-to-one notifications to customers because we don’t want this info to get lost,” she says “We issue a CVE, but we also send a notice to customers because if it is in an environment that you are responsible for patching, we recommend you patch it quickly.”

Sometimes an organization might wonder why they were not notified of an issue — that’s likely because they are not impacted, Gupta says.

Source: We Don’t Want to Zero-Day Our Customers

Tags: Microsoft

Aug 10 2022

Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Category: Malware,Zero dayDISC @ 12:28 pm
Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Microsoft has published a fix for a zero-day bug discovered in 2019 that it originally did not consider a vulnerability.

The tech giant patched CVE-2022-34713 – informally known as “DogWalk” – on Tuesday, noting in its advisory that it has already been exploited.

According to Microsoft, exploitation of the vulnerability requires that a user open a specially-crafted file delivered through a phishing email or web-based attack.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability,” Microsoft explained. “An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”

Later in the advisory, Microsoft said the type of exploit needed is called an “Arbitrary Code Execution,” or ACE, noting that the attacker would need to convince a victim through social engineering to download and open a specially-crafted file from a website which leads to a local attack on their computer. 

A three-year wait

The bug was originally reported to Microsoft by security researcher Imre Rad on December 22, 2019. Even though a case was opened one day later, Rad said in a blog post that Microsoft eventually declined to fix the issue six months later. 

Microsoft initially told Rad that to make use of the attack he described, an attacker would need “to create what amounts to a virus, convince a user to download the virus, and then run it.” The company added that “as written this wouldn’t be considered a vulnerability.” 

“No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already,” Microsoft told Rad. 

But in June, as security researchers dug into the “Follina” vulnerability, cybersecurity expert j00sean took to Twitter to resurface the issue and spotlight it again.  

Rad noted that on August 4, Microsoft contacted him and said they “reassessed the issue” and “determined that this issue meets our criteria for servicing with a security update” tagging it as CVE-2022–34713.

Microsoft said in its advisory that, like Follina, this is yet another vulnerability centered around Microsoft Support Diagnostic Tool (MSDT)

“Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft said this week. 

Microsoft acknowledged but did not respond to requests for comment about why their assessment of the issue changed after three years, but Microsoft security research and engineering lead Johnathan Norman took to Twitter to thank Rad and j00sean for highlighting the issue.

“We finally fixed the #DogWalk vulnerability. Sadly this remained an issue for far too long. thanks to everyone who yelled at us to fix it,” he said. 

Coalfire vice president Andrew Barratt said he has not seen the vulnerability exploited in the wild yet but said it would “be easily delivered using a phishing/rogue link campaign.”

When exploited, the vulnerability places some malware that automatically starts the next time the user reboots/logs into their Windows PC, Barratt explained, noting that while it is not a trivial point-and-click exploit and requires an attachment to be used in an email, it can be delivered via other fileservers – making it an interesting tactic for an insider to leverage.

“The vast majority of these attachments are blocked by Outlook, but various researchers point out that other email clients could see the attachment and launch the Windows troubleshooting tool (which it leverages as part of the exploit),” Barratt said. “The challenge for a lot of anti-malware is that the file leveraged doesn’t look like a traditional piece of malware, but could be leveraged to pull more sophisticated malware on to a target system. It’s an interesting technique but not one that is going to affect the masses. I’d expect this to be leveraged more by someone meeting the profile of an insider threat.”

Bharat Jogi, director of vulnerability and threat research at Qualys, added that Microsoft likely changed its tune related to CVE-2022–34713 because today’s bad actors are growing more sophisticated and creative in their exploits.

Jogi noted that Follina has been recently used by threat actors — like China-linked APT TA413 — in phishing campaigns that have targeted local U.S. and European government personnel, as well as a major Australian telecommunications provider

Source: Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited

Countdown to Zero Day

Tags: Countdown to Zero Day, DogWalk zero-day

Jul 22 2022

Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists

Category: Web Security,Zero dayDISC @ 9:13 am

The spyware developed by Israeli surveillance firm Candiru exploited recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists.

Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed, by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited recently fixed CVE-2022-2294 Chrome zero-day.

The flaw, which was fixed by Google on July 4, 2022, is a heap buffer overflow that resides in the Web Real-Time Communications (WebRTC) component, it is the fourth zero-day patched by Google in 2022.

Most of the attacks uncovered by Avast researchers took place in Lebanon and threat actors used multiple attack chains to target the journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.

In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.

The researchers noticed that the website contained artifacts associated with the attempts of exploitation for an XSS flaw. The pages contained calls to the Javascript function “alert” along with keywords like “test”, a circumstance that suggests the attackers were testing the XSS vulnerability, before ultimately exploiting it to inject the loader for a malicious Javascript from an attacker-controlled domain (i.e. stylishblock[.]com).

Candiru spyware

This injected code was used to route the victims to the exploit server, through a chain of domains under the control of the attacker.

Once the victim lands on the exploit server, the code developed by Candiru gathers more information the target system, and only if the collected data satisfies the exploit server the exploit is used to deliver the spyware.

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”

The zero-day was chained with a sandbox escape exploit, but experts were not able to recover it due to the protection implemented by the malware.

After getting a foothold on the victim’s machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day exploit. The malicious software targets a legitimate signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion. In order to exploit the the driver, it has to be first dropped to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys), experts pointed out that this could be used as an indicator of compromise. 

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.

Tags: Candiru surveillance spyware, Chrome zero-day

Jul 21 2022

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Category: Web Security,Zero dayDISC @ 2:53 pm

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.

The relevant security bulletins, update numbers, and where to find them online are as follows:

  • APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
  • APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
  • APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
  • APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
  • APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
  • APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
  • APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341

As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPad OS.

But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.

Zero Days - Season 1

DISC InfoSec

#InfoSecTools and #InfoSectraining



Ask DISC an InfoSec & compliance related question

Tags: 0-day, browser bug, zero-day

Jun 23 2022

Seven zero-days in 2021 developed commercially and sold to governments

Category: Zero dayDISC @ 2:42 pm
Google: Seven zero-days in 2021 developed commercially and sold to governments

Google: Seven zero-days in 2021 developed commercially and sold to governments

Google’s Threat Analysis Group (TAG) released a new report on Thursday chronicling an Italian spyware vendor selling technology used on victims in Italy and Kazakhstan.

The report mirrors another from cybersecurity company Lookout that was published last week covering “Hermit” – a brand of surveillanceware developed by spyware vendor RCS Labs and telecoms company Tykelab Srl.

The Google report examined the spyware from RCS Labs, noting that the Italian vendor “uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.”

Google TAG researchers Benoit Sevens and Clement Lecigne also touch on the wider commercial spyware industry, noting that Google continues to track the activities of vendors and recently testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the work they’re doing “to monitor and disrupt this thriving industry.”

“Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors,” Sevens and Lecigne explained. 

“TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.”

iOS and Android versions

Zero Days

Tags: Zero Days

May 31 2022

Microsoft shared workarounds for the Microsoft Office zero-day dubbed Follina

Category: Zero dayDISC @ 8:21 am

Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina, in the Microsoft Office productivity suite.

Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as 

 (CVSS score 7.8), in the Microsoft Office productivity suite.

“On Monday May 30, 2022, Microsoft issued 

 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads the advisory published by Microsoft. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

This week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.

The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.

Microsoft has now published a “Guidance for 

 Microsoft Support Diagnostic Tool Vulnerability.”

Microsoft recommends disabling the MSDT URL Protocol as workarounds, below are the instructions included in the guidance:

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg import filename” 

Microsoft credited crazyman with Shadow Chaser Group, the tech giant labeled the flaw as “fixed” on April 21, 2022, and dismissed the vulnerability as “not a security issue” because the diagnostic tool requires a passkey for its execution.

Microsoft Office CVE-2022-30190 zero-day

Beginning Security with Microsoft Technologies: Protecting Office 365, Devices, and Data

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Microsoft, Microsoft Office zero-day

Next Page »