WhatsApp silently fixed two critical zero-day vulnerabilities that affect both Android & iOS versions allowing attackers to execute an arbitrary code remotely.
Facebook-owned messenger WhatsApp is one of the Top-ranked Messenger apps with more than Billion users around the world in both Android and iPhone.
Both vulnerabilities are marked under “critical” severity with a CVE Score of 10/10 and found by the WhatsApp internal security Team.
WhatsApp 0-Day Bugs
CVE-2022-36934 – An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.
Simplifying these following vulnerabilities, Whatsapp could cause your device to be hacked by receiving a Video File or When on a Video call.
CVE-2022-36934 – Integer Overflow Bug
An Integer overflow bug that affects WhatsApp allows attackers to execute the specially crafted arbitrary code during an established Video call without any sort of user interaction.
An integer overflow also know as “wraparound” occurs when an integer value is incremented to a value that is too large to store in the associated representation.
This RCE bug affects an unknown code of the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”
Hackers can take advantage of this remote code execution vulnerability to deploy the malware on the user’s device to steal sensitive files and also used for surveillance purposes.
According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”
WhatsApp silently fixed two critical zero-day vulnerabilities that affect both Android & iOS versions allowing attackers to execute an arbitrary code remotely.
Facebook-owned messenger WhatsApp is one of the Top-ranked Messenger apps with more than Billion users around the world in both Android and iPhone.
Both vulnerabilities are marked under “critical” severity with a CVE Score of 10/10 and found by the WhatsApp internal security Team.
WhatsApp 0-Day Bugs
CVE-2022-36934 – An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.
Simplifying these following vulnerabilities, Whatsapp could cause your device to be hacked by receiving a Video File or When on a Video call.
CVE-2022-36934 – Integer Overflow Bug
An Integer overflow bug that affects WhatsApp allows attackers to execute the specially crafted arbitrary code during an established Video call without any sort of user interaction.
An integer overflow also know as “wraparound” occurs when an integer value is incremented to a value that is too large to store in the associated representation.
This RCE bug affects an unknown code of the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”
Hackers can take advantage of this remote code execution vulnerability to deploy the malware on the user’s device to steal sensitive files and also used for surveillance purposes.
According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”
Just three days after Chrome’s previous update, which patched 24 security holes that were not in the wild…
…the Google programmers announced the release of Chrome 105.0.5195.102, where the last of the four numbers in the quadruplet jumps up from 52 on Mac and Linux and 54 on Windows.
The release notes confirm, in the clipped and frustrating “indirect statement made in the passive voice” bug-report style that Google seems to have borrowed from Apple:
CVE-2022-3075
:Insufficient data validation in Mojo.
Reported by Anonymous on 2022-08-30
[...]
Google is aware of reportsrts [sic] that an exploit
for
CVE-2022-3075
exists in the wild.
Microsoft has put out an update, too, taking its browser, which is based on Chromium, to Edge 105.0.1343.27.
Following Google’s super-brief style, Microsfoft wrote merely that:
This update [Edge 105.0.1343.27] contains a fix for
CVE-2022-3075
,
which has been reported by the Chromium team as having an exploit
in the wild
As always, our translation of security holes written up in this non-committal way is: “Crooks or spyware vendors found this vulnerability before we did, have figured out how to exploit it, and are already doing just that.”
…………..
What to do?
Patch early, patch often!
In Chrome, check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.
The Chrome version you are looking for (or Chromium version , if you’re using the non-proprietary, open source flavour) is: 105.0.5195.102 or later.
In Edge, it’s Three dots > Help and feedback > About Microsoft Edge.
The Edge version you’re after is: 105.0.1343.27 or later.
Google’s release notes also list an update to the Extended Stable Channel, which you might be using if you’re on a computer provided by work – like Mozilla’s Extended Support Release or ESR, it’s an official version that lags behind on features but keeps up with security patches, so you aren’t forced to adopt new features just to get patched.
The Extended Stable version you want is: 104.0.5112.114.
Google has also just announced a Chrome for iOS update, available (as always) via the App Store.
There’s no mention of whether the iOS version was affected by CVE-2022-3075, but the version you’re after, in any case, is 105.0.5195.100.
(We’re guessing that by iOS, Google means both iOS and iPadOS, now shipped as different variants of Apple’s underlying mobile operating system.)
Nothing in the release notes so far [2022-09-05T13:45Z] about Android – check in Google Play to see if you’re up to date.
Our much-loved iPhone 6+, now nearly eight years old but in pristine, as-new condition until a recent UDI (unintended dismount incident, also known as a bicycle prang, which smashed the screen but left the device working fine otherwise), hasn’t received any security updates from Apple for almost a year.
The last update we received was back on 2021-09-23, when we updated to iOS 12.5.5.
Every subsequent update for iOS and iPadOS 15 has understandably reinforced our assumption that Apple had dropped iOS 12 support for evermore, and so we relegated the old iPhone to background duty, solely as an emergency device for maps or phone calls while on the road.
(We figured that another crash would be unlikely to wreck the screen any further, so it seemed a useful compromise.)
But we’ve just noticed that Apple has decided to update iOS 12 again after all.
This new update applies to the following models: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation. (Before iOS 13.1 and iPadOS 13.1 came out, iPhones and iPads used the same operating system, referred to as iOS for both devices.)
We didn’t receive a Security Advisory email from Apple, but an alert Naked Security reader who knows we still have that old iPhone 6+ let us know about Apple Security Bulletin HT213428. (Thanks!)
Simply put, Apple has published a patch for
CVE-2022-32893
, which is one of the two mysterious zero-day bugs that received emergency patches on most other Apple platforms earlier in August 2022:
As you will see in the article just above, there was a WebKit remote code execution bug, CVE-2022-32893, by means of which a jailbreaker, a spyware peddler, or some devious cybercriminal could lure you to a booby-trapped website and implant malware on your device, even if all you did was glance at an otherwise innocent-looking page or document.
Then there was a second bug in the kernel, CVE-2022-32894, by which said malware could extend its tentacles beyond the app it just compromised (such as a browser or a document viewer), and get control over the innards of the operating system itself, thus allowing the malware to spy on, modify or even install other apps, bypassing Apple’s much vaunted and notoriously strict security controls.
So, here’s the good news: iOS 12 isn’t vulnerable to the kernel-level zero-day CVE-2022-32894, which almost certainly avoids the risk of total compromise of the operating system itself.
But here’s the bad news: iOS 12 is vulnerable to the WebKit bug CVE-2022-32893, so that individual apps on your phone definitely are at risk of compromise.
We’re guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution.
The danger of WebKit
Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple’s own Safari browser isn’t the only app at risk from this vulnerability.
All browsers on iOS, even Firefox, Edge, Chrome and so on, use WebKit (that’s an Apple requirement if you want your app to make it into the App Store).
And any app that displays web content for purposes other than general browsing, such as in its help pages, its About screen, or even in a built-in “minibrowser”, is also at risk because it will be using WebKit under the covers.
In other words, just “avoiding Safari” and sticking to a third-party browser is not a suitable workaround in this case.
What to do?
We now know that the absence of an update for iOS 12 when the latest emergency patches came out for more recent iPhones was not down to the fact that iOS was already safe.
It was simply down to the fact that an update wasn’t available yet.
So, given that we now know that iOS 12 is at risk, and that exploits against CVE-2022-32893 are being used in real life, and that there is a patch available…
…then it’s an urgent matter of Patch Early/Patch Often!
Go to Settings > General > Software Update, and check that you have iOS 12.5.6.
If you haven’t yet received the update automatically, tap Download and Install to begin the process right away:
Go to Settings > General > Software Update. You’re looking for iOS 12.5.6. Use Download and Install if needed.
The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows).
According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole.
The name zero-day is a reminder that there were zero days on which even the most well-informed and proactive user or sysadmin could have been patched ahead of the Bad Guys.
Update details
Details about the updates are scant, given that Google, in common with many other vendors these days, restricts access to bug details “until a majority of users are updated with a fix”.
But Google’s release bulletin explicitly enumerates 10 of the 11 bugs, as follows:
CVE-2022-2852:Use after free in FedCM.
CVE-2022-2854:Use after free in SwiftShader.
CVE-2022-2855:Use after free in ANGLE.
CVE-2022-2857:Use after free in Blink.
CVE-2022-2858:Use after free in Sign-In Flow.
CVE-2022-2853:Heap buffer overflow in Downloads.
CVE-2022-2856:Insufficient validation of untrusted input in Intents. (Zero-day.)
CVE-2022-2859:Use after free in Chrome OS Shell.
CVE-2022-2860:Insufficient policy enforcement in Cookies.
CVE-2022-2861:Inappropriate implementation in Extensions API.
As you can see, seven of these bugs were caused by memory mismanagement.
A use-after-free vulnerability means that one part of Chrome handed back a memory block that it wasn’t planning to use any more, so that it could be reallocated for use elsewhere in the software…
…only to carry on using that memory anyway, thus potentially causing one part of Chrome to rely on data it thought it could trust, without realising that another part of the software might still be tampering with that data.
Often, bugs of this sort will cause the software to crash completely, by messing up calculations or memory access in an unrecoverable way.
Sometimes, however, use-after-free bugs can be triggered deliberately in order to misdirect the software so that it misbehaves (for example by skipping a security check, or trusting the wrong block of input data) and provokes unauthorised behaviour.
A heap buffer overflow means asking for a block of memory, but writing out more data than will fit safely into it.
This overflows the officially-allocated buffer and overwrites data in the next block of memory along, even though that memory might already be in use by some other part of the program.
Buffer overflows therefore typically produce similar side-effects to use-after-free bugs: mostly, the vulnerable program will crash; sometimes, however, the program can be tricked into running untrusted code without warning.
The zero-day hole
The zero-day bug CVE-2022-2856 is presented with no more detail than you see above: “Insufficient validation of untrusted input in Intents.”
A Chrome Intent is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app that’s launched to process that data.
Google hasn’t provided any details of which apps, or what sort of data, could be maliciously manipulated by this bug…
…but the danger seems rather obvious if the known exploit involves silently feeding a local app with the sort of risky data that would normally be blocked on security grounds.
What to do?
Chrome will probably update itself, but we always recommend checking anyway.
On Windows and Mac, use More > Help > About Google Chrome > Update Google Chrome.
There’s a separate release bulletin for Chrome for iOS, which goes to version 104.0.5112.99, but no bulletin yet [2022-08-17T12:00Z] that mentions Chrome for Android.
On iOS, check that your App Store apps are up-to-date. (Use the App Store app itself to do this.)
You can watch for any forthcoming update announcement about Android on Google’s Chrome Releases blog
The open-source Chromium variant of the proprietary Chrome browser is also currently at version 104.0.5112.101.
Microsoft Edge security notes, however, currently [2022-08-17T12:00Z] say:
August 16, 2022
Microsoft is aware of the recent exploit existing in the wild. We are actively working on releasing a security patch as reported by the Chromium team.
You can keep your eye out for an Edge update on Microsoft’s official Edge Security Updates page.
BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company’s vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse-engineer patches for exploitation.
In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft’s Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.
For most vulnerabilities, Microsoft’s current approach is to give a 30-day window from patch disclosure before it fills in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrations enough time to apply the patch without jeopardizing them, she says. “If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers,” Gupta says.
Sparse Vulnerability Information?
Microsoft — as other major software vendors — has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures. Since Nov. 2020, Microsoft has been using the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its security update guide. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also provide a score to convey severity ranking.
However, some have described the updates as cryptic and lacking critical information on the components being exploited or how they might be exploited. They have noted that Microsoft’s current practice of putting vulnerabilities into an “Exploitation More Likely” or an “Exploitation Less Likely” bucket does not provide enough information to make risk-based prioritization decisions.
More recently, Microsoft has also faced some criticism for its alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable’s CEO Amit Yoran accused the company of “silently” patching a couple of Azure vulnerabilities that Tenable’s researchers had discovered and reported.
“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service,” Yoran wrote. “After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk,” and without notifying customers.
Yoran pointed to other vendors — such as Orca Security and Wiz — that had encountered similar issues after they disclosed vulnerabilities in Azure to Microsoft.
Consistent with MITRE’s CVE Policies
Gupta says Microsoft’s decision about whether to issue a CVE for a vulnerability is consistent with the policies of MITRE’s CVE program.
“As per their policy, if there is no customer action needed, we are not required to issue a CVE,” she says. “The goal is to keep the noise level down for organizations and not burden them with information they can do little with.”
“You need not know the 50 things Microsoft is doing to keep things secure on a day-to-day basis,” she notes.
Gupta points to last year’s disclosure by Wiz of four critical vulnerabilities in the Open Management Infrastructure (OMI) component in Azure as an example of how Microsoft handles situations where a cloud vulnerability might affect customers. In that situation, Microsoft’s strategy was to directly contact organizations that are impacted.
“What we do is send one-to-one notifications to customers because we don’t want this info to get lost,” she says “We issue a CVE, but we also send a notice to customers because if it is in an environment that you are responsible for patching, we recommend you patch it quickly.”
Sometimes an organization might wonder why they were not notified of an issue — that’s likely because they are not impacted, Gupta says.
Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited
Microsoft has published a fix for a zero-day bug discovered in 2019 that it originally did not consider a vulnerability.
The tech giant patched CVE-2022-34713 – informally known as “DogWalk” – on Tuesday, noting in its advisory that it has already been exploited.
According to Microsoft, exploitation of the vulnerability requires that a user open a specially-crafted file delivered through a phishing email or web-based attack.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability,” Microsoft explained. “An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
Later in the advisory, Microsoft said the type of exploit needed is called an “Arbitrary Code Execution,” or ACE, noting that the attacker would need to convince a victim through social engineering to download and open a specially-crafted file from a website which leads to a local attack on their computer.
A three-year wait
The bug was originally reported to Microsoft by security researcher Imre Rad on December 22, 2019. Even though a case was opened one day later, Rad said in a blog post that Microsoft eventually declined to fix the issue six months later.
Microsoft initially told Rad that to make use of the attack he described, an attacker would need “to create what amounts to a virus, convince a user to download the virus, and then run it.” The company added that “as written this wouldn’t be considered a vulnerability.”
“No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already,” Microsoft told Rad.
But in June, as security researchers dug into the “Follina” vulnerability, cybersecurity expert j00sean took to Twitter to resurface the issue and spotlight it again.
Bonuses:
1) It's not needed to use a remote location for "ms-search". We can use folder Downloads. 2) As the downloaded file is diagcab, there's no prompt to open an executable in a remote location. And MOTW prompt bypass. pic.twitter.com/2WP40H6f8I
Rad noted that on August 4, Microsoft contacted him and said they “reassessed the issue” and “determined that this issue meets our criteria for servicing with a security update” tagging it as CVE-2022–34713.
Microsoft said in its advisory that, like Follina, this is yet another vulnerability centered around Microsoft Support Diagnostic Tool (MSDT)
“Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft said this week.
Microsoft acknowledged but did not respond to requests for comment about why their assessment of the issue changed after three years, but Microsoft security research and engineering lead Johnathan Norman took to Twitter to thank Rad and j00sean for highlighting the issue.
“We finally fixed the #DogWalk vulnerability. Sadly this remained an issue for far too long. thanks to everyone who yelled at us to fix it,” he said.
if there is a way to bypass the fix it is probably my fault 🙂
Coalfire vice president Andrew Barratt said he has not seen the vulnerability exploited in the wild yet but said it would “be easily delivered using a phishing/rogue link campaign.”
When exploited, the vulnerability places some malware that automatically starts the next time the user reboots/logs into their Windows PC, Barratt explained, noting that while it is not a trivial point-and-click exploit and requires an attachment to be used in an email, it can be delivered via other fileservers – making it an interesting tactic for an insider to leverage.
“The vast majority of these attachments are blocked by Outlook, but various researchers point out that other email clients could see the attachment and launch the Windows troubleshooting tool (which it leverages as part of the exploit),” Barratt said. “The challenge for a lot of anti-malware is that the file leveraged doesn’t look like a traditional piece of malware, but could be leveraged to pull more sophisticated malware on to a target system. It’s an interesting technique but not one that is going to affect the masses. I’d expect this to be leveraged more by someone meeting the profile of an insider threat.”
Bharat Jogi, director of vulnerability and threat research at Qualys, added that Microsoft likely changed its tune related to CVE-2022–34713 because today’s bad actors are growing more sophisticated and creative in their exploits.
Jogi noted that Follina has been recently used by threat actors — like China-linked APT TA413 — in phishing campaigns that have targeted local U.S. and European government personnel, as well as a major Australian telecommunications provider
The spyware developed by Israeli surveillance firm Candiru exploited recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists.
Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed, by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited recently fixed CVE-2022-2294 Chrome zero-day.
The flaw, which was fixed by Google on July 4, 2022, is a heap buffer overflow that resides in the Web Real-Time Communications (WebRTC) component, it is the fourth zero-day patched by Google in 2022.
Most of the attacks uncovered by Avast researchers took place in Lebanon and threat actors used multiple attack chains to target the journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.
In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.
The researchers noticed that the website contained artifacts associated with the attempts of exploitation for an XSS flaw. The pages contained calls to the Javascript function “alert” along with keywords like “test”, a circumstance that suggests the attackers were testing the XSS vulnerability, before ultimately exploiting it to inject the loader for a malicious Javascript from an attacker-controlled domain (i.e. stylishblock[.]com).
This injected code was used to route the victims to the exploit server, through a chain of domains under the control of the attacker.
Once the victim lands on the exploit server, the code developed by Candiru gathers more information the target system, and only if the collected data satisfies the exploit server the exploit is used to deliver the spyware.
“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”
The zero-day was chained with a sandbox escape exploit, but experts were not able to recover it due to the protection implemented by the malware.
After getting a foothold on the victim’s machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day exploit. The malicious software targets a legitimate signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion. In order to exploit the the driver, it has to be first dropped to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys), experts pointed out that this could be used as an indicator of compromise.
“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.
Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.
The relevant security bulletins, update numbers, and where to find them online are as follows:
APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341
As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPad OS.
But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.
Google: Seven zero-days in 2021 developed commercially and sold to governments
Google’s Threat Analysis Group (TAG) released a new report on Thursday chronicling an Italian spyware vendor selling technology used on victims in Italy and Kazakhstan.
The report mirrors another from cybersecurity company Lookout that was published last week covering “Hermit” – a brand of surveillanceware developed by spyware vendor RCS Labs and telecoms company Tykelab Srl.
The Google report examined the spyware from RCS Labs, noting that the Italian vendor “uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.”
Google TAG researchers Benoit Sevens and Clement Lecigne also touch on the wider commercial spyware industry, noting that Google continues to track the activities of vendors and recently testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the work they’re doing “to monitor and disrupt this thriving industry.”
“Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors,” Sevens and Lecigne explained.
“TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.”
(CVSS score 7.8), in the Microsoft Office productivity suite.
“On Monday May 30, 2022, Microsoft issued
CVE-2022-30190
regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads the advisory published by Microsoft. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
This week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3pic.twitter.com/rVSb02ZTwt
The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.
“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont.“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”
The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.
Microsoft recommends disabling the MSDT URL Protocol as workarounds, below are the instructions included in the guidance:
To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
Run Command Prompt as Administrator.
To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
Run Command Prompt as Administrator.
To back up the registry key, execute the command “reg import filename”
Microsoft credited crazyman with Shadow Chaser Group, the tech giant labeled the flaw as “fixed” on April 21, 2022, and dismissed the vulnerability as “not a security issue” because the diagnostic tool requires a passkey for its execution.
A zero-day vulnerability in uClibc and uClibc-ng, a popular C standard library, could enable a malicious actor to launch DNS poisoning attacks on vulnerable IoT devices.
The bug, tracked as ICS-VU-638779, which has yet to be patched, could leave users exposed to attack, researchers have warned.
DNS poisoning
In a DNS poisoning attack, the target domain name is resolved to the IP address of a server that’s under an attacker’s control.
This means at if a malicious actor were to send a ‘forgotten password’ request, they could direct it to their own email address and intercept it – allowing them to change the victim’s password and access their account.
For an IoT device, this attack could potentially be used to intercept a firmware update request and instead directing it to download malware.
The DNS poisoning vulnerability was discovered by researchers at Nozomi Networks, who revealed that the issue remains unpatched, potentially exposing multiple users to attack.
Nozomi Networks states that uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, or Linux distributions such as Embedded Gentoo. uClibc-ng is a fork specifically designed for OpenWRT, a common operating system for web routers.
The library maintainer was unable to provide a fix, according to Nozomi. The researchers said they would refrain from sharing technical details or listing vulnerable devices until a patch is available.
“It’s important to note that a vulnerability affecting a C standard library can be a bit complex,” the team wrote in a blog post this week.
“Not only would there be hundreds or thousands of calls to the vulnerable function in multiple points of a single program, but the vulnerability would affect an indefinite number of other programs from multiple vendors configured to use that library.”
An unauthenticated zero-day RCE vulnerability in the Spring Core Java framework called ‘Spring4Shell’ has been publicly disclosed.
Researchers disclosed a zero-day vulnerability, dubbed Spring4Shell, in the Spring Core Java framework called ‘Spring4Shell.’ An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.
The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.
The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting its account (helloexp).
A Java Springcore RCE 0day exploit has been leaked. It was leaked by a Chinese security researcher who, since sharing and/or leaking it, has deleted their Twitter account.
“The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks.” reported the analysis published by Rapid7. “The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly deleted.”
The flaw has yet to be patched and impacts Spring Core on Java Development Kit (JDK) versions 9 and later. The vulnerability is a bypass for another vulnerability tracked as
Rapid7 researchers pointed out that the vulnerability (and proof of concept) could be triggered only when a specific functionality is used. The exploit code released by the Chinese researchers is not related to a “completely different” unauthenticated RCE flaw that was published on March 29, 2022 for Spring Cloud.
“Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation.” continues Rapid7.
The analysis of the flaw suggests that its impact may not be severe like other issues, like Log4J.
“Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,” reads the analysis published by cybersecurity firm Praetorian.
Security researchers that tested the Spring4Shell exploit confirmed that it works. CERT/CC vulnerability analyst Will Dormann confirmed that the PoC exploit code works against the stock ‘Handling Form Submission’ sample code from
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added recently disclosed Firefox zero-days to its Known Exploited Vulnerabilities Catalog.
The Cybersecurity and Infrastructure Security Agency (CISA) added two critical security vulnerabilities in Mozilla firefox, tracked as
, to its Known Exploited Vulnerabilities Catalog. The US agency has ordered federal civilian agencies to address both issues by March 21, 2022.
Yesterday Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address the two zero-day vulnerabilities that are actively exploited in attacks.
The two vulnerabilities are “Use-after-free” issues in XSLT parameter processing and in the WebGPU IPC Framework respectively.
Successful exploitation of the flaws can cause a program crash or execute arbitrary commands on the machine.
Below is the description of both flaws included in the advisory published by Mozilla:
CVE-2022-26485: Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
CISA added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalog that are reported in the following table along with the associated due date.
CVE ID
Vulnerability Name
Due Date
CVE-2022-26486
Mozilla Firefox Use-After-Free Vulnerability
03/21/22
CVE-2022-26485
Mozilla Firefox Use-After-Free Vulnerability
03/21/22
CVE-2021-21973
VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF)
03/21/22
CVE-2020-8218
Pulse Connect Secure Code Injection Vulnerability
09/07/22
CVE-2019-11581
Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, actively exploited with the release of Chrome emergency update for Windows, Mac, and Linux. This is the first Chome zero-day fixed this year by Google.
The zero-day is a use after free issue that resides in Animation, the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.
“Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group on 2022-02-10 [$TBD][1285449]” reads the security advisory published by Google. “Google is aware of reports that an exploit for
CVE-2022-0609
exists in the wild.”
The emergency patches will be rolled out in the next weeks. Users could update their browser manually by visiting the entry Chrome menu > Help > About Google Chrome.
Google did not disclose technical details for the CVE-2022-0609 to avoid massive exploitation of the bug. The IT giant also avoided disclosing info regarding the attack in the wild exploiting the flaw.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.
Google Project Zero researchers Natalie Silvanovich disclosed details of two zero-day vulnerabilities in Zoom clients and Multimedia Router (MMR) servers. An attacker could have exploited the now-fixed issues to crash the service, execute malicious code, and even leak the content of portions of the memory.
The researcher focused its search for bugs in the Zoom client software, including zero-day issues that allowed her to take over the victim’s system without requiring any user interaction.
The two vulnerabilities have been fixed on November 24, 2021, they are a buffer overflow information leakage issue tracked as CVE-2021-34423 and CVE-2021-34424 respectively.
The CVE-2021-34423 vulnerability, is a buffer overflow issue that received a CVSS score of 9.8. An attacker can trigger the vulnerability to execute arbitrary code or crash the service or application.
The experts focused the analysis on the RTP (Real-time Transport Protocol) traffic used for audio and video communications. Silvanovich discovered that manipulating the contents of a buffer that supports reading different data types by sending a malformed chat message, could trigger the flaw causing the client and the MMR server to crash.
“Note that the string buffer is allocated based on a length read from the msg_db_t buffer, but then a second length is read from the buffer and used as the length of the string that is read. This means that if an attacker could manipulate the contents of the msg_db_t buffer, they could specify the length of the buffer allocated, and overwrite it with any length of data (up to a limit of 0x1FFF bytes, not shown in the code snippet above).” reads the analysis published by Project Zero. “I tested this bug by hooking SSL_write with Frida, and sending the malformed packet, and it caused the Zoom client to crash on a variety of platforms.”
The CVE-2021-34424 is a process memory exposure flaw that received a CVSS score of 7.5. An attacker can trigger the flaw to potentially gain insight into arbitrary areas of the product’s memory.
The second flaw is caused by the lack of a NULL check that allows to leak data from the memory by joining a Zoom meeting via a web browser.
“This bug allows the attacker to provide a string of any size, which then gets copied out of bounds up until a null character is encountered in memory, and then returned. It is possible for CVE-2021-34424 to return a heap pointer, as the MMR maps the heap that gets corrupted at a low address that does not usually contain null bytes, however, I could not find a way to force a specific heap pointer to be allocated next to the string buffer that gets copied out of bounds. C++ objects used by the MMR tend to be virtual objects, so the first 64 bits of most object allocations are a vtable which contains null bytes, ending the copy.” continues the analysis.
The researcher pointed out that lack of ASLR in the Zoom MMR process exposed users to the risk of attacks, the good news it that Zoom has recently enabled it.
Project Zero experts also pointed out that the closed nature of Zoom also heavily impacted the analysis. Unlike most video conferencing systems, Zoom use a proprietary protocol that make it hard to analyze it.
“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich concludes. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”
Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises.
The identified vulnerability enables Remote Code Execution (RCE) which grants the ability to takeover of the device and then use it for malicious purposes, as well as to steal sensitive data too. It’s likely this vulnerability is present in other devices from the same family.
The affected device is orientated towards the enterprise segment and supports Wi-Fi 6 (the next-generation wireless standard which is faster than 802.11ac). Wi-Fi 6 officially arrived in late 2019, and Wi-Fi 6 enabled hardware was released throughout 2020. The main goal of this new standard is enhancing throughput-per-area in high-density scenarios, such as corporate offices, shopping malls and dense residential apartments.
Resecurity notified TP-Link on November 19th 2021, and received acknowledgment the very next day. TP-Link said they’re going to release a patch in a week (currently the 0-day vulnerability is in the wild). Resecurity shared Proof-of-Concept with TP-Link of how Remote Code Execution was achieved on the target device, along with multiple other vulnerabilities.
Below is the video PoC of the zero-day exploitation:
The Life and Times of Zero-Day Vulnerabilities and Their Exploits
If you’ve already listened to this week’s Naked Security Podcast you’ll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday…
…had been dumped forever by Apple.
Apple notoriously won’t tell you anything about the security situation in its products unless and until it has a patch out.
So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didn’t, we couldn’t tell whether it was still safe and didn’t need the patches, whether it needed the patches but they’d be a bit late, or whether it needed the patches but would never get them.
And with iOS 15 arriving as the new kid on the block this week, we assumed the worst, following the “one-in-one-out” principle.
You know what we’re going to say, so we’ll say it right away.
Patch early, patch often.
Canadian privacy and cybersecurity activist group The Citizen Lab just announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems.
They’ve given the attack the nickname FORCEDENTRY, for rather obvious reasons, though its official designation is CVE-2021-30860.
Citizen Lab has attributed the vulnerability, and the code that exploits it, to controversial device surveillance company NSO Group, already well-known for its so-called Pegasus line of spyware-like products.
According to Citizen Lab, this exploit relies on booby-trapped PDF files, and was spotted in the wild when a Saudi Arabian activist handed over their phone for analysis after suspecting that spyware had somehow been implanted on the device.
The Citizen Lab report coincides with Apple’s own security bulletin HT21807, which credits Citizen Lab for reporting the hole, and says simply:
Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. […] An integer overflow was addressed with improved input validation.
Details are scarce so far, but Microsoft is warning Officeusers about a bug that’s dubbed
CVE-2021-40444
, and described as Microsoft MSHTML Remote Code Execution Vulnerability.
The bug doesn’t have a patch yet, so it’s what’s known as a zero-day, shorthand for “the Good Guys were zero days ahead of the Bad Guys with a patch for this vulnerability.”
In other words: the crooks got there first.
As far as we can tell, the treachery works like this:
You open a booby-trapped Office file from the internet, either via an email attachment or by downloading a document from a criminal-controlled web link.
The document includes an ActiveX control (embedded add-on code) that ought not to have unrestricted access to your computer.
The ActiveX code activates the Windows MSHTML component, used for viewing web pages, exploits a bug in it to give itself the same level of control that you yourself would have right from the Windows desktop, and uses it to implant malware of the attacker’s choice.
MSHTML isn’t a full-on browser, like Internet Explorer or Edge, but is a part of the operating system that can be used to create browsers or browser-like applications that need or want to display HTML files.
Even though HTML is most closely associated with web browsing, many apps other than browsers find it useful to be able to render and display web content, for example as a convenient and good-looking way to present documentation and help files, or to let users fill in and submit support tickets.
This “stripped down minibrowser” concept can be found not only on Windows but also on Google’s Android and Apple’s iOS, where the components Blink and WebKit respectively provide the same sort of functionality as MSHTML on Microsoft platforms. Mozilla products such as Firefox and Thunderbird are based on a similar idea, known as Gecko. On iOS, interestingly, Apple not only uses WebKit as the core of its own browser, Safari, but also mandates the use of WebKit in browsers or browser-like apps from all other vendors. That’s why Firefox on iOS is the only version of that product that doesn’t include Gecko -it has no choice but to use WebKit instead.
