Beyond Information Security

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.

The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month’s Patch Tuesday release.

The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited –

  • CVE-2024-38014 (CVSS score: 7.8) – Windows Installer Elevation of Privilege Vulnerability
  • CVE-2024-38217 (CVSS score: 5.4) – Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
  • CVE-2024-38226 (CVSS score: 7.3) – Microsoft Publisher Security Feature Bypass Vulnerability
  • CVE-2024-43491 (CVSS score: 9.8) – Microsoft Windows Update Remote Code Execution Vulnerability

“Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running,” Satnam Narang, senior staff research engineer at Tenable, said in a statement.

Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Securityweek / CISCO Talos intelligence group / Infosecurity magazine / SANS internet storm center

Link: https://thehackernews.com/2024/09/microsoft-issues-patches-for-79-flaws.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2024-patch-tuesday-fixes-4-zero-days-79-flaws/

Link: https://krebsonsecurity.com/2024/09/bug-left-some-windows-pcs-dangerously-unpatched/

Link: https://www.darkreading.com/application-security/microsoft-discloses-4-zero-days-in-september-update

Link: https://www.securityweek.com/microsoft-says-windows-update-zero-day-being-exploited-to-undo-security-fixes

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-september-2024/

Link: https://www.infosecurity-magazine.com/news/microsoft-fixes-four-actively/

Link: https://isc.sans.edu/diary/Microsoft%20September%202024%20Patch%20Tuesday/31254


Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.

The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.

“An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution,” Ivanti noted in an advisory released earlier this week. “The attacker must have admin level privileges to exploit this vulnerability.” The flaw impacts Ivanti CSA 4.6, which has currently reached end-of-life status, requiring that customers upgrade to a supported version going forward. That said, it has been addressed in CSA 4.6 Patch 519.

“With the end-of-life status this is the last fix that Ivanti will backport for this version,” the Utah-based IT software company added. “Customers must upgrade to Ivanti CSA 5.0 for continued support.”

Source: The hacker news / Bleeping computer / Securityweek / Ivanti security advisory

Link: https://thehackernews.com/2024/09/ivanti-warns-of-active-exploitation-of.html

Link: https://www.bleepingcomputer.com/news/security/ivanti-warns-high-severity-csa-flaw-is-now-exploited-in-attacks/

Link: https://www.securityweek.com/ivanti-patches-critical-vulnerabilities-in-endpoint-manager/

Link: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US


Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.

The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0

“An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances,” the company said in an alert.

The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, have been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Source: The hacker news / Bleeping computer / Securityweek / GitLab Critical Patch Release

Link: https://thehackernews.com/2024/09/urgent-gitlab-patches-critical-flaw.html

Link: https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pipeline-execution-vulnerability/

Link: https://www.securityweek.com/gitlab-updates-resolve-critical-pipeline-execution-vulnerability/

Link: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job


Adobe fixes Acrobat Reader zero-day with public PoC exploit

A cybersecurity researcher is urging users to upgrade Adobe Acrobat Reader after a fix was released yesterday for a remote code execution zero-day with a public in-the-wild proof-of-concept exploit.

The flaw is tracked as CVE-2024-41869 and is a critical use after free vulnerability that could lead to remote code execution when opening a specially crafted PDF document.

A “use after free” bug is when a program tries to access data in a memory location that has already been freed or released. This causes unexpected behavior, such as a program crashing or freezing. However, if a threat actor is able to store malicious code in that memory location, and the program subsequently accesses it, it could be used to execute malicious code on the targeted device. The flaw has now been fixed in the latest  Acrobat Reader and Adobe Acrobat versions.

Source: Bleeping computer / Securityweek / Helpnet security

Link: https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/

Link: https://www.securityweek.com/adobe-patches-critical-code-execution-flaws-in-multiple-products/

Link: https://www.helpnetsecurity.com/2024/09/12/cve-2024-41869/


Microsoft Is Adding New Cryptography Algorithms

Microsoft is updating SymCrypt, its core cryptographic library, with new quantum-secure algorithms. From a news article:

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren’t vulnerable to Shor’s algorithm when the keys are of a sufficient size.

The ML in the ML-KEM name refers to Module Learning with Errors, a problem that can’t be cracked with Shor’s algorithm. As explained here, this problem is based on a “core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency.”

ML-KEM, which is formally known as FIPS 203, specifies three parameter sets of varying security strength denoted as ML-KEM-512, ML-KEM-768, and ML-KEM-1024. The stronger the parameter, the more computational resources are required.

The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it’s based on “stateful hash-based signature schemes.” These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses.

Source: Bruce Schneier on security / Microsoft tech community / ars Technica / Securityweek

Link: https://www.schneier.com/blog/archives/2024/09/microsoft-is-adding-new-cryptography-algorithms.html

Link: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-s-quantum-resistant-cryptography-is-here/ba-p/4238780

Link: https://arstechnica.com/security/2024/09/microsoft-adds-quantum-resistant-algorithms-to-its-core-crypto-library/

Link: https://www.securityweek.com/microsoft-adds-support-for-post-quantum-algorithms-in-symcrypt-library/