Crooks Exploit 5 Microsoft Bugs While Windows Giant Addresses 130 Flaws


For Patch Tuesday, Microsoft today addressed 130 CVE-listed vulnerabilities in its products. Five of those bugs have already been exploited in the wild.

A complete list of security updates and advisories for this month’s Patch Tuesday batch can be found from the IT giant here, or from ZDI here. In summary, it includes fixes for Windows, Office, .NET, Visual Studio, Azure Active Directory, DevOps, Dynamics, printer drivers, Redmond’s DNS Server, and Remote Desktop.

Of the 130 vulnerabilities, 9 are considered critical and many of the rest are relatively severe. Let’s start with the ones that are under active attack.

First, there’s CVE-2023-36884. This is a remote code execution flaw that can be exploited via maliciously crafted Microsoft Office files. If the target opens such a document on a vulnerable machine, the PC is compromised.

Importantly, there is no patch for CVE-2023-36884 yet; one may arrive as an out-of-band update or in an upcoming Patch Tuesday. Microsoft released details of the vulnerability early because it believes the Russian crew dubbed Storm-0978 used it to target attendees of the NATO summit on Russia’s invasion of Ukraine, which is taking place in Lithuania.

According to Microsoft, Storm-0978, also known as RomCom and DEV-0978, runs opportunistic ransomware campaigns, infecting vulnerable organizations and, when the criminals find a target of interest, collecting access credentials on behalf of Russian intelligence agencies. In addition to government IT systems, Storm-0978 has also allegedly attacked telecommunications and financial organizations in Europe and the United States.

“Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities using specially crafted Microsoft Office documents,” the Windows giant said in its advisory. With no fix yet, Redmond advised people to use good old attachment blocking.

The four other actively exploited issues have been patched and fall neatly into two categories: security feature bypass and privilege escalation.

Let’s start with the security feature bypasses: CVE-2023-32049 in Windows SmartScreen and CVE-2023-35311 in Microsoft Outlook. In both cases, clicking on a maliciously crafted URL compromises the victim’s PC.

For privilege escalation, there’s CVE-2023-32046 in the MSHTML browser engine and CVE-2023-36874 in the Windows Error Reporting service. For the browser engine bug, tricking the target into opening a specially crafted file (such as an email attachment or one embedded in a web page) is enough to trigger the exploit.

As for the rest, there are many, from remote code execution flaws in Microsoft Access and SharePoint Server (though authentication is required) to assorted kernel-level privilege escalation holes. Check the list for the items relevant to your environment.

Apple once again fumbles a Rapid Security Response

Coincidentally, Apple released a so-called Rapid Security Response (RSR) patch for a WebKit vulnerability in iOS/iPadOS and macOS one day before Patch Tuesday.

Unfortunately, those patches did a little too thorough a job of blocking web content that could lead to arbitrary code execution on vulnerable devices, and today Cupertino advises users to uninstall the RSR if they can no longer view content on the web.

“Apple is aware of an issue that may prevent some websites from displaying properly due to the recent Rapid Security Response,” Apple said. “A Rapid Security Response will be available soon to address this issue.” If that makes you feel better.

This is just the latest buggy RSR Apple has issued since it started rolling out these updates earlier this year. The first time Apple tried to push an RSR, multiple users reported patching failures.

SAP users in the oil and gas industry need to patch

SAP published 18 security updates in its July batch [PDF], including a fix for a critical issue in its IS-OIL software for the oil and gas industry.

This bug has a CVSS score of 9.1 out of 10 and allows an authenticated attacker to inject arbitrary OS commands on a vulnerable deployment. “Successful exploitation of this vulnerability will have a significant impact on the confidentiality, integrity and availability of the affected SAP system, so patching is strongly recommended,” advised information security firm Onapsis.

Critical patches are also available for SAP Solutions Manager, Web Dispatcher, and ICM.

Mandatory ICS fixes for Schneider, Siemens

Industrial control system makers Schneider Electric and Siemens have issued patches for their equipment.

Siemens today updated several advisories and published five new ones. These cover vulnerabilities in Ruggedcom ROX devices that could lead to information disclosure and remote code execution, as well as issues in the Symantec CN 4100 communication system that could give an attacker complete control of the device and allow network isolation to be bypassed.

Schneider’s most pressing issue appears to be with version 3 of the Codesys runtime system, which can be exploited to cause denial of service and remote code execution.

Adobe is having a quiet month

Adobe has released only two patches, one for InDesign and one for ColdFusion, addressing a total of 15 CVEs. Eleven of them belong to InDesign, but the worst affects ColdFusion.

Users of Adobe’s web app development platform face a CVSS 9.8 deserialization-of-untrusted-data vulnerability. Along with improper access control issues and improper restriction of excessive authentication attempts, these ColdFusion flaws could be abused to bypass security features and execute arbitrary code.

InDesign’s worst issue this month is an out-of-bounds write that can lead to arbitrary code execution, alongside a series of out-of-bounds read issues that can lead to memory leaks.

Android and Mozilla release boring patches

Google’s monthly Android advisory was published on its usual schedule (the 5th of the month). It is worth noting that the Pixel family’s Google Security Chip and Titan M each contain several potential privilege escalation and denial-of-service vulnerabilities, so make sure to install the Android security patch.

Mozilla released a single fix for Firefox and the newly released Firefox ESR 115.0.2 this month, addressing a use-after-free in workers that could cause an “exploitable crash”. Mozilla rates its impact as high, so be sure to install it. ®
