Headline
Update now! Microsoft fixes two zero-day bugs
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday
Tags: March
Tags: 2023
Tags: Microsoft
Tags: Adobe
Tags: Fortinet
Tags: Android
Tags: SAP
Tags: CVE-2023-23397
Tags: CVE-2023-24880
Tags: CVE-2023-26360
Tags: CVE-2022-41328
This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one.
(Read more…)
The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.
Posted: March 15, 2023 by
Microsoft, and other vendors, have released their monthly updates. In total Microsoft has fixed a total of 101 vulnerabilities for several titles (including Edge), with two of them being actively exploited zero-days. On top of that, Adobe has fixed an actively exploited vulnerability in ColdFusion.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the actively exploited vulnerabilities patched in these updates are:
CVE-2023-23397: a critical Microsoft Outlook Elevation of Privilege (EoP) vulnerability. External attackers could send specially crafted emails to cause a connection from the victim to an external UNC location of attackers’ control. This would leak the Net-NTLMv2 hash of the victim to the attacker who could then relay this to another service and authenticate as the victim. The mail would be triggered automatically when retrieved and processed by the Outlook client, which could result in exploitation even before the email is viewed in the Preview Pane.
This means this vulnerability could be used to obtain a hashed token, which could then be used in a so-called “pass-the-hash” attack. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then returns the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that mathematical operation required to gain access. The authentication process does not require the plaintext password. The hash is enough.
CVE-2023-24880: a moderate Windows SmartScreen Security Feature Bypass vulnerability. An attacker could craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. Reportedly, this vulnerability was used in ransomware related attacks.
MOTW, the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet makes another comeback. The MOTW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a Restricted Zone. When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. And, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3, which means that the file was downloaded from the internet, the SmartScreen does a reputation check.
CVE-2023-26360: classified as a priority 1 vulnerability in Adobe ColdFusion due to critical deserialization of untrusted data. This flaw can lead to arbitrary code execution, making it a high-priority target for attackers.
Adobe says it is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.
Adobe recommends updating your ColdFusion versions 2021 and 2018 JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.
Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
- ColdFusion 2018 Auto-Lockdown guide
- ColdFusion 2021 Lockdown Guide
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.
Adobe has released security updates to address vulnerabilities in other products. Commerce APSB23-17, Experience Manager APSB23-18, Illustrator APSB23-19, Dimension APSB23-20, Creative Cloud Desktop Application APSB23-21, Substance 3D Stager APSB23-22, and Photoshop APSB23-23.
Fortinet published its March 2023 security advisories which address a high-severity security vulnerability (CVE-2022-41328) in FortiOS, that allowed threat actors to execute unauthorized code or commands.
SAP has released security updates for 19 vulnerabilities, five of which were rated as critical.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
TRY NOW
RELATED ARTICLES
Related news
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available
Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.
By Deeba Ahmed Russian hackers, part of Russia’s Main Intelligence Directorate of the General Staff, are using compromised Ubiquiti EdgeRouters to… This is a post from HackRead.com Read the original post: FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities
Everyone's New Year's Resolution should be to stop using passwords altogether.
The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.
By Deeba Ahmed CISA Warns of Critical Adobe ColdFusion Vulnerability Actively Exploited by Threat Actors. This is a post from HackRead.com Read the original post: Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers
CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,"
By Waqas Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency. This is a post from HackRead.com Read the original post: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's
Categories: Exploits and vulnerabilities Categories: News Tags: Adobe Tags: ColdFusion Tags: CVE-2023-26359 Tags: CVE-2023-26360 Tags: critical Tags: known exploited Tags: deserialization A second Adobe ColdFusion vulnerability that was patched in April has been added to CISA's known exploited vulnerabilities catalog. (Read more...) The post Adobe ColdFusion vulnerability exploited in the wild appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (
Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat
Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security
This Metasploit module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution.
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "
Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239119 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI […]
Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction. "External
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.
Facebook users are notoriously the biggest offenders for sharing fake news and misinformation.
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
The zero-day exploitation of a now-patched medium-security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.
By Deeba Ahmed According to researchers, multiple Fortinet products were impacted by this vulnerability, including FortiManager, FortiGate, and FortiAnalyzer. This is a post from HackRead.com Read the original post: Chinese Hackers Exploiting 0-day Vulnerability in Fortinet Products
Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means almost business user could be a victim.
The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion
Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.
Patched earlier this month, a code-execution vulnerability is the latest FortiOS weakness to be exploited by attackers, who see the devices as well-placed targets for initial access operations.
Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.
Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.
Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
Microsoft Outlook Elevation of Privilege Vulnerability
Windows SmartScreen Security Feature Bypass Vulnerability
May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability March 24, 2023 update: Impact Assessment has been updated to a link to Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.
**What is the relationship between Mark of the Web and Windows SmartScreen?** When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check. For more information on SmartScreen, please visit Microsoft Defender SmartScreen overview | Microsoft Learn.
**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?** An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.
Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an
A improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.