The Microsoft Windows Kernel suffers from out-of-bounds reads and paged pool memory disclosure in VrpUpdateKeyInformation.

Microsoft Windows Kernel Out-Of-Bounds Reads / Memory Disclosure

The Microsoft Windows Kernel suffers from a paged pool memory disclosure in VrpPostEnumerateKey.

Microsoft Windows Kernel Paged Pool Memory Disclosure

The Microsoft Windows Kernel passes user-mode pointers to registry callbacks, leading to race conditions and memory corruption.

Microsoft Windows Kernel Race Condition / Memory Corruption

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.
"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.

"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831," Cluster25 said in a report published last week.

The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host.

Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook\[.\]site.

CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows attackers to execute arbitrary code upon attempting to view a benign file within a ZIP archive. Findings from Group-IB in August 2023 disclosed that the bug had been weaponized as a zero-day since April 2023 in attacks targeting traders.

The development comes as Google-owned Mandiant charted Russian nation-state actor APT29's "rapidly evolving" phishing operations targeting diplomatic entities amid an uptick in tempo and an emphasis on Ukraine in the first half of 2023.

The substantial changes in APT29's tooling and tradecraft are "likely designed to support the increased frequency and scope of operations and hinder forensic analysis," the company said, and that it has "used various infection chains simultaneously across different operations."

Some of the notable changes include the use of compromised WordPress sites to host first-stage payloads as well as additional obfuscation and anti-analysis components.

AT29, which has also been linked to cloud-focused exploitation, is one of the many activity clusters originating from Russia that have singled out Ukraine following the onset of the war early last year.

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated Turla in attacks deploying the Capibar malware and Kazuar backdoor for espionage attacks on Ukrainian defensive assets.

"The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives," Trend Micro disclosed in a recent report. "Turla has continuously developed its tools and techniques over years and will likely keep on refining them."

Ukrainian cybersecurity agencies, in a report last month, also revealed that Kremlin-backed threat actors targeted domestic law enforcement entities to collect information about Ukrainian investigations into war crimes committed by Russian soldiers.

"In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), \[and\] UAC-0107 (CyberArmyofRussia)," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said.

CERT-UA recorded 27 "critical" cyber incidents in H1 of 2023, compared to 144 in the second half of 2022 and 319 in the first half of 2022. In total, destructive cyber-attacks affecting operations fell from 518 to 267.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

New research shows the number of deepfake videos is skyrocketing—and the world's biggest search engines are funneling clicks to dozens of sites dedicated to the nonconsensual fakes.

Google’s and Microsoft’s search engines have a problem with deepfake porn videos. Since deepfakes emerged half a decade ago, the technology has consistently been used to abuse and harass women—using machine learning to morph someone’s head into pornography without their permission. Now the number of nonconsensual deepfake porn videos is growing at an exponential rate, fueled by the advancement of AI technologies and an expanding deepfake ecosystem.

A new analysis of nonconsensual deepfake porn videos, conducted by an independent researcher and shared with WIRED, shows how pervasive the videos have become. At least 244,625 videos have been uploaded to the top 35 websites set up either exclusively or partially to host deepfake porn videos in the past seven years, according to the researcher, who requested anonymity to avoid being targeted online.

Over the first nine months of this year, 113,000 videos were uploaded to the websites—a 54 percent increase on the 73,000 videos uploaded in all of 2022. By the end of this year, the analysis forecasts, more videos will have been produced in 2023 than the total number of every other year combined.

These startling figures are just a snapshot of how colossal the issues with nonconsensual deepfakes has become—the full scale of the problem is much larger and encompasses other types of manipulated imagery. A whole industry of deepfake abuse, which predominantly targets women and is produced without people’s consent or knowledge, has emerged in recent years. Face-swapping apps that work on still images and apps where clothes can be “stripped off a person” in a photo with just a few clicks are also highly prominent. There are likely millions of images being created with these apps.

“This is something that targets everyday people, everyday high school students, everyday adults—it's become a daily occurrence,” says Sophie Maddocks, who conducts research on digital rights and cyber-sexual violence at the University of Pennsylvania. “It would make a lot of difference if we were able to make these technologies harder to access. It shouldn't take two seconds to potentially incite a sex crime.”

The new research highlights 35 different websites, which exist to exclusively host deepfake pornography videos or incorporate the videos alongside other adult material. (It does not encompass videos posted on social media, those shared privately, or manipulated photos.) WIRED is not naming or directly linking to the websites, so as not to further increase their visibility. The researcher scraped the websites to analyze the number and duration of deepfake videos, and they looked at how people find the websites using the analytics service SimilarWeb.

Many of the websites make it clear they host or spread deepfake porn videos—often featuring the word _deepfakes_ or derivatives of it in their name. The top two websites contain 44,000 videos each, while five others host more than 10,000 deepfake videos. Most of them have several thousand videos, while some only list a few hundred. Some videos the researcher analyzed have been watched millions of times.

The research also identified an additional 300 general pornography websites that incorporate nonconsensual deepfake pornography in some way. The researcher says “leak” websites and websites that exist to repost people’s social media pictures are also incorporating deepfake images. One website dealing in photographs claims it has “undressed” people in 350,000 photos.

Measuring the full scale of deepfake videos and images online is incredibly difficult. Tracking where the content is shared on social media is challenging, while abusive content is also shared in private messaging groups or closed channels, often by people known to the victims. In September, more than 20 girls aged 11 to 17 came forward in the Spanish town of Almendralejo after AI tools were used to generate naked photos of them without their knowledge.

“There has been significant growth in the availability of AI tools for creating deepfake nonconsensual pornographic imagery, and an increase in demand for this type of content on pornography platforms and illicit online networks,” says Asher Flynn, an associate professor at Monash University, Australia, who focuses on AI and technology-facilitated abuse. This is only likely to increase with new generative AI tools.

The gateway to many of the websites and tools to create deepfake videos or images is through search. Millions of people are directed to the websites analyzed by the researcher, with 50 to 80 percent of people finding their way to the websites via search. Finding deepfake videos through search is trivial and does not require a person to have any special knowledge about what to search for.

The issue is global. Using a VPN, the researcher tested Google searches in Canada, Germany, Japan, the US, Brazil, South Africa, and Australia. In all the tests, deepfake websites were prominently displayed in search results. Celebrities, streamers, and content creators are often targeted in the videos. Maddocks says the spread of deepfakes has become “endemic” and is what many researchers first feared when the first deepfake videos rose to prominence in December 2017.

Since the tools needed to create deepfake videos emerged, they’ve become easier to use, and the quality of the videos being produced has improved. The wave of image-generation tools also offers the potential for higher-quality abusive images and, eventually, video to be created. And five years after the first deepfakes started to appear, the first laws are just emerging that criminalize the sharing of faked images.

The proliferation of these deepfake apps combined with a greater reliance on digital communications in the Covid-19 era and a "failure of laws and policies to keep pace" has created a “perfect storm,” Flynn says.

Experts say that alongside new laws, better education about the technologies is needed, as well as measures to stop the spread of tools created to cause harm. This includes action by firms that host the websites and also search engines, including Google and Microsoft’s Bing. Currently, Digital Millennium Copyright Act (DMCA) complaints are the primary legal mechanism that women have to get videos removed from websites.

Henry Ajder, a deepfake and generative AI expert who has monitored the spread of the technologies, says adding more “friction” to the process of people finding deepfake porn videos, apps to change people’s faces, and tools that specifically allow the creation of nonconsensual images can reduce the spread. “It's about trying to make it as hard as possible for someone to find,” he says. This could be search engines down-ranking results for harmful websites or internet service providers blocking sites, he says. “It's hard to feel really optimistic, given the volume and scale of these operations, and the need for platforms—which historically have not taken these issues seriously—to suddenly do so,” Ajder says.

“Like any search engine, Google indexes content that exists on the web, but we actively design our ranking systems to avoid shocking people with unexpected harmful or explicit content they don't want to see,” says Google spokesperson Ned Adriance, pointing to its page on when it removes search results. Google’s support pages say it is possible for people to request that “involuntary fake pornography” be removed. Its removal form requires people to manually submit URLs and the search terms that were used to find the content. “As this space evolves, we're actively working to add more safeguards to help protect people, based on systems we've built for other types of nonconsensual explicit imagery,” Adriance says.

Courtney Gregoire, chief digital safety officer at Microsoft, says it does not allow deepfakes, and they can be reported through its web forms. “The distribution of nonconsensual intimate imagery (NCII) is a gross violation of personal privacy and dignity with devastating effects for victims,” Gregoire says. “Microsoft prohibits NCII on our platforms and services, including the soliciting of NCII or advocating for the production or redistribution of intimate imagery without a victim’s consent.”

While the number of videos and pictures continues to skyrocket, the impact on victims can be long-lasting. “Gender-based online harassment is having an enormous chilling effect on free speech for women,” Maddocks says. As reported by WIRED, female Twitch streamers targeted by deepfakes have detailed feeling violated, being exposed to more harassment, and losing time, and some said the nonconsensual content found its way to family members.

Flynn, the Monash University professor, says her research has found “high rates” of mental health concerns—such as anxiety, depression, self-injury, and suicide—as a result of digital abuse. “The potential impacts on a person’s mental and physical health, as well as impacts on their employment, family, and social lives can be immense,” Flynn says, “regardless of whether the image is deepfaked or ‘real.’”

Deepfake Porn Is Out of Control

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2023 Q3 Security Researcher Leaderboard are Wei, VictorV, and Anonymous!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2023 Q3 Security Researcher Leaderboard are **Wei, VictorV, and Anonymous!**

Check out the full list of researchers recognized this quarter here.

Congratulations to the top Azure researchers this quarter: **Wei, VictorV, Suresh Chelladurai!**

Congratulations to the top Office researchers this quarter: **Brad Schlintz, Harun Can, Disclosures!**

Congratulations to the top Windows researchers this quarter: **Jarvis\_1oop, k0shl, Anonymous!**

This 2023 Q3 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between July 1, 2023, and September 30, 2023
*   Submitted and assessed by the MSRC team between April 1, 2023, and June 30, 2023 (last program period), but assessed after July 1, 2023

Past quarterly leaderboard announcements:

*   MSRC 2023 Q2 Security Researcher Leaderboard
*   MSRC 2023 Q1 Security Researcher Leaderboard
*   MSRC 2022 Q4 Security Researcher Leaderboard
*   MSRC 2022 Q3 Security Researcher Leaderboard
*   MSRC 2022 Q2 Security Researcher Leaderboard
*   MSRC 2022 Q1 Security Researcher Leaderboard
*   MSRC 2021 Q4 Security Researcher Leaderboard
*   MSRC 2021 Q3 Security Researcher Leaderboard

Keep up the awesome work and we look forward to seeing you next quarter!

_Madeline Eckert, MSRC_

Congratulations to the Top MSRC 2023 Q3 Security Researchers!

Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolster security.
"The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said. "New features for Windows 11 include

Authentication / Endpoint Security

Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolster security.

"The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said. "New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos."

IAKerb enables clients to authenticate with Kerberos across a diverse range of network topologies. The second feature, a local Key Distribution Center (KDC) for Kerberos, extends Kerberos support to local accounts.

First introduced in the 1990s, NTLM is a suite of security protocols intended to provide authentication, integrity, and confidentiality to users. It is a single sign-on (SSO) tool that relies on a challenge-response protocol that proves to a server or domain controller that a user knows the password associated with an account.

It has since been supplanted by another authentication protocol called Kerberos since the release of Windows 2000, although NTLM continues to be used as a fallback mechanism.

"The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user," CrowdStrike notes. "Kerberos uses a two-part process that leverages a ticket granting service or key distribution center."

Another crucial distinction is that while NTLM relies on password hashing, Kerberos leverages encryption.

Besides NTLM's inherent security weaknesses, the technology has been rendered vulnerable to relay attacks, potentially allowing bad actors to intercept authentication attempts and gain unauthorized access to network resources.

Microsoft said it's also working on addressing hard-coded NTLM instances in its components in preparation for the shift to ultimately disable NTLM in Windows 11, adding it's making improvements that encourage the use of Kerberos instead of NTLM.

"All these changes will be enabled by default and will not require configuration for most scenarios," Matthew Palko, Microsoft's senior product management lead in Enterprise and Security, said. "NTLM will continue to be available as a fallback to maintain existing compatibility."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.

Note (2022) : minizip source are avaiable on the contrib/zlib github page. There is also minizip-ng, a rewritten library with more feature (like zlib-ng, a reworked and faster zlib)

. You'll also find SmartVersion with source code.

Click to download Minizip (zip/unzip) package for zLib version 1.01h, with minor bugfixes, or, better, 1.1 (with zip64 support).

This package enables to extract files from a .zip archive file. It is compatible with PKZip 2.04g, WinZip, InfoZip, MimarSinan Codex Suite 2002 tools, and compatible sofware.  
It runs both under Linux and Windows, and probably other systems too. Encryption, multi-volume Zip files (span), and old compression methods used by old PKZip 1.x are not supported.  
See appnote-011203-iz.zip or appnote-iz-latest.zip for the specification of ZIP format (or appnote-981119-iz.zip for older versions). Pkware provides also probdesc.zip and an HTML page with the specification.

**What is Minizip (Zip/Unzip)?**

The Zlib library allows to deflate compressed files and to create gzip (.gz) files. Zlib is free software and small.

An archive in ZIP format can contain several files compressed with this method, while a .gz archive can containt only one file. It is a very popular format, that is why I have written a package for reading files compressed within a Zip archive.

**How to get the Minizip package**

You need the source code of Zlib (**zlib125.zip** or **zlib-1.2.5.tar.gz**. For previous version, get zlib114.zip, or by FTP zlib114.zip).  
Now, with version 1.23,1.24,1.25 and 1.14 of zLib, the Minizip library is inlucded in the contrib/minizip directory.

In **zlib125dll.zip** there is the Win32 Windows DLL of my Windows DLL named Zlibwapi.dll that contains both zLib and Minilib.  
For previous version, in zlib114dll.zip you will find Windows DLL (Win16 and Win32) and static library (Win32) of Zlib 1.14 WITH zip/unzip package.  
Please note I have added in buildzlib114dll.zip the version of zip.c/unzip.c (0.21).  
You must read zip.h and unzip.h, which contains the documentation of the zip and unzip functions.

March 2003: you can get version 0.21 with support of custom I/O functions to read and write zip files, and raw I/O (in order to duplicate files from one zip archive to another without uncompressing nor compressing). There is also a modified version of unzip with uncrypting, written by Terry Thorsen).  
You can also get version 0.22e with crypting/uncrypting (do a #define NOCRYPT if you don't need it) and adding a file to an existing Zip archive.

15 March 2010: You can now download version 1.01h, with minor bugfixes, or, better, 1.1 with zip64 support.  
Justin Fletcher wrote a very simple implementation of a memory access method for the ioapi code (ioapi\_mem\_c.zip). Ivan A. Krestinin wrote a small example of how delete a file from zip archive. This example is not fully tested (memory leaks are possible if the source archive is corrupt), but it might help you.

**Unzipping files**

The source code is made of only two files: unzip.h and unzip.c (plus ioapi.c and a few other include files). It uses the Zlib library.

miniunz.c is a very simple, but real unzip program. It can display files contained in a Zip archive or extract them.

**Zipping files**

The source code is made of only two files: zip.h and zip.c (plus ioapi.c and a few other include files). It uses the Zlib library.

minizip.c is a very simple, but real zip program.

**A C++ Wrapper**

Daniel Godson made a C++ wrapper to the zip/unzip library. Another can be found at Troels page.

**A full MFC sample**

In the CodeGuru developers site, there is an excellent example, 'Implementing a "Send as ZIP-File" command in Scribble' written by Stefan Kuhr. Unfortunately, this example is not built with the good, standard zLib DLL (see the DLL page). Download mapizip\_demo\_gooddll.zip for a fixed project which uses the good DLL.

**Extension to Minizip**

Troels K. worked hard on the Minizip library. He has made several add-on, including a proposal for unzAttach/unzDetach.

**Other examples**

Jukka Pihl wrote mod\_ziplook Apache module. It enables to view zip archive files directly in Apache without extracting them to the filesystem. It also uses HTTP compression (supported by W3C, like Microsoft IIS, Apache mod\_deflate and examples in python and jython. Bashuman Deb wrote a FTP paging Support for miniunz.

**Miscellaneous**

The Gilles vollant software forum contain a section about Minizip.

Please also email me for feedback.

**Future of ZIP file format**

It seems that the ZIP file format will changes. The web sites PCWorld (and this new article), IDG, SlashDot contain information about ZIP's future. PkWare site contains a new specification, InfoZip has also a ZIP specification. WinZip specifies also new encryption. The PKWare specification mentions a new BZip2 compression method (there is a "zlib-like" library for BZip2 compression).

_Latest revision : 2010-03-15_

CVE-2023-45853: Minizip: Zip and UnZip additionnal library

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-36559

The goal of the program is to uncover critical or important vulnerabilities within the AI-powered Bing program.

Microsoft has announced its AI bug-bounty program to encourage researchers worldwide to discover vulnerabilities within the Bing generative AI chatbot and AI integrations. Bounty rewards will range from $2,000 to $15,000 for qualified submissions.

Eligible participants must be at least 14 years old, with permission from a legal guardian if they are a minor, and an individual researcher. Should a participant be a public sector employee, the bounty award must go to the public sector organization and be signed by an attorney or executive responsible for its ethics policies. 

The scope of the bounty program extends to AI-powered Bing on bing.com, AI-powered Bing integration in Microsoft Edge, AI-powered Bing integration in the Microsoft Start app, and AI-powered Bing integration in the Skype Mobile app. Any vulnerabilities found in these integrations are qualified for submission and are eligible to win a reward.

Microsoft stated that the goal of the program is to uncover vulnerabilities that have a significant impact on the security of its customers within the AI-powered "Bing experience." When submitting a vulnerability, researchers must ensure that it has not been previously reported, is of critical or important severity as per the Microsoft Vulnerability Severity Classification for AI Systems, and is reproducible on the latest version of the product with clear steps as to how to reproduce the vulnerability. 

Further directions as to how to get started and enter a submission; specific information on different types of vulnerabilities and the winnings they have the potential to earn; research rules of engagement; and terms and conditions, are listed on Microsoft’s website.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#microsoft