Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30157.

CVE-2022-30158

Microsoft Office Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-30171, CVE-2022-30172.

CVE-2022-30159

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

CVE-2022-22021

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.

CVE-2022-21938: Product Security Advisories

Zooms On-Premise Meeting Connector MMR before version 4.8.113.20220526 fails to properly check the permissions of a Zoom meeting attendee. As a result, a threat actor in the Zooms waiting room can join the meeting without the consent of the host.

CVE-2022-28749: Security Bulletin

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

CVE-2022-24127: REDCap Change Log - Eastern Virginia Medical School (EVMS), Norfolk, Hampton Roads

Username and password combinations offered for sale on the Dark Web by criminals has increased 65% since 2020.

Passwordless technology may be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched — and wildly insecure. Some 24.6 billion complete sets of usernames and passwords are currently in circulation in cybercriminal marketplaces as of this year, a report has found.

That’s four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020.

The report from the Digital Shadows Photon Research team, "Account Takeover in 2022," shows that cybercriminals continue to profit handsomely from this reality with a record-breaking wave of credential thefts, account takeover attacks (ATO), and black-market sales of access to victim accounts.  

Within the data set of credentials on the Dark Web, approximately 6.7 billion of the offerings had a unique pairing of username and password, indicating that the combination was not duplicated across databases. That's 1.7 billion more than what researchers found in 2020. The report shows that the markets selling these credentials are robust and sophisticated, with several subscription services emerging to offer criminal premium services for purchasing them. 

**'Endless List' of Breached Data**

Further bad news for security folks is that many of the passwords examined in these stolen data stores were not very secure in the first place.

“Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

To wit: Nearly one in every 200 passwords found in the credentials offered for sale by criminals is 123456. Of the 50 most commonly used passwords in those collated for the report, 49 can be cracked in less than one second using tools also commonly available in underground forums. So whether a criminal buyer purchases a list of stolen credentials or a password cracker, accounts using only these credentials are extremely vulnerable to attack.

**Passwordless to the Rescue?**

This is just one in a multitude of reasons why security advocates and technology-standards organizations have been pushing so hard for more usable passwordless technology across the globe. According to a recent Dark Reading report, only 26% of IT decision-makers said they work in a passwordless organization, and 87% admitted they had at least one credential category that still depended on passwords. 

The most common systems they wished they could authenticate without passwords were workstation logins, legacy enterprise applications, and cloud applications. And those numbers primarily focus on business accounts without considering the even more thorny problem of consumer authentication, for everything from bank accounts to software subscription services.

One of the biggest pushes for passwordless authentication comes by way of the FIDO Alliance, which for more than a decade has been publishing standards for high-assurance authentication mechanisms to kick passwords to the curb. 

Earlier this year, the Fido Alliance acknowledged “we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space” in its unveiling of a vision for multidevice FIDO credentials to be used in consumer use cases — important in the era of remote working from personal devices. These passkeys are more secure than passwords and are designed to make logins easier across mobile devices and desktops. In May, Apple, Google, and Microsoft reported that they’re going implement support for these standards in their platforms.

But in the meantime, Morgan explains that organizations can’t afford to ignore the ever-growing issue of stolen and trafficked credentials used for ATO.

“We will move to a passwordless future, but for now the issue of breached credentials is out of control,” says Morgan. “In just the last 18 months, we have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”

24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far

Patch Tuesday for June 2022 brought a fix for Follina and many other security vulnerabilities. Time to figure out what needs to be prioritized.
The post Update now!  Microsoft patches Follina, and many other security updates appeared first on Malwarebytes Labs.

The June 2022 Patch Tuesday may go down in history as the day that Follina got patched, but there was a host of other important updates. And not just from Microsoft. Many other software vendors follow the pattern of monthly updates set by the people in Redmond.

**Microsoft**

Microsoft released updates to deal with 60 security vulnerabilities. Undoubtedly the most prominent one is the one that goes by the name of Follina. The Edge browser received five of the patched vulnerabilities .

**Follina, or CVE-2022-30190**

A quick recap about Follina. On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. An in the wild exploit was using a feature in Word to retrieve a HTML file from a remote server, and that HTML file in turn was using MSDT to load code and execute PowerShell commands.

**CVE-2022-30136**

Another critical vulnerability is CVE-2022-30136, a bug in NFS 4.1 which could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). This vulnerability concerns a number of Windows Server products and received a CVSS score of 9.8 out of 10. Last month, Microsoft fixed a similar vulnerability (CVE-2022-26937) affecting NFS v2.0 and v3.0.

**CVE-2022-30139**

Similar is CVE-2022-30139, a Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE) vulnerability. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. LDAP is a software protocol for enabling anyone to locate data about organizations, individuals and other resources such as files and devices in a network. LDAP is a “lightweight” (smaller amount of code) version of Directory Access Protocol (DAP). In total, seven vulnerabilities in LDAP were found and fixed.

**CVE-2022-30163**

Noteworthy as well is CVE-2022-30163 a Windows Hyper-V Remote Code Execution vulnerability that allows an attacker to run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code. Microsoft Hyper-V is a virtualization platform, which enables administrators to virtualize multiple operating systems to run off the same physical server simultaneously.

**More Microsoft news**

Microsoft has also started to phase out Internet Explorer, but more about that in a separate post.

And then there was a storm of criticism about the way Microsoft handled the SynLapse vulnerability in Azure Data Factory and Azure Synapse Pipelines. SynLapse is the name for a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure. Rather than dealing with the vulnerability in a way that closed the gap once and for all, Microsoft choose what researchers called a halfhearted way that was easily bypassed in a following attempt. Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.

**Other vendors**

Adobe has released security updates to address vulnerabilities in multiple products.

Atlassian released a patch for the in the wild exploited Confluence RCE vulnerability.

Citrix fixed two vulnerabilities in Citrix ADM server and Citrix ADM agent.

Drupal fixed two “Moderately critical” vulnerabilities.

GitLab released versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Google put out updates for Android and Chrome.

SAP published security notes about some high priority vulnerabilities

Stay safe, everyone!

Update now!  Microsoft patches Follina, and many other security updates

Microsoft is ready to phase out Internet Explorer and will start the procedure today. Are you ready as well? And will it solve a lot of security issues?
The post It’s official, today you can say goodbye to Internet Explorer. Or can you? appeared first on Malwarebytes Labs.

Today, the Internet Explorer (IE) 11 desktop application goes out of support and will be retired for certain versions of Windows 10.

The retirement consists of two phases. During the first phase—the redirection phase—devices will be progressively redirected from IE to Microsoft Edge over the following months.

The second phase of retirement is the Windows Update phase. After the redirection phase completes, IE will be permanently disabled through a future Windows Update on all devices with Windows platforms that are in-scope for IE retirement.

**History**

Microsoft’s Internet Explorer 1.0 saw the first websites in August 1995. In 2003, Microsoft said goodbye to the standalone version of the browser, but Internet Explorer continued as a part of the evolution of the operating system, with updates coming bundled in operating system upgrades.

Over the following years, despite everything Microsoft tried, Chrome took over as the most used browser. With Windows 10, Edge became the default Microsoft browser, but Internet Explorer could still be found in the Windows Accessories folder.

While Edge started out based on Microsoft’s EdgeHTML browser engine, it later switched to a Chromium-based model.

After all this, Microsoft felt it was time to phase out Internet Explorer.

**Platforms**

For now the retirement is only partial, even for Windows 10. In scope at the time of this announcement.

Internet Explorer 11 desktop application delivered via the Semi-Annual Channel (SAC):

*   Windows 10 client SKUs
*   Windows 10 IoT

Out of scope at the time of this announcement (unaffected):

*   Internet Explorer mode in Microsoft Edge
*   Internet Explorer platform (MSHTML/Trident), including WebOC and COM automation
*   Internet Explorer 11 desktop application on:
    *   Windows 8.1
    *   Windows 7 Extended Security Updates (ESU)
    *   Windows Server SAC (all versions)
    *   Windows 10 IoT Long-Term Servicing Channel (LTSC) (all versions)
    *   Windows Server LTSC (all versions)
    *   Windows 10 client LTSC (all versions)
    *   Windows 10 China Government Edition

In-market Windows 10 LTSC and Windows Server are also unaffected by this change. Windows Server 2022 and Windows 10 Enterprise LTSC 2021 are also out of scope.

**The end**

During the first phase, users will find themselves redirected from IE to Microsoft Edge. This will not happen for all devices at the same time, which gives organizations a chance to identify and resolve any potential issues, such as missed sites, before the redirection happens on all devices within an organization.

The second phase of retirement is the Windows Update phase. After the redirection phase completes, IE will be permanently disabled through a future Windows Update on all devices with Windows platforms that are in-scope for IE retirement.

Given the cumulative nature of Windows Updates, IE disablement will persist in subsequent Windows Updates.

For those that can’t wait to get rid of Internet Explorer, Microsoft has published a blog to explain how to move forward. It’s also worth reading for system administrators that want to prepare for the second phase of the retirement process.

**Not so much**

Why not uninstall IE entirely, you may wonder. This isn’t recommended as Internet Explorer mode relies on Internet Explorer 11 to function. IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for modern sites, and it uses the Trident MSHTML engine from Internet Explorer 11 for legacy sites.

Support for IE mode follows the lifecycle of current and future Windows client, Windows server, and Windows IoT releases (including Windows 11) at least through 2029.

**Security angle**

While your first response to the news might have been a sigh of relief, the stage exit of Internet Explorer does not bring any immediate security improvements. The holy grail of backward compatibility has thrown a wrench in the Microsoft works before and it will probably continue to do so, as long as we are afraid to say goodbye to legacy technology in a decisive manner.

Switching to a more secure platform makes all kinds of sense, but it is held back if we keep on using the old, less secure platform on the side. Threat actors will prey on the old platform as long as it is in use.

Researchers will find vulnerabilities in Internet Explorer related files that need to stay on the system even if someone doesn’t use Internet Explorer anymore. And system administrators will find endpoint and/or users that need to keep Internet Explorer because there is some legacy resource that requires it.

It’s official, today you can say goodbye to Internet Explorer. Or can you?

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

**Microsoft** on Tuesday released software updates to fix 60 security vulnerabilities in its **Windows** operating systems and other software, including a zero-day flaw in all supported **Microsoft Office** versions on all flavors of Windows that’s seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its **Internet Explorer** (IE) web browser, which turns 27 years old this year.

Three of the bugs tackled this month earned Microsoft’s most dire “critical” label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is CVE-2022-30190, a vulnerability in the **Microsoft Support Diagnostics Tool** (MSDT), a service built into Windows.

Dubbed “**Follina**,” the flaw became public knowledge on May 27, when a security researcher tweeted about a malicious **Word** document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using a feature in Word to retrieve a HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.

“What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack,” writes **Mayuresh Dani**, manager of threat research at **Qualys**. “Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.”

**Kevin Beaumont**, the researcher who gave Follina its name, penned a fairly damning account and timeline of Microsoft’s response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.

Beaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn’t a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it released recommendations on how to mitigate the threat from the vulnerability.

Microsoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. **Orca Security** said that back on January 4 it told Microsoft about a critical bug in Azure’s **Synapse** service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.

In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.

“In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor,” wrote Orca’s **Avi Shua**. “Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

**Amit Yoran**, CEO of **Tenable** and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.

“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”

Also in the critical and notable stack this month is CVE-2022-30136, which is a remote code execution flaw in the **Windows Network File System** (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.

“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0,” wrote **Trend Micro’s Zero Day Initiative**. “It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”

Beginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Tag

#microsoft