Apple & Microsoft Patch Tuesday, July 2023 Edition – Krebs on Security



Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.


On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the WebKit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches once the glitches have been addressed.

Launched in May, Apple’s Rapid Security Response updates are designed to address time-sensitive vulnerabilities, and this is the second month Apple has used the mechanism. July marks the sixth month this year that Apple has released updates for zero-day vulnerabilities — those that get exploited by malware or malcontents before there is an official patch available.

If you rely on Apple devices and don’t have automatic updates enabled, please take a moment to check the patch status of your various iDevices. The latest security update that includes the fix for the zero-day bug should be available in iOS/iPadOS 16.5.1, macOS 13.4.1, and Safari 16.5.2.

On the Windows side, there are at least four vulnerabilities patched this month that earned high CVSS (badness) scores and that are already being exploited in active attacks, according to Microsoft. They include CVE-2023-32049, a hole in Windows SmartScreen that lets malware bypass security warning prompts; and CVE-2023-35311, which allows attackers to bypass security features in Microsoft Outlook.

The two other zero-day threats this month for Windows are both privilege escalation flaws. CVE-2023-32046 affects a core Windows component called MSHTML, which is used by Windows and other applications, like Office, Outlook and Skype. CVE-2023-36874 is an elevation of privilege bug in the Windows Error Reporting Service.

Many security experts expected Microsoft to address a fifth zero-day flaw — CVE-2023-36884 — a remote code execution weakness in Office and Windows.

“Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities,” said Adam Barnett, lead software engineer at Rapid7. “Microsoft is actively investigating publicly disclosed vulnerability, and promises to update the advisory as soon as further guidance is available.”

Barnett notes that Microsoft links exploitation of this vulnerability with Storm-0978, the software giant’s name for a cybercriminal group based out of Russia that is known by the broader security community as RomCom.

“Exploitation of CVE-2023-36884 may lead to installation of the eponymous RomCom trojan or other malware,” Barnett said. “[Microsoft] suggests that RomCom / Storm-0978 is operating in support of Russian intelligence operations. The same threat actor has also been associated with ransomware attacks targeting a wide array of victims.”

Microsoft’s advisory on CVE-2023-36884 is fairly sparse, but it does include a Windows registry hack that should help mitigate attacks on this vulnerability. Microsoft has also published a blog post about phishing campaigns tied to Storm-0978 and to the exploitation of this flaw.

Barnett said that while it’s possible a patch will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed almost everywhere, and this threat actor is making waves.

“Admins should be ready for an out-of-cycle security update for CVE-2023-36884,” he said.

Microsoft also today released new details about how it plans to address the existential threat of malware that is cryptographically signed by…wait for it….Microsoft.

In late 2022, security experts at Sophos, Trend Micro and Cisco warned that ransomware criminals were using signed, malicious drivers in an attempt to evade antivirus and endpoint detection and response (EDR) tools.

In a blog post today, Sophos’s Andrew Brandt wrote that Sophos identified 133 malicious Windows driver files that had been digitally signed since April 2021, and found that 100 of those were actually signed by Microsoft. Microsoft said today it is taking steps to ensure those malicious driver files can no longer run on Windows computers.

As KrebsOnSecurity noted in last month’s story on malware signing-as-a-service, code-signing certificates are meant to help authenticate the identity of software publishers, and to provide cryptographic assurance that a signed piece of software has not been altered or tampered with. Both of those qualities make stolen or ill-gotten code-signing certificates attractive to cybercriminal groups, who prize their ability to add stealth and longevity to malicious software.
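The two properties described above (publisher identity and tamper evidence) are exactly what an administrator can check for the drivers already installed on a host. The script below is an added example, not code from the article or from Microsoft or Sophos; it assumes an elevated PowerShell session on Windows and uses only built-in cmdlets.

```powershell
# Added example (not from the article): inventory installed Windows drivers and
# report each one's Authenticode status and signer, so a defender can spot
# drivers whose signature is missing, broken (file changed after signing) or
# from an unexpected publisher. Run from an elevated PowerShell session.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ prefix or surrounding quotes; normalise it
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '"', ''
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name    = $_.Name
                State   = $_.State
                Path    = $path
                Status  = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
                Signer  = $sig.SignerCertificate.Subject
                Expires = $sig.SignerCertificate.NotAfter
            }
        }
    }

# Anything that is not 'Valid' deserves a look: HashMismatch means the file was
# altered after it was signed, NotSigned means there is no publisher identity.
$drivers | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, State, Status, Path -AutoSize

# A valid signature only proves *someone* with a trusted certificate signed the
# file, so also review who the signers are; rare or unfamiliar subjects stand out.
$drivers | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer | Sort-Object Count |
    Format-Table Count, Name -AutoSize
```

A driver that shows as Valid but comes from a publisher you cannot account for is the case the article is about: the signature check passes, so the signer list, not the status column, is where such files surface.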

Dan Goodin at Ars Technica contends that whatever Microsoft may be doing to keep maliciously signed drivers from running on Windows is being bypassed by hackers using open source software that is popular with video game cheaters.

“The software comes in the form of two software tools that are available on GitHub,” Goodin explained. “Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.”

Meanwhile, researchers at Cisco’s Talos security team found that several Chinese-speaking threat groups have repurposed the tools—one apparently called “HookSignTool” and the other “FuckCertVerifyTimeValidity.”

“Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have,” Goodin said.

For a closer look at the patches released by Microsoft today, check out the always-thorough Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

And as ever, please consider backing up your system, or at least your important documents and data, before applying system updates. If you encounter any problems with these updates, please drop a note about it here in the comments.
