Windows Update Addressed 2 Zero-Days and 52 Other Vulnerabilities
Microsoft has released its September 2023 Patch Tuesday update, which fixes 59 vulnerabilities, two of which were already being exploited in the wild as zero-days. CVSS scores for the fixed bugs range from 4.3 (Medium) to 8.8 (High).
By impact, the patched vulnerabilities break down into Information Disclosure (9), Elevation of Privilege (18), Remote Code Execution (26), Security Feature Bypass (3), Spoofing (5) and Denial of Service (3).
The release also carries two Chromium vulnerabilities (for Microsoft Edge) and two non-Microsoft flaws, one in Autodesk's FBX SDK and one in Electron.
Zero Days
The two zero-days patched by Microsoft are CVE-2023-36802, a Microsoft Streaming Service Proxy elevation-of-privilege vulnerability, and CVE-2023-36761, a Microsoft Word information-disclosure vulnerability.
CVE-2023-36802 is a local privilege escalation bug: an attacker who already has code execution on the host can use it to gain SYSTEM privileges. CVE-2023-36761 can be exploited to leak the user's NTLM (New Technology LAN Manager) hash when a crafted Office document is opened.
A leaked Net-NTLM hash can then be cracked offline to recover the account password, or replayed against another service in an NTLM relay attack.
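The post does not describe how CVE-2023-36761 triggers the authentication, so the script below (an added example, not code from the original post or from Microsoft) does not reproduce that bug. It checks the generic precondition shared by this class of Office NTLM-leak issues: a relationship inside the Office Open XML package whose target is a UNC path or a remote URL, which makes the client reach out to an attacker-controlled host when the part is loaded. The sample document is constructed in memory; the regexes and the `classify_target` / `scan_docx` names are this example's own.

```python
"""Flag relationship targets in an Office Open XML package that would make the
client connect (and possibly authenticate with NTLM) to a remote host.
Added example; not the CVE-2023-36761 trigger. Sample docx is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# UNC paths (\\host\share), protocol-relative paths and file:// URLs resolve over SMB/WebDAV.
UNC_RE = re.compile(r"^(\\\\|//|file://)[^/\\]+", re.IGNORECASE)
# Remote URLs fetched over HTTP(S)/FTP; WebDAV fallbacks can also prompt NTLM.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def classify_target(target: str):
    """Return 'unc', 'remote-url' or None for a relationship target."""
    if UNC_RE.match(target):
        return "unc"
    if REMOTE_RE.match(target):
        return "remote-url"
    return None


def scan_docx(data: bytes) -> list:
    """Walk every .rels part in the package and report external relationships
    whose target is a UNC path or remote URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # Internal targets point at parts inside the zip; only
                # TargetMode="External" relationships leave the package.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                kind = classify_target(target)
                if kind:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                        "kind": kind,
                    })
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal package: one internal image relationship, one
    externally linked image on a UNC share (203.0.113.10 is a documentation
    address) and one HTTP hyperlink."""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" TargetMode="External" Target="\\\\203.0.113.10\\share\\logo.png"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" TargetMode="External" Target="http://example.test/page"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
```

The `type` field matters for triage: a linked image or attached template is fetched when the document is opened or rendered in the Preview Pane, so a UNC target there fires without user interaction, whereas a hyperlink only fires when clicked. Regardless of the Office patch, blocking outbound SMB (TCP 445) at the network edge removes the relay and cracking opportunity for this whole class of leak.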
The highest CVSS score in this release is 8.8 (High), shared by CVE-2023-38148 (Internet Connection Sharing (ICS) Remote Code Execution Vulnerability), CVE-2023-33136 (Azure DevOps Server Remote Code Execution Vulnerability), CVE-2023-36764 (Microsoft SharePoint Server Elevation of Privilege Vulnerability), CVE-2023-38146 (Windows Themes Remote Code Execution Vulnerability) and CVE-2023-38147 (Windows Miracast Wireless Display Remote Code Execution Vulnerability).
The full list of fixed CVEs, with Microsoft's impact and maximum severity ratings, is in the table below.
| CVE Number | CVE Title | Impact | Max Severity | Tag |
|---|---|---|---|---|
| CVE-2023-4863 | Chromium: CVE-2023-4863 Heap buffer overflow in WebP | | | Microsoft Edge (Chromium-based) |
| CVE-2023-41764 | Microsoft Office Spoofing Vulnerability | Spoofing | Moderate | Microsoft Office |
| CVE-2023-39956 | Electron: CVE-2023-39956 - Visual Studio Code Remote Code Execution Vulnerability | Remote Code Execution | Important | Visual Studio Code |
| CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Spoofing | Important | Microsoft Dynamics |
| CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass | Security Feature Bypass | Important | Windows Defender |
| CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability | Denial of Service | Important | Windows DHCP Server |
| CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows GDI |
| CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability | Information Disclosure | Important | Windows TCP/IP |
| CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Azure HDInsights |
| CVE-2023-38155 | Azure DevOps Server Remote Code Execution Vulnerability | Elevation of Privilege | Important | Azure DevOps |
| CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability | Information Disclosure | Important | Windows DHCP Server |
| CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows Kernel |
| CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability | Denial of Service | Important | Windows TCP/IP |
| CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Remote Code Execution | Critical | Windows Internet Connection Sharing (ICS) |
| CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | Remote Code Execution | Important | Microsoft Windows Codecs Library |
| CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability | Remote Code Execution | Important | Windows Themes |
| CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows Common Log File System Driver |
| CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows Common Log File System Driver |
| CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows Kernel |
| CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows Kernel |
| CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability | Information Disclosure | Important | Windows Kernel |
| CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows Kernel |
| CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Spoofing | Important | Microsoft Dynamics |
| CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Remote Code Execution | Important | Windows Scripting |
| CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows GDI |
| CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability | Information Disclosure | Important | Windows Kernel |
| CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Microsoft Streaming Service |
| CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability | Information Disclosure | Important | Windows DHCP Server |
| CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability | Spoofing | Important | Microsoft Dynamics Finance & Operations |
| CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability | Denial of Service | Important | .NET Core & Visual Studio |
| CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | Remote Code Execution | Critical | .NET and Visual Studio |
| CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability | Remote Code Execution | Important | .NET and Visual Studio |
| CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | Remote Code Execution | Critical | .NET and Visual Studio |
| CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | Remote Code Execution | Critical | .NET and Visual Studio |
| CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability | Remote Code Execution | Important | .NET Framework |
| CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability | Information Disclosure | Important | Microsoft Exchange Server |
| CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability | Remote Code Execution | Important | 3D Builder |
| CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability | Remote Code Execution | Important | 3D Builder |
| CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability | Remote Code Execution | Important | 3D Builder |
| CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability | Remote Code Execution | Important | 3D Builder |
| CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability | Security Feature Bypass | Important | Microsoft Office |
| CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | Important | Microsoft Office Excel |
| CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Microsoft Office |
| CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Microsoft Office SharePoint |
| CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability | Information Disclosure | Important | Microsoft Office Outlook |
| CVE-2023-36762 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | Important | Microsoft Office Word |
| CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability | Information Disclosure | Important | Microsoft Office Word |
| CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability | Remote Code Execution | Important | 3D Viewer |
| CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Visual Studio |
| CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Visual Studio |
| CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability | Spoofing | Important | Microsoft Exchange Server |
| CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability | Remote Code Execution | Important | Microsoft Exchange Server |
| CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability | Remote Code Execution | Important | Microsoft Exchange Server |
| CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability | Remote Code Execution | Important | Microsoft Exchange Server |
| CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability | Remote Code Execution | Important | Visual Studio Code |
| CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability | Remote Code Execution | Important | 3D Viewer |
| CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability | Remote Code Execution | Important | 3D Viewer |
| CVE-2023-36736 | Microsoft Identity Linux Broker Remote Code Execution Vulnerability | Remote Code Execution | Important | Microsoft Identity Linux Broker |
| CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Windows Cloud Files Mini Filter Driver |
| CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability | Remote Code Execution | Important | Azure DevOps |
| CVE-2023-32051 | Raw Image Extension Remote Code Execution Vulnerability | Remote Code Execution | Important | Microsoft Windows Codecs Library |
| CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Elevation of Privilege | Critical | Microsoft Azure Kubernetes Service |
| CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | Elevation of Privilege | Moderate | .NET and Visual Studio |
| CVE-2022-41303 | AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior | Remote Code Execution | Important | 3D Viewer |

Source: Microsoft
Organizations should deploy this month's updates promptly, prioritizing the two exploited zero-days and the internet-facing Exchange, SharePoint and Azure DevOps fixes, so the remaining flaws are closed before public exploits appear.
The post Windows Update Addressed 2 Zero-Days and 52 Other Vulnerabilities appeared first on Cyber Security News.
A week in security (April 15 – April 21)
Last week on Malwarebytes Labs:
Law enforcement reels in phishing-as-a-service whopper
Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million
Cannabis investment scam JuicyFields ends in 9 arrests
Should you share your location with your partner?
Giant Tiger breach sees 2.8 million records leaked
Last week on ThreatDown:
What makes some zero-day vulnerabilities more valuable than others?
Turning back the clock on encryption: How to perform ransomware backups in one-click
ThreatDown earns highest ratings across EDR and MDR categories in G2 Spring 2024 results
K-12 district hit with $500k Medusa ransomware attack
FakeBat campaign continues, now also targeting VMware users
Stay safe!
Malwarebytes
Lazarus Hackers Exploited Windows kernel 0-day In The Wild
The Lazarus threat group has been exploiting a Windows kernel privilege-escalation vulnerability to establish a kernel-level read/write primitive.
The vulnerability, previously unknown, lies in appid.sys, the AppLocker driver that ships with Windows.
It has been assigned CVE-2024-21338 and was fixed by Microsoft in the February 2024 Patch Tuesday release.
With the primitive established, the attackers perform direct kernel object manipulation from a new version of their FudModule rootkit. The rootkit has advanced considerably, most notably in its handle table entry manipulation techniques.
Lazarus Hackers Exploited Windows 0-day
According to the Avast report, the group previously relied on BYOVD (Bring Your Own Vulnerable Driver) techniques to obtain its admin-to-kernel primitive, a noisy method because a vulnerable driver has to be written to disk and loaded.
The new zero-day gives them a quieter route to the same kernel-level read/write primitive.
Digging deeper, the issue rests on a line Microsoft drew in the Windows security model long ago: "administrator-to-kernel is not a security boundary."
Microsoft reserves the right to patch admin-to-kernel vulnerabilities, but makes no commitment to do so, because an administrator is already a fully trusted principal.
In practice this means an attacker who has obtained administrator privileges is still free to attack the kernel, and since that space is left open, attackers probe every available vulnerability to get there.
Once kernel-level access is achieved, the attackers can carry out a wide range of malicious activity: disrupting security software, concealing indicators of infection, disabling kernel-mode telemetry, and more.
Lazarus And Three Types Of Admin-To-kernel Exploits
Avast describes three categories of admin-to-kernel exploit, each with a different trade-off between attack difficulty and stealth:
N-day BYOVD exploits (the attacker drops a known-vulnerable signed driver on the file system and loads it into the kernel);
Zero-day BYOVD exploits (the attacker must first discover a zero-day in a signed third-party driver, which still has to be dropped and loaded); and
Beyond BYOVD (a zero-day in a driver that is already present on the target, here the built-in appid.sys, so nothing has to be dropped or loaded). This is the approach the Lazarus group used.
Lazarus chose the third method because it is the stealthiest way to cross the admin-to-kernel boundary on Windows: no vulnerable driver ever touches the disk or the driver-load path.
It also spares the attackers from having to swap in another vulnerable driver when one gets blocklisted, which helps them stay undetected for longer.
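The triage logic below is an added example (not code from the Avast report or the original post) that shows why the first two categories are "noisy" and the third is not. It runs over constructed driver-load records that mirror the field names of Sysmon Event ID 6 (DriverLoad); the blocklist hash is a placeholder, and the `parse_event` / `triage` / `run_triage` names are this example's own. A BYOVD load is caught by three cheap signals (blocklisted hash, untrusted load path, missing or invalid signature), whereas the appid.sys record, which is exactly what the Lazarus exploit targets, produces no findings at all because it is a normal Windows driver loaded from its normal location.

```python
"""Triage driver-load telemetry for Bring-Your-Own-Vulnerable-Driver activity.
Added example, not code from the Avast report or the original post. Events are
constructed records with Sysmon Event ID 6 field names; the blocklist entry is a
placeholder hash, not a real driver hash."""
import re
from dataclasses import dataclass

# Placeholder blocklist (assumption). In practice populate it from a maintained
# vulnerable-driver list, e.g. Microsoft's recommended driver block rules.
KNOWN_VULNERABLE = {"0" * 64: "placeholder-vulnerable.sys"}

# Directories a legitimately installed driver is normally loaded from.
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\",
                "c:\\windows\\system32\\driverstore\\")


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str


def parse_event(line: str) -> DriverLoad:
    """Parse one 'Field=value|Field=value' record (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    sha = re.search(r"SHA256=([0-9a-fA-F]{64})", fields["Hashes"])
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=sha.group(1).lower() if sha else "",
        signed=fields["Signed"].lower() == "true",
        signature=fields["Signature"],
        signature_status=fields["SignatureStatus"],
    )


def triage(ev: DriverLoad) -> list:
    """Return the reasons a driver load looks like BYOVD (empty list = clean)."""
    reasons = []
    if ev.sha256 in KNOWN_VULNERABLE:
        reasons.append("known vulnerable driver: " + KNOWN_VULNERABLE[ev.sha256])
    if not ev.image.lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def run_triage(lines) -> dict:
    """Map each loaded image path to its list of reasons."""
    return {ev.image: triage(ev) for ev in map(parse_event, lines)}


SAMPLE_EVENTS = [
    # Built-in AppLocker driver: the Lazarus target. Nothing here is unusual,
    # so path/hash/signature checks cannot see a "beyond BYOVD" exploit.
    "ImageLoaded=C:\\Windows\\System32\\drivers\\appid.sys|Hashes=SHA256="
    + "a" * 64 + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    # Classic BYOVD: a blocklisted driver dropped into a user-writable directory.
    "ImageLoaded=C:\\Users\\Public\\drv.sys|Hashes=SHA256=" + "0" * 64
    + "|Signed=true|Signature=Some Vendor Ltd|SignatureStatus=Valid",
    # Validly signed third-party driver, but loaded from a temp directory.
    "ImageLoaded=C:\\Windows\\Temp\\helper.sys|Hashes=SHA256=" + "b" * 64
    + "|Signed=true|Signature=Another Vendor|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, reasons in run_triage(SAMPLE_EVENTS).items():
        print(image, "->", reasons or "clean")
```

The clean result for appid.sys is the point: against a zero-day in a driver Windows already ships, driver-load hunting gives you nothing, and the defensive lever shifts to patch state (confirm the February 2024 update that fixes CVE-2024-21338 is installed) and to behavioural signals from whatever the rootkit does after it has its primitive.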
Exploitation
The chain begins with a one-time setup shared by the exploit and the rootkit, in which every Windows API function they need is resolved dynamically. The exploit then reads the Windows build number to check whether the target version is supported.
If it is, the exploit selects the hard-coded, build-specific constants for that version, in some cases distinguishing down to the update build revision (UBR).
This keeps the exploit from failing mid-execution and lets it support a wide range of target machines.
FudModule itself is a data-only rootkit: it runs entirely in a user-mode thread and uses the kernel read/write primitive, reached through system calls, to read and write arbitrary kernel memory.
No rootkit code is ever loaded into the kernel; all kernel tampering is carried out through that primitive from user space.
The post Lazarus Hackers Exploited Windows kernel 0-day In The Wild appeared first on Cyber Security News.