Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Security Updates. Show all posts

Microsoft Announced the End of Support for Windows 7 & 8

Microsoft has published a warning over the imminent end of support for Windows 8.1, which would not receive any updates or patches after January 10th, 2023.

According to the research, over 100 million computers were still running Windows 7 as of 2021, giving their owners little time to update them before they face the security hazards associated with utilizing an antiquated browser and operating system.

Windows 8.1 is still the fourth most popular Microsoft operating system in the world, according to the Statcounter team, with 2.45% of all Windows users having it installed on their computers. Given the fact that it will affect millions of individuals and expose numerous PCs to attack, this end of support is quite concerning. 

PCs running Windows XP, 7, or 8 were more prevalent than those running Windows 11 according to a Lansweeper survey of 27 million Windows devices conducted in October.

For systems running Windows 10 2004 or 20H2, Windows 10 21H1 was a minor feature update that was designed to be simple to install. It contained improvements to Windows Defender Application Guard, Windows Management Instrumentation via Group Policy, and support for several Windows Hello-enabled cameras. 

Along with the release of a new Chrome version, Google also disclosed that it will discontinue support for Windows 7 and Windows 8.1 in early 2023. For users to continue receiving new Chrome updates, their device must be running Windows 10 or later.

It would be wise for anyone running an outdated version of Windows to inspect their computers and make some critical adjustments this week. Microsoft has issued the warning because Windows 8.1 will soon stop receiving security updates and patches after January 10, 2023.

Bugs in MediaTek Chips Impacts 37% of All Android Smartphones

 

Check Point researchers have uncovered new flaws in MediaTek system-on-chips (SoCs) which could have enabled threat actors to eavesdrop on the audio of roughly two-fifths (37%) of all smartphones and Internet of Things devices. 

Tracked as CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, the three security flaws were patched by Taiwanese microchip firm MediaTek in its October bulletin after accountable disclosure by Check Point Research. A fourth bug, CVE-2021-0673, was fixed in October and will probably be published in the December bulletin.

The Check Point team mentioned it reverse engineered one of the key parts on the chip, the audio digital signal processor (DSP), which is implemented to minimize CPU usage and enhance media output.

The report published also highlighted the process that attackers would have to go through to abuse this flaw. The vulnerability can only be exploited if a user installs a malicious app from the Google Play Store allowing hackers to exploit the flaw in MediaTek SoC-powered smartphones. Once installed, the app will leverage the MediaTek API to attack a library that has permission to communicate with the audio driver. 

After that, the malicious app with system privilege will send crafted messages to the driver to implement code in the firmware of the audio processor. This would enable remote attackers to eavesdrop on audio conversations.

MediaTek’s chip is the primary processor for “nearly every notable Android device,” which includes several Chinese manufacturers including Xiaomi, Oppo, Realme, and Vivo, in accordance with Check Point. 

“Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign,” warned Check Point safety researcher, Slava Makkaveev. Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi.” 

Tiger Hsu, product security officer at MediaTek, urged all customers to replace their handsets when patches become available but were at pains to point out there’s no evidence the vulnerabilities are currently being abused. 

“Device security is a critical component and priority of all MediaTek platforms,” Hsu stated. “Regarding the audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs.”

Apple Fixes Critical iOS Flaws; One Under Attack

 

Researchers discovered one significant flaw that could be exploited from the browser, allowing watering-hole assaults. 

On October 25 and 26, Apple released iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1, and tvOS 15.1, fixing 24 CVEs overall. The CVEs are detailed on Apple's security website, and they include various problems in iOS components that, if abused, may result in arbitrary code execution, sometimes with kernel privileges that would allow an intruder to reach the core of the operating system.

In one incident of a memory-corruption issue in IOMobileFrameBuffer for Apple TV, Apple stated that it is "aware of a report that this problem may have been actively exploited ", a "maybe" that researchers substantiated. 

This one is especially concerning because researchers have previously discovered that the issue is exploitable via the browser, making it "ideal for one-click & waterholing mobile attacks," as per the mobile security firm ZecOps earlier this month. 

A watering-hole attack occurs when a threat actor places malware on websites that may attract a target in the hopes that someone may ultimately drop in and become infected. Justifiably, Apple keeps information confidential that may aid further attackers to create damage and attack. This flaw might allow an application to run arbitrary code with kernel privileges. 

Apple stated earlier this year that it would give users a choice: they could either update to iOS 15 as soon as it was available, or they could stay on iOS 14 and get essential security updates until they were ready to upgrade. 

In context with the reason behind the prompt decision, there have been speculations that it had something to do with an "urban mythology" about Apple deliberately slowing down older phones to entice consumers to upgrade. 

Maybe it's simply a popular conspiracy idea, but it's based on legal comeuppance, at least in terms of battery life: In 2017, Apple admitted to slowing down phones in order to prevent outdated batteries from abruptly shutting down devices. In November of last year, the corporation was fined $113 million to resolve an investigation into what was known as iPhone “batterygate.”

Microsoft Released Security Updates that Block PetitPotam NTLM Relay Attacks

 

The PetitPotam NTLM relay exploit, which allows a threat actor to take over a Windows domain, has been blocked by Microsoft security patches. Gilles Lionel, nicknamed Topotam, a security researcher, revealed a new method called PetitPotam in July that forces a domain controller to authenticate against a threat actor's server utilizing the MS-EFSRPC API capabilities. 

Gilles Lionel published a proof-of-concept (PoC) exploit for a brand new PetitPotam security flaw on July 23, 2021. This problem affected Microsoft's Active Directory Certificate Services (AD CS), which is needed to assure public key infrastructure (PKI) server functionality. 

According to the SANS Institute's Internet Storm Center, PetitPotam uses the Encrypting File System Remote Protocol (MS-EFSRPC) to start the authentication process in remote Windows instances and force them to divulge the NTLM hashes to the adversary. The attacker specifically exploits LSARPC to force any targeted server, including domain controllers (DCs), to connect to the malicious random server and perform NTLM authentication. As a result, the adversary acquires an authentication certificate that is valid for all domain services, including the DC. 

Despite the fact that the PetitPotam attack had devastating results and was simple to launch, the adversaries faced some constraints. To transfer the stolen credentials back to the DC or other internal instances, threat actors needed to achieve SYSTEM/ADMIN rights or maintain covert malicious infrastructure within the LAN, according to the researchers' findings. 

The majority of supported Windows versions, according to the researchers, are vulnerable to the PetitPotam. The technique has been successfully applied to Windows 10, Windows Server 2016, and Windows Server 2019. 

Microsoft provided a security update in August 2021 Patch Tuesday, that prevents the PetitPotam vector (CVE-2021-36942) from forcing a domain controller to authenticate against another server. "This security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface," explains Microsoft in the CVE-2021-36942 advisory. 

Installing this update may damage backup software that uses the EFS API OpenEncryptedFileRaw(A/W) function, according to Microsoft. "The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows (local and remote), except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2," warns Microsoft.

GitHub Brings Suite of Supply Chain Security Features to Go

 

GitHub has released a number of supply chain security updates for Go programming language modules.

In a blog post published on July 22, GitHub staff product manager William Bartholomew stated that Go — also known as Golang is now firmly ingrained in the top 15 programming languages on the platform and that as the most famous host for Go modules, GitHub intends to assist the community in discovering, reporting, and preventing security vulnerabilities. 

Go modules were launched in 2019 to help with dependency management. As per the Go Developer Survey 2020, Go is now utilized in the workplace in some form by 76 percent of respondents. 

Furthermore, Go modules are becoming more popular, with 96 percent of those polled indicating they use them for package management, up 7% from 2019, and 87 percent saying they use exclusively Go modules for this reason. 

According to the results of the survey, the usage of other package management solutions is declining. As per GitHub, four major aspects of supply chain security enhancement are now available for Go modules. 

The first is GitHub's Advisory Database, an open-source repository of vulnerability information that presently has over 150 Go advisories at the time of publication. Developers can also use the database to get CVE IDs for newly identified security flaws. 

"This number is growing every day as we curate existing vulnerabilities and triage newly discovered ones," Bartholomew added. 

GitHub has also released its dependency graph, which can be used to track and evaluate project dependencies using go.mod, as well as warn users when risky dependencies are discovered. In this version, GitHub has also introduced Dependabot, which will notify developers when new security flaws in Go modules are identified.

To fix vulnerable Go modules, automatic pull requests can be enabled, and notification settings have been enhanced for fine-tuning. According to Bartholomew, repositories are enabled to automatically create pull requests for security updates, dependencies patch up to 40% faster than those that do not.

Google Confirms Two New High-Severity Vulnerabilities in Chrome 81


The new Chrome 81 version released on April 7th by Google for Windows, Mac, and Linux primarily focused on security owing to the vulnerability users are subjected to due to the coronavirus pandemic. The launch of the update was delayed for similar reasons. It brought along new features, bug fixes, and over 30 security flaw patches from Google's security researchers and some experts from outside.

The new Chrome 81 version is being promoted to the Stable channel, meanwhile, Chrome 83 and Chrome 84 will be promoted to the Beta version and the Canary version respectively. As per sources, Chrome 82 will be disregarded because of the COVID-19 charged atmosphere, and all progress from the version will be channelized into the subsequent version, Chrome 83.

While warning users of more security flaws in Chrome 81, Google confirms two new high-severity vulnerabilities infecting the web browser. As these new security exploits could allow hackers to run commands over an affected system by gaining unauthorized control, users worldwide are being advised by the U.S Cybersecurity and Infrastructure Security Agency (CISA) to apply the latest update launched by the company in defense against these security vulnerabilities.

Both of the aforementioned security vulnerabilities were reported by Zhe Jin from Qihoo 360, a Chinese internet security services provider; for one of these, Jin received a bounty of $10,000 for CVE-2020-6462 which is a use-after-free error in the Chrome task scheduling component. The second one, CVE-2020-6461 was also of a similar use-after-free form but this one affected storage, according to the update notice from Prudhvikumar Bommana, Google Chome Technical Program Manager. 

Google has confirmed that the update will be pushed for all the users in the upcoming days and weeks, however, users are advised to remain proactive and keep looking up for updates to be applied manually by going to Help | About Google Chrome, where you can find the version you are currently running and an option to check for further updates. After installing the latest version, simply restart the web browser, and there you go being safeguarded against both the flaws.

Chrome Zero-Day Attack; Google Advises to Update Immediately!




Chrome releases its latest version and the researchers request all the users to immediately update their versions of the famous browser.

The latest version is 72.0.3626.121 and was released in the very beginning of March 2019.

All that needs to be done to upgrade the older version is, type the specific URL chrome://settings/help which will inform the user what version is currently on.

All these alarm signs are blaring because of a recent zero-day security vulnerability that has emerged.

CVE-2019-5786 has been identified as the vulnerability and Google says it’s aware of it and hence is warning off its users.

A vulnerability happens to be a bug which corrupts the software in a way which reduces security. Whereas, an exploit is just a way of using the vulnerability to get past the security provisions.

All the vulnerabilities pose a threat to the system even if it means producing thousands of unwanted messages.

All exploits emerge from vulnerabilities but all vulnerabilities are not a fruit of exploits.

If made to work the malicious way, vulnerabilities could be forced to do a lot more than just creating error messages.

Zero-day is a vulnerability that the cyber-cons found a way to misuse before the researchers could find an appropriate solution for it.

Meaning that a Zero-day is an attack of which even the best researchers can’t find the solutions.

These attacks are usually found out weeks or even months later they start functioning on the network.

The bug is trying to be fixed by Google and restrictions are being retained until the bug exists.

The vulnerability includes a memory mismanagement bug in a part of Chrome by the name of “FileReader”.

This “FileReader” aids the web developers in springing up menus and dialogs.

The attacker could take control of a lot when it comes to this particular bug. It’s not just restricted to reading from files and goes far as “Remote Code Execution”.

Meaning, any malware could be implanted onto the victim’s system without any warning, pop-up or dialog.

All that could be done to save your system is keeping systems up-to-date at all times.

Also, always keep checking for updates and patches to fix vulnerabilities.

Microsoft released security updates to fix critical vulnerabilities

Recently Microsoft addressed vulnerabilities in their recent products . Some of the bugs were  severe to the extent that they can enable code execution at the remote server .

Wolfgang Kandek, CTO of Qualys confirmed that the highest priority patch is MS15-097 , which includes critical bug fixes for Windows Vista, Windows Server 2008, Microsoft Office 2007 and 2010, and Lync 2007, 2010, and 2013.

Talking about bugs, there  was a Win32k memory leak, named CVE -2015-2546 found in all versions of window was deemed important and discussed in open. One of the  other flaws was CVE-2015-2545, a microsoft Office malformed EPS file. This bug allowed remote code execution and has been fixed in bulletin MS15-099 along with other bug fixes.

Other bulletins that has bug fixes have been released , namely MS15-094 through MS15-103 . MS15-094 addresses all the issues regarding browsers ,that is vulnerability in internet explorer and Edge browser has been fixed in this bulletin . MS15-098 bulletin addresses remote code execution for journal bug , MS15-103 addresses problems in exchange servers like microsoft outlook .

Mozilla released Security Updates to Fix Vulnerability in Firefox

Mozilla has urged its users to update their browser to Firefox 39.0.3 as the company recently fixed a critical vulnerability that has been exploited in the wild. The fix has also been shipped in Firefox ESR 38.1.1.

The company wrote in its Security Blog that the vulnerability came from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer.

“Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files,” the post read.

Those files were surprisingly developer focused for an exploit launched on a general audience news site, though of course the company has no idea that where else the malicious ad might have been deployed.

According to the blog post, the flaw looks for s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients on Windows. Similarly, on Linux,  it targets usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.

“If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used,” the company added.

However, the company confirmed that Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload.

Microsoft provides urgent security fix for Windows

Microsoft has recently provided a security fix for its Windows operating systems to plug a lapse in security that allowed hackers access to a victims computer.

Microsoft has said that the vulnerability present in their operating system would have allowed a hacker to gain complete access to an affected computer.

The vulnerability is present in Windows Vista, Windows 7, Windows 8 and 8.1 and Windows RT. These operating systems represent two out of three computers in the world that run a Microsoft operating system.

The company had previously provided an update like this in November 2014 also.

The flaw is said to exist in the final version of Windows 10 also that will be available to users from July 29.

The security fix will be done through Windows Update