Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
On Sept. 7, researchers at Citizen Lab warned they were seeing active exploitation of a “zero-click,” zero-day flaw to install spyware on iOS devices without any interaction from the victim.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the researchers wrote.
According to Citizen Lab, the exploit uses malicious images sent via iMessage, an embedded component of Apple’s iOS that has been the source of previous zero-click flaws in iPhones and iPads.
Apple says the iOS flaw (CVE-2023-41064) does not seem to work against devices that have its ultra-paranoid “Lockdown Mode” enabled. This feature restricts non-essential iOS features to reduce the device’s overall attack surface, and it was designed for users concerned that they may be subject to targeted attacks. Citizen Lab says the bug it discovered was being exploited to install spyware made by the Israeli cyber surveillance company NSO Group.
This vulnerability is fixed in iOS 16.6.1 and iPadOS 16.6.1. To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode.
Not to be left out of the zero-day fun, Google acknowledged on Sept. 11 that an exploit for a heap overflow bug in Chrome is being exploited in the wild. Google says it is releasing updates to fix the flaw, and that restarting Chrome is the way to apply any pending updates. Interestingly, Google says this bug was reported by Apple and Citizen Lab.
On the Microsoft front, a zero-day in Microsoft Word is among the more concerning bugs fixed today. Tracked as CVE-2023-36761, it is flagged as an “information disclosure” vulnerability. But that description hardly grasps at the sensitivity of the information potentially exposed here.
Tom Bowyer, manager of product security at Automox, said exploiting this vulnerability could lead to the disclosure of Net-NTLMv2 hashes, which are used for authentication in Windows environments.
“If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems,” Bowyer said, noting that CVE-2023-36761 can be exploited just by viewing a malicious document in the Windows preview pane. “They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it.”
The other Windows zero-day fixed this month is CVE-2023-36802. This is an “elevation of privilege” flaw in the “Microsoft Streaming Service Proxy,” which is built into Windows 10, 11 and Windows Server versions. Microsoft says an attacker who successfully exploits the bug can gain SYSTEM level privileges on a Windows computer.
Five of the flaws Microsoft fixed this month earned its “critical” rating, which the software giant reserves for vulnerabilities that can be exploited by malware or malcontents with little or no interaction by Windows users.
According to the SANS Internet Storm Center, the most serious critical bug in September’s Patch Tuesday is CVE-2023-38148, which is a weakness in the Internet Connection Sharing service on Windows. Microsoft says an unauthenticated attacker could leverage the flaw to install malware just sending a specially crafted data packet to a vulnerable Windows system.
Finally, Adobe has released critical security updates for its Adobe Reader and Acrobat software that also fixes a zero-day vulnerability (CVE-2023-26369). More details are at Adobe’s advisory.
For a more granular breakdown of the Windows updates pushed out today, check out Microsoft Patch Tuesday by Morphus Labs. In the meantime, consider backing up your data before updating Windows, and keep an eye on AskWoody.com for reports of any widespread problems with any of the updates released as part of September’s Patch Tuesday.
Update: Mozilla also has fixed zero-day flaw in Firefox and Thunderbird, and the Brave browser was updated as well. It appears the common theme here is any software that uses a code library called “libwebp,” and that this vulnerability is being tracked as CVE-2023-4863.
“This includes Electron-based applications, for example – Signal,” writes StackDiary.com. “Electron patched the vulnerability yesterday. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVE’s and 100% of media reported this issue as “Chrome only”, when it’s not.”
Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including multiple zero-day vulnerabilities currently being exploited in the wild.
Six of the flaws fixed today earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to install software on a vulnerable Windows system without any help from users.
Last month, Microsoft acknowledged a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in-the-wild attacks. They were assigned a single placeholder designation of CVE-2023-36884.
Satnam Narang, senior staff research engineer at Tenable, said the August patch batch addresses CVE-2023-36884, which involves bypassing the Windows Search Security feature.
“Microsoft also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE,” Narang said. “Given that this has already been successfully exploited in the wild as a zero-day, organizations should prioritize patching this vulnerability and applying the defense-in-depth update as soon as possible.”
Redmond patched another flaw that is already seeing active attacks — CVE-2023-38180 — a weakness in .NET and Visual Studio that leads to a denial-of-service condition on vulnerable servers.
“Although the attacker would need to be on the same network as the target system, this vulnerability does not require the attacker to have acquired user privileges,” on the target system, wrote Nikolas Cemerikic, cyber security engineer at Immersive Labs.
Narang said the software giant also patched six vulnerabilities in Microsoft Exchange Server, including CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 (threat) score of 9.8 out of a possible 10, even though Microsoft rates it as an important flaw, not critical.
“An unauthenticated attacker could exploit this vulnerability by conducting a brute-force attack against valid user accounts,” Narang said. “Despite the high rating, the belief is that brute-force attacks won’t be successful against accounts with strong passwords. However, if weak passwords are in use, this would make brute-force attempts more successful. The remaining five vulnerabilities range from a spoofing flaw and multiple remote code execution bugs, though the most severe of the bunch also require credentials for a valid account.”
Experts at security firm Automox called attention to CVE-2023-36910, a remote code execution bug in the Microsoft Message Queuing service that can be exploited remotely and without privileges to execute code on vulnerable Windows 10, 11 and Server 2008-2022 systems. Microsoft says it considers this vulnerability “less likely” to be exploited, and Automox says while the message queuing service is not enabled by default in Windows and is less common today, any device with it enabled is at critical risk.
Separately, Adobe has issued a critical security update for Acrobat and Reader that resolves at least 30 security vulnerabilities in those products. Adobe said it is not aware of any exploits in the wild targeting these flaws. The company also issued security updates for Adobe Commerce and Adobe Dimension.
If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a fair chance other readers have experienced the same and may chime in here with useful tips.
Additional reading:
-SANS Internet Storm Center listing of each Microsoft vulnerability patched today, indexed by severity and affected component.
–AskWoody.com, which keeps tabs on any developing problems related to the availability or installation of these updates.
One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.
KrebsOnSecurity recently heard from a reader who was puzzled over an email he’d just received saying he needed to review and complete a supplied W-9 tax form. The missive was made to appear as if it were part of a mailbox delivery report from Microsoft 365 about messages that had failed to deliver.
The reader, who asked to remain anonymous, said the phishing message contained an attachment that appeared to have a file extension of “.pdf,” but something about it seemed off. For example, when he downloaded and tried to rename the file, the right arrow key on the keyboard moved his cursor to the left, and vice versa.
The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.
Look carefully at the screenshot below and you’ll notice that while Microsoft Windows says the file attached to the phishing message is named “lme.pdf,” the full filename is “fdp.eml” spelled backwards. In essence, this is a .eml file — an electronic mail format or email saved in plain text — masquerading as a .PDF file.
“The email came through Microsoft Office 365 with all the detections turned on and was not caught,” the reader continued. “When the same email is sent through Mimecast, Mimecast is smart enough to detect the encoding and it renames the attachment to ‘___fdp.eml.’ One would think Microsoft would have had plenty of time by now to address this.”
Indeed, KrebsOnSecurity first covered RLO-based phishing attacks back in 2011, and even then it wasn’t a new trick.
Opening the .eml file generates a rendering of a webpage that mimics an alert from Microsoft about wayward messages awaiting restoration to your inbox. Clicking on the “Restore Messages” link there bounces you through an open redirect on LinkedIn before forwarding to the phishing webpage.
As noted here last year, scammers have long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedin’s parent firm Microsoft).
The landing page after the LinkedIn redirect displays what appears to be an Office 365 login page, which is naturally a phishing website made to look like an official Microsoft Office property.
In summary, this phishing scam uses an old RLO trick to fool Microsoft Windows into thinking the attached file is something else, and when clicked the link uses an open redirect on a Microsoft-owned website (LinkedIn) to send people to a phishing page that spoofs Microsoft and tries to steal customer email credentials.
According to the latest figures from Check Point Software, Microsoft was by far the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts.
An unsolicited message that arrives with one of these .eml files as an attachment is more than likely to be a phishing lure. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly.
If you’re unsure whether a message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.