Login
Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple’s new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.
Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.
Apple’s macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].
On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.
Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.
Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).
Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.
“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”
CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), a Linux-based cloud infrastructure in Microsoft Azure. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.
CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineer at Immersive Labs.
“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”
A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.
Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.
By the way, Adobe recently enrolled all of its Acrobat users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.
Related tags
Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
On Sept. 7, researchers at Citizen Lab warned they were seeing active exploitation of a “zero-click,” zero-day flaw to install spyware on iOS devices without any interaction from the victim.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the researchers wrote.
According to Citizen Lab, the exploit uses malicious images sent via iMessage, an embedded component of Apple’s iOS that has been the source of previous zero-click flaws in iPhones and iPads.
Apple says the iOS flaw (CVE-2023-41064) does not seem to work against devices that have its ultra-paranoid “Lockdown Mode” enabled. This feature restricts non-essential iOS features to reduce the device’s overall attack surface, and it was designed for users concerned that they may be subject to targeted attacks. Citizen Lab says the bug it discovered was being exploited to install spyware made by the Israeli cyber surveillance company NSO Group.
This vulnerability is fixed in iOS 16.6.1 and iPadOS 16.6.1. To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode.
Not to be left out of the zero-day fun, Google acknowledged on Sept. 11 that an exploit for a heap overflow bug in Chrome is being exploited in the wild. Google says it is releasing updates to fix the flaw, and that restarting Chrome is the way to apply any pending updates. Interestingly, Google says this bug was reported by Apple and Citizen Lab.
On the Microsoft front, a zero-day in Microsoft Word is among the more concerning bugs fixed today. Tracked as CVE-2023-36761, it is flagged as an “information disclosure” vulnerability. But that description hardly grasps at the sensitivity of the information potentially exposed here.
Tom Bowyer, manager of product security at Automox, said exploiting this vulnerability could lead to the disclosure of Net-NTLMv2 hashes, which are used for authentication in Windows environments.
“If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems,” Bowyer said, noting that CVE-2023-36761 can be exploited just by viewing a malicious document in the Windows preview pane. “They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it.”
The other Windows zero-day fixed this month is CVE-2023-36802. This is an “elevation of privilege” flaw in the “Microsoft Streaming Service Proxy,” which is built into Windows 10, 11 and Windows Server versions. Microsoft says an attacker who successfully exploits the bug can gain SYSTEM level privileges on a Windows computer.
Five of the flaws Microsoft fixed this month earned its “critical” rating, which the software giant reserves for vulnerabilities that can be exploited by malware or malcontents with little or no interaction by Windows users.
According to the SANS Internet Storm Center, the most serious critical bug in September’s Patch Tuesday is CVE-2023-38148, which is a weakness in the Internet Connection Sharing service on Windows. Microsoft says an unauthenticated attacker could leverage the flaw to install malware just sending a specially crafted data packet to a vulnerable Windows system.
Finally, Adobe has released critical security updates for its Adobe Reader and Acrobat software that also fixes a zero-day vulnerability (CVE-2023-26369). More details are at Adobe’s advisory.
For a more granular breakdown of the Windows updates pushed out today, check out Microsoft Patch Tuesday by Morphus Labs. In the meantime, consider backing up your data before updating Windows, and keep an eye on AskWoody.com for reports of any widespread problems with any of the updates released as part of September’s Patch Tuesday.
Update: Mozilla also has fixed zero-day flaw in Firefox and Thunderbird, and the Brave browser was updated as well. It appears the common theme here is any software that uses a code library called “libwebp,” and that this vulnerability is being tracked as CVE-2023-4863.
“This includes Electron-based applications, for example – Signal,” writes StackDiary.com. “Electron patched the vulnerability yesterday. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVE’s and 100% of media reported this issue as “Chrome only”, when it’s not.”
FreshRSS