Expert(s):
Senior Research Engineerfeature_status*/ ?>
Tenable

Comments Dotted : 13
November 12, 2020

Experts Reacted Microsoft’s New Patch Tuesday Format: “A Bad Move” And “Disappointing”
Chaining vulnerabilities is an important tactic for threat actors.
This month’s Patch Tuesday includes fixes for 112 CVEs, 17 of which are rated critical. This is a return to form for Microsoft, as the company ended a streak of patching over 100 CVEs last month when they patched 87 CVEs. One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the.....Read More
This month’s Patch Tuesday includes fixes for 112 CVEs, 17 of which are rated critical. This is a return to form for Microsoft, as the company ended a streak of patching over 100 CVEs last month when they patched 87 CVEs. One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome. The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year. Chaining vulnerabilities is an important tactic for threat actors. While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly.  Read Less
October 08, 2020

Multiple Vulnerabilities In HP Device Manager – Expert Insight
HP Device Manager is a popular software solution used to manage HP Thin Clients remotely.
HP Device Manager is a popular software solution used to manage HP Thin Clients remotely. The three vulnerabilities disclosed in HP’s recent security bulletin by themselves are notable. However, a pair of the flaws, CVE-2020-6926 and CVE-2020-6927, when combined could allow an attacker to gain remote command execution on the vulnerable system through the HP Device Manager. HP has so far released patches for the 5.0.x branch of HP Device Manager, so organizations using this particular.....Read More
HP Device Manager is a popular software solution used to manage HP Thin Clients remotely. The three vulnerabilities disclosed in HP’s recent security bulletin by themselves are notable. However, a pair of the flaws, CVE-2020-6926 and CVE-2020-6927, when combined could allow an attacker to gain remote command execution on the vulnerable system through the HP Device Manager. HP has so far released patches for the 5.0.x branch of HP Device Manager, so organizations using this particular branch release should upgrade to 5.0.4 as soon as possible. If an organization is using a previous version of HP Device Manager, there are mitigation steps in HP’s security bulletin that can be taken to protect against these attacks until a patch becomes available.  Read Less
May 19, 2020

Industry Experts On Verizon DBiR 2020
Ransomware increased by 2.6% from last year, landing at number three in most common Malware breach.
The findings in the Data Breach Investigations Report (DBIR) 2020 show that while attack vectors may fluctuate over time, cybercriminals often set their sights on low-hanging fruit. Zero-days may garner most of the attention, but foundational cyber hygiene issues enable most breaches. The motivation for cybercriminals is primarily financial. As the Cybersecurity and Infrastructure Security Agency (CISA) recently underscored in a recent report about the top 10 routinely exploited.....Read More
The findings in the Data Breach Investigations Report (DBIR) 2020 show that while attack vectors may fluctuate over time, cybercriminals often set their sights on low-hanging fruit. Zero-days may garner most of the attention, but foundational cyber hygiene issues enable most breaches. The motivation for cybercriminals is primarily financial. As the Cybersecurity and Infrastructure Security Agency (CISA) recently underscored in a recent report about the top 10 routinely exploited vulnerabilities, cybercriminals focus their efforts on exploiting unpatched vulnerabilities. It’s a cost-effective measure that provides the most bang for the buck, because they don’t have to spend the capital needed to acquire zero-day vulnerabilities when there are so many unpatched systems to take advantage of. As the DBIR notes, even if a newly-discovered vulnerability wasn’t patched in a network, those same systems would likely also be vulnerable to a plethora of other vulnerabilities, which signifies a lack of basic cyber hygiene. Ransomware increased by 2.6% from last year, landing at number three in the most common Malware breach variety, while also taking the number two spot for most common malware incident variety, according to the DBIR. What’s changed in that time is that ransomware isn’t solely devoted to encrypting files anymore. Cybercriminals have escalated their attacks to another level, siphoning off sensitive information from organizations whose files they’ve encrypted. These cybercriminals threaten to publish this sensitive information publicly, often publicly sharing a teaser of files from organizations they’ve compromised. The belief is that naming and shaming these victims would encourage them to pay the ransom demand, and in many cases, that’s proven to be true. Another notable finding is that 43% of breaches involved web applications. This is often fueled by the exploitation of some of the most common vulnerabilities, such as SQL injection or PHP injection flaws. As more and more businesses have migrated to the cloud, their attack surface increases, especially with respect to web applications. The DBIR notes that web applications along with email application servers were involved in 73% of cloud breaches, while most of those were the result of breached credentials.  Read Less
April 28, 2020

Comment: Symlink Race Bugs Discovered In 28 Antivirus Products
To successfully exploit these flaws, timing is of the essence as the flaws rely on a race condition.
To weaponise the “symlink race” flaws found in 28 popular antivirus products, attackers would first need to establish a local presence on the victim’s system or include the malicious code as part of malware to create a directory junction (Windows) or symlink (macOS/Linux). This code could be used to remove important system files including those associated with the operating system or antivirus software itself. In doing so, the machine may be rendered useless or the antivirus product would .....Read More
To weaponise the “symlink race” flaws found in 28 popular antivirus products, attackers would first need to establish a local presence on the victim’s system or include the malicious code as part of malware to create a directory junction (Windows) or symlink (macOS/Linux). This code could be used to remove important system files including those associated with the operating system or antivirus software itself. In doing so, the machine may be rendered useless or the antivirus product would be disarmed. To successfully exploit these flaws, timing is of the essence as the flaws rely on a race condition. However, researchers found in some cases that timing wasn’t necessary if the malicious code was continually running over and over, it would eventually lead to successful exploitation. It’s positive that most of the vendors have worked to address this particular issue in their products. Unfortunately, because antivirus software runs with the highest privileges on the operating system, it will continue to be a high-value target for cybercriminals.  Read Less
April 23, 2020

Expert Insight On iPhone Zero-Day Hack Found In The Wild
Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application.
The recent disclosure that multiple zero-days in the Apple iOS Mail application were exploited in the wild is significant and noteworthy. One of the flaws can be exploited without user interaction (also known as zero click) on iOS 13. The vulnerabilities also affect iOS 12, though interaction is required in most cases. Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with.....Read More
The recent disclosure that multiple zero-days in the Apple iOS Mail application were exploited in the wild is significant and noteworthy. One of the flaws can be exploited without user interaction (also known as zero click) on iOS 13. The vulnerabilities also affect iOS 12, though interaction is required in most cases. Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet. While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail.  Read Less
April 16, 2020

Comment: Microsoft Battles 3 Zero Days Under Active Exploit In April’s Patch Tuesday
There are multiple scenarios in which this vulnerability could be exploited.
This month’s Patch Tuesday is another considerable release, with Microsoft fixing 113 vulnerabilities, 19 of them rated as critical and 94 rated as important. Three of these vulnerabilities were exploited in the wild. Microsoft released a patch for CVE-2020-1020, a remote code execution vulnerability in the Adobe Font Manager Library that was first made public on March 23, when Microsoft published an advisory detailing its in-the-wild exploitation. Microsoft also patched CVE-2020-0938,.....Read More
This month’s Patch Tuesday is another considerable release, with Microsoft fixing 113 vulnerabilities, 19 of them rated as critical and 94 rated as important. Three of these vulnerabilities were exploited in the wild. Microsoft released a patch for CVE-2020-1020, a remote code execution vulnerability in the Adobe Font Manager Library that was first made public on March 23, when Microsoft published an advisory detailing its in-the-wild exploitation. Microsoft also patched CVE-2020-0938, another remote code execution vulnerability in Adobe Font Manager Library that was also exploited in the wild. Though both affect Adobe Font Manager Library, there is currently no confirmation that the two are related to the same set of in-the-wild attacks. "To exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane. Additionally, Microsoft patched CVE-2020-0968, a memory corruption vulnerability in Internet Explorer. This flaw exists due to the improper handling of objects in memory by the scripting engine. There are multiple scenarios in which this vulnerability could be exploited. The primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.  Read Less
March 11, 2020

Expert Insight On Microsoft Leaks Info On Wormable Windows SMBv3 CVE-2020-0796 Flaw
The flaw was identified as CVE-2020-0796, though it is unclear whether or not Microsoft will use this identifier once their patch is released.
Microsoft released ADV200005, a security advisory for a critical remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3). An unauthenticated attacker could exploit the flaw by sending a specially crafted packet to the vulnerable SMBv3 server. At this time, there is no patch available. However, Microsoft provided workaround instructions to help prevent attackers from exploiting the vulnerability which include disabling compression for SMBv3 as well as blocking TCP.....Read More
Microsoft released ADV200005, a security advisory for a critical remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3). An unauthenticated attacker could exploit the flaw by sending a specially crafted packet to the vulnerable SMBv3 server. At this time, there is no patch available. However, Microsoft provided workaround instructions to help prevent attackers from exploiting the vulnerability which include disabling compression for SMBv3 as well as blocking TCP port 445 at the perimeter firewall. Microsoft cautions that these fixes only prevent potential exploitation server side, and will not protect vulnerable SMB clients. Microsoft notes that in order to exploit an SMB Client, the attacker would need to configure a malicious SMB server and convince users to connect to it. The vulnerability was initially disclosed accidentally as part of the March Patch Tuesday release in another security vendor’s blog. Soon after the accidental disclosure, references to it were removed from the blog post. The flaw was identified as CVE-2020-0796, though it is unclear whether or not Microsoft will use this identifier once their patch is released. This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks. It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown. At this point, organisations would be wise to review and implement the workarounds Microsoft has provided and begin prioritising patch management for the flaw once patches are released.  Read Less
February 13, 2020

Microsoft’s February 2020 Patch Tuesday Fixes 99 Security Bugs – Expert Insight
Microsoft also patched CVE-2020-0688, a memory corruption vulnerability in Microsoft Exchange.
This month’s Patch Tuesday release contains updates for a staggering 99 CVEs, 12 of which are rated as critical. This is one of the largest Patch Tuesday releases we’ve seen in recent times. Microsoft released a patch for CVE-2020-0674, a memory corruption vulnerability in Internet Explorer that Microsoft issued an advisory for in January, cautioning that the flaw had been exploited in the wild. At the time, Microsoft only provided mitigation instructions and did not release an out-of-band.....Read More
This month’s Patch Tuesday release contains updates for a staggering 99 CVEs, 12 of which are rated as critical. This is one of the largest Patch Tuesday releases we’ve seen in recent times. Microsoft released a patch for CVE-2020-0674, a memory corruption vulnerability in Internet Explorer that Microsoft issued an advisory for in January, cautioning that the flaw had been exploited in the wild. At the time, Microsoft only provided mitigation instructions and did not release an out-of-band patch. Details about the in-the-wild exploitation of the flaw are still not known, but it is important for organizations to apply these patches as soon as possible. Additionally, multiple vulnerabilities in Remote Desktop were patched, including two remote code execution vulnerabilities that are likely to be exploited, according to Microsoft. These flaws, identified as CVE-2020-0681 and CVE-2020-0734, exist in Remote Desktop Client. Exploitation of these requires an attacker to either persuade their victim into connecting to a vulnerable Remote Desktop Server operated by the attacker, or plant malicious code on a compromised Remote Desktop Server and wait for the vulnerable user to connect to it. Microsoft also patched CVE-2020-0688, a memory corruption vulnerability in Microsoft Exchange. To exploit this vulnerability, an attacker would need to send a specially crafted email to a vulnerable Exchange server. Exploitation of the flaw would lead to arbitrary code execution in the context of the System user, granting an attacker the ability to create a new account, install programs, and view, change or delete data.  Read Less
January 10, 2020

Comments On Microsoft Will ‘End Of Life’ Support For Windows 7 And Windows Server 2008 On January 14
In December 2019, Microsoft released fixes for CVE-2019-1458, an elevation of privilege vulnerability.
With Microsoft discontinuing support for Windows 7 and Windows Server 2008 on January 14, it is imperative that consumers and businesses take steps to ensure their systems are not vulnerable. In December 2019, Microsoft released fixes for CVE-2019-1458, an elevation of privilege vulnerability that was exploited in the wild. It affects both Windows 7 and Windows 2008 systems. Users of Windows 7 and Windows Server 2008 who opt not to migrate to newer versions are at risk of being preyed upon by.....Read More
With Microsoft discontinuing support for Windows 7 and Windows Server 2008 on January 14, it is imperative that consumers and businesses take steps to ensure their systems are not vulnerable. In December 2019, Microsoft released fixes for CVE-2019-1458, an elevation of privilege vulnerability that was exploited in the wild. It affects both Windows 7 and Windows 2008 systems. Users of Windows 7 and Windows Server 2008 who opt not to migrate to newer versions are at risk of being preyed upon by bad actors, leaving them vulnerable to attacks especially since these systems won’t be supported by Microsoft. We strongly encourage consumers and businesses to take stock of what Windows 7 or Windows Server 2008 assets remain and make immediate plans for migration.  Read Less
November 14, 2019

Expert On Microsoft’s November 2019 Patch Tuesday Fixes IE Zero-day, 74 Flaws
CVE-2019-1457, which was publicly disclosed at the end of October, is a security feature bypass in Microsoft Office.
This month’s Patch Tuesday release contains updates for nearly 75 CVEs. One of the vulnerabilities, CVE-2019-1429, was first exploited in the wild as a zero day and could enable an attacker to execute arbitrary code under the same privileges of the current user. If the user has administrative rights, an attacker would be able to perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data. An attacker would.....Read More
This month’s Patch Tuesday release contains updates for nearly 75 CVEs. One of the vulnerabilities, CVE-2019-1429, was first exploited in the wild as a zero day and could enable an attacker to execute arbitrary code under the same privileges of the current user. If the user has administrative rights, an attacker would be able to perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data. An attacker would need to convince a user to visit a website containing the exploit code using Internet Explorer in order to exploit the flaw. CVE-2019-1457, which was publicly disclosed at the end of October, is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents. An attacker would need to create a specially crafted Excel document using the SYLK (SYmbolic LinK) file format and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac. Successful exploitation would allow an attacker to execute arbitrary code on the victim’s system.  Read Less