Beyond Information Security

Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.

Of the 149 flaws, three are rated Critical, 142 Important, three Moderate, and one Low in severity. These are in addition to the 21 vulnerabilities the company addressed in its Chromium-based Edge browser after the March 2024 Patch Tuesday release.

The two flaws under active exploitation are:

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft’s own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) that’s signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Source: The Hacker News / BleepingComputer / Krebs on Security / SecurityWeek / Cisco Talos Intelligence Group / Help Net Security / SANS Internet Storm Center

Link: https://thehackernews.com/2024/04/microsoft-fixes-149-flaws-in-huge-april.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-two-windows-zero-days-exploited-in-malware-attacks/

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2024-patch-tuesday-fixes-150-security-flaws-67-rces/

Link: https://krebsonsecurity.com/2024/04/aprils-patch-tuesday-brings-record-number-of-fixes/

Link: https://www.securityweek.com/microsoft-plugs-gaping-hole-in-azure-kubernetes-service-confidential-containers/

Link: https://www.securityweek.com/microsoft-patches-two-zero-days-exploited-for-malware-delivery/

Link: https://blog.talosintelligence.com/patch-tuesday-april-2024/

Link: https://www.helpnetsecurity.com/2024/04/09/april-2024-patch-tuesday-cve-2024-29988/

Link: https://isc.sans.edu/diary/April%202024%20Microsoft%20Patch%20Tuesday%20Summary/30822


Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability

Fortinet has released patches to address a critical security flaw impacting FortiClientLinux that could be exploited to achieve arbitrary code execution.

Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website,” Fortinet said in an advisory.

Source: The Hacker News / SecurityWeek / FortiGuard PSIRT

Link: https://thehackernews.com/2024/04/fortinet-has-released-patches-to.html

Link: https://www.securityweek.com/fortinet-patches-critical-rce-vulnerability-in-forticlientlinux/

Link: https://www.fortiguard.com/psirt/FG-IR-23-087


Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks. It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off “individually targeted attacks of such exceptional cost and complexity.”

“Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global,” Apple said.

“The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today.”

The update replaces earlier wording that said these “threat notifications” were designed to inform and assist users who may have been targeted by state-sponsored attackers.

According to TechCrunch, Apple sent threat notifications to iPhone users in 92 countries at 12:00 p.m. PST on Wednesday, coinciding with the revision to the support page.

Source: The Hacker News / BleepingComputer / Dark Reading / Apple Support

Link: https://thehackernews.com/2024/04/apple-expands-spyware-alert-system-to.html

Link: https://www.bleepingcomputer.com/news/security/apple-mercenary-spyware-attacks-target-iphone-users-in-92-countries/

Link: https://www.darkreading.com/vulnerabilities-threats/apple-warns-users-targeted-by-mercenary-spyware

Link: https://support.apple.com/en-us/102174


Critical ‘BatBadBut’ Rust Vulnerability Exposes Windows Systems to Attacks

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.

The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments: the root cause is how cmd.exe parses the command line when it runs a .bat or .cmd file, so programs that only spawn ordinary executables are unaffected.

“The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said in an advisory released on April 9, 2024.

“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.”

The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).
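
To make the mitigation concrete, here is an added example, written for this page and not code from the Rust project or from RyotaK's write-up, of the approach a caller can take when it must launch a batch file with attacker-influenced arguments: decide by extension whether cmd.exe will be involved and, if so, refuse any argument containing a cmd.exe metacharacter or control character instead of attempting to escape it. The function names, the `cmd.exe /d /c` command-line shape and the sample arguments are this example's own assumptions; it only builds and checks the command line and never spawns a process, so it runs on any platform.

```rust
// Added example for this page (not the Rust standard library's fix): a
// hardened wrapper around the "spawn a batch file with caller-supplied
// arguments" pattern that BatBadBut (CVE-2024-24576) targets. Names and
// sample inputs are constructed for illustration.
use std::path::Path;

/// Why an argument was refused.
#[derive(Debug, PartialEq, Eq)]
pub enum BatArgError {
    /// CR, LF, tab and other control characters can split or hide commands.
    ControlChar(char),
    /// A cmd.exe metacharacter that stays active inside double quotes.
    Metachar(char),
}

/// How a program should be launched.
#[derive(Debug, PartialEq, Eq)]
pub enum Plan {
    /// Not a batch file: CreateProcess runs it directly, cmd.exe is not
    /// involved, and ordinary CommandLineToArgvW quoting rules apply.
    Direct,
    /// A batch file: the exact command line that would be handed to cmd.exe,
    /// built only after every argument passed validation.
    ViaCmd(String),
}

/// Characters cmd.exe interprets even between double quotes: `"` would let an
/// attacker close the quotes, `%` and `!` trigger variable expansion, and the
/// rest are command separators, redirections, grouping or the `^` escape.
const CMD_METACHARS: &[char] = &['"', '%', '!', '^', '&', '|', '<', '>', '(', ')'];

/// Windows decides "batch file" by extension, case-insensitively.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|ext| ext.to_str())
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Allow-list check: refuse anything cmd.exe could reinterpret rather than
/// trying to escape it, since escaping is exactly what the vulnerable
/// versions got wrong.
pub fn validate_batch_arg(arg: &str) -> Result<(), BatArgError> {
    for c in arg.chars() {
        if c.is_control() {
            return Err(BatArgError::ControlChar(c));
        }
        if CMD_METACHARS.contains(&c) {
            return Err(BatArgError::Metachar(c));
        }
    }
    Ok(())
}

/// Decide how to launch `program` with `args`. The script path is the caller's
/// own and is trusted; the arguments are the attacker-influenced part. Batch
/// files get a `cmd.exe /d /c "..."` command line in which every token is
/// wrapped in double quotes (`/d` disables cmd.exe AutoRun registry commands).
/// Validation runs first, so a rejected argument never reaches the line.
pub fn plan_launch(program: &str, args: &[&str]) -> Result<Plan, BatArgError> {
    if !is_batch_file(program) {
        return Ok(Plan::Direct);
    }
    for arg in args {
        validate_batch_arg(arg)?;
    }
    let mut line = String::from("cmd.exe /d /c \"");
    line.push('"');
    line.push_str(program);
    line.push('"');
    for arg in args {
        line.push_str(" \"");
        line.push_str(arg);
        line.push('"');
    }
    line.push('"');
    Ok(Plan::ViaCmd(line))
}

fn main() {
    // Constructed inputs: one benign argument and three injection shapes
    // (quote-breakout, variable expansion, newline-split).
    let samples = ["report.txt", "\"&whoami", "%COMSPEC%", "a\r\nwhoami"];
    for &arg in samples.iter() {
        match plan_launch("deploy.bat", &[arg]) {
            Ok(Plan::ViaCmd(line)) => println!("OK   {arg:?} -> {line}"),
            Ok(Plan::Direct) => println!("OK   {arg:?} -> direct launch"),
            Err(e) => println!("DENY {arg:?} -> {e:?}"),
        }
    }
}
```

Upgrading to Rust 1.77.2 remains the real fix; the patched standard library returns an `InvalidInput` error when it cannot escape an argument safely, so callers should handle that error rather than unwrap it. A wrapper like the one above is defence in depth for code that cannot upgrade yet, and a policy layer for code that can: `%` is rejected even though it is harmless in most positions, because a reject-list that is too narrow is how this class of bug arises.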

Source: The Hacker News / BleepingComputer / Dark Reading / Flatt Security blog / Rust Blog

Link: https://thehackernews.com/2024/04/critical-batbadbut-rust-vulnerability.html

Link: https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/

Link: https://www.darkreading.com/application-security/critical-rust-flaw-poses-exploit-threat-in-specific-windows-use-cases

Link: https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

Link: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html


Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

When we talk about intelligence sharing, we automatically think of spooks, double agents, espionage and covert operations. Today, however, sharing intelligence and collaborating with industry peers is much more of a business imperative, and far less covert than we once imagined. In the relentless fight against cybercriminals it is vital that we share information about cybersecurity threats and vulnerabilities, because that is exactly what our adversaries are doing.

Source: SecurityWeek

Link: https://www.securityweek.com/why-intelligence-sharing-is-vital-to-building-a-robust-collective-cyber-defense-program/


Ransomware payouts hit all-time high, but that’s not the whole story

Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.

In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.

Still, it’s not all roses for ransomware gangs. Many top-tier groups are struggling to adapt to talent scarcity, Russia-Ukraine war fatigue and repeated disruptions by law enforcement. Let’s take a look at the state of ransomware security today.

Source: IBM Security Intelligence

Link: https://securityintelligence.com/articles/ransomware-all-time-high-attackers-struggle/