Security Leftovers
-
Apple & Microsoft Patch Tuesday, July 2023 Edition
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
-
Microsoft warns of unpatched holes in Windows, Office on bumper Patch Tuesday
"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
Microsoft also warned of a phishing campaign using Office zero-day exploits to attack European and North American government and defence agencies.
iTWire's regular Patch Tuesday commentator Satnam Narang said: “Two security feature bypass zero-day vulnerabilities in Microsoft Outlook (CVE-2023-35311) and Windows SmartScreen (CVE-2023-32049) were exploited in the wild by attackers.
"Details about exploitation were not available at the time Patch Tuesday updates were released, but it appears that the attackers were able to use social engineering to convince a target to click on a malicious URL. In both instances, security warning prompts that are designed to help protect users were bypassed."
-
Chinese hackers raided US government email accounts by exploiting Microsoft cloud bug | TechCrunch
The White House confirmed that unclassified U.S. government email accounts were accessed in the raids by Chinese hackers.
-
Former Security Engineer Arrested for $9 Million Crypto Exchange Hack
Former security engineer Shakeeb Ahmed has been arrested on charges related to the defrauding of decentralized crypto exchange Crema Finance.
-
Matthew Garrett: Roots of Trust are difficult [Ed: Yes, never trust a man who wants to stab his colleagues (like Matthew Garrett desired) as it leads to actual stabbings]
The phrase "Root of Trust" turns up at various points in discussions about verified boot and measured boot, and to a first approximation nobody is able to give you a coherent explanation of what it means[1].
-
Apple’s Rapid Security Response Patches Causing Website Access Issues
Apple has pulled its latest Rapid Security Response updates for iOS and macOS after users complained that they can no longer access websites.
-
Adobe Patch Tuesday: Critical Flaws Haunt InDesign, ColdFusion
Software maker calls special attention to CVE-2023-29300, a deserialization of untrusted data bug with a CVSS severity score of 9.8/10.
-
Personal Information of 11 Million Patients Stolen in Data Breach at HCA Healthcare
HCA Healthcare says the personal information of roughly 11 million patients was stolen in a data breach.
-
Privacy of Printing Services
The Washington Post has an article about popular printing services, and whether or not they read your documents and mine the data when you use them for printing:
Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also communicate clearly upfront what information they’re collecting and why. Some services, like the New York Public Library and PrintWithMe, do both.
Others dodged our questions about what data they collect, how long they store it and whom they share it with. Some—including Canon, FedEx and Staples—declined to answer basic questions about their privacy practices...
-
Ten years on, Snowden has had tremendous impact – good and bad – on corporate security
Ten years ago, a young man left a nice job, his girlfriend and his home with just his laptops. His fantastic story changed the world and the way we think about our internet privacy.
-
New ‘PyLoose’ fileless malware attacks target cloud workloads
Researchers at cybersecurity firm Wiz Inc. today detailed a newly discovered Python-based fileless malware that’s targeting cloud workloads. Dubbed “PyLoose,” the attack is said to be the first publicly documented Python-based fileless attack targeting cloud workloads in the wild.
-
Growing reliance on satellites requires new approach to cybersecurity in space, expert says
Experts call for improvements to space cybersecurity as sectors such as energy, agriculture and finance rely more on satellite networks.
-
Verifying Software Integrity With Sigstore [Ed: Sigstore's mission is actually dangerous as it will facilitate censorship of software, not improve real security]
Signing code is very important to defend against supply chain attacks, but it’s also one of the most cumbersome to implement for internal development.
-
ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities
ICS Patch Tuesday: Siemens and Schneider Electric release nine new security advisories and fix 50 vulnerabilities in their industrial products.
-
Microsoft blithely signing malicious drivers with legitimate certificates
The security firm pointed out that the other drivers — 32 of which were signed by WHCP — were rootkits. "Many of these rootkits were designed to stealthily monitor sensitive data sent over the Internet," it said.
"Upon discovering these malicious drivers, X-Ops immediately reported the issue to Microsoft, who resolved the issue in their most recent Patch Tuesday.
Christopher Budd, director, threat research, Sophos X-Ops, said: “Since October last year, we’ve noticed a concerning rise in threat actors taking advantage of malicious signed drivers to carry out various cyber attacks, including [the use of] ransomware.
"We believed that attackers would continue to leverage this attack vector, and that has indeed been the case. Because drivers often communicate with the ‘core’ of the operating system and load before security software, when they are abused, they can be particularly effective at disabling security protections — especially when signed by a trusted authority.
"Many of the malicious drivers we’ve discovered were specifically designed to target and ‘take out’ EDR products, leaving the affected systems vulnerable to a range of malicious activity.
"Obtaining a signature for a malicious driver is difficult, so this technique is primarily used by advanced threat actors in targeted attacks.
-
Microsoft: Unpatched Office zero-day exploited in NATO summit attacks
Microsoft disclosed today an unpatched zero-day security bug in multiple Windows and Office products exploited in the wild to gain remote code execution via malicious Office documents.