Weekly Security News – 19th August 2024

Microsoft and Adobe release a wave of patches, ransomware gangs and a Google Pixel shipping issue... all in this week's security news...

Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

Microsoft Releases August 2024 Security Updates

Microsoft has released security updates to address 90 vulnerabilities in Microsoft products. The security updates include ten zero-day vulnerabilities, of which six are actively exploited and four are publicly disclosed. The following platforms are known to be affected: Microsoft Windows, Microsoft Windows Server, Microsoft Office, Microsoft Teams, Windows BitLocker, Windows Kerberos, Windows Secure Boot, Windows Security Center, Windows SmartScreen, Visual Studio, and other Microsoft products. Affected organisations are encouraged to review Microsoft’s August 2024 Security Update Summary and apply the relevant updates. Microsoft has reported that six vulnerabilities are under active exploitation. These are:

  • CVE-2024-38189 (Microsoft Project Remote Code Execution)
  • CVE-2024-38178 (Scripting Engine Memory Corruption)
  • CVE-2024-38193 (Windows Ancillary Function Driver for WinSock Elevation of Privilege)
  • CVE-2024-38106 (Windows Kernel Elevation of Privilege)
  • CVE-2024-38107 (Windows Power Dependency Coordinator Elevation of Privilege)
  • CVE-2024-38213 (Windows Mark of the Web Security Feature Bypass)

Adobe Releases Security Updates for Acrobat and Reader

Adobe has released security updates addressing 8 critical vulnerabilities (CVE-2024-39383, CVE-2024-39422, CVE-2024-39423, CVE-2024-39424, CVE-2024-39425, CVE-2024-39426, CVE-2024-41830, CVE-2024-41831) in Acrobat and Reader. The vulnerabilities have a maximum CVSSv3 score of 8.1 and successful exploitation could lead to arbitrary code execution (ACE) or privilege escalation. The following platforms are known to be affected: Adobe Reader DC – prior to 24.002.21005, Adobe Reader 2020 – prior to 20.005.30655, Acrobat DC – prior to 24.002.21005, Acrobat 2024 – prior to 24.001.30159 and Acrobat 2020 – prior to 20.005.30655. Affected organisations are encouraged to review the Adobe Security Bulletin and apply the relevant updates.

Cyber Attacks

Ransomware gang deploys new malware to kill security software

RansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks. Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system. This technique is very popular among various threat actors, ranging from financially motivated ransomware gangs to state-backed hacking groups. Sophos also found that EDRKillShifter can deliver various driver payloads based on the attackers’ needs and that the malware’s language property suggests it was compiled on a computer with Russian localization.

Fake X content warnings on Ukraine war, earthquakes used as clickbait

X has always had a bot problem, but now scammers are utilizing the Ukraine war and earthquake warnings in Japan to entice users into clicking on fake content warnings and videos that lead to scam adult sites, malicious browser extensions, and shady affiliate sites. For months, X has been flooded with posts that contain what appears at first glance to be a pornographic video but, when clicked on, brings you to fake adult sites. As tracked by X users “Slava Bonkus” and “Cyber TM,” the scammers have now also started creating posts pretending to contain sensational information about the Ukrainian forces invading Kursk or warnings about an earthquake in Nankai Trough, Japan.

In Other News...

Google Pixel Devices Shipped with Vulnerable App, Leaving Millions at Risk

A large percentage of Google’s own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware. The issue manifests in the form of a pre-installed Android app called “Showcase.apk” that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security firm iVerify. “The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level,” it said in an analysis published jointly with Palantir Technologies and Trail of Bits. “The application retrieves the configuration file from a single U.S.-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable.”
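The two weaknesses iVerify describes, a plaintext HTTP fetch and a configuration that is acted on without any integrity check, are separate problems with separate fixes: the transport has to be authenticated, and the configuration itself has to be verified before it is used. The following is an added example, not code from iVerify, Google or the app in question, of a client that applies both checks. It assumes a pre-provisioned HMAC key (a constructed value) so that it runs with the standard library alone; a production design would use a public-key signature so the device only holds a verification key.

```python
# Added example (not from iVerify, Google or the app described): a client that
# refuses plaintext configuration sources and verifies the configuration
# before parsing it.
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Key provisioned to the device for authenticating configuration. Constructed
# value for this example; a real deployment would use a per-device or
# public-key scheme rather than a shared secret in source.
CONFIG_SIGNING_KEY = b"example-provisioned-key-not-a-real-secret"


class ConfigRejected(Exception):
    """Raised when a configuration source or payload fails validation."""


def check_config_source(url: str) -> str:
    """Accept only HTTPS sources. Over plain HTTP anyone on the network path
    can substitute the configuration, which is the weakness described above."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ConfigRejected(f"refusing non-HTTPS configuration source: {url}")
    return parsed.hostname


def sign_config(body: bytes, key: bytes = CONFIG_SIGNING_KEY) -> str:
    """Producer side: tag the configuration bytes with HMAC-SHA256."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_config(body: bytes, signature_hex: str, key: bytes = CONFIG_SIGNING_KEY) -> dict:
    """Consumer side: verify the tag before parsing, so a tampered body is
    never acted on. Transport security does not give this on its own: it
    protects the connection, not the file or the server that serves it."""
    expected = sign_config(body, key)
    if not hmac.compare_digest(expected, signature_hex):
        raise ConfigRejected("configuration signature mismatch")
    return json.loads(body.decode("utf-8"))


def load_config(url: str, body: bytes, signature_hex: str) -> dict:
    """Both checks, in the order a client should apply them."""
    check_config_source(url)
    return verify_config(body, signature_hex)


if __name__ == "__main__":
    # Constructed configuration and hostname; nothing is fetched here.
    body = json.dumps({"log_level": "info", "report_interval_s": 300}).encode()
    sig = sign_config(body)
    print(load_config("https://config.example.test/device.json", body, sig))
    tampered = body.replace(b"info", b"debug")
    try:
        load_config("https://config.example.test/device.json", tampered, sig)
    except ConfigRejected as exc:
        print("rejected:", exc)
```

The order matters: the source check runs before any bytes are trusted, and verification runs before parsing, so a malformed or substituted file never reaches the code that acts on configuration values.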

SolarWinds fixes critical RCE bug affecting all Web Help Desk versions

SolarWinds has released patches to address a critical security vulnerability in its Web Help Desk software that could be exploited to execute arbitrary code on susceptible instances. The flaw, tracked as CVE-2024-28986 (CVSS score: 9.8), has been described as a deserialization bug. “SolarWinds Web Help Desk was found to be susceptible to a Java deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine,” the company said in an advisory. “While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.” The flaw impacts all versions of SolarWinds Web Help Desk including and prior to 12.8.3. It has been addressed in hotfix version 12.8.3 HF 1.
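The general mitigation for this class of bug is to deserialize untrusted input only through an allowlist of the types the application actually expects, so that a payload referencing any other class or function is refused before it is resolved. The following is an added example, not SolarWinds' code and not specific to Web Help Desk: because the examples on this page are in Python, it uses Python's pickle as the stand-in for Java serialization (the same weakness, with the same allowlist remedy that Java's deserialization filters provide). The `Ticket` type and the payloads are constructed.

```python
# Added example (not SolarWinds' code): allowlist-based deserialization,
# shown with Python's pickle as a stand-in for Java serialization.
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class Ticket:
    """The one application type this service expects to deserialize (constructed)."""
    ticket_id: int
    summary: str


# Allowlist of (module, name) pairs the unpickler may resolve. Everything else
# is refused before the referenced object is even imported.
ALLOWED_GLOBALS = {
    (Ticket.__module__, "Ticket"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """True if the payload deserializes under the allowlist, False if refused."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def make_expected_payload() -> bytes:
    """A payload of the type the service is meant to receive."""
    return pickle.dumps(Ticket(42, "printer jammed"))


def make_unexpected_payload() -> bytes:
    """A payload that references a function outside the allowlist. Pickling a
    function only records its import path; nothing is executed here."""
    return pickle.dumps(os.getcwd)


if __name__ == "__main__":
    print("expected payload accepted:", is_accepted(make_expected_payload()))
    print("unexpected payload accepted:", is_accepted(make_unexpected_payload()))
```

The point the example makes is where the check sits: `find_class` is consulted before any referenced type is imported or instantiated, so the allowlist is enforced at resolution time rather than after an object has already been constructed. Java's `ObjectInputFilter` occupies the same position in the Java deserialization path.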