
Apple’s Big Sur 11.4 Patches a Security Flaw that Could be Exploited to Take Screenshots


macOS Big Sur was updated to 11.4 this week to fix a zero-day vulnerability that let an attacker capture screenshots, record video, and access files on another Mac without being noticed. The flaw lets malicious code bypass Apple's Transparency, Consent, and Control (TCC) framework, which manages app permissions. 

According to Jamf's blog, the issue was identified when the XCSSET spyware "used this bypass especially for the purpose of taking screenshots of the user's desktop without requiring additional permissions." By effectively hijacking permissions granted to other programmes, the malware was able to get around the TCC. 

Researchers identified this activity while analyzing XCSSET "after detecting a considerable spike of identified variations observed in the wild". Apple has yet to offer specific details about the issue in its CVE entry. “The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent–which is the default behaviour,” researchers said. 

Last August, Trend Micro researchers identified the XCSSET malware after they detected attackers injecting malicious code into Xcode developer projects, which spread the infection to anyone building those projects. They recognized the malware as part of a package known as XCSSET, which can hijack the Safari web browser and inject JavaScript payloads that steal passwords, banking data, and personal information, as well as deploy ransomware and other dangerous functionality. 

At the time, Trend Micro researchers discovered that XCSSET was exploiting two zero-day flaws: one in Data Vault, which allowed it to bypass macOS' System Integrity Protection (SIP) feature, and another in Safari for WebKit Development, which permitted universal cross-site scripting (UXSS). 

According to Jamf, a third zero-day issue can now be added to the list of flaws that XCSSET can attack. Jamf detailed how the malware exploits the issue to circumvent the TCC.

Avast Security Evangelist Luis Corrons recommends not waiting to update your Mac. “All users are urged to update to the latest version of Big Sur,” he said. “Mac users are accustomed to receiving prompts when an app needs certain permissions to perform its duties, but attackers are bypassing that protection completely by actively exploiting this vulnerability.”

Microsoft Fixes LPE Vulnerability Impacting Windows 7 and Server 2008


Microsoft quietly patched a local privilege escalation (LPE) flaw that affects both Windows 7 and Server 2008 R2 computers. This LPE flaw (which has yet to be assigned a CVE ID) is caused by a misconfiguration of two service registry keys, and it enables local attackers to escalate privileges on fully patched devices. 

On Windows 7 and Windows Server 2008 R2, security researcher Clément Labro discovered that insecure permissions on the registry keys of the RpcEptMapper and DnsCache services enable attackers to trick the RPC Endpoint Mapper service into loading malicious DLLs. By leveraging this flaw, attackers can execute arbitrary code in the context of the Windows Management Instrumentation (WMI) service, which runs with LOCAL SYSTEM privileges. 

“In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading attacker's DLL and executing code from it,” 0patch co-founder Mitja Kolsek explained when the flaw was first announced as a zero-day in November. 

Labro said he discovered the zero-day after releasing an update to PrivescCheck, a script that checks for basic Windows security misconfigurations that malware could use for privilege escalation. Labro said he didn't realize the new checks were flagging an unpatched privilege escalation path until he started looking at a series of warnings that appeared days after the update on older systems like Windows 7. 

Both Windows 7 and Windows Server 2008 R2 had passed their end-of-life (EOL) deadlines, and Microsoft had stopped offering free software patches for them. While the company's ESU (Extended Support Updates) paid support service included some security updates for Windows 7 users, no patch for this problem was announced at the time. 

Although Microsoft quietly fixed the RpcEptMapper registry key vulnerability (as 0patch discovered) in the April 2021 Windows Updates (ESU) release by changing the key's permissions so that the Authenticated Users and Users groups no longer hold 'Create Subkey,' the company has yet to resolve the DnsCache vulnerability. Since February, an open-source exploit tool for the Windows 7 / 2008 R2 RpcEptMapper registry key vulnerability has been available. 
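As an added example (not code from the article, 0patch or Labro's PrivescCheck), the following PowerShell audit checks the two service keys named above for the weak ACL the flaw relied on and for a leftover Performance subkey. It assumes the keys live at the standard location HKLM:\SYSTEM\CurrentControlSet\Services\<service>.

```powershell
# Added audit script (not from the article). Checks whether low-privileged groups
# still hold CreateSubKey on the RpcEptMapper / DnsCache service keys, and whether
# a Performance subkey (the artifact the described technique leaves) is present.
# Assumption: service keys live under HKLM:\SYSTEM\CurrentControlSet\Services\<name>.
$services       = 'RpcEptMapper', 'DnsCache'
$weakPrincipals = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$createSubKey   = [System.Security.AccessControl.RegistryRights]::CreateSubKey

foreach ($svc in $services) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $path)) {
        Write-Output "$svc : key not present"
        continue
    }

    # Flag Allow ACEs that grant CreateSubKey (directly or via FullControl etc.)
    # to the two groups whose rights the April 2021 fix removed.
    $acl  = Get-Acl -Path $path
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights) -band ([int]$createSubKey)) -ne 0
    }

    if ($weak) {
        foreach ($ace in $weak) {
            Write-Output ("{0} : WEAK - {1} has {2}" -f $svc, $ace.IdentityReference, $ace.RegistryRights)
        }
    } else {
        Write-Output "$svc : OK - no CreateSubKey for low-privileged groups"
    }

    # The article describes the attacker *creating* a Performance subkey, so one
    # already present under these services on 7 / 2008 R2 deserves a closer look.
    if (Test-Path "$path\Performance") {
        Write-Output "$svc : REVIEW - Performance subkey present:"
        Get-ItemProperty -Path "$path\Performance" | Format-List
    }
}
```

Run it in an elevated PowerShell session on the Windows 7 / 2008 R2 hosts in question; a WEAK line on DnsCache is expected until Microsoft ships the corresponding fix, so the output is a prompt to isolate or compensate, not a finding that can be closed locally.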

However, "at this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries," as Labro said.

Apple Patches Up Three Actively Exploited And Identified Zero-Day Vulnerabilities In its iPhone, iPod and iPad Devices


This month Apple released iOS 14.2 and iPadOS 14.2, which patched a total of 24 vulnerabilities across different parts of the operating systems, including the Audio, Crash Reporter, Kernel, and Foundation components. 

The company fixed three identified zero-day vulnerabilities in its iPhone, iPod, and iPad devices, possibly associated with a set of related flaws recently found by the Google Project Zero team that also affected Google Chrome and Windows. 

Ben Hawkes of Google Project Zero identified the zero-day vulnerabilities in a tweet as "CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel advantage escalation)." 

Apple likewise credited Project Zero for reporting these defects in its security update and gave a little more detail on each.

CVE-2020-27930 is 'a memory corruption flaw' in the FontParser on iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and iPad mini 4 and later, as indicated by Apple. 

The vulnerability allows an attacker who can get a device to process a “maliciously crafted font” to achieve arbitrary code execution.

Apple described CVE-2020-27950 as a memory initialization issue in the iOS kernel that affects iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. 

The defect would permit a malicious application to disclose kernel memory, according to the company. The Apple update coincides with a series of updates Google has shipped over the last two weeks to fix several zero-days in Google Chrome for both the desktop and Android versions of the browser. 

Shane Huntley of Google's Threat Analysis Group says the recently fixed Apple zero-day flaws are related to three Google Chrome zero-days and one Windows zero-day also disclosed over the last two weeks, possibly as part of the same exploit chain.

“Targeted exploitation in the wild similar to the other recently reported 0days,” he tweeted, adding that the attacks are “not related to any election targeting.” 

It is worth noting, however, that both Apple and Google have a contentious history when it comes to vulnerability disclosure. 

The two tech giants famously butted heads a year ago over two zero-day bugs in iOS after Google Project Zero researchers asserted that the bugs had been exploited for a long time.