Adobe addressed multiple code execution vulnerabilities in its products, including Adobe Acrobat and Reader software
The software giant released its Patch Tuesday updates to fix 35 security vulnerabilities 12 of these issues impact Adobe Acrobat and Reader software.
The arbitrary code execution issues fixed by the company includes Use After Free, Improper Input Validation, and Improper Access Control.
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-30284 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-30310 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34094 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34095 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34096 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34097 |
| Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34098 |
| Improper Access Control (CWE-284) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34099 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34100 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-30311 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-30312 |
| Out-of-bounds Read (CWE-125) | Memory leak | Moderate | 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2024-34101 |
The vulnerabilities were reported by the following experts and research team:
The vulnerabilities impact versions: 24.002.20736 and earlier, and 20.005.30574 and earlier for Windows and macOS operating systems.
Adobe also fixed issues in Adobe Illustrator (APSB24-30), Adobe Aero (APSB24-33), Adobe Dreamweaver (APSB24-39), Adobe Substance 3D Painter (APSB24-31), Adobe Substance 3D Designer (APSB24-35), Adobe Animate (APSB24-36), Adobe FrameMaker (APSB24-37).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Acrobat)
At the end of August 2023, the systems at three hospitals and other medical facilities operated by Singing River Health System (SRHS) were hit by a Rhysida ransomware attack.
The Singing River Health System runs 3 hospitals and 10 clinics and is the second largest employer on the Mississippi Gulf Coast.
“The Singing River Health System’s three hospitals – Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital, as well as its dozen-plus medical clinics – are affected by the incident, which began over the weekend. The health system employs about 3,800 people.” reported BankInfoSecurity.
Several services at the impacted hospitals, including laboratory and radiology testing, suffered a significant IT systems outage. At the time, Singing River said it was working to process all paper-ordered lab tests and radiology exams as quickly as possible, based on priority.
On September 13, 2023, the healthcare organization disclosed a data breach and in December 2023, it announced that the incident impacted 252,890 individuals.
In a new update shared by the company with the Maine Attorney General, the organization declared that the total number of persons affected is 895,204.
Potentially compromised information includes name, date of birth, address, Social Security number, medical information, and health insurance information.
SRHS is offering impacted individuals access to credit monitoring services provided by IDX identity theft protection for twelve months at no cost. The company is also providing guidance on preventing identity theft and fraud, including steps to report suspicious incidents and placing fraud alerts or security freezes on credit files. Additionally, they are sharing information on safeguarding against tax fraud, contacting consumer reporting agencies, and obtaining free credit reports. Singing River Health System recommends the impacted individuals to be vigilant by reviewing account statements and monitoring credit reports. Individuals are encouraged to report any incidents of identity theft or fraud to relevant authorities, including the Federal Trade Commission, state Attorney General, and law enforcement.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Rhysida)
Microsoft Patch Tuesday security updates for May 2024 addressed 59 vulnerabilities in Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband.
Only one of the vulnerabilities addressed by the IT giant this month is rated Critical, 57 are rated Important, and one is rated Moderate in severity.
Two of the vulnerabilities fixed by Microsoft this month are actively exploited, and one was a publicly disclosed zero-day.
The two actively exploited zero-day vulnerabilities are:
CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability
This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls.
An attacker can trigger this issue by tricking a user into loading a malicious file onto a vulnerable system, often through deceptive means like email or instant messenger messages. The attacker then convinces the user to manipulate the file, without necessarily requiring them to click or open it directly.
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user.” reads the advisory.
CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability
An attacker can exploit this vulnerability to gain SYSTEM privileges.
Microsoft doesn’t share details about the attacks exploiting the above vulnerabilities.
The full list of flaws addressed by Microsoft with the release of Patch Tuesday security updates for May 2024 is available here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.
First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.
“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”
Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.
Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.
CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.
“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.
The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in Sharepoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation of this bug requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw, which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.
Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.
Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.
Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.
Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to backup your data and or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.
Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.
VMware addressed four vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-day flaws demonstrated at the Pwn2Own Vancouver 2024.
Below are descriptions of the flaws addressed by the virtualization giant
The vendor also provided temporary workarounds, such as disabling Bluetooth support and 3D acceleration, until patches can be applied to address vulnerabilities like CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270. The company doesn’t provide any mitigations to address CVE-2024-22270.
STAR Labs SG and Theori demonstrated these vulnerabilities during the Pwn2Own hacking contest in March 2024.
“VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own 2024 Security Contest for independently reporting this issue to us.” reads the advisory.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
MITRE announced the public release of its EMB3D threat model for embedded devices used in various industries (i.e. Automotive, healthcare, and manufacturing), including critical infrastructure.
The threat model provides a knowledge base of cyber threats to embedded devices. EMB3D serves as a valuable resource for various industries, including critical infrastructure, IoT, automotive, healthcare, and manufacturing, providing insights to vendors, asset owners/operators, test organizations, and security researchers to enhance the security of embedded devices.
Multiple partners have contributed to the design of the threat model, including
The framework can allow vendors, asset owners and operators to improve the security of embedded devices.
“The threat model is intended to be a resource to help vendors, asset owners/operators, test organizations, and security researchers to improve the overall security of embedded devices’ hardware and software. This threat model aims to serve as a central repository of information, defining known threats to embedded devices and their unique device features/properties that enable specific threat actions.” reads the announcement. “By mapping the threats to the associated device features/properties, the user can easily enumerate threat exposure based on the known device features.”
It operates as a public community resource, allowing open access to all information and enabling contributions and revisions from the security community. This collaborative approach ensures that EMB3D
remains up-to-date and comprehensive, serving as a valuable resource for enhancing the security of embedded devices.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Mitre)
Google has released emergency security updates to address a high-severity zero-day vulnerability vulnerability, tracked as CVE-2024-4761, in the Chrome browser.
The vulnerability is an out-of-bounds write issue that resides in the V8 JavaScript engine of the Google web browser.
The company confirmed that the flaw is exploited in attacks in the wild.
“CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09″ reads the advisory. “
The company addressed the zero-day flaw with the release of 124.0.6367.207/.208 for Mac/Windows and 124.0.6367.207 for Linux. Google will roll out updates to all users over the coming days/weeks.
The vulnerability CVE-2024-4671 is the sixth zero-day exploited in attacks fixed by the IT giant this year.
As usual, Google did not publish details about the attacks exploiting the vulnerability.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed” continues the advisory.
Below is the list of actively exploited zero-day flaws in the Chrome browser that have been fixed this year:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Chrome)
New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors used the the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.
The botnet has been active since at least 2016, it was involved in sextortion spam campaigns, crypto-jacking, cryptocurrency clipping (substituting the original wallet address saved in the clipboard with the attacker’s wallet address during a transaction) and ransomware attacks in the past
In August 2021 the criminal organization behind the Phorpiex botnet have shut down their operations and put the source code of the bot for sale on a cybercrime forum in on a dark web.
In December 2021, experts at Check Point Research observed the resurgence of the Phorpiex botnet.
The new variant, dubbed “Twizt,” could operate without active C2 servers in peer-to-peer mode. Each of the infected computers can act as a server and send commands to other bots in a chain. Experts estimated that in one year it allowed to steal crypto assets worth of 500,000 dollars.
The emails sent in the April campaign contain ZIP attachments and were sent by the same addresses, “JennyBrown3422[@]gmail[.]com,” and “Jenny[@]gsd[.]com.”
The ZIP archives contain a compressed executable payload that, if executed, will start the encryption process with LockBit Black ransomware.
“Observed instances associated with this campaign were accompanied by the Phorpiex (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries.” states the report published by the NJCCIC. “Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included “your document” and “photo of you???”. All associated emails were blocked or quarantined.”
To defend against ransomware campaign like this one, NJCCIC provided the following recommendations:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Phorpiex botnet)
Apple released urgent security updates to address multiple vulnerabilities in iPhones, iPads, macOS. The company also warns of a vulnerability patched in March that the company believes may have been exploited as a zero-day.
The issue impacts older iPhone devices, it is tracked as CVE-2024-23296 and is a memory corruption flaw in the RTKit.
Apple documents at least 16 vulnerabilities on iPhones and iPads and called special attention to CVE-2024-23296, a memory corruption bug in RTKit that the company says “may have been exploited” prior to the availability of patches
— Ryan Naraine (@ryanaraine) May 13, 2024
Story https://t.co/pwTjHWdt0I
The Real-Time Kernel is a component of the operating system responsible for managing and executing tasks with strict timing requirements.
“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections.” reads the advisory published by Cupertino firm. “Apple is aware of a report that this issue may have been exploited.”
The IT giant fixed the memory corruption bug with improved validation, it released iOS 16.7.8 and iPadOS 16.7.8.
The company also addressed a logic issue, tracked as CVE-2024-27789, in the Foundation framework. The flaw can be exploited by an app to access user-sensitive data.
The flaw was reported by Mickey Jin (@patch1t), the company addressed the vulnerability with improved checks.
Security patches are available for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Apple released security patches to fix other issues in multiple products. The vulnerabilities fixed by the vendor can lead to arbitrary code execution, privilege escalation, denial-of-service attacks, and unauthorized access to data.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-06 to 2024-05-13.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
The Police of Finland is investigating a data breach suffered by the City of Helsinki, the security breach occurred during the night of 30 April 2024.
The data breach impacted the City’s Education Division’s computer network. The City of Helsinki reported the incident to the police and the investigation is still ongoing to determine the extent and impact of the incident.
“The volume of data under investigation is significant. Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the Education Division can prepare for them. This procedure is in line with data protection law,” says Satu Järvenkallas, Executive Director of the Education Division.
“The victim of the crime is currently the City of Helsinki, from which the police will receive all necessary information for the investigation of the case. City residents do not need to contact the police”, said the Deputy Police Commissioner Heikki Kopperoinen.
The City already implemented various security measures in response to the security breach.
“We previously announced that the party behind the data breach has gained access to student and personnel usernames and email addresses. Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division. Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen.
The incident exposed tens of millions of files, most of them contain ordinary personal information, but the City believes that the opportunity for abuse of this information is minor. However, some of the compromised documents include confidential information or sensitive personal information.
“These include information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.” reads the statement published by the City of Helsinki. “We cannot rule out the possibility of the perpetrator gaining access to data of persons under a non-disclosure restriction.”
The data in the incident include information dating back several years, potentially compromising individuals who were not current customers or staff members of the Education Division.
According to the announcement, threat actors exploited a vulnerability in the Education Division network server to remotely access it. Although a patch to fix this vulnerability was available, it was not installed on the server for unknown reasons. Hannu Heikkinen stated that their security controls and procedures were inadequate, but measures have been implemented to prevent a similar breach in the future. No evidence suggests that the threat actors accessed networks or data from other divisions, but all City of Helsinki networks are being closely monitored.
“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply. Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians. The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses,” says City Manager Jukka-Pekka Ujula. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city´s senior management,” Ujula continues.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
A group claiming to be “first-class Russian hackers” defaced numerous local and regional British newspaper websites owned by Newsquest Media Group. The group defaced the home pages of the targeted websites and posted the message “PERVOKLASSNIY RUSSIAN HACKERS ATTACK.”
The following image shows an archived version of the East Lothian Courier, which is one of the impacted newspapers, that was published by Reported Future News.
Newsquest Media Group Limited is the second-largest publisher of regional and local newspapers in the United Kingdom. It is owned by the American mass media holding company Gannett. It has 205 brands across the UK, publishing online and in print (165 newspaper brands and 40 magazine brands) and reaches 28 million visitors a month online and 6.5 million readers a week in print. Based in London, Newsquest employs a total of more than 5,500 people across the UK.
Local media websites in the UK are vulnerable to cyber attacks, threat actors can target them to spread fake news.
In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.
“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye.
According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.
Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
The attackers used to replace existing legitimate articles on the sites with the fake content, instead of creating new posts.
The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.
According to the experts, the campaign primarily targeted audiences in specific states members of the alliance, including Lithuania, Latvia, and Poland.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Russian hackers)
Login