Threat Report 11/7/24
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.
Affected Systems:
Visual Studio
Windows Server Service
Windows Distributed File System (DFS)
Windows Kernel
Windows Themes
Winlogon
Windows Remote Access Connection Manager
Windows DHCP Server
Windows Event Logging Service
Windows Link Layer Topology Discovery Protocol
Windows Container Manager Service
Microsoft WDAC OLE DB provider for SQL
Windows Wi-Fi Driver
Windows Win32K - GRFX
Windows Standards-Based Storage Management Service
Windows Kernel-Mode Drivers
Windows Cloud Files Mini Filter Driver
Windows Win32 Kernel Subsystem
Windows NT OS Kernel
Microsoft Streaming Service
Windows Storage
Windows Routing and Remote Access Service (RRAS)
Windows Cryptographic Services
Microsoft Windows Speech
Microsoft Office SharePoint
Microsoft Office
Microsoft Office Word
Microsoft Office Outlook
Dynamics Business Central
Azure Storage Library
Azure File Sync
Azure Monitor
Azure SDK
Microsoft Dynamics
Windows Perception Service
Azure Data Science Virtual Machines
Risk
Remediation Recommendations
References
Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for remote code execution. VMware vCenter Server is the centralized management utility for VMware. VMware Cloud Foundation is a multi-cloud platform that provides a full-stack hyper-converged infrastructure (HCI) designed for modernizing data centers and deploying modern container-based applications. Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Affected Systems:
VMware vCenter Server versions prior to 8.0 U2d
VMware vCenter Server versions prior to 8.0 U1e
VMware vCenter Server versions prior to 7.0 U3r
VMware Cloud Foundation (VMware vCenter Server) versions prior to KB88287
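As an added example (not part of this report and not VMware's own tooling), the following Python script checks an inventory of vCenter versions against the fixed builds listed above. It assumes VMware's update naming convention: a "U" number followed by an optional letter, with a missing letter sorting before "a", and each major.minor Update line treated as its own maintenance branch, so 8.0 U1e counts as fixed even though it is older than 8.0 U2d. The hostnames and versions in the inventory are constructed.

```python
import re
from typing import Dict, List, NamedTuple

# Fixed builds from the advisory above: the first build on each maintenance
# line that is no longer affected.
FIXED_BUILDS = ["8.0 U2d", "8.0 U1e", "7.0 U3r"]


class VcVersion(NamedTuple):
    """Ordered form of a vCenter version such as '8.0 U2d'."""
    major: int
    minor: int
    update: int   # the 'U' number; 0 for the GA release
    patch: int    # trailing letter, a=1 ... z=26; 0 when absent (assumed to sort first)


# Assumption: versions look like '8.0', '8.0 U2' or '8.0 U2d' (case-insensitive).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_version(text: str) -> VcVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    patch = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return VcVersion(int(major), int(minor), int(update or 0), patch)


def assess(version_text: str, fixed_builds: List[str] = FIXED_BUILDS) -> str:
    """Return 'fixed', 'affected' or 'no-fix-listed' for one installed version.

    The check is branch-aware: a build is compared only against the fixed
    build on its own major.minor Update line. A newer Update line than any
    listed fix (e.g. 8.0 U3) is treated as fixed; an older line with no
    listed fix (e.g. 7.0 U2) is treated as affected.
    """
    v = parse_version(version_text)
    same_release = [f for f in map(parse_version, fixed_builds)
                    if (f.major, f.minor) == (v.major, v.minor)]
    if not same_release:
        # e.g. 6.7: the advisory lists no fix, so flag it for manual review.
        return "no-fix-listed"
    if v.update > max(f.update for f in same_release):
        return "fixed"
    for f in same_release:
        if f.update == v.update:
            return "fixed" if v >= f else "affected"
    return "affected"


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose vCenter build is not on a fixed build."""
    return sorted(h for h, ver in inventory.items() if assess(ver) != "fixed")


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "vc-prod-01": "8.0 U2c",
        "vc-prod-02": "8.0 U2d",
        "vc-dr-01": "8.0 U1e",
        "vc-lab-01": "7.0 U3q",
        "vc-legacy-01": "6.7 U3",
    }
    for host, ver in sorted(inventory.items()):
        print(f"{host:14} {ver:10} {assess(ver)}")
    print("needs action:", hosts_needing_action(inventory))
```

The VMware Cloud Foundation entry above is expressed as a knowledge-base article (KB88287) rather than a version string, so it cannot be fed to this check and has to be confirmed by hand against that KB.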
Risk
Remediation Recommendations
References
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Affected Systems:
Adobe Photoshop 2023 24.7.3 and earlier versions for Windows and macOS
Adobe Photoshop 2024 24.7 and earlier versions for Windows and macOS
Adobe Experience Manager (AEM) 6.5.20 and earlier versions
Adobe Audition 24.2 and earlier versions for Windows and macOS
Adobe Audition 23.6.4 and earlier versions for Windows and macOS
Adobe Media Encoder 24.3 and earlier versions for Windows and macOS
Adobe Media Encoder 23.6.5 and earlier versions for Windows and macOS
Adobe FrameMaker Publishing Server 2022.2 and earlier versions for Windows
Adobe FrameMaker Publishing Server 2020 Update 3 and earlier versions for Windows
Adobe Commerce 2.4.7 and earlier
Adobe Commerce 2.4.6-p5 and earlier
Adobe Commerce 2.4.5-p7 and earlier
Adobe Commerce 2.4.4-p8 and earlier
Adobe Commerce 2.4.3-ext-7 and earlier*
Adobe Commerce 2.4.2-ext-7 and earlier*
Adobe Commerce 2.4.1-ext-7 and earlier*
Adobe Commerce 2.4.0-ext-7 and earlier*
Adobe Commerce 2.3.7-p4-ext-7 and earlier*
Adobe Commerce Webhooks Plugin 1.2.0 to 1.4.0
Magento Open Source 2.4.7 and earlier
Magento Open Source 2.4.6-p5 and earlier
Magento Open Source 2.4.5-p7 and earlier
Magento Open Source 2.4.4-p8 and earlier
ColdFusion 2023 Update 8
ColdFusion 2021 Update 14
Adobe Substance 3D Stager 3.0.2 for Windows and macOS
Creative Cloud Desktop Application 6.2.0.554 for Windows
Acrobat Android 24.4.2.33155 and earlier versions for all Android versions
Risk
Remediation Recommendations
References
https://helpx.adobe.com/security/products/photoshop/apsb24-27.html
https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html
https://helpx.adobe.com/security/products/audition/apsb24-32.html
https://helpx.adobe.com/security/products/media-encoder/apsb24-34.html
https://helpx.adobe.com/security/products/framemaker-publishing-server/apsb24-38.html
https://helpx.adobe.com/security/products/magento/apsb24-40.html
https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html
https://helpx.adobe.com/security/products/substance3d_stager/apsb24-43.html
https://helpx.adobe.com/security/products/creative-cloud/apsb24-44.html
https://helpx.adobe.com/security/products/acrobat-android/apsb24-50.html
ProPublica has published a report outlining claims by former Microsoft employee Andrew Harris that Microsoft prioritized profit over security, leaving the US government open to the 2020 SolarWinds attack. Harris says he uncovered a severe flaw in Microsoft's Active Directory Federation Services (AD FS) that allowed attackers to forge Security Assertion Markup Language (SAML) tokens. The Russian state-sponsored threat actor behind the SolarWinds hack exploited the flaw discovered by Harris to breach several US federal agencies, including the National Nuclear Security Administration and the National Institutes of Health.
Harris says he urged Microsoft for years to apply a temporary fix by disabling single sign-on (SSO), but the company declined in order to pursue a long-term alternative. ProPublica states that at the time, "The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing."
Volexity says the Pakistan-aligned threat actor UTA0137 is targeting Indian government entities with a new strain of Linux malware dubbed "DISGOMOJI." Notably, the malware uses an emoji-based protocol to receive commands from Discord. For example, a "Man Running" emoji is sent to run a command, while a camera emoji is used to take a screenshot.
The researchers note, "The use of Linux malware for initial access paired with decoy documents (suggesting a phishing context) is uncommon, as the attacker would only do this if they know the target is a Linux desktop user. Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop."