Microsoft squashes SmartScreen security bypass bug exploited in the wild

Patch Tuesday Microsoft fixed 149 security flaws in its own products this week, and while Redmond acknowledged one of those vulnerabilities is being actively exploited, we’ve been told another hole is under attack, too.

The bug the IT giant said was being abused in the wild is CVE-2024-26234, described as a proxy driver spoofing vulnerability in Windows. This was reported to Redmond by Christopher Budd of Sophos and is rated 6.7 out of 10 on the CVSS severity scale. Microsoft initially listed it as non-exploited then during the day upgraded that to exploited.

Sophos has published a write-up here about the issue, which expands upon research emitted by infosec outfit Stairwell in January.

In brief, it appears an innocent-looking executable digitally signed by a vendor’s valid Microsoft Hardware Publisher Certificate actually contained a backdoor that uses an embedded proxy server to monitor and intercept network traffic on an infected Windows machine.

It appears someone was able to take that program, sign it using the publisher cert so that the operating system trusted it, then bundle it with marketing/spam software designed to remote-control phones to make them act like online bots, collectively liking posts, following people on social media, and posting comments. Running the program would introduce the backdoor on the victim’s PC. Now, according to Sophos, Microsoft has revoked the software’s certification and assigned the issue CVE-2024-26234.

Wait, there’s more

According to Redmond, that was the only security hole exploited in the wild addressed in its Patch Tuesday for April. But we’re told that isn’t quite right.

Trend Micro’s Zero Day Initiative says a separate vulnerability, spotted and reported by bug hunter Peter Girrus, was under attack in the wild before Microsoft issued a patch this week. “We have evidence this is being exploited in the wild, and I’m listing it as such,” ZDI’s Dustin Childs declared.

Let’s start with the bug ZDI categorizes as being under exploit in the wild.

This one is a SmartScreen prompt security feature bypass vulnerability tracked as CVE-2024-29988, and it received an 8.8 out of 10 CVSS severity rating. While Microsoft says the flaw hasn’t been exploited or publicly disclosed, it does list it as “exploitation more likely.”

Pulling off this bypass requires tricking someone into running malicious files — for example by sending a phishing email or a text message that includes a link to an attacker-controlled website, or a malicious attachment. “In any case an attacker would have no way to force a user to view attacker-controlled content,” Redmond contends.

But, assuming an attacker can fool someone into clicking on a malicious link or opening a malware-laden file, the bug allows them to bypass the SmartScreen security feature in Windows that’s supposed to alert users to any untrusted websites or other threats.

“Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web (MotW),” Childs explained.

This one deserves priority patching.

70 RCEs overall, only three deemed critical

While Microsoft’s monthly patch party fixes 70 CVEs that allow remote code execution (RCE), it only classified three of these as critical-severity bugs and all three are in Microsoft Defender for IoT.

First up: CVE-2024-21322, which received a 7.2 CVSS rating. “Successful exploitation of this vulnerability requires the attacker to be an administrator of the web application,” Redmond warns. “As is best practice, regular validation and audits of administrative groups should be conducted.”

There’s also CVE-2024-21323, an 8.8-rated flaw that we’re told could be exploited by sending a .tar file to a Defender for IoT sensor. “After the extraction process completed, the attacker could then send unsigned update packages and overwrite any file they chose,” Microsoft said.

And the third RCE, again in Defender for IoT and also receiving an 8.8 CVSS rating, is CVE-2024-29053. This one can be triggered by any authenticated attacker — it doesn’t require any elevated privileges — with access to the file upload feature.

Adobe fills 24 holes

Adobe this month issued nine patches that fix 24 CVEs across its products, and none are listed as under attack or publicly known.

One of the fixes is deemed “important” in the following products: After Effects, Photoshop, InDesign, Bridge and Illustrator.

All are at risk of memory leakage.

Two critical vulnerabilities, one in Adobe Commerce and another present in Media Encoder could allow remote code execution.

There’s a whopping 12 CVEs in Experience Manager, and the patches resolve “important” flaws that could result in arbitrary code execution and security feature bypass.

And finally four critical and important CVEs in Animate could lead to code execution, application denial-of-service, and memory leaking.

SAP sails into Patch Tuesday

SAP released a dozen new and updated security notes. Three of the notes are high priority for users.

Of the trio, #3434839 patches a so-called security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine (UME) that received an 8.8 CVSS score.

“The ‘Self-Registration’ and ‘Modify your own profile’ features of the UME do not consider existing password requirements and therefore, allow using simple passwords that can be easily cracked,” explained Thomas Fritsch, SAP security researcher at Onapsis. These features are optional and disabled by default.

“The title of the assigned vulnerability seems to be a little bit misleading since the vulnerability is not caused by a configuration issue but by a missing check in the program logic,” he continued.

“Onapsis recommends implementing the note independently of whether one or both features are enabled or not. This ensures security once you decide to enable one of the features.”

Another high priority note, #3421384, fixes an information disclosure vulnerability in SAP BusinessObjects Web Intelligence, while the third high priority one, #3438234, addresses a directory traversal vulnerability in two programs of SAP Asset Accounting.

Fortinet fortifies its follies

Fortinet released updates to fix security holes in FortiOS and FortiProxy.

This includes an insufficiently protected credentials bug tracked as CVE-2023-41677 in FortiOS and FortiProxy. It received a 7.5 CVSS rating and “may allow an attacker to obtain the administrator cookie in rare and specific conditions, via tricking the administrator into visiting a malicious attacker-controlled website through the SSL-VPN,” the vendor warned.

CVE-2023-48784, in the FortiOS command line interface could allow a local attacker with admittedly super-admin privileges and CLI access to execute arbitrary code.

Plus, there’s a patch for CVE-2024-23662 in FortiOS that, if the bug is exploited, can lead to information disclosure.

VMware, Cisco join in the fun

VMware, earlier this month, disclosed three CVEs in its SD-WAN Edge and SD-WAN Orchestrator products. The most serious of the bunch is an unauthenticated command injection vulnerability in SD-WAN Edge tracked as CVE-2024-22246. It can be abused for remote code execution, and received a CVSS rating of 7.4.

Also during the first week of April Cisco issued a bunch of new and updated advisories addressing 12 medium-severity flaws and two high-severity ones.

One of the two, CVE-2024-20348, is a new flaw in the Out-of-Band (OOB) Plug and Play (PnP) feature of Cisco Nexus Dashboard Fabric Controller (NDFC). If exploited, it could allow an unauthenticated, remote attacker to read arbitrary files.

Google gone wild

Rounding out April’s Patchapalooza, albeit over a week early, Google has addressed almost 30 bugs affecting Android devices in this month’s Android Security Bulletin.

“The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed,” Google warned. ®

READ MORE HERE