
Security Skim: September 12th

“Nothing is more permanent than a temporary solution”

Old Russian Proverb

A lot has happened since I last posted a Security Skim. Some of it had to do with life getting in the way, but a lot of it had to do with the fact that I am making some changes to the Security Skim. On top of having a blog post, these articles will also be posted on Substack and YouTube. Wait, did you say YouTube? Yup, in the not-too-distant future, I will be posting these articles in video format as well! More information to come, but for now, let’s get to it.

Apple Zero-Day in the Wild (Please Update Your Devices)


If you haven’t already, please update any devices you have from Apple that you actively use. Even devices that are no longer supported got an update!

Apple released security updates to address two zero-day vulnerabilities that were exploited against a member of a civil society organization in Washington, D.C., as reported by Citizen Lab, a research group at the University of Toronto that investigates government spyware. The attack was zero-click: no user interaction was required. The exploit chain delivered NSO Group’s Pegasus spyware and could compromise an iPhone running the latest iOS release (16.6 at the time) without the victim opening anything. Citizen Lab reported the vulnerability to Apple, which promptly released a patch.

Apple appears to have found the second vulnerability while investigating the first, and credited that one to its own team. Citizen Lab named the chain BLASTPASS because it involved PassKit, the framework for Apple Pay and Wallet passes: the exploit used PassKit attachments containing malicious images sent to the victim over iMessage, which is why the two fixed components below are ImageIO and Wallet.

John Scott-Railton of Citizen Lab emphasized that civil society plays a crucial role in identifying cybersecurity threats for billions of devices worldwide, and recommended that all iPhone users update their devices. Both Citizen Lab and Apple’s Security Engineering and Architecture team said that Lockdown Mode, an opt-in feature that hardens certain protections and disables functionality such as most message attachment types to shrink the attack surface for targeted attacks, blocks this particular chain. The exploits were as follows:

ImageIO

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-41064: The Citizen Lab at The University of Toronto’s Munk School

Wallet

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A validation issue was addressed with improved logic.

CVE-2023-41061: Apple

Chrome Zero Day (Related to the Apple Zero Day?)

Two Zero Days in less than a week!

Google has released an emergency security update for Chrome 116 to address a critical zero-day vulnerability, tracked as CVE-2023-4863: a heap buffer overflow in the browser’s WebP image decoding. WebP is Google’s image format and is supported by every modern browser (Chrome, Firefox, Safari, Edge, and Opera), and the WebP decoding library is embedded in many other applications as well, so the exposure is not limited to Chrome.

Notably, Google stated that there is evidence of an active exploit for CVE-2023-4863 in the wild. The bug was reported to Google on September 6 by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School. Google does not plan to provide a bug bounty for this flaw.

A heap buffer overflow occurs when a program writes more data into a heap-allocated buffer than was allocated for it, corrupting whatever sits next to the buffer in memory. The outcome ranges from a crash to attacker-controlled code execution, depending on what neighbours the buffer and how much control the attacker has over the written bytes. In an image decoder the attacker controls the entire input file, so the crafted image itself dictates the sizes the decoder trusts and the bytes it copies. Google has not disclosed specific details about the bug or how it is being exploited.
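To make the bug class concrete, here is an added example of my own (not code from Google, libwebp, or Chrome) using a hypothetical one-byte-per-field image header that I constructed for this post. The vulnerable decoder sizes its heap allocation from the width and height fields but copies as many bytes as the separate payload-length field claims, which is exactly the shape of mistake a decoder-side heap overflow takes; the hardened version checks every length that drives a write against the destination it writes into.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy image container, constructed for this example (hypothetical, not WebP):
 *   buf[0] = width, buf[1] = height, buf[2] = payload_len, buf[3..] = payload
 * The decoder allocates width*height pixel bytes and copies the payload in.
 */

enum { DEC_OK = 0, DEC_ERR_SHORT = 1, DEC_ERR_BOUNDS = 2 };

typedef struct {
    uint8_t *pixels;
    size_t   npix;
} image_t;

/* VULNERABLE: the copy length comes from payload_len, but the allocation
 * size comes from width*height. A header that lies (payload_len larger than
 * width*height) makes memcpy write past the end of the heap chunk. The only
 * check is that the *input* is long enough, the classic mistake of validating
 * the source but not the destination. */
int decode_unsafe(const uint8_t *buf, size_t len, image_t *out)
{
    if (len < 3) return DEC_ERR_SHORT;
    size_t w = buf[0], h = buf[1], plen = buf[2];
    if (len - 3 < plen) return DEC_ERR_SHORT;
    out->npix = w * h;
    out->pixels = malloc(out->npix);     /* sized from w*h ...           */
    if (!out->pixels) return DEC_ERR_SHORT;
    memcpy(out->pixels, buf + 3, plen);  /* ... but written from plen    */
    return DEC_OK;
}

/* HARDENED: every length that drives a write is checked against the size of
 * the buffer it writes into, and degenerate 0-pixel images are rejected
 * before any allocation happens. */
int decode_safe(const uint8_t *buf, size_t len, image_t *out)
{
    if (len < 3) return DEC_ERR_SHORT;
    size_t w = buf[0], h = buf[1], plen = buf[2];
    if (w == 0 || h == 0) return DEC_ERR_BOUNDS;
    if (len - 3 < plen) return DEC_ERR_SHORT;
    if (plen != w * h) return DEC_ERR_BOUNDS;  /* header must be self-consistent */
    out->npix = w * h;
    out->pixels = malloc(out->npix);
    if (!out->pixels) return DEC_ERR_SHORT;
    memcpy(out->pixels, buf + 3, plen);
    return DEC_OK;
}

/* Runs a decoder on one input, frees any pixel buffer, returns the status. */
int check_decoder(int (*dec)(const uint8_t *, size_t, image_t *),
                  const uint8_t *buf, size_t len)
{
    image_t img = { NULL, 0 };
    int rc = dec(buf, len, &img);
    free(img.pixels);
    return rc;
}

/* Constructed samples. benign: a 2x2 image with exactly 4 payload bytes.
 * malicious: header claims 1x1 (a 1-byte allocation) but carries 200 bytes. */
static const uint8_t benign[] = { 2, 2, 4, 0xAA, 0xBB, 0xCC, 0xDD };
static uint8_t malicious[3 + 200];

size_t build_malicious(void)
{
    malicious[0] = 1; malicious[1] = 1; malicious[2] = 200;
    memset(malicious + 3, 0x41, 200);
    return sizeof malicious;
}

int main(void)
{
    size_t mlen = build_malicious();
    printf("safe(benign)    = %d\n", check_decoder(decode_safe, benign, sizeof benign));
    printf("safe(malicious) = %d\n", check_decoder(decode_safe, malicious, mlen));
    printf("unsafe(benign)  = %d\n", check_decoder(decode_unsafe, benign, sizeof benign));
    /* check_decoder(decode_unsafe, malicious, mlen) would write 199 bytes past
     * a 1-byte heap chunk; build with -fsanitize=address to see the report. */
    return 0;
}
```

The unsafe decoder is deliberately never run on the malicious sample in main, because that call is the overflow; compile with AddressSanitizer and uncomment it if you want to watch the heap-buffer-overflow report fire. The fix is not the single extra comparison so much as the habit behind it: before any copy, ask which field sized the destination and make sure the copy length is bounded by that, not by a second field the attacker also controls.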

The involvement of SEAR and Citizen Lab, the same two parties credited on Apple’s ImageIO fix days earlier, suggests this is the same attacker and very likely the same underlying image-parsing bug reached through a different product: both are memory-safety flaws in image decoding, and the same reporters rarely land on two vendors’ advisories in one week by coincidence. The likely vendor is NSO Group, the commercial spyware company whose Pegasus tooling is sold to government agencies for surveillance. Pegasus exploit chains have targeted both iOS and Android, and on Android a browser bug is a natural initial access vector, so a Chrome component is not surprising.

This is the fourth zero-day vulnerability that Google has patched in Chrome in 2023, following previous patches for vulnerabilities like CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136.

Users are encouraged to update their Chrome browser to the latest version (version 116.0.5845.187 for macOS and Linux, versions 116.0.5845.187/.188 for Windows) to mitigate the risk associated with this zero-day vulnerability.

In the future, I may write about the NSO Group. Every year, this company comes up in the news. They seem good at finding security flaws in Apple software to exploit for their spyware. Supposedly, they only sell their software to governments. Still, we all know that some governments care less about privacy than others.

MGM Shutdown by Cyber Attack (Ongoing)


I don’t have much technical information on this attack. As of this writing, their website is still down, and their casino floors are still affected. The MGM Resorts attack is unusual because it disrupted daily business operations for an extended period, which is not typical of most cyberattacks that focus on data breaches and are often discovered after the fact. If I had to guess, they were either hit with a ransomware attack or the MGM cyber security team took down the affected systems themselves.

The company detected the issue on Sunday evening and initiated an investigation with assistance from cybersecurity experts. Law enforcement, including the FBI, was notified. As of now, the FBI has not provided additional information on the incident.

MGM Resorts is one of the world’s largest casino-hotel companies, generating significant revenue from its properties. In Las Vegas alone, it handles approximately 12 million room nights per year. The cyberattack disrupted crucial reservation systems for hotel rooms and restaurant reservations for over 24 hours. MGM Resorts has not yet provided further details about the incident.

The hospitality sector is a prime target for cybercriminals due to the wealth of personal data it holds, including names, addresses, passports, and credit card information. Previous data breaches have affected major hotel brands, making the industry a lucrative target for cyberattacks.

Microsoft Patch Tuesday (More Zero Days!)

Microsoft faced new zero-day vulnerabilities in its September 2023 Patch Tuesday, and the security response team has identified two of them as actively exploited in the wild:

  1. CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability:
    • A privilege escalation flaw in the Microsoft Streaming Service Proxy, the mskssrv.sys kernel driver (not the Microsoft Stream video web service, despite the similar name).
    • CVSS score 7.8/10.
    • This is a local bug: an attacker already running code on the machine as a normal user can use it to gain SYSTEM privileges, which is why it appears as a post-exploitation step in a chain rather than as an initial access vector.
  2. CVE-2023-36761 – Microsoft Word Information Disclosure Vulnerability:
    • An information-disclosure issue in Microsoft Word.
    • Exploiting it can leak the victim’s NTLM hash to an attacker-controlled server; such hashes can be cracked offline or relayed to authenticate as the user. Microsoft notes that the Preview Pane is an attack vector, so the victim does not even need to fully open the document.

Microsoft has urged Windows system administrators to apply the available fixes promptly to mitigate these vulnerabilities.

The discovery of the privilege escalation flaw in Microsoft Streaming Service Proxy was credited to IBM X-Force security researcher Valentina Palmiotti and Microsoft’s internal threat-intelligence and malware-hunting teams.

However, Microsoft did not release additional details about the ongoing attacks or indicators of compromise (IOCs) related to these zero-day vulnerabilities, which is standard practice.

In total, Microsoft addressed approximately 65 documented flaws in its September Patch Tuesday, covering a range of software components, including Windows, Microsoft Office, Azure, Exchange Server, and Windows Defender. You can always rely on Microsoft to have an interesting patch Tuesday!

Adobe Again

This wouldn’t be the Security Skim without an Adobe Zero Day now, would it?

Adobe has released security updates to address a zero-day vulnerability in Acrobat and Reader that has been actively exploited in attacks. Here are the key details:

Zero-Day Vulnerability:

  • The zero-day vulnerability is tracked as CVE-2023-26369.
  • It affects both Windows and macOS.
  • It is an out-of-bounds write; successful exploitation gives the attacker code execution in the context of the user running Acrobat or Reader.
  • Attack complexity is low and no special privileges are required.
  • It is rated “local” with user interaction required, which in CVSS terms means the victim has to open a crafted file. In practice that is a malicious PDF delivered by email or download, so treat it as a remote-delivery threat rather than something only an attacker already on the machine can use.

Affected Products and Versions:

  • The vulnerability impacts various versions of Acrobat and Acrobat Reader, including Acrobat DC and Acrobat Reader DC (Continuous), as well as Acrobat 2020 and Acrobat Reader 2020 (Classic).

Adobe’s Response:

  • Adobe gave the update its highest priority rating (priority 1).
  • The company advises administrators to install it as soon as possible, ideally within 72 hours of the advisory’s release.

Additional Vulnerabilities Addressed:

  • Adobe also addressed security flaws in Adobe Connect and Adobe Experience Manager software.
  • These flaws could allow attackers to gain arbitrary code execution on systems running unpatched software.
  • The vulnerabilities fixed in Adobe Connect and Adobe Experience Manager could be used to launch reflected cross-site scripting (XSS) attacks, potentially accessing sensitive information stored by the target’s web browsers.

Adobe has been actively addressing security vulnerabilities in its software, including zero-day exploits. Administrators and users are urged to keep their Adobe software up to date to mitigate these risks. Honestly, as much as I love some of Adobe’s products, I am starting to think that, like Flash, we should kill Acrobat and Reader. Whenever I get a request at work that someone wants to install Acrobat or Reader, I flinch. I know that once those programs are installed on a machine, that machine is instantly one of the most vulnerable machines on the network. It’s definitely up there with Java SE being installed.

Conclusion

I hope you enjoyed the skim, and I will see you all next week. Good luck to all the engineers out there, and until next time, stay safe!
