
Alice Munro, 1931-2024

By: Kattullus
15 May 2024 at 06:29
Alice Munro, master of short stories, wove intense tales of human drama from small-town life is the Globe and Mail obituary [archive] for the Canadian literary giant who passed away Monday night. She received the Nobel in literature in 2013 among countless other prizes. She also cofounded Munro's Books in Victoria, British Columbia, which posted a remembrance on Instagram. The New Yorker, where many of her stories first appeared, has a section with links to her short fiction, as well as personal essays, appraisals, an interview and an obituary [archive]. The 1978 classic Moons of Jupiter was recently featured on their fiction podcast, and it is also available as text.

Patch Tuesday, May 2024 Edition

14 May 2024 at 16:19

Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in SharePoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation of this bug requires an attacker to first be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) and then to take additional steps, which makes this flaw less likely to be widely exploited, as most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to back up your data and/or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.

The Walls Are Closing In On John Deere's Tractor Repair Monopoly

By: msmash
14 May 2024 at 14:49
samleecole writes: For the last decade, farmers have been warning that John Deere, a company celebrated by farmers, country musicians, and politicians, has been doing something else very American: Concentrating power, stripping away the ownership rights of people who buy their products, and adding a bevy of artificial, software-based repair restrictions that have effectively created a regime in which farmers can no longer fix their own tractors, combines, harvesters, and other agricultural equipment. Farmers have resorted to pirating John Deere's software and firmware on underground forums and torrent sites, and have used software cracked by Ukrainian pirates in order to simply fix the things they own. Farmers often have to wait days or weeks for an "authorized" John Deere dealership to come to their farms to repair their equipment, meanwhile their crops die on the vine. For years, very little happened to slow down John Deere's march toward total control of the repair market. But interviews with farmers, activists, and lawyers, and a review of court records reveal a turn in the story: There is increased scrutiny on Deere's repair practices not just in this class action lawsuit, but from state legislators, the White House, and a series of federal agencies. The walls on Deere's repair monopoly may finally be closing in.

The weird and wonderful world of the PC-98

By: Rhaomi
14 May 2024 at 14:10
Pastel cities trapped in a timeless future-past. Empty apartments drenched in nostalgia. Classic convertibles speeding into a low-res sunset. Femme fatales and mutated monsters doing battle. Deep, dark dungeons and glittering star ships floating in space. All captured in an eerie palette of 4096 colours and somehow, you're sure, from some alternate 1980s world you can't quite remember... Drawn painstakingly one pixel at a time, with a palette of 4096 possible colours, pushing the limits of these '80s-era machines' memory, these early graphic artists and hackers alike have left an indelible mark on the world of digital art and internet culture, only to be forgotten in the passing of time. But what made this boring business computer from Japan so special?
The strange world of Japan's PC-98 computer [contains some NSFW pixel art]
More striking imagery:
- Incredible pictures from an era of games we never got to experience [CW: flashing lights]
- Tumblr: High quality [SFW] pixel art from PC-98 games
- Pixelation.org: The Art of PC98
- Amino: The world of PC-98 Pixel Art
- Galleries from @noirlac, @item, and @densetsu.ch

- A downloadable pack of over 7,000 PC-98 images and GIFs [check the current page for v4, coming soon-ish]
- Video: PC-98: Japan's Own Era of Early PC Gaming [CW: flashing lights]
- Video: Over 50 NEC PC-98 Games In Under 30 Minutes
- TVTropes has an extensive primer on the platform followed by a long list of game articles
- Music: A selection of unique PC-98 tracks by composer Takeaki Watanabe
- Hardware: Restoring & Learning All About The NEC PC-9821 [transcript included!]
- DIY: PC-98 Emulation For Beginners
- A collection of PC-98 image files for use with an emulator

M4 iPad Pro review: Well, now you’re just showing off

13 May 2024 at 17:00
Photo: The 2024, M4-equipped 13-inch iPad Pro. (credit: Samuel Axon)

The new iPad Pro is a technical marvel, with one of the best screens I’ve ever seen, performance that few other machines can touch, and a new, thinner design that no one expected.

It’s a prime example of Apple flexing its engineering and design muscles for all to see. Since it marks the company’s first foray into OLED beyond the iPhone or Watch, and the first time a new M-series chip has debuted on something other than a Mac, it comes across as a tech demo for where the company is headed beyond just tablets.

Still, it remains unclear why most people would spend one, two, or even three thousand dollars on a tablet that, despite its amazing hardware, does less than a comparably priced laptop—or at least does it a little more awkwardly, even if it's impressively quick and has a gorgeous screen.

Apple’s plastic-free packaging means pack-in logo stickers are going away

9 May 2024 at 14:10
Photo: Many different Apple stickers from many different products and eras. (credit: Andrew Cunningham)

As a noted sticker enthusiast, I’m always on the lookout for news at the intersection of stickers and technology. Which is why this report from 9to5Mac caught my eye: Apple is apparently starting to wind down its decades-long practice of including Apple logo stickers in the box with all of its products.

If you buy a new iPad Air or iPad Pro, you’ll be able to get some stickers if you ask the people at the Apple Store to include them (stores will get a “limited quantity” of stickers they can distribute on request). But the little sticker insert that has come with Macs, iPods, iPhones, iPads, and other devices and accessories for as long as I can remember will stop being one of the default pack-ins.

Apple is apparently cutting down on its sticker distribution to help meet its environmental goals. The stickers are some of the last bits of plastic included in most modern Apple packaging; in recent years, even the plastic backing layer for the stickers has been replaced with wax paper instead. This happened around the same time that the inner layer of packaging wrapped around new Apple devices also shifted from plastic to paper and when plastic-sealed boxes gave way to tear-away paper adhesive strips.

Google Brings Gemini AI to Cybersecurity

Google has brought together its Gemini AI model with its Mandiant cybersecurity unit and VirusTotal threat intelligence to enhance threat landscape accessibility and efficiency. The company also plans to use its Gemini 1.5 Pro large language model, released in February, to ease the understanding of threat reports for a broader audience.

At the RSA Conference in San Francisco, Google unveiled its latest AI-based solution to add more value to threat intelligence. Tackling the long-standing challenges of fragmented threat landscapes and cumbersome data collection processes, Google Threat Intelligence integrates Mandiant's frontline expertise, real-time contributions from VirusTotal's global community and Google's visibility into its extensive user and device footprint to deliver a comprehensive defense against evolving cyber threats. Bernardo Quintero, founder of VirusTotal, called this initiative a “sharing knowledge, protecting together” mission, which it has embraced with Google and Mandiant.
“I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats,” Quintero said.
“VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always,” he added, clearing the air around VirusTotal’s future. “The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.”

Challenges Addressed and Google’s Gemini AI Integration

For years, organizations have grappled with two primary hurdles in threat intelligence: a lack of holistic visibility into the threat landscape and the arduous task of collecting and operationalizing intelligence data. Google's new offering aims to address these challenges head-on, providing insights and operational efficiency to security teams worldwide.

The integration of Gemini, Google's AI-powered agent, enhances the operationalization of threat intelligence, streamlining the analysis process and accelerating response times. Using the Gemini 1.5 Pro large language model, Google claims to significantly reduce the time required to analyze malware attacks. For instance, the model took only 34 seconds to dissect the WannaCry virus and identify a kill switch, demonstrating its efficacy in threat analysis. Another key feature of Gemini AI is its ability to summarize threat reports into natural language, aiding companies in assessing the potential impact of attacks and prioritizing responses. Google Threat Intelligence also offers a comprehensive threat monitoring network, empowering users to gain insights into the cybersecurity landscape and prioritize their defense strategies.

Mandiant, acquired by Google in 2022, plays a vital role in assessing security vulnerabilities in AI projects through the Secure AI Framework. Its experts conduct rigorous testing to fortify AI models against threats like data poisoning, ensuring their resilience against malicious exploitation. While Google is pioneering the integration of AI into cybersecurity, other tech giants like Microsoft are also exploring similar avenues, underscoring the growing significance of AI in safeguarding digital assets against evolving threats. As cyber threats continue to evolve, proactive defense strategies are more critical than ever.
With Google Threat Intelligence, organizations can leverage cutting-edge technology to detect, analyze, and mitigate threats effectively, ensuring the security and resilience of their digital infrastructure in an increasingly complex threat landscape.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

M4 iPad Pro CPU cores and RAM amount are tied to storage capacity

8 May 2024 at 13:32
Photo: The new M4 iPad Pro. (credit: Apple)

When Apple announced the Apple M4 chip during its iPad Pro event yesterday, it mentioned that the chip came with "up to" four high-performance CPU cores.

Those short, easily missable words always mean that there's a lower-end version of the chip coming that doesn't include that many CPU cores, and the tech specs page for the new iPad Pro has the full details: iPad Pros with 256GB or 512GB of storage use a version of the M4 with three high-performance CPU cores and six smaller efficiency cores. Only the models with 1TB and 2TB of storage have an M4 with all four high-performance CPU cores enabled.

The 256GB and 512GB models also ship with 8GB of RAM, where the 1TB and 2TB models come with 16GB of memory installed. Though these changes are clearly spelled out on the Tech Specs page, the actual configuration page for the iPad Pros in Apple's online store doesn't give any indication that upgrading storage also upgrades your CPU and RAM.

Hacker Duo Allegedly Strikes HSBC, Barclays in Cyberattacks

Hackers IntelBroker and Sanggiero have claimed a data breach allegedly impacting HSBC Bank and Barclays Bank. The breaches at HSBC and Barclays reportedly occurred in April 2024 and involved a security incident at a third-party contractor, ultimately leading to the leak of sensitive data.

The compromised data, which was being offered for sale on Breachforums, allegedly includes a wide array of files such as database files, certificate files, source code, SQL files, JSON configuration files, and compiled JAR files. Preliminary analysis suggests that the data may have been sourced from the services provided by Baton Systems Inc., a post-trade processing platform, potentially impacting both HSBC Bank and Barclays Bank. However, Baton Systems has not shared any update on this alleged attack or any connection with the sample data provided by the threat actor.

Hacker Duo Claims Barclays and HSBC Bank Data Breach

Barclays Bank PLC and The Hong Kong and Shanghai Banking Corporation Limited (HSBC) are the primary organizations reportedly affected by this breach. Both banks have operations spanning the United Kingdom, the United States, and regions including Europe and North America. The threat actor threatens their banking systems and probably targets customer data; however, there has been no evidence of such data being leaked.

Image: Barclays and HSBC Bank data breach (Source: Dark Web)

In a post on Breachforums, one of the threat actors, IntelBroker, shared details of the Barclays and HSBC Bank data breach, offering the compromised data for download. The post, dated May 8, 2024, outlined the nature of the breach and the types of data compromised, including database files, certificate files, source code, and more. The post also provided a sample of the leaked data, revealing a mixture of CSV data representing financial transactions across different systems or entities.
While talking about the stolen data, IntelBroker wrote that he is "uploading the HSBC & Barclays data breach for you to download. Thanks for reading and enjoy! In April 2024, HSBC & Barclays suffered a data breach when a direct contractor of the two banks was breached. Breached by @IntelBroker & @Sanggiero".

A Closer Look at the Sample Data 

A closer look at the sample data reveals three distinct datasets, each containing transaction records with detailed information about financial activities. These records encompass a range of information, from transaction IDs and timestamps to descriptions and the account numbers involved. The datasets provide a comprehensive view of various transactions, offering valuable insights for financial analysis and tracking.

The Cyber Express has reached out to both banks to learn more about these alleged data breaches. HSBC Bank has denied the allegations, stating, "We are aware of these reports and confirm HSBC has not experienced a cybersecurity incident and no HSBC data has been compromised.” However, at the time of writing, no official statement or response has been shared by Barclays, leaving the claims related to Barclays unverified.

Moreover, the two hackers in question, IntelBroker and Sanggiero, have claimed similar attacks in the past, targeting various global organizations. In an exclusive interview with The Cyber Express, one of the hackers, IntelBroker, shed light on their hacking activities and the motivations behind their operations. IntelBroker had also praised Sanggiero from BreachForums, saying “his exceptional intellect and understated contributions to the field are deserving of far greater recognition and respect.”

Hands-on with the new iPad Pros and Airs: A surprisingly refreshing refresh

7 May 2024 at 16:06
Photo: Apple's latest iPad Air, now in two sizes. The Magic Keyboard accessory is the same one that you use with older iPad Airs and Pros, though they can use the new Apple Pencil Pro. (credit: Andrew Cunningham)

Apple has a new lineup of iPad Pro and Air models for the first time in well over a year. Most people would probably be hard-pressed to tell the new ones from the old ones just by looking at them, but after hands-on sessions with both sizes of both tablets, the small details (especially for the Pros) all add up to a noticeably refined iPad experience.

iPad Airs: Bigger is better

But let's begin with the new Airs since there's a bit less to talk about. The 11-inch iPad Air (technically the sixth-generation model) is mostly the same as the previous-generation A14 and M1 models, design-wise, with identical physical dimensions and weight. It's still the same slim-bezel design Apple introduced with the 2018 iPad Pro, just with a 60 Hz LCD display panel and Touch ID on the power button rather than Face ID.

So when Apple says the device has been "redesigned," the company is mainly referring to the fact that the webcam is now mounted on the long edge of the tablet rather than the short edge. This makes its positioning more laptop-y when it's docked to the Magic Keyboard or some other keyboard.

New iPad Pros are the thinnest Apple device ever, feature dual-OLED screens

7 May 2024 at 10:25
Photo credit: Apple

Apple's newest iPad Pro puts an M4 chip inside a thinner frame and is available in new 11-inch and 13-inch sizes, while also upgrading the screens on both to "tandem" OLED displays for more brightness.

Compared to the last iPad Pro, released in early 2022, Apple is highlighting how thin and light these new Pros are. The 11-inch model is 5.3 mm thick and weighs less than a pound, while the 13-inch is 5.1 mm, which Apple says is its thinnest product ever, at 1.28 pounds.

The tandem OLED design, dubbed Ultra Retina XDR, delivers 1000 nits at full-screen brightness, and 1600 nits at peak HDR, equivalent to a high-end Samsung TV. The screens are "nano-texture glass," which is essentially a matte display finish.

What to expect from Apple’s May 7 “Let loose” event

3 May 2024 at 16:58
Photo: The promotional image for Apple's May 7 event. (credit: Apple)

On May 7, Apple will host a product announcement event at 9 am ET. Labeled "Let loose," we expect it will focus on new iPads and iPad accessories.

We won't be liveblogging the stream, but you can expect some news coverage as it happens. Below, we'll go over our educated guesses about why Apple might be doing this.

Why hold an event now?

It's unusual for Apple to host an event shortly before WWDC. New products debut at that event all the time, so if it's just a faster chip and a nicer screen for the iPad Pro and iPad Air, why not wait until June?

On TikTok, Potential Ban of App Leads to Resignation and Frustration

By: Yiwen Lu
24 April 2024 at 14:28
While Congress says the social app is a security threat, critics of the law targeting it say it shows how out of step lawmakers are with young people.

© Kent Nishimura for The New York Times

Supporters of TikTok gathered near the Capitol last month as the House of Representatives voted to pass a bill to force TikTok to cut ties with its Chinese parent company, ByteDance, or risk being banned in U.S. app stores.

Canada revisits decision to ban Flipper Zero

22 March 2024 at 14:43

In February 2024 the Canadian government announced plans to ban the sale of the Flipper Zero, mainly because of its reported use to steal cars.

The Flipper Zero is a portable device that can be used in penetration testing with a focus on wireless devices and access control systems.

If that doesn’t help you understand what it can do, a few examples from the news might help.

Flipper Zero made headlines in October because versions running third-party firmware could be used to crash iPhones running iOS 17 (since resolved in iOS 17.2).

Later, reporters found information that car thieves could use the Flipper Zero to intercept, record, and sometimes mimic the signal of a vehicle’s key fob, and if the car was in a garage, the signal of the garage door opener too.

Importantly, this only works on older car models that use fixed numeric codes for their fobs, not on cars that use rolling codes, which change the numeric code transmitted from a key fob with each use. As a result, car thieves continued to ignore the Flipper Zero in favour of key fob signal boosters and keyless repeaters, which are a lot more powerful.
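To show why the fixed-code versus rolling-code distinction above matters, here is a small simulation (an added example, not part of the original post; the secret is a constructed value and an HMAC stands in for the fob's keyed cipher): a fixed-code receiver accepts a previously recorded code again, while a rolling-code receiver only accepts a code whose counter is ahead of the last one it saw, so a recorded transmission is rejected.

```python
import hashlib
import hmac

# Constructed demo secret shared by one fob and its receiver (not from any real vehicle).
SECRET = b"demo-fob-secret-0001"
# How far ahead of the last accepted counter the receiver will resynchronise
# (covers presses made while the car was out of range).
WINDOW = 16


def rolling_code(secret: bytes, counter: int) -> str:
    """Derive the transmitted code from the fob's press counter.

    HMAC-SHA256 truncated to 32 bits stands in for the keyed cipher real fobs
    use; the receiver knows the secret, so it can recompute the code for any
    counter value without learning anything from an intercepted code.
    """
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:4].hex()


class FixedCodeReceiver:
    """Legacy design: one static code, so anything recorded once works forever."""

    def __init__(self, code: str) -> None:
        self.code = code

    def receive(self, code: str) -> bool:
        return hmac.compare_digest(code, self.code)


class RollingCodeFob:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        self.counter += 1
        return rolling_code(self.secret, self.counter)


class RollingCodeReceiver:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = 0  # counter of the last transmission accepted

    def receive(self, code: str) -> bool:
        # Only counters strictly ahead of the last accepted one are tried, so a
        # replayed (older) code never matches. The look-ahead window lets the
        # receiver catch up after unseen presses.
        for c in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if hmac.compare_digest(rolling_code(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo_replay() -> dict:
    """Record one press from each fob type, then present it again later."""
    fixed_rx = FixedCodeReceiver("a1b2c3d4")  # constructed static code
    recorded_fixed = "a1b2c3d4"  # what a recorder would have captured

    fob = RollingCodeFob(SECRET)
    rolling_rx = RollingCodeReceiver(SECRET)
    recorded_rolling = fob.press()
    first_use_ok = rolling_rx.receive(recorded_rolling)  # legitimate press

    fob.press()  # two presses the receiver never heard (out of range)
    fob.press()
    resync_ok = rolling_rx.receive(fob.press())  # still within the window

    return {
        "fixed_replay_accepted": fixed_rx.receive(recorded_fixed),
        "rolling_first_use_accepted": first_use_ok,
        "rolling_resync_accepted": resync_ok,
        "rolling_replay_accepted": rolling_rx.receive(recorded_rolling),
    }


if __name__ == "__main__":
    for name, accepted in demo_replay().items():
        print(f"{name}: {accepted}")
```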

Oddly enough, car theft was cited as the main reason for putting a ban on the Flipper Zero in Canada, although Canada’s Minister of Innovation, Science, and Industry, François-Philippe Champagne, said:

“We are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

Very recently, a group of security researchers presented a series of vulnerabilities in the widely used Dormakaba Saflok electronic RFID locks. This vulnerability impacts over 3 million doors on over 13,000 properties in 131 countries, mostly in hotels.

Reportedly, an attacker only needs to read one keycard from the property to perform the attack against any of its doors. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.

Any device capable of reading and writing or emulating MIFARE Classic cards is suitable for this attack. MIFARE is a contactless card technology introduced in 1994. It’s primarily used for transport passes, but its technological capabilities quickly made it one of the most popular smart cards for storing data and providing access control.

One device that can be used for this attack is the Flipper Zero, but an attacker could just as easily use a Proxmark 3 or any NFC capable Android phone.

After an appeal by the security community, Canada now looks like it’s going to move forward with measures to restrict the use of devices like Flipper Zero to legitimate actors only. The specifics will be revealed after deliberation with Canadian companies, online retailers, and the automotive industry.

Conclusions

None of the technology housed within the Flipper Zero is very new; all it does is combine multiple functions into one handheld device. We have never seen any officially confirmed cases of theft using a Flipper Zero. If you want to ban something in order to reduce car theft, look at keyless repeaters, which are on the market for a host of car brands and have no other purpose.

For all the vulnerabilities we described, updates came out that fixed the issues and made the world a safer place, although the patches haven’t been applied everywhere—it’s a lot of work to update all the locks in a hotel, and it’s not feasible to update the fob systems of older cars. Nevertheless, the research by pen testers has led to security improvements, so why would we want to take away their tools?

If we have piqued your interest in buying a Flipper Zero, we urge you to be careful. Due to limited availability, there are scammers active who will take your money and send nothing in return.

You can learn more about Flipper Zero by listening to our Lock and Code podcast below. In December 2023, host David Ruiz had a long conversation with Cooper Quintin, senior public interest technologist with the Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device.

Patch Tuesday, March 2024 Edition

12 March 2024 at 16:36

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple’s new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.

Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.

Apple’s macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].

On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.

Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.

Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities”, including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS)), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).

Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), a Linux-based cloud infrastructure in Microsoft Azure. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.

CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineer at Immersive Labs.

“With this vulnerability, there is an exploit that allows remote code execution; the attacker needs to trick a user into opening a document, and this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low, meaning there is less of a barrier to entry for attackers.”

A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.

Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.

By the way, Adobe recently enrolled all of its Acrobat users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.

Fat Patch Tuesday, February 2024 Edition

13 February 2024 at 17:28

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.

Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.

Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has been using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn unloads a remote access trojan (RAT) onto infected Windows systems.

The other zero-day flaw is CVE-2024-21351, another security feature bypass — this one in the built-in Windows SmartScreen component that tries to screen out potentially malicious files downloaded from the Web. Kevin Breen at Immersive Labs says it’s important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.

Satnam Narang, senior staff research engineer at Tenable, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.

Narang called special attention to CVE-2024-21410, an “elevation of privilege” bug in Microsoft Exchange Server that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,” Narang said. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”

Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.

“Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,” Narang said.
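Because EPA lives in IIS configuration rather than in Exchange itself, an admin can verify the state Narang describes directly on the server. The script below is an added example written for this page; it is not Microsoft's or Krebs's code. It assumes it runs locally on an Exchange server with the WebAdministration module available, and the list of virtual directories is an assumption based on the default Exchange site layout ("Default Web Site" and "Exchange Back End"); adjust it for your environment.

```powershell
# Added example (not from the post or from Microsoft): report the IIS
# Extended Protection for Authentication (EPA) "tokenChecking" setting on the
# Exchange virtual directories that use Windows authentication, so an admin
# can confirm NTLM relay protection is actually enforced after CU14.
Import-Module WebAdministration

# Assumed default Exchange layout; front-end site first, back-end site second.
$targets = @(
    'Default Web Site/EWS',  'Default Web Site/Autodiscover', 'Default Web Site/mapi',
    'Default Web Site/OAB',  'Default Web Site/Rpc',          'Default Web Site/PowerShell',
    'Exchange Back End/EWS', 'Exchange Back End/Autodiscover','Exchange Back End/mapi',
    'Exchange Back End/OAB', 'Exchange Back End/Rpc',         'Exchange Back End/PowerShell'
)

# IIS configuration path of the EPA element under Windows authentication.
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$results = foreach ($t in $targets) {
    $psPath = "IIS:\Sites\$t"
    if (-not (Test-Path $psPath)) { continue }   # vdir absent on this role

    # tokenChecking is None | Allow | Require. Only "Require" (or "Allow" on
    # HTTPS-only bindings) gives the channel-binding check that defeats relay.
    $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'tokenChecking'
    $tc  = if ($raw -is [string]) { $raw } elseif ($null -ne $raw.Value) { "$($raw.Value)" } else { "$raw" }

    [pscustomobject]@{
        VirtualDirectory = $t
        TokenChecking    = $tc
        Status           = if ($tc -eq 'Require') { 'OK' } else { 'REVIEW' }
    }
}

$results | Format-Table -AutoSize

$weak = @($results | Where-Object { $_.Status -ne 'OK' })
if ($weak.Count -gt 0) {
    $msg = 'EPA tokenChecking is not "Require" on {0} virtual director(y/ies). ' +
           'Update to CU14 or later, or run Microsoft''s ExchangeExtendedProtectionManagement.ps1, then re-check.'
    Write-Warning ($msg -f $weak.Count)
}
```

Run it in an elevated Exchange Management Shell on each server. A row showing "None" on a back-end directory is the case Narang's comment warns about: NTLM authentication is accepted without channel binding, so a captured authentication can be replayed to that endpoint.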

Rapid7’s lead software engineer Adam Barnett highlighted CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.

“Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,” Barnett said. “CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.”
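The Mark of the Web that Barnett refers to is stored as an NTFS alternate data stream named Zone.Identifier, and Protected View keys off the ZoneId it carries. As an added example for this page (not code from the post, from Microsoft, or from Rapid7), the script below reads that stream for the Office documents in a folder so a defender can see which downloaded files carry a mark at all and which zone they were tagged with. It assumes an NTFS volume and Windows PowerShell 3.0 or later; the default folder is a placeholder.

```powershell
# Added example (not from the post): parse the Zone.Identifier stream that
# implements Mark of the Web and classify Office documents in a folder.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads"   # placeholder path
)

function Get-MotWInfo {
    param([Parameter(Mandatory)][string]$Path)
    $info = [pscustomobject]@{
        File = Split-Path -Leaf $Path; HasMotW = $false; ZoneId = $null; Zone = 'none'; HostUrl = $null
    }
    try {
        # The stream is small INI-style text:
        #   [ZoneTransfer]
        #   ZoneId=3
        #   HostUrl=https://example.invalid/file.docx   (optional)
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $info                                    # no stream: no mark, no Protected View
    }
    $info.HasMotW = $true
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $info.ZoneId  = [int]$Matches[1] }
        if ($line -match '^HostUrl=(.+)$')    { $info.HostUrl = $Matches[1].Trim() }
    }
    # URLZONE values used by the Windows security zones model.
    $info.Zone = switch ($info.ZoneId) {
        0 { 'LocalMachine' } 1 { 'Intranet' } 2 { 'Trusted' }
        3 { 'Internet' }     4 { 'Restricted' } default { 'unknown' }
    }
    return $info
}

$officeExt = '.doc','.docx','.docm','.xls','.xlsx','.xlsm','.ppt','.pptx','.pptm','.rtf'

Get-ChildItem -LiteralPath $Folder -File |
    Where-Object { $officeExt -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-MotWInfo -Path $_.FullName } |
    Sort-Object HasMotW, Zone |
    Format-Table File, HasMotW, Zone, HostUrl -AutoSize
```

Files with ZoneId 3 or 4 are the ones Office would normally open read-only in Protected View; a file with no stream at all (for example one extracted from an archive by a tool that does not propagate the mark) is opened as local content, which is the same effect CVE-2024-21413 achieves against a file that is still marked.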

Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413. Individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.

It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.

For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
