SANS NewsBites

Prioritize Patching Apple OSes; Open Source Components Often Behind on Patched Versions; Restart Chrome Browsers to Fix Another Critical Vulnerability

February 24, 2023  |  Volume XXV - Issue #16

Top of the News


2023-02-22

Researchers Find New Class of Privilege Elevation Bug in iOS and macOS

Researchers from Trellix have discovered a new class of bug that affects Apple’s iOS and macOS. The bugs can allow attackers to bypass code signing, gain elevated privileges, and execute code. The Trellix Advanced Research Center vulnerability team writes that the bugs “represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else.”

Editor's Note

Apple patched these flaws with its January updates, but did not disclose these flaws until last week. Last week, Apple updated the related advisories declaring that they patched these vulnerabilities.

Johannes Ullrich

The more time (i.e. decades) you spend in the industry watching things like this the more you are not shocked when mitigations are broken. Pointer Authentication was very much a game changer in exploit mitigation on this platform. Sidestepping it to introduce a new class of bugs is fascinating and not surprising. Maybe what is surprising is that the technique was circling around for 4 years before this type of article came out. It is a patched set of bugs and you should keep your phones updated.

Moses Frost

These exploits are mitigated in iOS/iPadOS 16.3 and macOS 13.2. If you are still allowing devices to stay on iOS 15 or earlier it’s time to update. Note that updates to these new OS versions may require hardware replacements, so check your compatibility, keeping in mind getting new x86 Apple desktops is problematic.

Lee Neely

In the ancient days [1990s and earlier] you could look at the number of hours spent finding the next bug in a piece of software over time and see a knee in the curve – the point where it could be considered stable/secure enough to release. Of course, that was when new versions of software came out yearly or less, and complexity of code was much lower overall. There really are no more knees in the software risk curve – using software means and will always mean continual patching to reduce risk. That’s why browsers and cloud services update themselves so frequently.

John Pescatore

An example of security researchers properly disclosing a class of vulnerabilities to the software vendor. The result: affected software reviewed, software changes made, patch released, and researchers given appropriate credit for finding the class of vulnerabilities. Kudos to Trellix security researchers.

Curtis Dukes

As I understand it, this class of vulnerability can be exploited only by rogue applications, not from the user or network interfaces. Do I have that right?

William Hugh Murray

2023-02-23

Chrome Update Includes Fix for Critical Flaw

On Wednesday, February 22, Google released Chrome Stable Channel Desktop Update for Windows (110.0.5481.177/.178) and Mac (110.0.5481.177). The newest version of the browser includes fixes for 10 security issues, including a critical use after free issue in Prompts (CVE-2023-0941).

2023-02-21

US Defense Dept. Inspector General Finds Officials Did Not Identify Cloud Services Risks

A recent audit report from the US Department of Defense (DoD) Office of Inspector General (DODIG) examines DoD’s compliance with security requirements when using commercial cloud services. DODIG found that Army, Navy, Air Force, and Marine Corps authorizing officials (AOs) “did not review all required documentation to consider the commercial cloud service offerings’ (CSOs’) risks to their systems when granting and reassessing authorization to operate on a periodic basis thereafter. Specifically, the AOs did not consider system risks that were identified in the supporting documentation of the authorized commercial CSOs’ FedRAMP and DoD authorization processes and continuous monitoring activities.”

The Rest of the Week's News


2023-02-23

Microsoft: Remove Some Antivirus Exclusions from Exchange Server

Microsoft’s Exchange Team is recommending that admins remove some antivirus exclusions on Exchange Server. They write that they have “found some existing exclusions, namely the Temporary ASP.NET Files and Inetsrv folders, and the PowerShell and w3wp processes are no longer needed, and that it would be much better to scan these files and folders. Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues.”
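The following script is an added example, not code from the newsletter or from Microsoft's guidance: it audits a server's current Microsoft Defender Antivirus exclusions and removes only the four entries the Exchange Team names above. It assumes Defender is the AV product in use and that Exchange uses the default framework and IIS locations; the two folder paths are assumptions to be checked against the server's actual exclusion list before anything is removed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the newsletter or Microsoft): drop the Exchange
# Defender exclusions that the Exchange Team now says are no longer needed.
# ASSUMPTION: default locations for the ASP.NET temp folder and inetsrv.
# Compare against the output of Get-MpPreference before trusting them.

$tempAspNet = Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'
$inetsrv    = Join-Path $env:SystemRoot 'System32\inetsrv'

$pathsToRemove     = @($tempAspNet, $inetsrv)
$processesToRemove = @('powershell.exe', 'w3wp.exe')

$pref = Get-MpPreference

# Show the current state so the change is reviewable and auditable.
Write-Host 'Current path exclusions:'
$pref.ExclusionPath    | ForEach-Object { Write-Host "  $_" }
Write-Host 'Current process exclusions:'
$pref.ExclusionProcess | ForEach-Object { Write-Host "  $_" }

# Match only entries that are actually present (-contains is case-insensitive),
# so the script is safe to re-run and never touches unrelated exclusions.
# Process exclusions may be stored as a bare name or a full path; compare the leaf.
$matchedPaths = @($pref.ExclusionPath | Where-Object { $pathsToRemove -contains $_ })
$matchedProcs = @($pref.ExclusionProcess |
    Where-Object { $processesToRemove -contains (Split-Path $_ -Leaf) })

if ($matchedPaths.Count -gt 0) {
    Remove-MpPreference -ExclusionPath $matchedPaths
    Write-Host "Removed path exclusions: $($matchedPaths -join ', ')"
} else {
    Write-Host 'No matching path exclusions found.'
}

if ($matchedProcs.Count -gt 0) {
    Remove-MpPreference -ExclusionProcess $matchedProcs
    Write-Host "Removed process exclusions: $($matchedProcs -join ', ')"
} else {
    Write-Host 'No matching process exclusions found.'
}

# Re-read the preference object to confirm the result.
$after = Get-MpPreference
Write-Host 'Remaining path exclusions:'
$after.ExclusionPath | ForEach-Object { Write-Host "  $_" }
```

Run it once in an elevated PowerShell session on the Exchange server. It prints the exclusion lists before and after so the change can be recorded, and it leaves any exclusion not in the two short lists untouched, which matters because Microsoft's updated guidance still keeps other Exchange-specific exclusions in place.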

Editor's Note

This advisory is probably one of the more concerning ones. With so many Exchange issues it would make sense to focus on AV, but how many admins are willing to claw back exclusions? A tool would be helpful from the AV vendors if it were possible.

Moses Frost

This is a step in the right direction for those of us hanging onto local Exchange deployments. Go through the update from Microsoft (link below) and make sure you have the minimum number of areas excluded from scans. Also verify you need to continue local instances of Exchange, and the plans to retire them.

Lee Neely

At the root of this recommendation is the fact that many Exchange servers remain unpatched worldwide allowing adversaries to exploit. I’m sorry but there is no other way around it: if you’re going to have effective cyber defense, you have to have a timely patch management process.

Curtis Dukes

2023-02-22

Synopsys 2023 Open Source Security and Risk Analysis Report

In the eighth edition of its Open Source Security and Risk Analysis report, Synopsys “examines the results of more than 1,700 audits of commercial and proprietary codebases involved in merger and acquisition transactions and highlights trends in open source usage across 17 industries.” The report notes that the last five years have seen a significant growth in open source use as well as an increase in high-risk vulnerabilities. It also observes that the majority of codebases do not receive code quality and security patches.

2023-02-23

US Military eMails Exposed via Unsecured Azure Server

An inadequately protected Azure server was exposing sensitive US Department of Defense (DoD) emails for two weeks; the issue has been mitigated. The server, which is part of the Microsoft Azure government cloud for DoD customers, was not protected by a password. The Defense Department’s U.S. Special Operations Command (USSOCOM) has launched an investigation.

2023-02-22

Fortinet Vulnerability is Being Actively Exploited; Apply Updates Now

Hackers are exploiting a known vulnerability in Fortinet’s FortiNAC (network access control) just days after Fortinet released a fix for the issue. The critical file name and path control issue could be exploited to attain remote code execution.

2023-02-23

US Department of Justice Arrests, Extradites Alleged Malware Developer

The US Department of Justice (DoJ) announced that it has arrested and extradited a Russian citizen for allegedly developing and using malware. Dariy Pankov is charged with conspiracy, access device fraud, and computer fraud. He will also forfeit nearly 360,000 USD.

2023-02-23

CISA Adds Three Vulnerabilities to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three security issues to its Known Exploited Vulnerabilities (KEV) catalog: a code injection issue (CVE-2022-41223) and a command injection issue (CVE-2022-40765) in Mitel’s MiVoice Connect, and a code execution issue (CVE-2022-47986) in IBM’s Aspera Faspex file transfer tool. All three vulnerabilities have mitigation deadlines of March 14, 2023.

2023-02-23

NSA Advice for Securing Home Networks

The US National Security Agency (NSA) has published an information sheet, Best Practices for Securing Your Home Network. The guidance was developed to help remote workers ensure they have taken necessary security precautions. The information sheet includes suggested cybersecurity-aware behaviors, configuration guidelines, and mitigations.

Internet Storm Center Tech Corner

Internet Wide Scan Fingerprinting Confluence Servers

https://isc.sans.edu/diary/Internet+Wide+Scan+Fingerprinting+Confluence+Servers/29574

Phishing Page Branded with Your Corporate Website

https://isc.sans.edu/diary/Phishing+Page+Branded+with+Your+Corporate+Website/29570

Updated Exchange AV Guidance

https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exchange-server-antivirus-exclusions/ba-p/3751464

Best Practices for Securing Your Home Network

https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF

Attacks on Data Center Organizations

https://www.resecurity.com/blog/article/cyber-attacks-on-data-center-organizations

NPM Package Phishing

https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/

Malicious PyPi Packages

https://www.fortinet.com/blog/threat-research/more-supply-chain-attacks-via-new-malicious-python-packages-in-pypi

Apple Updates Advisories

https://support.apple.com/en-us/HT213606

https://support.apple.com/en-us/HT213605

https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-advanced-research-center-discovers-a-new-privilege-escalation-bug-class-on-macos-and-ios.html

Questionable two-factor Apps

https://twitter.com/mysk_co/status/1627097291063435264

VMWare Carbon Black App Control Vulnerability

https://www.vmware.com/security/advisories/VMSA-2023-0004.html

Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs

https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

Apache Commons FileUpload Vulnerability

https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy

VMWare Windows Server 2022 Fix

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3k-release-notes.html#resolvedissues