Google has announced the introduction of Device Bound Session Credentials (DBSC).

Google has announced the introduction of Device Bound Session Credentials (DBSC) to secure Chrome users against cookie theft.

In January we reported how hackers found a way to gain unauthorized access to Google accounts, bypassing multi-factor authentication (MFA), by stealing authentication cookies with info-stealer malware. An authentication cookie is added to a web browser after a user proves who they are by logging in. It tells a website that a user _has already logged in_, so they aren’t asked for their username and password over and over again. A cybercriminal with an authentication cookie for a website doesn’t need a password, because the website thinks they’ve already logged in. It doesn’t even matter if the owner of the account changes their password.

At the time, Google said it would take action:

> “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

However, some info stealers reportedly updated their methods to counter Google’s fraud detection measures.

The idea that malware could steal authentication cookies and send them to a criminal did not sit well with Google. In its announcement it explains that, “because of the way cookies and operating systems interact, primarily on desktop operating systems, Chrome and other browsers cannot protect them against malware that has the same level of access as the browser itself.”

So it turned to another solution. And if the simplicity of the solution is any indication for its effectiveness, then this should be a good one.

It works by using cryptography to limit the use of an authentication cookie to the device that first created it. When a user visits a website and starts a session, the browser creates two cryptographic keys—one public, one private. The private key is stored on the device in a way that is hard to export, and the public key is given to the website. The website uses the public key to verify that the browser using the authentication cookie has the private key. In order to use a stolen cookie, a thief would also need to steal the private key, so the more robust the “hard to export” bit gets, the safer your cookies will be.

Google stated in its announcement that it thinks this will substantially reduce the success rate of cookie theft malware. This would force attackers to act locally on a device, which makes on-device detection and cleanup more effective, both for anti-malware software as well as for enterprise managed devices.

As such, Device Bound Session Credentials fits in well with Google’s strategy to phase out third-party cookies.

Development of the project is done in the open at Github with the goal of DBSC becoming an open web standard. The goal is to have a fully working trial ready by the end of 2024. Google says that identity providers such as Okta, and browsers such as Microsoft Edge, have expressed interest in DBSC as they want to secure their users against cookie theft.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Google Chrome gets &#8216;Device Bound Session Credentials&#8217; to stop cookie theft 

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

Source: Anatolyi Deryenko via Alamy Stock Phot

It's clear from the comments by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, and from documents leaked from a Chinese hacker-for-hire ring, that there's a growing threat from and demand for a market for cyber vulnerabilities. Even more alarming, however, was Easterly's assessment that "we've made it easy on" attackers through poor software design. To secure our systems and prevent a whole-of-society or whole-of-economy attack like the one that Easterly and her peers descripted to Congress, it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

Cybersecurity statistics from 2023 paint an even clearer picture of how easy it is for hackers: In Chromium, the engine that powers Chrome and Edge, eight previously unknown vulnerabilities (zero-days) were identified. Even software designed to keep users and networks secure was not immune from compromise. CISA opened 2024 with an emergency directive for federal departments and agencies to patch a series of vulnerabilities in VPN software designed for securing employee connections to federal networks. In the coming months, it's also likely that the creation of a market for hacks and hacked data by the likes of iSoon, as well as the growing offensive threat posed by AI, will make cyber defense even more challenging.

As CISA articulated in its Secure by Design initiative, vendors are the first step to creating technologies that are both secure and usable. Taking security into account along with performance and features from day one of a product's development will not only help build a secure technology stack but will also ensure that products truly balance security and performance instead of creating hurdles to good user experience masquerading as security features. But even CISA's ambitions to bring Secure by Design to life as a regulatory framework is insufficient to drive the sea change that's needed to turn the tide against emboldened and AI-empowered hackers — without support from the market, even the most well-intentioned and well-informed regulations will devolve into a box-checking enterprise.

**Cyber-Risk Is Business Risk**

To secure our economy and privately operated infrastructure, businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. By increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes. In doing so, cybersecurity will become less of a last-minute hurdle to business effectiveness and more of an enabler to build a technology ecosystem and operations model that are both successful and secure.

As executives prioritize cybersecurity as a factor in their strategic decisions, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. IT professionals must realize that shortcuts to bypass security controls in favor of user experience or network efficiency incur unnecessary risk for their companies; in return, cybersecurity professionals must proactively look for technology that provides users a good experience while isolating them from technical risks. Both groups need to collaborate to create education for their workforces that are based on a real-time understanding of the risks they face and empowering good decisions about those risks rather than annual, quarterly, or monthly training that too often runs in the background while employees do their "real jobs."

The final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens. While CISA and the US government writ large have put much of the burden for secure development and secure decisions on companies, citizens must realize that the cybersecurity stakes go far beyond individual credit cards and bank accounts. The doomsday scenario of a simultaneous power, water, and communications disruption brings these stakes into focus, and day-to-day citizens must be willing to increase their cyber literacy and compliance to stop this scenario from unfolding. Just as we accept and comply with the incessant tones that remind us to buckle our seatbelts when driving, we must accept minor cybersecurity "nudges" like multifactor authentication of sensitive work and personal.

It's easy to catastrophize the consequences a Chinese cyberattack could bring — and it's certainly worth talking about response, resiliency, and recovery policies. It's hard to look in the mirror and realize that, in the rush to develop, purchase, and consume feature-rich technology, we've made it "easy" for our adversaries. But this doesn't have to be the case. If we work together and integrate cybersecurity as part of our corporate and individual thinking, we can make life harder for the hackers and safer for ourselves.

**About the Author(s)**

Field CTO, Garrison Technology

Adam Maruyama is a cybersecurity and national security professional and the current Field CTO for Garrison Technology. He served more than 15 years in the Intelligence Community supporting cyber and counterterrorism operations, including numerous warzone tours and co-leading the drafting of the 2018 National Strategy for Counterterrorism. During his time in industry, Adam has served commercial and government customers at McKinsey & Company and Palo Alto Networks.

Why Cybersecurity Is a Whole-of-Society Issue

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware.
The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said.
"By binding authentication sessions to the

Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks

Campaign distributes malware disguised as legitimate installers for popular workplace collaboration apps by abusing a traffic-tracking feature.

Source: Bits and Splits via Shutterstock

Attackers are once again abusing Google Ads to target people with info-stealing malware, this time using an ad-tracking feature to lure corporate users with fake ads for popular collaborative groupware such as Slack and Notion.

Researchers from AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign that uses a statistical feature to embed URLs that distribute malware, including the Rhadamanthys stealer, they revealed in a blog post published this week. The feature lets advertisers insert external analytic website addresses into ads to collect and use their visitors' access-related data to calculate ad traffic.

However, instead of inserting a URL for an external statistics site, attackers are abusing the feature to enter sites for distributing malicious code, the researchers found.

Ads related to the campaign have already been deleted. But when they were still active, "clicking on the banner would take unsuspecting users to the address that would trick them into downloading a malicious file," according to ASEC.

In the campaign, Rhadamanthys is disguised as an installer for popular groupware often used by corporate teams for workplace collaboration. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker's server.

**Redirects to Stealer Downloads**

The ASEC post breaks down how attackers crafted the campaign to show banner ads that contain tracking URLs invisible to the end user that redirect users to an attacker-created and -controlled URL. This ultimate landing page is similar to the actual website of a groupware tool such as Slack or Notion, and it prompts visitors to download and execute the malware, which is distributed in an installer form.

Typical installers used by the campaign are the Inno Setup installer or Nullsoft Scriptable Install System (NSIS) installer; specifically, attackers used the following executable files: Notion\_software\_x64\_.exe Slack\_software\_x64\_.exe; Trello\_software\_x64\_.exe; and GoodNotes\_software\_x64\_32.exe.

"Once it is executed, the malware uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses," ASEC said in its blog post, which lists the URLs attackers used to fetch these addresses, which are subsequently delivered to users.

The ultimate payload of the campaign is the Rhadamanthys stealer, which gets injected into legitimate Windows files via the "%system32%" path, according to ASEC. This allows the stealer to exfiltrate users' private data without their knowledge, the researchers noted.

Rhadamanthys is popular with attackers and is available for purchase on the Dark Web under a malware-as-a-service model. It acts as a typical stealer to collect system information, such as computer name, username, OS version, and other machine details. It also queries the directories of installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software — to search for and steal browser history, bookmarks, cookies, auto-fills, login credentials, and other data.

**Pay Attention to Ad-Delivered URLs**

The campaign is certainly not the first time that attackers have abused Google Ads and its associated features to deliver Rhadamanthys and other malware, and it likely won't be the last. In fact, a campaign identified in January 2023 also used website redirects from Google Ads and fake-download lures for popular remote-workforce software, such as Zoom and AnyDesk to deliver Rhadamanthys.

Attackers have even abused the "dynamic search ads" feature of the service to amplify the effect of malicious campaigns by creating targeted ads to deliver a flood of malware.

Indeed, as "all search engines that provide tracking to calculate ad traffic can be used to distribute malware," users must stay vigilante when accessing links from ads delivered by Google, ASEC warned. Specifically, they should "pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad's banner" to avoid falling for a malicious campaign, according to the post.

ASEC also posted a comprehensive list of URLs associated with various stages of the campaign to help administrators identify if any corporate users have been affected by it.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Abuse Google Ad Feature to Target Slack, Notion Users

Google has agreed to purge billions of data records reflecting users' browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser.
The class action, filed in 2020, alleged the company misled users by tracking their internet browsing activity who thought that it remained private when using the "

Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement

To settle a years-long lawsuit, Google has agreed to delete “billions of data records” collected from users of “Incognito mode,” illuminating the pitfalls of relying on Chrome to protect your privacy.

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop.

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. Certain documents in the case referring to Google's data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda says in a statement that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active.

The data-deletion portion of the settlement agreement follows preemptive changes to Google’s Incognito mode data collection and the ways it describes what Incognito mode does. For nearly four years, Google has been phasing out third-party cookies, which the company says it plans to completely block by the end of 2024. Google also updated Chrome’s Incognito mode “splash page” in January with weaker language to signify that using Incognito is not “private,” but merely “more private” than not using it.

The settlement's relief is strictly “injunctive,” meaning its central purpose is to put an end to Google activities that the plaintiffs claim are unlawful. The settlement does not rule out any future claims—_The Wall Street Journal_ reports that the plaintiffs’ attorneys had filed at least 50 such lawsuits in California on Monday—though the plaintiffs note that monetary relief in privacy cases is far more difficult to obtain. The important thing, the plaintiffs’ lawyers argue, is effecting changes at Google now that will provide the greatest, immediate benefit to the largest number of users.

Critics of Incognito, a staple of the Chrome browser since 2008, say that, at best, the protections it offers fall flat in the face of the sophisticated commercial surveillance bearing down on most users today; at worst, they say, the feature fills people with a false sense of security, helping companies like Google passively monitor millions of users who've been duped into thinking they're browsing alone.

The Incognito Mode Myth Has Fully Unraveled

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.

Here’s what you need to know about the security updates issued in March.

**Apple iOS**

Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.

Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.

Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.

Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.

Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.

**Google Chrome**

March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.

Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.

At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.

The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.

**Mozilla Firefox**

Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.

Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.

CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

**Google Android**

Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.

You Should Update Apple iOS and Google Chrome ASAP

Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5648-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMarch 28, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-2625 CVE-2024-2626 CVE-2024-2627 CVE-2024-2628                  CVE-2024-2629 CVE-2024-2630 CVE-2024-2631 CVE-2024-2883                  CVE-2024-2885 CVE-2024-2886 CVE-2024-2887Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 123.0.6312.86-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYGFvAACgkQZF0CR8Nudjc4yw//QS0lNQXR6HDrTB4GhrM3/7RhL4bT1jqK6HYorygFd8n26FiOA5H7YJCaegO0rQuQLHl85HnT4pJel65VJvqhITkgPOw5v0B85URBKgcdJvL+WPElZlWXizXmvHRbOjVEjCt0Nxp2InG00diJSEWAVpaenUSmoedEi51OTYO7JZLQjrjBWkztwNVMPZEEQNnIim8aqOwfYS+lPL8gzE2abXcoulX1CJMHnCmxfRCpIhP3VwhFKdSB9ciiqAJ74Craq6oQ51Mm7gtIf9ofmFa7ACAoQq5KmiIqhuGpspiVYfekuIq1/rVfTXXlNBXmbZ7OVXUZZgm1YjY6mxNk+ZVRWWAMvy6OgSzypBjy5CobO/QC1FzlF2otZmB6pdrbl0IjOij5rQOz9qK1Q1+P7Lin/TMJXQ4ZxNAFo2zkhsH1gq1sjijgqfMgFaVqouYUpIpl1RNzQYn6/m0rmwOQqnsnZFabCxJmFOqd9ocO9p0FpQvcpZY8qolAoAesDIvAc79l+EAeMw1oYombWUsv01yacpfiCUd72+fl/n5YFcKPFSjvysZ8bOmCAhzEVg2SOlkps3H3vmESD0Fk08tnaqhPj7G81m0iauolEIxdd4XDeMPuKNgVqpSdOOpTNjan+p3pUZZqjWGMaJaqtI5EEbeTT0THoN43oWPujsv/NUPlXRs==0ca3-----END PGP SIGNATURE-----

Debian Security Advisory 5648-1

Intel PowerGadget version 3.6 suffers from a local privilege escalation vulnerability.

    Vulnerability summary: Local Privilege Escalation from regular user to SYSTEM, via conhost.exe hijacking triggered by MSI installer in repair modeAffected Products: Intel PowerGadgetAffected Versions: tested on PowerGadget_3.6.msi (a3834b2559c18e6797ba945d685bf174), file signed on ‎Monday, ‎February ‎1, ‎2021 9:43:20 PM (this seems to be the latest version), earlier versions might be affected as well.Affected Platforms: WindowsCommon Vulnerability Scoring System (CVSS) Base Score (CVSSv3): 7.8 HIGHRisk score (CVSSv3): 7.8 HIGH AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1)I have reported this issue to Intel, but since the product has been marked End of Life since October 2023, it is not going to receive a security update nor a security advisory. Intel said that they are OK with me making this finding public, under the condition that I would emphasize that the product is EOL.Description and steps to replicate:On systems where Intel PowerGadget is installed from an MSI package, a local interactive regular user is able to run the MSI installer file in the "repair" mode and hijack the conhost.exe process (which is created by an instance of sc.exe the installer calls during the process) by quickly left-clicking on the console window that pops up for a split second in the late stage of the process. Left-clicking on the conhost.exe console window area freezes the console (meaning it prevents the sc.exe process from exiting). That process is running as NT AUTHORITY/SYSTEM. From there, it is possible to run a web browser by clicking on one of the links in the small GUI window that can be called by right-clicking on the console window bar and entering "properties". Once a web browser is spawn, attacker can call up the "Open" dialog and in that way get a fully working escape to explorer. From there they can, for example, browse through C:\Windows\System32 and right-click on cmd.exe and run it, obtaining as SYSTEM shell.Now - an important detail - on most recent builds of Windows neither Edge nor Internet Explorer will spawn as SYSTEM (this is a mitigation from Microsoft); thus for successful exploitation another browser has to already be present in the system. As you can see I pick Chrome and then spawn an instance of cmd.exe, which turns out to be running as SYSTEM. Also, when doing this, DO NOT check "always use this app" in that dialog, as if you pick the wrong one (e.g. Edge or IE), it will be saved as the default http/https handler for SYSTEM and from then further attacks like this won't work if you want to repeat the POC - unless you reverse that change somewhere in the registry.This class of Local Privilege Escalations is described by Mandiant in this article: https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers.To run the installer in repair mode, one needs to identify the proper MSI file. After normal installation, it is by default present in C:\Windows\Installer directory, under a random name. The proper file can be identified by attributes like control sum, size or "author" information.The exploitation process is illustrated in the screenshots below, reflecting the the steps taken to attain a SYSTEM shell (no exploit development is required, the issue can be exploited using GUI).Recommendation:Technically, as per the reference, it is recommended to change the way the sc.exe is called, using the WixQuietExec() method (see the second reference). In such case the conhost.exe window will not be visible to the user, thus making it impossible to perform any GUI interaction and an escape.I am, however, aware that this product is no longer maintained since October 2023 (https://www.intel.com/content/www/us/en/developer/articles/tool/power-gadget.html) and that includes security updates. Still, I believe a security advisory and CVE should be released just to make users and administrators aware why they need to replace PowerGadget with Intel Performance Counter Monitor.Another possible (short-term) mitigation is to disable MSI (https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi).References:https://hackingiscool.pl/intel-powergadget-3-6-local-privilege-escalation/https://www.mandiant.com/resources/blog/privileges-third-party-windows-installershttps://wixtoolset.org/docs/v3/customactions/qtexec/https://www.intel.com/content/www/us/en/developer/articles/tool/power-gadget.html)https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi

Intel PowerGadget 3.6 Local Privilege Escalation

By Deeba Ahmed
Critical Microsoft SharePoint Flaw Exploited: Patch Now, CISA Urges!
This is a post from HackRead.com Read the original post: CISA Urges Patching Microsoft SharePoint Vulnerability (CVE-2023-24955)

Critical Microsoft SharePoint Server Flaw (CVE-2023-24955) Actively Exploited! CISA Urges Patch by April 16th. Learn why patching is crucial and how to secure your servers.

The Cybersecurity and Infrastructure Security Agency (CISA) is urging all US federal civilian agencies to patch a critical vulnerability (tracked as CVE-2023-24955) in the Microsoft SharePoint Server by April 16, 2024. 

CISA has added CVE-2023-24955 to its Known Exploited Vulnerabilities (KEV) catalogue after confirming its active exploitation in the wild.

For your information CISA’s KEV catalog is designed for US Federal Civilian Executive Branch (FCEB) agencies but can be utilized by all organizations, including private ones, to enhance their vulnerability management efforts.

****Vulnerability Details****

CVE-2023-24955 (CVSS score 7.2) is a code injection vulnerability allowing remote code execution (RCE) on vulnerable Microsoft SharePoint servers. An authenticated attacker with Site Owner privileges can execute arbitrary code remotely on SharePoint servers. This means attackers could potentially take full control of affected systems, steal data, or launch further attacks within a network. It is a critical flaw already addressed by Microsoft in its May 2023 Patch Tuesday updates. 

**Why Such Urgency**

CISA’s demand for an immediate patch reflects the potential for widespread damage if the vulnerability is not addressed. CISA has warned about two Microsoft SharePoint code injection vulnerabilities, CVE-2023-24955 and CVE-2023-29357 (a privilege escalation flaw in SharePoint Server), being exploited by malicious cyber actors, posing significant risks to federal enterprises. It is worth noting that CVE-2023-29357 was added to CISA’s KEV list in January 2024.

STAR Labs’ security researcher Nguyễn Tiến Giang (Janggggg) exploited both CVE-2023-24955 and CVE-2023-29357 in March 2023 at Pwn2Own Vancouver to achieve pre-authentication RCE on a patched device running SharePoint 2019, earning a $100,000 reward. Giang published a technical analysis and PoC exploit in December 2023 whereas in September 2023, a standalone PoC exploit for CVE-2023-29357 was published on GitHub. 

Microsoft released patches in May and June 2023 to address both issues. However, it seems some organizations, including US federal agencies, have not yet applied the patch. 

****What Should Users Do?****

This incident underscores the importance of timely patching for critical vulnerabilities and the potential impact of such vulnerabilities on government agencies. 

Microsoft SharePoint Server users, particularly those in high-risk environments such as government agencies, are advised to patch their systems immediately, enable two-factor authentication, and keep software updated to minimize the risk of similar attacks.

****Expert Opinion****

Cybersecurity expert Ray Kelly from the Synopsys Software Integrity Group emphasizes the importance of patching and updating software regularly, especially for private and public-facing servers handling sensitive data.

“This CISA advisory highlights the importance of patching and updating your software regularly, especially for private and public-facing servers that handle sensitive data. These chained vulnerabilities are very serious because they allow attackers to circumvent authentication and execute code remotely on vulnerable servers,” Ray explained.

“However, it’s important to point out that security patches for these vulnerabilities have been available since last Summer. The fact that CISA is now warning us about active exploitation indicates that many organizations have failed to apply the necessary security updates promptly. Malicious actors will always look for the easy targets and an unpatched server will always be easing pickings for them,” he added.

1.  CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
2.  CISA Warns of Exploited Vulnerabilities in Chrome Browser
3.  CISA Advisories Highlight Vulnerabilities in Top ICS Products
4.  CISA Publishes List of Free Cybersecurity Tools and Services
5.  CISA Warns of Flaws in Propump , Controls’ Osprey Pump Controller

Tag

#chrome