Warning added to Python documentation was deemed preferable to a patch

Adam Bannister 22 September 2022 at 15:39 UTC  
Updated: 22 September 2022 at 15:57 UTC

Warning added to Python documentation was deemed preferable to a patch

An estimated 350,000 open source repositories are affected by a 15-year old path traversal vulnerability in Python’s tarfile module, according to security researchers.

Having “stumbled across” the unpatched issue while investigating an unrelated vulnerability, they initially thought the flaw was a new zero-day bug before realizing it actually dated back to 2007.

Originally designated a severity score of CVSS 6.8, CVE-2007-4559 allows attackers to gain code execution from the file-write “in most cases”, said Trellix researcher Kasimir Schulz in a blog post published yesterday (September 21).

Catch up with the latest open source software security news

Schulz explained how Trellix researchers successfully achieved this outcome against wireless protocol analyzer Universal Radio Hacker, IT infrastructure management service Polemarch, and Spyder IDE, an open-source development environment for scientific programming.

**Patching marathon**

In a separate Trellix blog post, Douglas McKee said 61% of a sample of around 300,000 files containing the tarfile module, which makes it possible to read and write tar archives, were vulnerable to the bug.

Trellix has created patches for around 11,000 projects and anticipates that a further 70,000 projects will receive a fix in the coming weeks.

The vulnerability arose “from two or three lines of code using unsanitized or the built-in defaults of ,” explains a third Trellix blog post by Charles McFarland. “Failure to write any safety code to sanitize the members files before calling or results in a directory traversal vulnerability, enabling a bad actor access to the file system.”

If an attacker adds ‘’ with the separator for the operating system (‘’ or ‘’) into the file name, they can escape the directory the file is supposed to be extracted into.

**Just a warning**

However, a Python bug thread from 2007, which has been reopened in recent days, concluded with a maintainer asserting that “tarfile.py does nothing wrong, its behaviour conforms to the pax definition and pathname resolution guidelines in POSIX. There is no known or possible practical exploit”.

The maintainer did add a warning to the Python documentation, which remains in place, that urges developers to “never extract archives from untrusted sources without prior inspection”.

**Corner cases**

Trellix’s McKee acknowledged that there are legitimate use cases for preserving behavior that could be abused for malicious purposes. However, he said, “in this instance I believe the risk outweighs the reward for accommodating a few corner cases”, especially given “most” third party online tutorials seemed to “incorrectly demonstrate the insecure use of the tarfile module”.

Trellix created and open-sourced a tool to aid the research and patching process that automatically detects the vulnerability in source code by leveraging AST intermediate representation.

Called Creosote, the utility provides a means to scan closed source repositories too.

“This vulnerability is incredibly easy to exploit” and prevalent in the wild, making Python’s tarfile module “a massive supply chain issue threatening infrastructure around the world”, concluded Schulz.

YOU MIGHT ALSO LIKE Parse Server fixes brute-forcing bug that put sensitive user data at risk

Tarfile path traversal bug from 2007 still present in 350k open source repos

SANTA CLARA, Calif., Sept. 22, 2022 /PRNewswire/ — Palo Alto Networks (NASDAQ: PANW), a Microsoft Azure private MEC ecosystem partner, today announced availability of VM-Series Virtual Next-Generation Firewall (NGFW) technology on the Azure Marketplace. Delivering end-to-end Zero Trust security at the enterprise edge, VM-Series virtual firewalls can now extend best-in-class NGFW capabilities to help protect Azure private MEC applications, providing centralized defense against cyberattacks.

Azure private MEC combines network functions, applications and edge-optimized Azure services managed from the cloud to deliver high-performance, ultra-low-latency 4G/5G private wireless solutions that address the modern business needs of enterprise customers.

"Our long-standing partner solutions with Azure and our VM-Series virtual firewalls have been protecting customer cloud environments for years," said Prem Iyer, vice president, Ecosystems GSI and CSP, Palo Alto Networks. "The new VM-Series 5G capabilities enable enterprises to secure mission-critical applications in industry verticals like manufacturing, healthcare, utilities and public sector, all of which demand the latest in private wireless network technology."

Mobile 5G networks with multi-access edge compute combine AI and cloud technologies to transform enterprises and industries. Customers choose this next-generation mobile technology for its security and reliability, but increasingly sophisticated networks must be safeguarded against a complex and escalating "threatscape." Palo Alto Networks 5G-Native Security on the VM-Series brings advanced Layer 7 security capabilities to help detect and block known exploits, malware, malicious URLs, spyware, and command and control (C2) to 5G-powered edge computing use cases. The VM-Series Next-Generation Firewall enables enterprises to achieve comprehensive security for end-user application traffic that traverses the Azure Private 5G Core, securing edge infrastructure and helping detect and mitigate malicious activity within the user traffic.

Key benefits of the solution include:

*   Faster time to market with a fully tested and validated solution.
*   Simpler deployment at scale from the Azure marketplace, facilitating a rapid rollout of NGFWs.
*   Predefined configuration templates for comprehensive zero-day security.

The Panorama management solution, integrated with Azure, allows for common management of VM-Series virtual firewalls deployed across all cloud and edge environments from a single console and provides centralized visibility and actionable insights into network traffic, logs and threats.

"We're pleased to add Palo Alto Networks 5G security products to Azure Marketplace and our Azure private MEC ecosystem," said Shriraj Gaglani, general manager, Azure for Operators. "This adds an important option for customers when architecting critical end-to-end security frameworks that underpin Industry 4.0 use-cases built on our Azure private MEC solution."

For more information about Microsoft Azure and Palo Alto Networks.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks 5G-Native Security Now Available on Microsoft Azure Private Multi-Access Edge Compute

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

A 15-year-old flaw in the Python open source programming language has remained unpatched in many places, making its way into hundreds of thousands of both open source and closed source projects worldwide. This is inadvertently creating a broadly vulnerable software supply chain that most affected organizations are unaware of, researchers warned.

That's according to the Trellix Advanced Research Center, whose analysts found that a path traversal-related vulnerability, tracked as CVE-2007-4559, presently remains unpatched in more than 350,000 unique open source repositories, leaving software applications vulnerable to exploit.

In a blog post published Sept. 21, principal engineer and director of vulnerability research Douglas McKee said that the code base in question is present in software that spans a vast number of industries — primarily software development, artificial intelligence/machine learning, and code development, but also including sectors as diverse as security, IT management, and media. 

The Python tarfile module also exists in a default module in any project using Python, and is currently found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as applications used for machine learning, automation, and Docker containerization, researchers said.

While the bug allows attackers to escape the directory that a file is supposed to be extracted to, actors can also exploit the flaw to execute malicious code, researchers said.

"Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," McKee said.

**New Problem, Old Vulnerability**

After finding that Python's tarfile module wasn't properly checking for path traversal vulnerabilities in an enterprise device recently, Trellix researchers thought they had stumbled across a new zero-day Python vulnerability, McKee wrote in the post. However, they soon realized that the flaw was one that had already been discovered.

Further digging and later cooperation from GitHub revealed that there are about 2.87 million open source files that contain Python’s tarfile module in about 588,000 unique repositories. Results of Trellix analysis found that about 61% of those instances are vulnerable, which led researchers to a current estimate of 350,000 vulnerable Python repositories.

**In Open Source, There's No One to Blame**

There are a number of reasons that the flaw has been able to spread throughout software unchecked for so long; however, it would be unfair to put specific blame on the Python project, various maintainers of the project, or any developers using the platform, McKee noted.

"Let's start by being explicitly clear — there is no one party, organization, or person to blame for the current state of CVE-2007-4559, but here we are anyway," he wrote.

Because open source projects like Python are run and maintained by a nebulous group of volunteers and not one federated organization — and in this case, a nonprofit foundation, to boot — it's harder to track and fix even known issues in a timely manner, McKee observed.

Further, "it is not uncommon for libraries or software development kits … to consider the responsibility for securely leveraging their APIs as part of the developer's responsibility," he said.

Indeed, Python has put a warning in its documentation of the tarfile function about the risks of using it, explicitly telling developers never to "extract archives from untrusted sources without prior inspection" due to the directory traversal issue.

While a warning is "a positive step" toward spreading awareness of the issue, it clearly hasn't prevented the vulnerability from being perpetuated, since it's still up to developers leveraging the code base to ensure that the software they build is secure, McKee observed.

He added that exacerbating the problem is the fact that most of the Python tutorials for developers on how to use the platform's modules — including Python's own documentation and popular sites like tutorialspoint, geeksforgeeks, and askpython.com — aren't clear on how to avoid insecure use of the tarfile module, he noted.

This discrepancy has allowed the vulnerability to be programmed into the supply chain, a trend that will likely continue for years to come unless there's broader awareness of the problem, McKee noted.

**'Incredibly Easy' to Exploit the Flaw**

On the technical front, CVE-2007-4559 is a path traversal attack in Python's tarfile module that allows an attacker to overwrite arbitrary files, by adding the ".." sequence to filenames in a TAR archive. 

The actual flaw arises from two or three lines of code using unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall(), noted Trellix vulnerability researcher Charles McFarland in a separate blog post on the problem published Wednesday.

"Failure to write any safety code to sanitize the members' files before calling or tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," he wrote.

For an attacker to take advantage of this vulnerability they need to add ".." with the separator for the operating system ("/" or "\\") into the file name to escape the directory the file is supposed to be extracted to, Schulz detailed. Python's tarfile module lets developers do exactly that, he noted.

Trellix vulnerability research intern Kasimir Schulz — whose research on a separate issue is actually responsible for bringing the extensive Python tarfile bug to light — described in detail in a third separate Trellix blog post he wrote published Wednesday how "incredibly easy" it is to exploit CVE-2007-4559.

Tarfiles in Python contain a collection of multiple different files and metadata that's later used to unarchive the tarfile itself, Schulz explained in his post. The metadata contained within a TAR archive includes but is not limited to information such as the file name, the size and checksum of the file, and information about the owner of the file when the file was archived.

"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the TAR archive," Schulz wrote. This enables attackers to create their exploits with as little as six lines of code, he said.

Schulz goes on in his post to explain in detail how he used the flaw and a custom-built script called Creosote — which searches through directories scanning for and then analyzing Python files — to execute malicious code within Spyder IDE, a free and open source scientific environment written for Python that can be run on Windows and macOS.

**Spotlight on the Supply Chain**

The tarfile issue once again highlights the software supply chain as an attack surface, one that has risen in prominence in recent years due to the broad impact attackers can have by targeting flawed code that's present across multiple platforms and thus enterprise environments. This can serve to expansively widen the impact of malicious campaigns without extra work on the part of threat actors.

There have been numerous examples already of what can happen across the supply chain in these types of attacks, with the now-infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year with multiple attacks across various organizations. The latter saga unfolded in early December 2021 with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool that spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Lately, attackers have begun to see the benefit of going directly after open source code repositories to plant their own malicious code that can be exploited later for supply chain attacks. In fact, the Python project has found itself directly in the crosshairs.

In late August, attackers targeted users of the Python Package Index (PyPI) with their first-ever phishing attack aimed at stealing users' credentials so threat actors could load compromised packages to the repository. Earlier that month, PyPI already had removed 10 malicious code packages from the registry after a security vendor warned that threat actors were embedding malicious code into the package installation script.

15-Year-Old Python Flaw Slithers into Software Worldwide

A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen.

Released September 12, 2022

**Contacts**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved checks.

CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32911: Zweig of Kunlun Lab

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

CVE-2022-32917: an anonymous researcher

**Maps**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32883: Ron Masas, breakpointhq.com

**MediaLibrary**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-32908: an anonymous researcher

**Safari**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a malicious website may lead to address bar spoofing

Description: This issue was addressed with improved checks.

CVE-2022-32795: Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati

**Safari Extensions**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A website may be able to track users through Safari web extensions

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

**Shortcuts**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32872: Elite Tech Guru

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

CVE-2022-32872: About the security content of iOS 15.7 and iPadOS 15.7

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.

This document describes the security content of Safari 16.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16**

Released September 12, 2022

**Safari Extensions**

Available for: macOS Big Sur and macOS Monterey

Impact: A website may be able to track users through Safari web extensions

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 243236  
CVE-2022-32891: @real\_as3617, an anonymous researcher

 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 12, 2022

CVE-2022-32912: About the security content of Safari 16

Categories: Business
EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources. Let’s dive into the basics of three common detection and response solutions.



(Read more...)




The post EDR vs MDR vs XDR – What’s the Difference? appeared first on Malwarebytes Labs.

Cyberattacks are rapidly evolving, leaving businesses and their IT security teams to handle immense workloads.

Keeping up with today’s cyberthreats not only involves staying up to date in an ever-changing threat landscape, it also involves managing complex security infrastructure and technologies. Detection and response tools are designed to help security teams monitor, evaluate, and respond to potential threat actor activity.

EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources.

Although detection and response tools share similar purposes, they are not all equal. Every threat detection and response capability has its own advantages when it comes to addressing the needs of your business and catching threats that have thwarted traditional security layers.

Let’s dive into the basics of three common detection and response solutions.

**Endpoint Detection and Response (EDR)**

Endpoint detection and response (EDR) solutions cover all endpoint monitoring and activity through threat hunting, data analysis, and remediation to stop a range of cyberattacks. These attacks include malware, ransomware, brute force, and zero-day intrusions.

**Managed Detection and Response (MDR)**

Managed detection and response (MDR) is a service that offers a suite of outsourced capabilities to deliver round-the-clock, 24/7/365 monitoring and detection, proactive threat hunting, prioritization of alerts, correlated data analysis, managed threat investigation, and remediation. MDR is popularly thought of as an in-house Security Operations Center (SOC) alternative. It blends a human element of highly-skilled experts with threat intelligence technologies.

**Extended Detection and Response (XDR)**

Extended detection and response (XDR) is a proactive cybersecurity solution that provides improved, unified visibility over endpoints, networks, and the cloud through aggregating siloed data across an organization’s security stack.

**What is the difference between EDR vs MDR vs XDR?**

Today’s industry-leading detection and response technologies rely on threat intelligence data pulled from different sources. This threat intel data varies in readability and usefulness depending on the tool and its intended audience, your security team, decision-makers, or key stakeholders. Not all businesses have the cybersecurity resources to interpret copious amounts of data, investigate alerts, and act on threats.

Let’s compare threat detection and response tools and the challenges they address.

**EDR vs MDR**

The difference between EDR and MDR is scale.

The needs of your organization, the number of assets and endpoint devices to protect, available resources, bandwidth, and in-house cybersecurity skill level are all factors to consider when it comes to MDR vs EDR. Addressing your business’ security challenges is crucial to understanding how much visibility your company really needs, doing so will help determine the detection and response technology best fit for your business and enhance your cybersecurity stack.

EDR has several benefits and provides holistic visibility into the attack surface of all your endpoints and can detect threats that circumvent legacy endpoint protection platforms (EPP). Endpoint Detection and Response is a staple for establishing a comprehensive security strategy and lays the groundwork for scalable cybersecurity maturity. Although fundamental, it generates a lot of alerts and endpoint telemetry data, adding to its complexity. It requires skilled cybersecurity talent who can readily handle high alert volume, interpret EDR alerts, and respond proficiently. The key takeaway is that standalone EDR products help businesses wanting to enhance their endpoint security posture but require a level of resources and advanced cybersecurity personnel.

MDR security is a managed service which merges human expertise with threat intelligence, offering advanced threat hunting, threat identification, alert prioritization, and incident response. MDR helps businesses obtain outsourced, high-skilled cybersecurity experts at an affordable cost. Regardless of size and level of expertise, your current IT team can leverage a turnkey experience with Managed Detection and Response to close the skill gap in specialized security talent. Small businesses seeking to build security maturity, handle complex threats, and relieve in-house alert fatigue, have everything to gain from Managed Detection and Response.

**MDR vs XDR**

XDR works to consolidate alerts and unify previously siloed data from a range of cybersecurity tools. Businesses struggling with an influx of alerts across multiple existing security tools have the most to benefit from XDR solutions. Providing extended visibility, the tool is centered on aggregating and correlating telemetry from various security tools and enhancing defense across the security ecosystem.

Extended Detection and Response addresses the challenges of businesses with multilayered security architecture.

**Tips for choosing a threat detection and response tool for your business**

Choosing the right detection and response tool starts with addressing your business’ security needs at scale. Simply put, your organization should consider the following questions:

• What does my company need to protect? What assets are most vulnerable to being compromised?  
• How much visibility does my organization need?  
• Does my security team have the skillset, time, and bandwidth to handle large security workloads?  
• What are the resource constraints of my organization?  
• Who will be analyzing, investigating, and responding to detected threats, alerts, and data?

**Featured articles **

What is Threat Hunting?

3 ways MDR can drive business growth for MSPs

Cyber threat hunting for SMBs: How MDR can help

What is Threat Intelligence?

What is MDR?

What is SIEM?

What is SOC?

Webinar: Malwarebytes EDR Product Demo

EDR vs MDR vs XDR – What’s the Difference?

An origin validation error vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to cause a denial-of-service on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

September 14th, 2022

**Trend Micro Apex One Origin Validation Error Denial-of-Service Vulnerability****ZDI-22-1189  
ZDI-CAN-16314**

CVE ID

CVE-2022-40140

CVSS SCORE

5.5, (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Apex One  

VULNERABILITY DETAILS

This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Apex One NT Listener service. The issue results from insufficient validation of the origin of commands. An attacker can leverage this vulnerability to delete the Security Agent from the endpoint.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://success.trendmicro.com/solution/000291528  

DISCLOSURE TIMELINE

*   2022-02-09 - Vulnerability reported to vendor
*   2022-09-14 - Coordinated public release of advisory

CREDIT

Simon Zuckerbraun - Trend Micro Zero Day Initiative  

BACK TO ADVISORIES

CVE-2022-40140: ZDI-22-1189

Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine. 

This vulnerability is similar to, but not the same as CVE-2022-35234.

August 31st, 2022

**Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability****ZDI-22-1176  
ZDI-CAN-16605**

CVE ID

CVE-2022-37347

CVSS SCORE

4.4, (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Maximum Security  

VULNERABILITY DETAILS

This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the User Mode Hooking Monitor Engine. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://helpcenter.trendmicro.com/en-us/article/tmka-11058  

DISCLOSURE TIMELINE

*   2022-02-16 - Vulnerability reported to vendor
*   2022-08-31 - Coordinated public release of advisory

CREDIT

Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative  

BACK TO ADVISORIES

CVE-2022-37347: ZDI-22-1176

Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine. 

This vulnerability is similar to, but not the same as CVE-2022-37347.

August 31st, 2022

**Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability****ZDI-22-1177  
ZDI-CAN-16606**

CVE ID

CVE-2022-37348

CVSS SCORE

4.4, (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Maximum Security  

VULNERABILITY DETAILS

This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the User Mode Hooking Monitor Engine. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://helpcenter.trendmicro.com/en-us/article/tmka-11058  

DISCLOSURE TIMELINE

*   2022-02-16 - Vulnerability reported to vendor
*   2022-08-31 - Coordinated public release of advisory

CREDIT

Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative  

BACK TO ADVISORIES

Tag

#zero_day