Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.

Microsoft's official end-of-support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that's been around for almost 27 years. Even so, IE still likely will provide a juicy target for attackers.

That's because some organizations are still using Internet Explorer (IE) despite Microsoft's long-known plans to deprecate the technology. Microsoft meanwhile has retained the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organizations to run in IE mode while they transition to the Microsoft Edge browser. In other words, IE isn't dead just yet, nor are threats to it.

Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman's Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea's MBN pointed to several large organizations still running IE.

"Internet Explorer has been around for over 20 years and many companies have invested in using it for many things beyond just Web browsing," says Todd Schell, senior product manager at Ivanti. There are still enterprise applications tied closely to IE that often are running older, customized scripts on their website or have apps that may require older scripts. "For example, companies may have built extensive scripts that generate and then display reports in IE. They have not invested in updating them to use HTML 5 for Edge or other modern browsers."

Such organizations face the sort of security issues associated with every other software technology that is no longer supported. Running IE 11 as a standalone app past its end of support date means that previously unknown — or worse yet, known but unpatched — vulnerabilities can be exploited going forward, Schell says.

"This is true for any application or operating system but has historically been an even bigger issue for browsers, which have such widespread use," Schell says. It's hard to say how many organizations worldwide are presently stuck using a technology that is no longer supported because they did not migrate away sooner. But judging by the fact that Microsoft will continue to support compatibility mode in Edge until 2029, IE likely remains in widespread use, he notes.

Any organization that hasn't already should prioritize moving away from IE because of the security implications, says Claire Tills, senior research engineer at Tenable. "The end of support means that new vulnerabilities will not get security patches if they don't meet a certain criticality threshold and, even in those rare cases, those updates will only be available to customers who have paid for Extended Security Updates," she says.

**Bugs Still Abound**

Microsoft Edge has now officially replaced the Internet Explorer 11 desktop app on Windows 10. But the fact that the MSHTML engine will exist as part of the Windows operating system through 2029 means organizations are at risk of vulnerabilities in the browser engine — even if they are no longer using IE.

According to Maddie Stone, security researcher at Google's Project Zero bug hunting team, IE has had a fair number of zero-day bugs over the past years, even as its use shrank. Last year, for example, the Project Zero team tracked four zero-days in IE — the most since 2016, when the same number of zero-days were discovered in the browser. Three of the four zero-day vulnerabilities last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were exploited via methods other than the Web, Stone says.

"It's not clear to me how Microsoft may or may not lock down access to MSHTML in the future," Stone says. "But if the access stays as it is now it means that attackers can exploit vulnerabilities in MSHTML through routes such as Office documents and other file types as we saw last year" with the three MSHTML zero-days, she says. The number of zero-day exploits detected in the wild targeting IE components has been pretty consistent from 2015 to 2021 and suggests that the browser remains a popular target for attackers, Stone says.

Tenable's Tills notes that one of the more widely exploited vulnerabilities in a Microsoft product in 2021 was in fact CVE-2021-40444, a remote code execution zero day in MSHTML. The vulnerability was exploited extensively in phishing attacks by everything from ransomware-as-a-service operators to advanced persistent threat groups.

"Given that Microsoft will continue to support MSHTML, organizations should examine the mitigations for vulnerabilities like CVE-2021-40444 and determine which they can adopt long term to reduce the risk of future vulnerabilities," Tills notes.

**The Usual Mitigations**

Microsoft was not available as of this post to comment on the issue of potential risk for organizations from attacks targeting MSHTML. But Ivanti's Schell says it is reasonable to assume that Microsoft has provided proper security and sandboxing around MSHTML when running in IE compatibility mode. He says Microsoft can monitor and provide any needed updates to MSHTML since it is a supported product and feature. The best mitigation, as always, is for organizations to keep their software, OS, and browser updated and ensure antiviral and malware detection mechanisms are up-to-date as well.

"MSHTML is now just one of many libraries that we have in Windows 11," says Johannes Ullrich, dean of research at the SANS Institute. "Of course, it is a complex one, and one that still has a significant but somewhat reduced attack surface," he notes. So, the best mitigation for organizations is to keep patching Windows when updates become available, he says.

"IE is still popular enough to be a worthwhile target" for attackers, Ullrich adds.

Even so, the continuing number of zero-days being discovered in IE doesn't necessarily mean that attackers have suddenly intensified their interest in attacking it. "It may just be that it was easier to find vulnerabilities using newer tools in the old IE codebase," Ullrich says.

Internet Explorer Now Retired but Still an Attacker Target

The commercial-grade surveillance software initially was used by law enforcement authorities in Italy in 2019, according to a new report.

Researchers have discovered an enterprise-grade Android family of modular spyware dubbed Hermit conducting surveillance on citizens of Kazakhstan by their government.

Lookout Threat Lab researchers - who spotted the spyware - surmise that the secretive Italian spyware vendor RCS Lab developed it and say Hermit was previously deployed by Italian authorities in a 2019 anti-corruption operation in Italy. The spyware also was found in northeastern Syria, home to the country's Kurdish majority and a site of ongoing crises, including the Syrian civil war.

Android devices have been abused with spyware in the past; Sophos researchers uncovered new variants of Android spyware linked to a Middle Eastern APT group back in November 2021. More recent analysis from Google TAG indicates at least eight governments from across the globe are buying Android zero-day exploits for covert surveillance purposes.

Mike Parkin, senior technical engineer at Vulcan Cyber, says spyware is a tool used by many actors worldwide, including criminal organizations, state or state-sponsored threat actors, national security, and law-enforcement organizations following their own mandates.

"Regardless of who is using it or what agenda they are working toward, these commercial- grade spyware tools can seriously threaten people's personal privacy," he says.

The highest profile spyware case in recent memory was the discovery of Pegasus, a legal surveillance software developed by Israeli company NSO Group. The news caused an international furor after it was found covertly installed on iOS and Android mobile phones belonging to human rights activists, journalists, and high-ranking members of governments.

**How Hermit Works**

Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it can download modules from a command-and-control (C2) server as instructed and activate the spying functionality built into these modules.

This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behavior as needed to evade analysis tools and processes.

"The modular design might also be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items," explains Paul Shunk, security researcher at Lookout, which published a report on Hermit today.

Shunk says the overall design and code quality of the malware stands out compared with many other samples he has seen. 

"It was clear this was professionally developed by creators with an understanding of software engineering best practices," he says. "Beyond that, it is not very often we come across malware \[that\] assumes it will be able to successfully exploit a device and make use of elevated root permissions."

The discovery of Hermit adds another puzzle piece to the picture of the secretive market for "lawful intercept" surveillance tools, he says.

"As in the cases of NSO, Cytrox, and other vendors, discovery of their customers usually exposes their claim that their product is only used for legitimate purposes as at least partially untrue," Shunk says.

One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy.

And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan. 

"The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan," Shunk says.

Lookout says an Apple iOS version of the spyware exists as well, but the research team was unable to obtain a sample to analyze.

**'MaliBot' Targets Online Banking**

Meanwhile, another Android-based malware family reared its head this week in the form of Malibot, which is targeting online banking customers in Spain and Italy with the capability to steal credentials and crypto wallets. The malware was discovered by F5 Labs while the security company was tracking the mobile banking Trojan FluBot.

The malware consists of two campaigns: Mining X, which presents a QR code that leads to the malware Android Package Kit, and TheCryptoApp, which attempts to dupe users into downloading a fake version of the popular cryptocurrency tracker app available on the Google Play Store. 

It's also able to steal or bypass multifactor authentication codes and trick victims into downloading the malware either via a direct SMS phishing message or via fake websites they're lured to.

"This is certainly one to pay attention to and F5 expects to see a broader range of targets as time goes on, especially given the versatility of the malware could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency," F5 warns in a blog post.

Android Spyware 'Hermit' Discovered in Targeted Attacks

Adobe Animate version 22.0.5 (and earlier) is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Adobe Animate | APSB22-24

Bulletin ID

Date Published

Priority

ASPB22-24

June 14, 2022    

3

**Summary**

Adobe has released an update for Adobe Animate. This update resolves a critical vulnerability.  Successful exploitation could lead to arbitrary code execution in the context of the current user.        

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Animate

22.0.5 and earlier versions

Windows and macOS

**Solution**

Adobe categorizes this update with the following  priority rating and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Adobe Animate 2021       

21.0.11           

Windows and macOS  

3

Download Center  

Adobe Animate  2022      

22.0.6

Windows and macOS

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30664  

**Acknowledgments**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30664)

**Revisions**

August 21, 2021: Added N-1 version details under the solution section.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-30664: Adobe Security Bulletin

Adobe InCopy versions 17.2 (and earlier) and 16.4.1 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InCopy | APSB22-29

**Bulletin ID**

**Date Published**

**Priority**

APSB22-29

June 14, 2022

3

**Summary**

Adobe has released a security update for Adobe InCopy.  This update addresses multiple  critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.                      

**Affected versions**

16.4.1 and earlier version  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InCopy   

17.3  

Windows  and macOS    

3

Adobe InCopy   

16.4.2  

Windows  and macOS    

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30650  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30651  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30652  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30653  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30654  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30655  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30656  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30657  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.  

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30650, CVE-2022-30651, CVE-2022-30652, CVE-2022-30653, CVE-2022-30654, CVE-2022-30655, CVE-2022-30656, CVE-2022-30657)

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-30650: Adobe Security Bulletin

An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.

**Security Podcast**

OPC Cybersecurity: Larry O’Brien from ARC talks to with Randy Armstrong of the OPC Foundation

**Security Bulletins**

The OPC Foundation publishes security bulletins that affect software that it maintains or distributes. In many cases these bulletins will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.

All the bulletins that have been published are available here.

**Any vulnerabilities or security concerns should be reported to ‘securityteam AT opcfoundation DOT org’**.  
A PGP key to encrypt any sensitive security report can be found here.

**Security Deep Dive Webinar**

*   See recording here
*   Download slides here  
    

**Java log4j2 vulnerability**

A new a critical vulnerability to the open source log4j2 Java service was announced. This vulnerability (CVE-2021-44228) has been rated with a CVSS score of 10.0.

Information for OPC users can be found here:

*   Classic OPC (including OPC Core Components).
*   OPC UA (including open source code managed by the OPC Foundation).

**Security Analysis by Kaspersky Labs**

On May 10th, 2017 Kaspersky Labs released a report identifying 17 zero day vulnerabilities in OPC Foundation code.

*   The OPC Foundation’s formal response can be found here.
*   The complete list of vulnerabilities along with references to appropriate CVEs can be found here.
*   The process that the OPC Foundation follows when these kinds of concerns are raised can be found here.

**Practical Security Recommendations for Building OPC UA applications**

!!  Updated v3 available !!  

OPC Foundation members and partners have published the whitepaper “Practical Security Recommendations”.

Download here

**January, 2017: First Security Analysis by German Office for Information Security (BSI)**

The BSI reviewed the OPC UA security mechanisms and created an evaluation report. Two analyses were performed for this purpose: In the first part of the project, the specification of the OPC UA was analyzed Protocol version 1.02 on systematic errors. This analysis was divided into the following steps:

*   Analysis of already carried out investigations of IT security by OPC UA
*   Threat analysis (analysis of the objectives and threats, analysis of threats and measures)
*   Analysis of the OPC UA specification in detail with an emphasis on the parts of 2, 4, 6, 7 and 12

The Security working group of the OPC Foundation assessed the findings in the BSI report and initiated necessary measures. Although no major flaws had been detected, these measures will help improve the document and the implementations.

The OPC Foundation responses have been inserted into the original BSI report. Each response is labelled with \[OPC-F\].

All issues that need further work have been recorded in Mantis (the OPC Foundation problem reporting tool). Mantis issue references are marked with (Mantis #XXXX), where XXX is the reference number within mantis.

All issues are planned to be solved with the next OPC UA specification (most likely version 1.04) respectively in the OPC Foundation’s ANSI-C stack for OPC UA, version 1.03.340.

Download the BSI report with the OPC Foundation responses:

*   English
*   German

**February, 2022: Second Security Analysis by German Office for Information Security (BSI)**

**BSI: Subject of the analysis – Chapter 2**  
OPC UA was one of the first protocols to be set as an Industrie 4.0 standard by Plattform Industrie 4.0. Compared to other industrial communication protocols, OPC UA in the variant of the client-server communication paradigm offers integrated security mechanisms for authenticated, integrity-protected and, if necessary, encrypted communication, as well as mechanisms to authorize applications or users for access to the corresponding information models. The specified security mechanisms are basically suitable for ensuring secure communication according to the state of the art. This was already examined and confirmed in 2016 in a study conducted on behalf of the BSI for OPC UA Version 1.02. In addition to the analysis of the standard and a threat analysis, the ANSI C implementation of the OPC Foundation was also examined using static and dynamic code analysis including fuzzing.  
Since this study from 2016, there have been major changes in both the OPC UA specification and the implementations provided by the OPC Foundation. OPC UA is now specified in version 1.04 and the most comprehensive change is certainly the newly added communication paradigm PubSub. Other parts of the standard, which cover certificate management for example, have also undergone major changes. The ANSI C implementation (the implementation examined in the 2016 study) is now only available as a legacy version. In addition, more and more products are appearing with (certified) OPC UA support, although it is not always apparent which security functions have been implemented in each case via the security policies and user identity tokens. This includes, for example, the support of a Global Discovery Server (GDS).  
Based on this initial situation, it makes sense to update the 2016 study and add new aspects to the investigation. The aim of this study is therefore to provide an update of the 2016 study based on version 1.04 of the OPC UA standard.  
For the update of the study, all security-relevant changes to the OPC UA specification from version 1.02 to 1.04 were therefore collected and the new version of the specification was examined for vulnerabilities and improvements analogous to the study from 2016. In agreement with the German Federal Office for Safety, PubSub (Part 14) as a new communication paradigm was not considered as part of the update, since the major differences between the two communication paradigms, client/server and PubSub, would not ensure comparability of the results. In addition, no complete (or certified) implementations were available at the time the study was updated. PubSub and the infrastructure required for it should therefore be examined at a later date as part of a separate analysis.  
In the context of updating the study, an open (open source) implementation of the OPC UA protocol should be investigated using static and dynamic code analysis methods. It has been chosen open62541 \[Open source implementation by Fraunhofer. Note by OPCF: This is not a solution or an offering by the OPC Foundation\] as open implementation for investigation in the updated study. On the one hand, it is investigated whether parts of the vulnerabilities identified in 2016 can also be found in the new implementation, if applicable, but also what other anomalies occur during the tests. Any vulnerabilities found will be implemented as far as possible in proof-of-concept exploits and attacks on the implementation or standard will be demonstrated.  
In addition, a market survey will be conducted to determine which security mechanisms have been implemented in the individual products and what difficulties the manufacturers encountered in doing so. The results are to be recorded in recommendations for action for secure implementation by manufacturers and integrators.

Download the BSI report:

*   English under preparation
*   German

CVE-2022-29862: Security - OPC Foundation

Adobe InDesign versions 17.2.1 (and earlier) and 16.4.1 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InDesign | APSB22-30

**Bulletin ID**

**Date Published**

**Priority**

APSB22-30  

June 14, 2022   

3

**Summary**

Adobe has released a security update for Adobe InDesign.  This update addresses multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.  

**Affected versions**

17.2.1 and earlier versions  

16.4.1 and earlier versions  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InDesign Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InDesign

17.3  

Windows and macOS

3

Adobe InDesign

16.4.2  

Windows and macOS

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30658  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30659  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30661  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30662  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30663  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30665  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30660  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30658, CVE-2022-30659, CVE-2022-30661, CVE-2022-30662, CVE-2022-30663, CVE-2022-30665, CVE-2022-30660)

CVE-2022-30658: Adobe Security Bulletin

Attackers could also potentially gain access to various internal services, researcher warns

Attackers could also potentially gain access to various internal services, researcher warns

A memcached injection vulnerability in business webmail platform Zimbra could allow attackers to steal login credentials without user interaction, security researchers have revealed.

Zimbra, an open source alternative to services including Microsoft Exchange, is used by more than 200,000 businesses and more than 1,000 government and financial institutions worldwide, according to its developer, Synacor.

Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource), has documented how unauthenticated attackers could poison an unsuspecting victim’s cache.

It is then possible to steal cleartext credentials from the Zimbra instance, when the mail client connects to the Zimbra server, as demonstrated in the following proof-of-concept video:

Because newline characters () were not escaped in untrusted user input, attackers could inject arbitrary memcached commands into a targeted instance and trigger an overwrite of arbitrary cached entries.

Memcached servers store key/value pairs that can be set and retrieved with a simple text-based protocol and interpret incoming data line by line.

**Escalation risk**

Zimbra users have been urged to upgrade their installations immediately, given the potential impact of successful exploitation.

**RECOMMENDED** Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol

The severity of the vulnerability (CVE-2022-27924) is listed as ‘high’ (CVSS 7.5) rather than ‘critical’, but once a mailbox is breached, “attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information”, Scannell warned.

“With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.”

**Continuous injections**

Attackers could poison victims’ IMAP route cache entries by ascertaining the victim’s email address – an easy enough task with OSINT methods – but the researchers also successfully deployed response smuggling to steal cleartext credentials without first obtaining this information.

“By continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” explained Scannell.

“This works because Zimbra did not validate the key of the Memcached response when consuming it. By exploiting this behavior, we can hijack the proxy connection of random users connecting to our IMAP server without having to know their email addresses.”

**Holding the newline**

The flaw affects both open source and commercial versions of Zimbra in their default configurations.

The flaws were reported on March 11 and an initial fix, released on March 31, failed to properly address the issue. The comprehensively patched versions are 8.8.15 with patch level 31.1 and 9.0.0 with patch level 24.1.

Catch up with the latest security research news

“Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server,” said Scannell. “As the hex-string representation of a SHA-256 can’t contain whitespaces, no new-lines can be injected anymore.”

**Sonar disclosed the flaw on June 14.**

Scannell concluded his write-up by observing that cross-site scripting (XSS) and SQL injection flaws arising from a lack of input escaping “have been well known and documented for decades”, but that “other injection vulnerabilities can occur that are less known and can have a critical impact”.

As a consequence, Scannell recommends that developers “be aware of special characters that should be escaped when dealing with technology where less documentation and research about potential vulnerabilities exists”.

The vulnerability has emerged four months after Zimbra released a hotfix for an XSS flaw whose abuse underpinned a series of sophisticated spear-phishing campaigns linked to an unknown Chinese threat group.

Sonar also discovered a pair of Zimbra vulnerabilities last year that, if combined, allowed unauthenticated attackers to gain control of Zimbra servers.

**RELATED** Horde Webmail contains zero-day RCE bug with no patch on the horizon

Business email platform Zimbra patches memcached injection flaw that imperils user credentials

Zooms On-Premise Meeting Connector MMR before version 4.8.113.20220526 fails to properly check the permissions of a Zoom meeting attendee. As a result, a threat actor in the Zooms waiting room can join the meeting without the consent of the host.

CVE-2022-28749: Security Bulletin

Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Illustrator | APSB22-26

Bulletin ID

Date Published

Priority

ASPB22-26

June 14,  2022     

3

**Summary**

Adobe has released an update for Adobe Illustrator 2022. This update resolves critical and important vulnerabilities that could lead to arbitrary code execution and memory leak.  
             

**Affected Versions**

**Product**

**Version**

**Platform**

Illustrator 2022  

26.0.2 and earlier versions   

Windows and macOS

Illustrator 2021  

25.4.5 and earlier versions   

Windows and macOS

**Solution**

Adobe categorizes these updates with the following  priority ratings  and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Illustrator 2022    

26.3.1  

Windows and macOS

3

Download Page

Illustrator 2021    

25.4.6  

Windows and macOS

3

Download Page

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30637  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30638  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30639  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30640  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30641  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30642  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30643  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30644  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30645  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30646  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30647  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30648  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30649  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30666  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30667  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30668  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30669  

**Acknowledgments**

Adobe would like to thank the following researcher sfor reporting these issues and for working with Adobe to help protect our customers:   

*   Yonghui Han (tmgr) of Fortinet's FortiGuard Labs (CVE-2022-30649, CVE-2022-30666, CVE-2022-30667, CVE-2022-30668, CVE-2022-30669)
*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30637, CVE-2022-30638, CVE-2022-30639, CVE-2022-30640, CVE-2022-30641, CVE-2022-30642, CVE-2022-30643, CVE-2022-30644, CVE-2022-30645, CVE-2022-30646, CVE-2022-30647, CVE-2022-30648)

**Revisions**

March 16, 2022: Added affected & fix versions for Illustrator v25.x

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2022-30669: Adobe Security Bulletin

Adobe After Effects versions 22.0 (and earlier) and 18.4.2 (and earlier) are affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Security Updates Available for Adobe After Effects | APSB21-115

Bulletin ID

Date Published

Priority

ASPB21-115  

December 14, 2021    

3

**Summary**

Adobe has released an update for Adobe After Effects for Windows and macOS. This update addresses  critical and moderate security vulnerabilities. Successful exploitation could lead to arbitrary code execution and privilege escalation in the context of the current user.         

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe After Effects

22.0 and earlier versions     

Windows and macOS

Adobe After Effects  

18.4.2 and earlier versions       

Windows and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority Rating

Availability

Adobe After Effects

22.1.1

Windows and macOS

3

Download Center

Adobe After Effects  

18.4.3

Windows and macOS

3

Download Center  

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Access of Memory Location After End of Buffer (CWE-788)   

Arbitrary code execution   

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-43755  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-44188  

Use After Free (CWE-416)  

Privilege escalation  

Moderate  

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44189  

Out-of-bounds Read (CWE-125)  

Privilege escalation  

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44190  

Out-of-bounds Read (CWE-125)  

Privilege escalation  

Moderate  

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44191  

Out-of-bounds Read (CWE-125)  

Privilege escalation  

Moderate  

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44192  

Out-of-bounds Read (CWE-125)  

Privilege escalation  

Moderate  

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44193  

Out-of-bounds Read (CWE-125)  

Privilege escalation  

Moderate  

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44194  

Out-of-bounds Read (CWE-125)  

Privilege escalation  

Moderate  

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44195  

Out-of-bounds Read (CWE-125)  

Privilege escalation  

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-43027  

**Acknowledgements**

Adobe would like to thank the following researchers for reporting these issues and for working with Adobe to help protect our customers:  

*   Francis Provencher working with Trend Micro Zero Day Initiative - CVE-2021-43027
*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2021-44188, CVE-2021-44189, CVE-2021-44190, CVE-2021-44191, CVE-2021-44192, CVE-2021-44193, CVE-2021-44194, CVE-2021-44195
*   CQY of Topsec Alpha Team (yjdfy) CVE-2021-43755  

**Revisions: **

December 17, 2021: CVSS Base Scores updated for CVE-2021-44190, CVE-2021-44191, CVE-2021-44192, CVE-2021-44193, CVE-2021-44194, CVE-2021-44195, CVE-2021-44188  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Tag

#zero_day