In The Trend of VM July 2024: 3 CVEs in Windows, Ghostscript, and Acronis Cyber Infrastructure
00:00 Greetings and explanation of what trending vulnerabilities are
00:33 Spoofing in Windows MSHTML Platform (CVE-2024-38112)
❗ CVSS score: 7.5, high danger level
A spoofing vulnerability in the engine that processes and renders HTML pages in the Microsoft Windows MSHTML Platform. This is a vulnerability from the July Microsoft Patch Tuesday. According to Check Point, attackers use special “.url” files in their attacks, whose icon looks like the icon of a PDF document. If the user clicks on the file and ignores two uninformative warning notifications, a malicious HTA application is launched in the outdated Internet Explorer browser built into Windows; the HTA draws the user interface and runs the malware.
What is HTA? This is a Microsoft Windows application that is an HTML document. The application is displayed in a separate window using the Microsoft Internet Explorer engine. This window does not contain familiar browser interface elements (menus, address bars, toolbars, etc.). The most dangerous thing is that most Internet Explorer security restrictions do not apply to HTA. The HTA application (and therefore the attacker) can create, modify, delete files and entries in the Windows system registry.
Why does the link open in Internet Explorer? This is all due to the processing of the “mhtml:” prefix in the “.url” file. The July update blocks this.
Check Point experts found examples of such “.url” files as far back as January 2023. According to Trend Micro, the vulnerability is exploited by the APT group Void Banshee to install the Atlantida Stealer malware and collect passwords, cookies and other sensitive data. Void Banshee adds malicious “.url” files to archives with PDF books and distributes them through websites, instant messengers and phishing emails.
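A defender-side check for the “mhtml:” trick described above: a small parser for Windows Internet Shortcut (.url) files that flags any shortcut whose URL value starts with the mhtml: prefix. This is an added example, not code from the video or from Check Point or Trend Micro; the two sample shortcut contents are constructed for illustration and are not real campaign samples.

```python
import configparser
import re
from pathlib import Path

# Constructed sample .url file contents (INI-like format used by Windows).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://phish.example/book.html\r\n"   # mhtml: forces the MSHTML/IE path
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"  # icon chosen to look like a PDF
    "IconIndex=1\r\n"
)

# Match the prefix case-insensitively; Windows treats "MHTML:" the same way.
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict with lower-cased keys, or None."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return {key.lower(): value for key, value in cp.items("InternetShortcut")}


def assess_url_file(text):
    """Classify one .url file's contents: 'suspicious' when the URL uses the mhtml: prefix."""
    fields = parse_url_file(text)
    if fields is None:
        return {"verdict": "not-a-url-file", "url": None}
    url = fields.get("url", "")
    if MHTML_PREFIX.match(url):
        return {
            "verdict": "suspicious",
            "url": url,
            "reason": "mhtml: prefix in a .url file opens the target in the IE/MSHTML engine",
            "iconfile": fields.get("iconfile"),
        }
    return {"verdict": "ok", "url": url}


def scan_directory(root):
    """Walk a directory tree and return the paths of .url files judged suspicious."""
    hits = []
    for path in Path(root).rglob("*.url"):
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        if assess_url_file(text)["verdict"] == "suspicious":
            hits.append(str(path))
    return hits
```

Run `scan_directory` over a mail-attachment quarantine or a user's Downloads folder to surface shortcuts that should be investigated before anyone double-clicks them.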
02:23 Arbitrary Code Execution in Artifex Ghostscript (CVE-2024-29510)
❗ CVSS score: 6.3, medium danger level
Arbitrary code execution vulnerability in Artifex Ghostscript. Memory corruption allows an attacker to bypass the SAFER sandbox and execute arbitrary code. Ghostscript is an interpreter for PostScript and PDF documents. It is used in various software, for example ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, CUPS, etc. It is available for many operating systems. It is difficult to say exactly how widespread it is, but it is clear that it is VERY widespread. For example, thanks to CUPS, it is included in almost every Linux distribution and is often installed by default. If we take computers running Linux alone, there will already be billions of them. And it’s not limited to Linux. This is a very large-scale problem.
• The Ghostscript release that fixes the vulnerability was published on May 2.
• Two months later, on July 2, Codean Labs experts published a detailed analysis of this vulnerability and a PoC. In the video demonstration, they launch the calculator by opening a crafted .ps file with the ghostscript utility or a crafted .odt file in LibreOffice.
• On July 10, a functional exploit appeared on GitHub. And on July 19, a module appeared in Metasploit.
According to Security Affairs and some other sites, the vulnerability is being exploited in the wild. But they all refer to a single microblog post from some developer from Portland. I think more reliable evidence of exploitation in attacks will soon appear.
03:55 Arbitrary Code Execution in Acronis Cyber Infrastructure (CVE-2023-45249)
❗ CVSS score: 9.8, critically dangerous vulnerability
Arbitrary code execution vulnerability in the Acronis Cyber Infrastructure hyperconverged platform. Due to the default passwords used, a remote unauthenticated attacker can gain access to the Acronis Cyber Infrastructure (ACI) server and execute arbitrary code on it. ACI is a hyperconverged platform for storage, backup, compute, virtualization and networking functions.
• Patches that correct this vulnerability were released on October 30, 2023.
• Nine to ten months later, on July 24 of this year, Acronis noted in a bulletin that the vulnerability showed signs of exploitation in the wild. They write that the purpose of the exploitation was to install a cryptominer. On July 29, the vulnerability was added to CISA KEV.
A number of sources report 20,000 service providers using ACI. I haven’t found any evidence of this. There may be confusion here with Acronis Cyber Protect. However, there are probably quite a few large companies using ACI. If you work for such a company, be sure to pay attention.
Subscribe to the avleonovcom Telegram channel “Vulnerability Management and more”! All links are there! #TrendVulns #PositiveTechnologies #Microsoft #Windows #InternetExplorer #Ghostscript #Artifex #CodeanLabs #Metasploit #Acronis #ACI