Microsoft Patches 26 Critical Bugs in Big March Update
2020-03-10T21:19:39
ID THREATPOST:58C865E4F2AA34CD62938A2E6BBFDE44 Type threatpost Reporter Tom Spring Modified 2020-03-10T21:19:39
Description
Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update – 26 rated critical and 88 rated medium severity. The bugs patched span its product catalog, from Azure DevOps to Windows 10.
This month’s haul is notable for its size and for the fact that only a few stand-out bugs will cause headaches for system administrators. Unlike last month, Microsoft did not report that any of the bugs were publicly known or under active attack when it released its bulletin.
Within the mix of critical issues, Microsoft tackled three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to Microsoft’s VBScript scripting engine.
As for the two bugs in IE, researchers warned that either one could lead to code execution with the rights of the logged-in user, and therefore with full administrative rights if the victim was logged in as an administrator.
“The vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user,” wrote Jay Goodman, strategic product marketing at Automox, via email. “What this means is that an attacker could run malicious code directly on the user’s system. If the user is logged in with administrative rights, those rights would extend to the code.”
As for the VBScript bug, the researcher said that an attacker who successfully commandeered the scripting engine via code execution would gain sysadmin-like powers, allowing them to run scripts and leverage software tools to control connected endpoints. “[It] will give the user complete control over many aspects of the device,” Melick said.
As for the other critical bugs, 17 fixes are tied to Microsoft’s browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys’ Patch Tuesday team.
Jain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. “An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user,” he noted.
Todd Schell, senior product manager for security at Ivanti, pointed out that the Word issue “could be exploited through the Preview Pane in Outlook, making it a more interesting target for threat actors.”
He also noted that Microsoft announced a vulnerability in its Remote Desktop Connection Manager (CVE-2020-0765) that the software giant said it won’t fix. “They do not plan to release an update to fix the issue,” he said in a prepared statement. “The product has been deprecated. Their guidance is to use caution if you continue to use RDCMan, but recommends moving to supported Remote Desktop clients.”
This month Microsoft offered its usual perfunctory advice:
“Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack,” it wrote. Besides advising users not to visit untrusted sites or click on suspect links, it recommends that organizations “apply the principle of least privilege to all systems and services.”
{"id": "THREATPOST:58C865E4F2AA34CD62938A2E6BBFDE44", "type": "threatpost", "bulletinFamily": "info", "title": "Microsoft Patches 26 Critical Bugs in Big March Update", "description": "Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update \u2013 26 rated critical and 88 rated medium severity. The bugs patched span its product catalog, from Azure DevOps to Windows 10.\n\nThis month\u2019s haul is notable in its quantity and that there are only a few stand-out bugs causing headaches for system administrators. Unlike [last month](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>), Microsoft did not report that any of its bugs were publicly known or under attack at the time it released its bulletin.\n\nWithin the mix of critical issues, Microsoft tacked three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to the VBscript scripting language used by Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for the two bugs in IE, researchers warned that either one could lead to code execution only if the victim was logged in with administrative rights.\n\n\u201cThe vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user,\u201d wrote Jay Goodman, strategic product marketing at Automox, via email. \u201cWhat this means is that an attacker could run malicious code directly on the user\u2019s system. If the user is logged in with administrative rights, those rights would extend to the code.\u201d\n\nAs for the VBscript bug, the researcher said, if an attacker was successful in commandeering the tool via code execution, it would allow an adversary to have sysadmin-like powers. That would allow them to run scripts and leverage software tools to control connected endpoints. 
\u201c[It] will give the user complete control over many aspects of the device,\u201d Melick said.\n\nAs for the other critical bugs, 17 fixes are tied to Microsoft\u2019s browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys\u2019 Patch Tuesday team.\n\nJain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. \u201cAn attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user,\u201d he noted.\n\nTodd Schell, senior product manager for security at Ivanti, pointed out that the Word issue \u201ccould be exploited through the Preview Pane in Outlook, making it a more interesting target for threat actors.\u201d\n\nHe also noted that Microsoft announced a vulnerability in its Remote Desktop Connection Manager (CVE-2020-0765) that the software giant said it won\u2019t fix. \u201cThey do not plan to release an update to fix the issue,\u201d he said in a prepared statement. \u201cThe product has been deprecated. Their guidance is to use caution if you continue to use RDCMan, but recommends moving to supported Remote Desktop clients.\u201d\n\nThis month Microsoft offered its usual perfunctory advice:\n\n\u201cApply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack,\u201d it wrote. 
Besides suggesting to users not to visit untrusted sites or click on suspect links, it recommends, \u201capply the principle of least privilege to all systems and services.\u201d\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "published": "2020-03-10T21:19:39", "modified": "2020-03-10T21:19:39", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/microsoft-patches-bugs-march-update/153597/", "reporter": "Tom Spring", "references": ["https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/", "https://threatpost.com/newsletter-sign/", "https://attendee.gotowebinar.com/register/3191336203359293954?source=art", "https://attendee.gotowebinar.com/register/3191336203359293954?source=art"], "cvelist": ["CVE-2020-0765", "CVE-2020-0824", "CVE-2020-0833", "CVE-2020-0847", "CVE-2020-0852", "CVE-2020-5135"], "lastseen": "2020-10-14T22:27:41", "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:8E52FA6620F4FFE6ED3A412867239F2B", "THREATPOST:D4868E3B9B62DFBA16E6DD7067C0B09B", "THREATPOST:4F35D1FB8D4F6424F1ADA90F6ED4DF55", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:4A02969D23A7147DEF39EFDE11D3094E", "THREATPOST:C9AB0B1EBE1A344DC385414BD784DFC7", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:D819574E836325FD37CCA2E8B9E979A1", "THREATPOST:DF35DF449CB3A8F93C405B227A00E117", 
"THREATPOST:CEFF4DB144B2E463CD3FB46A8A93EEF8", "THREATPOST:E07387431E59AD0A09420F7EFA295856"]}, {"type": "cve", "idList": ["CVE-2020-0765", "CVE-2020-5135", "CVE-2020-0824", "CVE-2020-0852", "CVE-2020-0833", "CVE-2020-0847"]}, {"type": "thn", "idList": ["THN:3D9F7E987C17A81C15F0745D108233C7"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_MAR_OFFICE_WEB.NASL", "SMB_NT_MS20_MAR_INTERNET_EXPLORER.NASL"]}, {"type": "mscve", "idList": ["MS:CVE-2020-0833", "MS:CVE-2020-0852", "MS:CVE-2020-0847", "MS:CVE-2020-0824", "MS:CVE-2020-0765"]}, {"type": "kaspersky", "idList": ["KLA11686", "KLA11681"]}, {"type": "mskb", "idList": ["KB4484277", "KB4484270"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310816598"]}, {"type": "krebs", "idList": ["KREBS:9D9C58DB5C5495B10D2EBDB92549B0F2"]}], "modified": "2020-10-14T22:27:41", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-10-14T22:27:41", "rev": 2}, "vulnersScore": 6.3}}
{"cve": [{"lastseen": "2020-10-03T12:55:46", "description": "A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0850, CVE-2020-0851, CVE-2020-0855, CVE-2020-0892.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-12T16:15:00", "title": "CVE-2020-0852", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0852"], "modified": "2020-03-16T19:16:00", "cpe": ["cpe:/a:microsoft:sharepoint_server:2019", "cpe:/a:microsoft:office_online_server:1.0", "cpe:/a:microsoft:office:2016", "cpe:/a:microsoft:office:2019"], "id": "CVE-2020-0852", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0852", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_online_server:1.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:office:2016:*:*:*:*:mac_os:*:*"]}, {"lastseen": "2020-10-03T12:55:46", "description": "A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'.", "edition": 4, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-12T16:15:00", "title": "CVE-2020-0824", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0824"], "modified": "2020-03-17T13:21:00", "cpe": ["cpe:/a:microsoft:internet_explorer:11"], "id": "CVE-2020-0824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0824", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T22:03:03", "description": "An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity, aka 'Remote Desktop Connection Manager Information Disclosure 
Vulnerability'.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-03-12T16:15:00", "title": "CVE-2020-0765", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0765"], "modified": "2020-03-17T14:32:00", "cpe": ["cpe:/a:microsoft:remote_desktop_connection_manager:2.7"], "id": "CVE-2020-0765", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0765", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:remote_desktop_connection_manager:2.7:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:46", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. 
This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0848.", "edition": 4, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-12T16:15:00", "title": "CVE-2020-0833", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0833"], "modified": "2020-03-18T13:50:00", "cpe": ["cpe:/a:microsoft:internet_explorer:11"], "id": "CVE-2020-0833", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0833", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T22:03:15", "description": "A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. 
This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-12T11:15:00", "title": "CVE-2020-5135", "type": "cve", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-23T00:55:00", "cpe": ["cpe:/o:sonicwall:sonicos:7.0.0.0", "cpe:/o:sonicwall:sonicos:6.5.1.11", "cpe:/o:sonicwall:sonicosv:6.5.4.4", "cpe:/o:sonicwall:sonicos:6.0.5.3", "cpe:/o:sonicwall:sonicos:6.5.4.7"], "id": "CVE-2020-5135", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5135", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:sonicwall:sonicos:6.0.5.3:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:7.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicosv:6.5.4.4:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.5.4.7:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.5.1.11:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:46", "description": "A remote code execution vulnerability exists in the way that the 
VBScript engine handles objects in memory, aka 'VBScript Remote Code Execution Vulnerability'.", "edition": 4, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-12T16:15:00", "title": "CVE-2020-0847", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0847"], "modified": "2020-03-18T16:57:00", "cpe": ["cpe:/a:microsoft:internet_explorer:11", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2020-0847", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0847", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2020-03-11T18:04:31", "bulletinFamily": "info", "cvelist": ["CVE-2019-19781", "CVE-2020-0765", "CVE-2020-0824", "CVE-2020-0833", "CVE-2020-0847", "CVE-2020-0852"], "description": "Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update \u2013 26 rated critical and 88 rated medium severity. 
The bugs patched span its product catalog, from Azure DevOps to Windows 10.\n\nThis month\u2019s haul is notable in its quantity and that there are only a few stand-out bugs causing headaches for system administrators. Unlike [last month](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>), Microsoft did not report that any of its bugs were publicly known or under attack at the time it released its bulletin.\n\nWithin the mix of critical issues, Microsoft tacked three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to the VBscript scripting language used by Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for the two bugs in IE, researchers warned that either one could lead to code execution only if the victim was logged in with administrative rights.\n\n\u201cThe vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user,\u201d wrote Jay Goodman, strategic product marketing at Automox, via email. \u201cWhat this means is that an attacker could run malicious code directly on the user\u2019s system. If the user is logged in with administrative rights, those rights would extend to the code.\u201d\n\nAs for the VBscript bug, the researcher said, if an attacker was successful in commandeering the tool via code execution, it would allow an adversary to have sysadmin-like powers. That would allow them to run scripts and leverage software tools to control connected endpoints. 
\u201c[It] will give the user complete control over many aspects of the device,\u201d Melick said.\n\nAs for the other critical bugs, 17 fixes are tied to Microsoft\u2019s browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys\u2019 Patch Tuesday team.\n\nJain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. \u201cAn attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user,\u201d he noted.\n\nTodd Schell, senior product manager for security at Ivanti, pointed out that the Word issue \u201ccould be exploited through the Preview Pane in Outlook, making it a more interesting target for threat actors.\u201d\n\nHe also noted that Microsoft announced a vulnerability in its Remote Desktop Connection Manager (CVE-2020-0765) that the software giant said it won\u2019t fix. \u201cThey do not plan to release an update to fix the issue,\u201d he said in a prepared statement. \u201cThe product has been deprecated. Their guidance is to use caution if you continue to use RDCMan, but recommends moving to supported Remote Desktop clients.\u201d\n\nThis month Microsoft offered its usual perfunctory advice:\n\n\u201cApply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack,\u201d it wrote. 
Besides suggesting to users not to visit untrusted sites or click on suspect links, it recommends, \u201capply the principle of least privilege to all systems and services.\u201d\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "modified": "2020-03-10T21:19:39", "published": "2020-03-10T21:19:39", "id": "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "href": "https://threatpost.com/microsoft-patches-bugs-march-update/153597/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-patches-bugs-march-update", "type": "threatpost", "title": "Microsoft Patches 26 Critical Bugs in Big March Update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-11T13:15:24", "bulletinFamily": "info", "cvelist": ["CVE-2020-0833"], "description": "Sound security budget planning and execution are essential for the CIO\u2019s/CISO\u2019s success. Now, for the first time, The Ultimate Security Budget Plan & Track Excel template ([**download here**](<https://go.cynet.com/the-ultimate-security-budget-template/?utm_source=threatpost>)) provides security executives a clear and intuitive tool to keep track of planned vs. 
actual spend, ensuring that security needs are addressed while maintaining the budgetary frame.\n\nThe dynamic nature of the threat landscape and the possibility of the organization being subject to a critical attack, make an unexpected investment in additional products, staff, or services a highly likely scenario that should be considered. Integrating this factor within the initial planning is a challenge many CISOs encounter.\n\nThe Ultimate Security Budget Plan & Track template is an excel spreadsheet that comes pre-packaged with the required formulas to continuously measure, on a monthly basis, the planned and actual security investments, providing immediate visibility into any mismatch between the two. In addition, for each month there is a summary, displaying the percentage of how much of the overall annual budget has been already consumed.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/10150625/The-Ultimate-Security-Budget-Excel-Template.png>)\n\nThe Ultimate Security Budget Plan & Track Excel divides security spending into three buckets:\n\n * **Products** \u2013 already deployed as well as planned projects for the coming year\n * **Staff** \u2013 ongoing retainment of the security team, investments in their professional development, and security training to the organization\u2019s workforce\n * **Services** \u2013 any type of 3rd party services, from product deployment and management to IR and auditing.\n\nNaturally, there is no one size fits all, and while the template is pre-populated with common products, staff, and services categories with examples it is meant to be used as a starting point from which each CISO can make modifications and adjustments based on their organization\u2019s unique needs.\n\nIn order to get started, the following steps are required:\n\n 1. 1. Insert the annual cybersecurity budget in the dedicated cell\n 2. 
Go through the three spend sections and add the names of the products, staff and services you use (feel free to modify these sections based on your needs)\n 1. Enter your planned spending for every month\n 2. At the end of every month, enter your actual spending. If it exceeds the planned one, the cell should become red.\n 3. At the end of each month, get clear visibility into your expected annual spent (actual spend so far + planned spent until the end of the year) vs. The annual allocated budget.\n\n[Download The Ultimate Security Budget Plan & Track here](<https://go.cynet.com/the-ultimate-security-budget-template/?utm_source=threatpost>)\n", "modified": "2020-03-11T13:00:34", "published": "2020-03-11T13:00:34", "id": "THREATPOST:4F35D1FB8D4F6424F1ADA90F6ED4DF55", "href": "https://threatpost.com/the-ultimate-security-budget-excel-template-the-easiest-way-to-plan-and-monitor-your-security-spending/153558/?utm_source=rss&utm_medium=rss&utm_campaign=the-ultimate-security-budget-excel-template-the-easiest-way-to-plan-and-monitor-your-security-spending", "type": "threatpost", "title": "The Ultimate Security Budget Excel Template", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-29T23:46:43", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "NVIDIA released a patch for a critical bug in its high-performance line of DGX servers that could open the door for a remote attacker to take control of and access sensitive data on systems typically operated by governments and Fortune-100 companies.\n\nIn all, NVIDIA [issued nine patches](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>), each fixing flaws in firmware used by DGX high-performance computing (HPC) systems, which are used for processor-intensive artificial intelligence (AI) tasks, machine learning and data modeling. 
All of the flaws are tied to its own firmware that runs on its DGX AMI baseboard management controller (BMC), the brains behind a remote monitoring service servers.\n\n\u201cAttacks can be remote (in case of internet connectivity), or if bad guys can root one of the boxes and get access to the BMC they can use the out of band management network to PWN the entire datacenter,\u201d wrote researcher Sergey Gordeychik who is credited for finding the bugs. \u201cIf you have access to OOB, it is game is over for the target.\u201d \n[](<https://threatpost.com/newsletter-sign/>)\n\nGiven the high-stake computing jobs typically running on the HPC systems, the researcher noted an adversary exploiting the flaw could \u201cpoison data and force models to make incorrect predictions or infect an AI model.\u201d\n\n## **No Patch Until 2021 for One Bug **\n\nNVIDIA said a patch fixing one high-severity bug (CVE\u20112020\u201111487), specifically impacting its DGX A100 server line, would not be available until the second quarter of 2021. The vulnerability is tied to a hard-coded RSA 1024 key with weak ciphers that could lead to information disclosure. A fix for the same bug (CVE\u20112020\u201111487), impacting other DGX systems (DGX-1, DGX-2) is available.\n\n\u201cTo mitigate the security concerns,\u201d NVIDIA wrote, \u201climit connectivity to the BMC, including the web user interface, to trusted management networks.\u201d\n\n## **Bugs Highlight Weaknesses in AI and ML Infrastructure**\n\n\u201cWe found a number of vulnerable servers online, which triggered our research,\u201d the researcher told Threatpost. 
The bugs were disclosed Wednesday and presented as part of a [presentation](<https://codeblue.jp/2020/en/speakers/?content=undefined>) \u201c[Vulnerabilities of Machine Learning Infrastructure](<https://codeblue.jp/2020/en/speakers/>)\u201d at [CodeBlue 2020](<https://codeblue.jp/2020/en/>), a security conference in Tokyo, Japan.\n\nDuring the session, Gordeychik demonstrated how NVIDIA DGX GPU servers used in machine learning frameworks (PyTorch, Keras and TensorFlow), data processing pipelines and applications such as medical imaging and face-recognition-powered CCTV could be tampered with by an adversary.\n\nThe researcher noted that other vendors are also likely impacted. \u201cInteresting thing here is the supply chain,\u201d he said. \u201cNVIDIA uses a BMC board by Quanta Computers, which is based on AMI software. So to fix issues [NVIDIA] had to push several vendors to get a fix.\u201d\n\nThose vendors include:\n\n * IBM (BMC Advanced System Management)\n * Lenovo (ThinkServer Management Module)\n * Hewlett-Packard Enterprise Megarac\n * Mikrobits (Mikrotik)\n * Netapp\n * ASRockRack IPMI\n * ASUS ASMB9-iKVM\n * DEPO Computers\n * TYAN Motherboard\n * Gigabyte IPMI Motherboards\n * Gooxi BMC\n\n## **Nine CVEs**\n\nAs for the actual patches issued by NVIDIA on Wednesday, the most serious is tracked as CVE\u20112020\u201111483 and is rated critical. \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure,\u201d according to the security bulletin.\n\nImpacted NVIDIA DGX server models include DGX-1, DGX-2 and DGX A100.\n\nFour of the NVIDIA bugs were rated high-severity (CVE\u20112020\u201111484, CVE\u20112020\u201111487, CVE\u20112020\u201111485, CVE\u20112020\u201111486), with the most serious of the four tracked as [CVE\u20112020\u201111484](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>). 
\u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure,\u201d the chipmaker wrote.\n\nThree of the other patched vulnerabilities were rated medium severity and one low.\n\n\u201cHackers are well aware of AI and ML infrastructure issues and use ML infrastructure in attacks,\u201d Gordeychik said.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. 
EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "modified": "2020-10-29T23:15:17", "published": "2020-10-29T23:15:17", "id": "THREATPOST:AF18435BD7544B43152D5D3E8B97CE30", "href": "https://threatpost.com/nvidia-critical-bug-hpc/160762/", "type": "threatpost", "title": "NVIDIA Patches Critical Bug in High-Performance Servers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:30:12", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium.\n\nTouchPad and TrackPoint firmware in Lenovo laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.\n\n\u201cSoftware and network vulnerabilities are often the more-obvious focus of organizations\u2019 security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,\u201d Katie Teitler, senior analyst at TAG Cyber, said via email. \u201cThis could lead to implanted backdoors, network traffic sniffing, data exfiltration and more. Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch.\u201d\n\n## Unsigned Firmware Updates: A Growing Problem\n\nFirmware for peripherals can be burned into the integrated circuit of the device itself, or the component may have its own flash memory where firmware is stored. Firmware can also be dynamically provided by the operating system at boot time. 
Regardless of the implementation approach, firmware is used as the device-specific operating system for the peripheral in question, and can provide criminals with a rich attack surface if found to be vulnerable.\n\n\u201cMany peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code,\u201d explained researchers at Eclypsium, in vulnerability research [released on Tuesday](<https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/>). \u201cThis means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.\u201d\n\nThe scenario for an attack is thus a simple one. First, an attacker gains access to a device by any method (physical access, malware that allows remote code execution and so on); then, with only basic user privileges, the attacker can write malicious firmware to a vulnerable component. If the component doesn\u2019t require the firmware to be properly signed, the attacker\u2019s code is loaded. Depending on the peripheral in question, this can lead to a range of malicious activity.\n\n\u201cFor example, malicious firmware on a network adapter could allow an attacker to sniff, copy, redirect or alter traffic leading to a loss of data, man-in-the-middle and other attacks,\u201d according to the research. \u201cPCI-based devices could enable [Direct Memory Access (DMA) attacks](<https://threatpost.com/dell-hp-memory-access-bugskernel-privileges/152369/>) that could easily steal data or take full control over the victim system. 
Cameras could be used to capture data from the user\u2019s environment, while a compromised hard drive could allow the attacker to hide code and tools without being seen by the operating system.\u201d\n\nFurther, firmware attacks allow malicious activity to fly under the radar of endpoint protections; as recently seen in the [latest campaigns using the RobbinHood ransomware](<https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/>), vulnerable drivers can be used to bypass security protections and enable ransomware to attack without interference.\n\nJesse Michael, principal researcher at Eclypsium, told Threatpost that the kinds of attacks that these bugs enable are not insignificant. For instance, the Black Energy attack that brought down part of the power grid in Ukraine used an unsigned firmware update to break serial-to-Ethernet adapters that were used to control relays.\n\n\u201cA similar incident occurred with Saudi Aramco,\u201d he said. \u201cThis made the system much harder to bring back online.\u201d He added that firmware/hardware CVEs have increased 7.5-fold compared with three years ago.\n\n## New Vulnerabilities\n\nEclypsium researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop, which contains two vulnerable firmware mechanisms: Touchpad firmware (pr2812761-tm3288-011-0808.img) and TrackPoint firmware (PSG5E5_RANKA_fv06.bin).\n\n\u201cWe discovered that the Touchpad and TrackPoint use insecure firmware update mechanisms,\u201d according to the research. \u201cSpecifically, cryptographic signature verification was not required at the device level before firmware updates were applied. 
This lack of control made it possible to modify the firmware images through software to run arbitrary malicious code within these components.\u201d\n\nMeanwhile, the firmware updates distributed by HP for the HP Wide Vision FHD camera found in the HP Spectre x360 Convertible 13-ap0xxx laptop are unencrypted and lack authenticity checks, Eclypsium noted. The device\u2019s firmware updater is composed of SunplusIT\u2019s Windows-based firmware update tool along with the firmware image, and both have issues.\n\n\u201cThe firmware image does not include any form of cryptographic signature or other authenticity information,\u201d according to the report. \u201cThe Windows-based firmware update tool accepts firmware files that have been modified to adjust USB descriptor contents. This ability to modify USB descriptors can be leveraged to disable the device or cause it to be identified as a different type of USB device. Once additional details of the processor architecture are discovered, the camera module behavior can be altered to be malicious.\u201d\n\nAlso, the SunplusIT firmware updater can successfully update a device even as a normal user, rather than requiring administrator access \u2013 a violation of best practices.\n\nEclypsium researchers also found that the firmware of the Wi-Fi adapter on Dell XPS 15 9560 laptops running Windows 10 has a bug. While Windows 10 will confirm that the drivers are correctly signed, that\u2019s where the security checks stop. So, if the drivers are correctly signed, a small certificate icon is displayed next to the driver when viewed in the device manager. If they aren\u2019t correctly signed, a user can still successfully load them \u2013 the icon merely goes away. This means that a privileged attacker could easily replace driver files.\n\nAnd finally, the researchers also took a look at the Linux Vendor Firmware Service, which is a secure portal that allows hardware vendors to upload firmware updates. 
An analysis showed multiple insecure updates and drivers.\n\n\u201cFrom this resource we can focus specifically on update protocols and easily review which are signed and which are not,\u201d the researchers wrote. \u201cWhile we can see that some of the update protocols are related to transport, many others are protocols used for the actual update process. For example, VLI USB Hub firmware is unsigned.\u201d\n\n## Vendor Response\n\nEclypsium researchers notified HP of the webcam firmware vulnerability on August 4, and Lenovo of the TouchPad/TrackPoint vulnerability on June 13.\n\n\u201cWe expect some vendors will issue CVEs, but none have as of yet,\u201d Jesse Michael, principal researcher at Eclypsium, told Threatpost. \u201cFor these peripherals, the OEMs (HP and Lenovo) have to work with their suppliers to develop fixes. From what we\u2019ve seen, most of these existing components were initially designed to have unsigned firmware, making them inherently vulnerable. Our interactions with these OEMs lead us to expect that future systems will have firmware update authentication requirements built in.\u201d\n\nEclypsium also reported the Wi-Fi issue to both Qualcomm, which provides the chipset and driver for the wireless card, and to Microsoft, which checks that such drivers are signed.\n\n\u201cQualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware,\u201d Michael said. \u201cThey stated that there was no plan to add signature verification for these chips. 
However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device.\u201d The result is that this will likely go unaddressed, since each is pointing the responsibility back to the other.\n\nBottom line: Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity, and provides multiple pathways for malicious actors to compromise laptops and servers.\n\n\u201cOnce firmware on any of these components is infected, the malware stays undetected by any software security controls,\u201d Michael said. \u201cDespite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware.\u201d\n\n**_Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us _**[**_Wednesday, Feb. 19 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)**_ when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. 
This webinar is for security and DevOps engineers, IoT edge developers and security executives._**\n", "modified": "2020-02-18T11:00:08", "published": "2020-02-18T11:00:08", "id": "THREATPOST:815A85AC4471792F2F220EAD5DD49460", "href": "https://threatpost.com/lenovo-hp-dell-peripherals-unpatched-firmware/152936/", "type": "threatpost", "title": "Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:16", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "The Mootbot botnet has been using a pair of zero-day exploits to compromise multiple types of fiber routers. According to researchers, other botnets have attempted to do the same, but have so far failed.\n\nAccording to researchers at NetLab 360, the operators of the Mootbot botnet in late February started to exploit a zero-day bug found in nine different types of fiber routers used to provide internet access and Wi-Fi to homes and businesses (including the Netlink GPON router). The flaw is a remote code-execution bug with a public proof-of-concept (PoC) exploit \u2013 but for it to be used successfully to compromise a target router, it must be paired with a second vulnerability.\n\n\u201cIt is likely most of the vendors are OEM products of the same original vendor,\u201d the firm explained in a [recent posting](<https://blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/>). However, NetLab 360 said that it wouldn\u2019t release the original vendor\u2019s name or details of the second bug, because the vendor told the security firm that it didn\u2019t see the bug as viable.\n\n\u201cOn March 17, we confirmed the exploit was a 0-day and reported the result to CNCERT,\u201d according to the analysis. 
\u201cWe also contacted the vendor but were told this problem should not be happening because the default config of the device should not have this issue (the reality is different). So they won\u2019t take this case from us.\u201d\n\nDespite that initial assessment, PoC code for the bug emerged on ExploitDB a day later. And a day after that, on March 19, the firm saw attacks in the wild using the PoC to attempt to spread the Gafgyt botnet. A few days later, the botnet had adopted the PoC as part of a worming attempt to move from router to router. Meanwhile, on March 24, another wave of exploit attempts emerged using the PoC, this time trying to spread the Fbot botnet.\n\n\u201cThe PoC leaves out a crucial prerequisite \u2013 another vulnerability needs to be used together with this PoC for it to work,\u201d researchers explained. \u201cSo, a successful execution of the injected commands will not have the target device compromised.\u201d\n\nMoobot is a new botnet family based on [Mirai botnet](<https://threatpost.com/mirai-enterprise-systems/142889/>), which targets internet of things (IoT) devices. While most IoT botnets go after gear that may have weak or default passwords, Mootbot stands out for its use of zero-day exploits, researchers said. 
It\u2019s worth noting that the malware [was also seen in March](<https://threatpost.com/hackers-exploited-0-day-cctv-camera/154051/>) using multiple zero days to target LILIN DVR and IP cameras.\n\nThough it didn\u2019t release details of the second success factor in the kill chain, NetLab 360 recommended that to protect against the threat, users that have fiber-based internet access routers should check and update their device firmware, and check whether there are default accounts that should be disabled.\n\nJack Mannino, CEO at nVisium, told Threatpost that the [focus on routers](<https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/>) offers attackers certain advantages.\n\n\u201cControlling network infrastructure will always be an appealing attacker goal because of the springboard it provides for launching future attacks,\u201d he said. \u201cAs a software developer, it\u2019s important to consider that the networks your users access your product from may be compromised, and build this into your threat models. Whether it\u2019s the level of access it provides to network traffic, or the chokepoints and amplifiers for DDoS attacks they present, previous botnets, such as Mirai, gave us a glimpse into what these campaigns can achieve. More security teams focus on their Patch Tuesday fixes than updating the devices they frequently expose directly to the internet.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "modified": "2020-04-20T20:51:59", "published": "2020-04-20T20:51:59", "id": "THREATPOST:E95F180BE3CA693890795666169A5F04", "href": "https://threatpost.com/mootbot-fiber-routers-zero-days/154962/", "type": "threatpost", "title": "Mootbot Botnet Targets Fiber Routers with Dual Zero-Days", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:30:31", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing.\n\nSoundCloud recently [sold a $75 million stake](<https://techcrunch.com/2020/02/11/music-streaming-pioneer-soundcloud-raises-75m-from-pandora-owner-siriusxm/>) to satellite radio giant SiriusXM and the two also inked a lucrative ad deal. 
SoundCloud claims to host 200 million different music tracks on its online platform.\n\nAccording to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: an authentication issue which could lead to account takeover; a rate-limiting bug that could lead to DoS; and an improper input validation issue.\n\nThe broken authentication issue has to do with not having a set number of login tries before locking someone out of the account \u2013 which opens the door to unlimited brute-force attacks from cybercriminals trying to guess passwords.\n\n\u201cThe /sign-in/password endpoint of api-v2.soundcloud.com does not implement proper account lockout based on failed authentication attempts,\u201d according to Silva, in [an analysis](<https://www.checkmarx.com/blog/checkmarx-research-soundcloud-api-security-advisory>) posted Tuesday. \u201cIt solely relies on rate limiting which can be evaded using several combinations of use_agent, device_id and signature.\u201d\n\nThat means that credential stuffing \u2014 the automated process of verifying that breached pairs of usernames and passwords work for not only the services that they originated from, but also other services \u2014 could have become a real issue. Digital Shadows [recently pointed out](<https://threatpost.com/password-breaches-fueling-booming-credential-stuffing-business/125900/>) that the market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches of usernames and passwords.\n\nCheckmarx also found a related user enumeration weakness that could be used to verify valid user account IDs as well, making it even easier to hack accounts. 
An attacker can exploit this to guess account names and then probe whether or not they actually exist.\n\n\u201cBoth /sign-in/identifier and /users/password_reset endpoints of api-v2.soundcloud.com can be used to enumerate user accounts,\u201d explained the firm. \u201cIn both cases, the endpoints provide different responses depending on whether the requested user account identifier exists or not.\u201d\n\nThe rate-limiting issue, meanwhile, has to do with SoundCloud not limiting how many song results can be retrieved in certain searches.\n\nFor instance, the /me/play-history/tracks API endpoint, which allows users to view recently played songs, doesn\u2019t enforce rate limiting. Thus, an attacker can send a large number of POST requests from a single machine/IP address, or can use a high-volume GET request to return hundreds of tracks at once. This can not only potentially overwhelm the API if several of these are sent at the same time, but it could also be used to artificially inflate the statistics for demand for certain tracks or artists.\n\n\u201cThe lack of rate limiting may compromise the system availability, making it vulnerable to DoS attacks,\u201d according to Checkmarx. 
\u201cFrom a business perspective, not limiting the amount of requests to this endpoint may compromise the data integrity, since it may create biased tracks-statistics.\u201d\n\nA related issue has to do with the /tracks endpoint of api-v2.soundcloud.com, which Silva said does not implement proper resource limiting \u2013 also potentially leading to DoS.\n\n\u201cSince no validation is performed regarding the number of tracks IDs in the ids list, it is possible to manipulate the list to retrieve an arbitrary number of tracks in a single request,\u201d he said, adding that in testing, researchers were able to retrieve up to 689 tracks in a single request.\n\n\u201cUsing a specially crafted list of track IDs to maximize the response size, and issuing requests from several sources at the same time to deplete resources in the application layer, will make the target\u2019s system services unavailable,\u201d Silva explained.\n\nThe improper input validation issue, meanwhile, would allow the attacker to use extra-long character strings when filling in the description, title and genre forms while uploading songs, according to the research. An exploit could make use of this to carry out cross-site scripting attacks or SQL injection.\n\n\u201cThe /tracks/{track_urn} endpoint of api-v2.soundcloud.com does not properly validate and enforce the length of [these] properties,\u201d Silva explained. \u201cIssuing requests directly to the API server puts the attacker in control of an additional 61960 bytes (total of 66160 bytes).\u201d\n\nFor its part, SoundCloud promptly fixed the problem and sent out a statement: \u201cAt SoundCloud, the security of our users\u2019 accounts is extremely important to us. We are always looking for ways to enhance the security of our platform for our users. 
We appreciate Checkmarx reaching out to discuss their findings.\u201d\n\n**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us **[**Wednesday, Feb. 19 at 2 p.m. ET**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)** when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**\n", "modified": "2020-02-12T18:48:59", "published": "2020-02-12T18:48:59", "id": "THREATPOST:4A02969D23A7147DEF39EFDE11D3094E", "href": "https://threatpost.com/soundcloud-dos-account-takeover/152838/", "type": "threatpost", "title": "SoundCloud Tackles DoS, Account Takeover Issues", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:12", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nThe plugin\u2019s author, Tunafish, has rolled out a patched version (v.1.5.6), which site owners should update to as soon as possible. No CVE was issued.\n\nThe bug could allow complete site takeover, earning it a 10 out of 10 on the CVSS bug-severity scale. Also, it has already been the subject of in-the-wild attacks, according to [an analysis](<https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/>) from Wordfence issued on Wednesday. 
That said, the firm noted the attacks so far have been limited in scope and scale.\n\nThe flaw exists in the Adning plugin\u2019s banner-image upload functionality, researchers said.\n\n\u201cIn order to provide this functionality, it used an AJAX action, _ning_upload_image,\u201d according to the researchers. \u201cUnfortunately, this AJAX action was available with a nopriv_ hook, meaning that any visitor to the site could make use of it, even if they were not logged in. Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.\u201d\n\nThis function also allowed the user to supply the \u201callowed\u201d file types \u2013 which means that an unauthenticated attacker could upload malicious code by sending a POST request to wp-admin/admin-ajax.php.\n\nThis could be performed \u201cwith the action parameter set to _ning_upload_image the allowed_file_types set to php and a files parameter containing a malicious PHP file,\u201d researchers said. \u201cAlternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload.\u201d\n\n## **A Second Bug**\n\nWordfence researchers also found a second security vulnerability, which allows unauthenticated arbitrary file deletion via path traversal.\n\nCarrying a high-severity CVSS score of 8.7, this bug is also patched in v.1.5.6.\n\n\u201cIn order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook,\u201d according to the analysis. \u201cAs with the upload vulnerability, this function did not perform a capability check or a nonce check. 
As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.\u201d\n\nAlso, according to Wordfence, if an attacker were able to delete the specific file wp-config.php, the site would be reset, offering attackers an opportunity to set it up again. They could use their own remote databases under their control, effectively replacing the site\u2019s content with their own content.\n\n\u201cThis might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist,\u201d according to Wordfence. \u201cHowever, since the previously mentioned arbitrary file-upload vulnerability allowed for directory creation, this was not a major obstacle. Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /../../.. and the src parameter set to wp-config.php.\u201d\n\n## **WordPress Plugins: A Weak Link**\n\nWordPress plugins continue to crop up with concerning vulnerabilities that put sites at risk. In May for instance, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>). Also that month, a pair of security vulnerabilities (one of them critical), in the WordPress search engine optimization (SEO) plugin known as Rank Math, [were found](<https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/>). 
They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. Rank Math is a WordPress plugin with more than 200,000 installations.\n\nIn March, another critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.\n\nAlso in March, two vulnerabilities \u2013 including a high-severity flaw \u2013 [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\nAnd in February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>). The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. 
ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "modified": "2020-07-08T20:12:05", "published": "2020-07-08T20:12:05", "id": "THREATPOST:49EFC5B6CFCA04F105A001AAFED52548", "href": "https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/", "type": "threatpost", "title": "Advertising Plugin for WordPress Threatens Full Site Takeovers", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:31", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "A peer-to-peer (P2P) botnet called FritzFrog has hopped onto the scene, and researchers said it has been actively breaching SSH servers since January.\n\nSSH servers are pieces of software found in routers and IoT devices, among other machines, and they use the secure shell protocol to accept connections from remote computers. SSH servers are common in enterprise and consumer environments alike.\n\nAccording to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing credentials at entities like governmental offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far, and has successfully breached more than 500 servers in total, Guardicore researcher Ophir Harpaz said. Victims include well-known universities in the U.S. 
and Europe, and a railway company; and the most-infected countries are China, South Korea and the U.S.\n\n\u201cFritzFrog executes a worm malware which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk,\u201d Harpaz explained, [in a posting](<https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/>) on Wednesday. Once the server is compromised, \u201cthe malware creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.\u201d\n\nIt can also drop additional payloads, such as cryptominers.\n\n## **Swimming in a Unique Pond**\n\nFritzFrog is a P2P botnet, meaning that it has greater resiliency than other types of botnets because control is decentralized and spread among all nodes; as such, there\u2019s no single point of failure and no command-and-control server (C2).\n\n\u201cFritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers,\u201d Harpaz said. She added, \u201cThe P2P protocol is completely proprietary, relying on no known P2P protocols such as \u03bcTP.\u201d\n\nAs far as the other technical details go, Guardicore analyzed the botnet by injecting its own nodes into the mix, giving researchers the ability to participate in the ongoing P2P traffic and see how it was built.\n\nThey discovered that almost everything about FritzFrog is unique when compared with past P2P botnets: Harpaz noted that it doesn\u2019t use IRC like IRCflu; it operates in-memory unlike another [cryptomining botnet, DDG](<https://threatpost.com/p2p-ddg-botnet-unstoppable/154650/>); and runs on Unix-based machines unlike others like the InterPlanetary Storm botnet.\n\nAdditionally, its fileless payload is unusual.
Harpaz wrote that files are shared over the network to both infect new machines and run new malicious payloads on compromised ones \u2013 and that this is accomplished completely in-memory using blobs.\n\n\u201cWhen a node A wishes to receive a file from its peer, node B, it can query node B which blobs it owns using the command getblobstats,\u201d according to the researcher. \u201cThen, node A can get a specific blob by its hash, either by the P2P command getbin or over HTTP, with the URL http://:1234/. When node A has all the needed blobs \u2013 it assembles the file using a special module named Assemble and runs it.\u201d\n\nOnce the malware is installed on a target by this method, it begins listening on port 1234, waiting for initial commands that will sync the victim with a database of network peers and brute-force targets. Once this initial syncing is finished, FritzFrog gets creative on the detection-evasion front when it comes to further communication from outside the botnet: \u201cInstead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim\u2019s machine,\u201d according to the analysis. \u201cFrom this point on, any command sent over SSH will be used as netcat\u2019s input, thus transmitted to the malware.\u201d\n\nMeanwhile, the botnet constantly updates itself with databases of targets and breached machines as it worms through the internet.\n\n\u201cNodes in the FritzFrog network keep in close contact with each other,\u201d Harpaz noted. \u201cThey constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced. The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network.
Guardicore Labs observed that targets are evenly distributed, such that no two nodes in the network attempt to \u2018crack\u2019 the same target machine.\u201d\n\nFurther, it was built with an extensive dictionary of breached usernames and passwords for brute-forcing purposes, making it highly aggressive (\u201cBy comparison, DDG, a recently discovered P2P botnet, used only the username \u2018root,'\u201d said Harpaz).\n\nThe malware also spawns multiple threads to perform various tasks simultaneously. For instance, an IP address in the target queue will be fed to a Cracker module, which in turn will scan the machine attached to the IP address and try to brute-force it; a machine which was successfully breached is queued for malware infection by the DeployMgmt module; and a machine which was successfully infected will be added to the P2P network by the Owned module.\n\nBecause the malware is fileless, a reboot of the compromised system wipes it; to regain entry afterwards, it leaves a backdoor behind whose login credentials are saved by the network peers.\n\n\u201cThe malware adds a public SSH-RSA key to the authorized_keys file,\u201d according to the research. \u201cThis simple backdoor allows the attackers \u2013 who own the secret private key \u2013 for passwordless authentication, in case the original password was modified.\u201d\n\nThe malware also monitors the file system state on infected machines, periodically checking for available RAM, uptime, SSH logins and CPU-usage statistics. Other nodes take this information and use it to determine whether to run a cryptominer or not.\n\nIf it decides to run a cryptominer, the malware runs a separate process called \u201clibexec\u201d to mine the Monero cryptocurrency with an XMRig spinoff.
Though this secondary infection is what the botnet has so far been used for, its architecture means that it could also install any other type of malware on infected nodes, should its authors decide to do so.\n\nIn all, FritzFrog is highly advanced, Harpaz said, but there\u2019s a simple way to ward off a compromise: \u201cWeak passwords are the immediate enabler of FritzFrog\u2019s attacks,\u201d she said. \u201cWe recommend choosing strong passwords and using public key authentication, which is much safer.\u201d\n\nAdmins should also remove FritzFrog\u2019s public key from the authorized_keys file, preventing the attackers from accessing the machine, she said. And, \u201crouters and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.\u201d\n
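The three host-side indicators the analysis describes (a key in authorized_keys that nobody put there, a listener on port 1234, and a netcat client driven over an SSH session) can all be checked from one shell on a suspect machine. The Python below is an added example, not Guardicore's or Threatpost's code. It assumes the administrator already holds an allowlist of SHA256 fingerprints for keys that belong on the host, and it parses the plain text of `ss -ltn` and `ps -eo pid,ppid,comm`; the authorized_keys, ss and ps samples embedded in it are constructed for the demo, not captured from an infected server.

```python
'''Host triage for the FritzFrog indicators described above: an added example,
not Guardicore's or Threatpost's code. The sample inputs are constructed.'''
import base64
import hashlib
import struct

FRITZFROG_PORT = 1234                      # listener the analysis describes
KEY_TYPES = ('ssh-rsa', 'ssh-ed25519', 'ssh-dss', 'ecdsa-sha2-')
NETCAT_NAMES = {'nc', 'netcat', 'ncat'}    # in-band relay the analysis describes


def ssh_fingerprint(b64_blob):
    '''SHA256 fingerprint in the same format that `ssh-keygen -lf` prints.'''
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def parse_authorized_keys(text):
    '''Yield (fingerprint, comment) per key line; skips comments, blank lines
    and any leading option list such as command=... or from=... .'''
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith('#'):
            continue
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        yield ssh_fingerprint(tokens[idx + 1]), ' '.join(tokens[idx + 2:])


def unknown_keys(text, allowlist):
    '''Entries whose fingerprint is not in the allowlist of known-good keys.'''
    return [(fp, c) for fp, c in parse_authorized_keys(text) if fp not in allowlist]


def listeners_on(ss_output, port=FRITZFROG_PORT):
    '''Local sockets from `ss -ltn` output that are bound to the given port.'''
    hits = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if (len(fields) >= 4 and fields[0] == 'LISTEN'
                and fields[3].rsplit(':', 1)[-1] == str(port)):
            hits.append(fields[3])
    return hits


def netcat_under_sshd(ps_output, max_depth=8):
    '''PIDs of nc/netcat/ncat that have sshd somewhere in their parent chain,
    from `ps -eo pid,ppid,comm` output.'''
    rows = {}
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0].isdigit():
            rows[int(fields[0])] = (int(fields[1]), fields[2].strip())
    hits = []
    for pid, (ppid, comm) in rows.items():
        if comm not in NETCAT_NAMES:
            continue
        cur = ppid
        for _ in range(max_depth):                   # walk up towards init
            if cur not in rows:
                break
            if rows[cur][1] == 'sshd':
                hits.append(pid)
                break
            cur = rows[cur][0]
    return hits


# --- constructed sample data (not captured from a real host) -----------------
def _fake_blob(seed):
    '''SSH wire format: length-prefixed type string plus filler; not a usable key.'''
    body = struct.pack('>I', 7) + b'ssh-rsa' + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()

ADMIN_BLOB, ROGUE_BLOB = _fake_blob(b'admin'), _fake_blob(b'rogue')
SAMPLE_AUTHORIZED_KEYS = '''# admin workstation
ssh-rsa %s admin@bastion
ssh-rsa %s
''' % (ADMIN_BLOB, ROGUE_BLOB)

SAMPLE_SS = '''State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:1234       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
'''

SAMPLE_PS = '''  PID  PPID COMMAND
    1     0 systemd
  812     1 sshd
 3410   812 sshd
 3415  3410 bash
 3420  3415 nc
 3500     1 nc
'''

if __name__ == '__main__':
    print('unknown keys :', unknown_keys(SAMPLE_AUTHORIZED_KEYS, {ssh_fingerprint(ADMIN_BLOB)}))
    print('port 1234    :', listeners_on(SAMPLE_SS))
    print('nc via sshd  :', netcat_under_sshd(SAMPLE_PS))
```

The allowlist is built once, on a known-good host, with `ssh-keygen -lf ~/.ssh/authorized_keys`; the fingerprint format matches what the block computes. Removing the unknown key, as Guardicore advises, only closes the re-entry path if the brute-forced password is changed as well, since that password is how the worm got in.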
", "modified": "2020-08-19T20:46:31", "published": "2020-08-19T20:46:31", "id": "THREATPOST:639CADC540E81321048EB418C2EC7586", "href": "https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/", "type": "threatpost", "title": "FritzFrog Botnet Attacks Millions of SSH Servers", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:09:04", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "Researchers have discovered the latest cryptojacking malware gambit from TeamTNT, called Black-T. The variant builds on the group\u2019s typical approach, with a few new, and sophisticated, extras.\n\nTeamTNT is known for its targeting of Amazon Web Services (AWS) credentials, to break into the cloud and use it to mine for the [Monero](<https://threatpost.com/monero-cybercrime-mining-malware/141116/>) cryptocurrency. But according to researchers with Palo Alto Networks\u2019 Unit 42, with [Black-T](<https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/>), the group has added in additional capabilities to its tactics, techniques and procedures (TTPs). These include the addition of sophisticated network scanners; the targeting of competitor XMR mining tools on the network; and the use of password scrapers.\n\nWhat TeamTNT plans to do with the saved passwords and additional capabilities is still unclear, but the development signals that the group doesn\u2019t plan to slow down anytime soon.\n\nIn August, [TeamTNT was identified by researchers](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) as the first cryptojacking group to specifically target AWS. With increasingly sophisticated TTPs, the cybercriminal gang appears to be gaining steady momentum.
Just last month, TeamTNT was discovered to have been leveraging a common open-source cloud monitoring tool called [Weave Scope, to infiltrate the cloud](<https://threatpost.com/teamtnt-remote-takeover-cloud-instances/159075/>) and execute commands without breaching the server.\n\nBlack-T represents a notable jump forward in the operation\u2019s sophistication, researchers said.\n\nOnce deployed, the first order of business for Black-T is to disable any other malware competing for processing power, including Kinsing, Kswapd0, ntpd miner, redis-backup miner, auditd miner, Migration miner, the Crux worm and Crux worm miner. Ironically, the fact that TeamTNT identified these competitors in their malware gives security professionals a critical heads-up to be on the lookout for potential threats from these groups, Unit 42 said.\n\nThis kind of cryptojacking turf warfare isn\u2019t new, but it appears to be accelerating.\n\n\u201cThe battle for cloud resources will continue well into the future,\u201d Nathaniel Quist, senior threat researcher for Unit 42, said. \u201cIn the past, attacker groups like [Rocke](<https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/>) and [Pacha](<https://www.paloaltonetworks.com/resources/research/digital-executive-summary-unit-42-cloud-threat-report-spring-2020>) would battle for resources. TeamTNT is battling with Kinsing malware and Crux worm today. I believe that this battle for resources will increase and attacker groups will look for other opportunities to use cloud resources.
We can see this now with TeamTNT collecting passwords and AWS credentials in an attempt to expand and maintain a cloud presence.\u201d\n\nAfter it eliminates the competition, Black-T installs a set of tools: the masscan and pnscan network scanners, zgrab, libpcap (used to listen on the network), Docker and jq (the latter is a flexible command-line JSON processor, according to Unit 42).\n\n\u201cTeamTNT is investing more resources into scanning operations, likely with the intent to identify and compromise more cloud systems,\u201d Quist added. \u201cZmap is a known open-source scanning solution and with the creation of zgrab, a GoLang tool written for zmap, it is attempting to capitalize on the added benefits of the Go programming language, such as speed and performance increases. It is likely that TeamTNT actors are attempting to refine their scanning capabilities to make them faster, more accurate and less resource-intensive.\u201d\n\nNext, Black-T fetches various downloads: Beta to create a new directory; the mimipy and mimipenguin password-scraping tools; and the XMR mining software called bd.\n\n\u201cThe inclusion of memory password-scraping tools should be considered an evolution of tactics,\u201d Quist said. \u201cTeamTNT has already integrated the collection and exfiltration of AWS credentials from compromised cloud systems, which provides post-exploitation capabilities. By adding memory password-scraping capabilities, TeamTNT actors are increasing their chances in gaining persistence within cloud environments.\u201d\n\nThe use of scanners like masscan or pnscan by TeamTNT [isn\u2019t new](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>), but Unit 42 noticed Black-T adds a new scanning port.
Researchers wonder whether this signals the group has figured out how to target Android devices as well.\n\nAs remote work and cost savings continue to drive computing to the cloud, more groups like TeamTNT are sure to emerge ready to take advantage, according to Quist. Admins should take steps to ensure that [Docker](<https://threatpost.com/doki-backdoor-docker-servers-cloud/157871/>) daemon APIs, as well as any other sensitive network services, aren\u2019t exposed, so that the cloud can be protected from the next evolution of cloud cryptojackers, he added.\n", "modified": "2020-10-05T19:47:05", "published": "2020-10-05T19:47:05", "id": "THREATPOST:D4F89B42660582EFECA648A891470AD4", "href": "https://threatpost.com/blackt-cryptojacker-teamtnt/159853/", "type": "threatpost", "title": "Black-T Malware Emerges From Cryptojacker Group TeamTNT", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:07:48", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said.\n\nThe bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the [CVSS severity scale](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1>), according to researchers at Sick.Codes, a security resource for developers.\n\nThe HK1 Box S905X3 TV Box is an Android-based streaming box that plugs into a TV and allows users to access YouTube, Netflix and other streaming content \u201cover-the-top,\u201d i.e., without a cable subscription. Users can also sign into their favorite email, music and social-networking-related apps for a full \u201csmart TV\u201d experience. It retails for under $100.\n\nThe vulnerability would allow a local, unprivileged user to escalate to root, the Sick.Codes team said [in a posting](<https://sick.codes/sick-2020-004/>) this week.
At issue is a lack of authentication when it comes to the debugging functions of the set-top \u2013 specifically, when connected to the device through the serial port (UART), or while using the [Android Debug Bridge](<https://developer.android.com/studio/command-line/adb>) (adb), as an unprivileged user.\n\nadb is a versatile command-line tool that lets users communicate with a device. It facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device.\n\n\u201cA local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the \u2018shell\u2019 user without entering a username or password,\u201d researchers explained. \u201cOnce logged in as the \u2018shell\u2019 user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).\u201d\n\nOnce endowed with root privileges, the attacker can view any of the information for the apps the user is signed into \u2013 paving the way for stealing access tokens, passwords, contacts and messages and more. Attackers could also use the HK1 Box maliciously to sniff other devices on the same network, usually in a home-networking environment, according to the analysis.\n\n\u201cFor example, once root, the network Wi-Fi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml,\u201d researchers explained.\n\nThus far, the issue has not been addressed.\n\nThe vendor for the device is the Shenzhen Hindo Technology Co.,Ltd., based just outside of Hong Kong. The researchers were unable to contact the company (and its website, [www.hindotech.com](<http://www.hindotech.com>), was down as of the time of writing). 
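The two conditions described above (an su binary the unprivileged `shell` user can execute, and the Wi-Fi PSK sitting in clear text once root is obtained) are what a tester would verify first from an `adb shell` session. The Python below is an added example, not Sick.Codes' or Hindo's code. It parses the text of `ls -l /sbin/su /system/xbin/su` and the contents of /data/misc/wifi/WifiConfigStore.xml as pasted from the device; both samples inside it are constructed in the layout of those outputs, not captured from an HK1, and the group list for the `shell` user is a parameter because it differs from build to build.

```python
'''Audit an Android box over adb for the two conditions described above: an
added example, not Sick.Codes' or the vendor's code. Both samples are
constructed in the layout of the real outputs, not captured from a device.'''
import xml.etree.ElementTree as ET


def mode_bits(perm):
    '''ls permission string such as rwxr-x--- -> octal mode (0o750).
    s/t (setuid, setgid, sticky) also mean execute; S/T do not.'''
    if len(perm) != 9:
        raise ValueError('expected nine permission characters, got %r' % perm)
    bits = 0
    for ch in perm:
        bits = (bits << 1) | (1 if ch in 'rwxst' else 0)
    return bits


def parse_ls_line(line):
    '''One `ls -l` line (toybox or older toolbox layout) -> dict.'''
    fields = line.split()
    if len(fields) < 4:
        raise ValueError('not an ls -l line: %r' % line)
    perm = fields[0][1:10]
    rest = fields[2:] if fields[1].isdigit() else fields[1:]   # optional link count
    return {'path': fields[-1], 'mode': mode_bits(perm),
            'owner': rest[0], 'group': rest[1], 'setuid': perm[2] in 'sS'}


def executable_by(entry, user, groups):
    '''Standard owner/group/other execute check; root always passes.'''
    if user == 'root':
        return True
    if user == entry['owner']:
        return bool(entry['mode'] & 0o100)
    if entry['group'] in groups:
        return bool(entry['mode'] & 0o010)
    return bool(entry['mode'] & 0o001)


def su_exposure(ls_output, user='shell', groups=()):
    '''Paths from `ls -l /sbin/su /system/xbin/su` that `user` can execute.'''
    entries = (parse_ls_line(line) for line in ls_output.splitlines() if line.strip())
    return [e['path'] for e in entries if executable_by(e, user, groups)]


def wifi_psks(xml_text):
    '''(SSID, PreSharedKey) pairs stored in clear in WifiConfigStore.xml.'''
    found = []
    for cfg in ET.fromstring(xml_text).iter('WifiConfiguration'):
        values = {s.get('name'): (s.text or '').strip('"') for s in cfg.findall('string')}
        if values.get('PreSharedKey'):
            found.append((values.get('SSID'), values['PreSharedKey']))
    return found


# --- constructed samples, laid out like the real outputs -----------------------
SAMPLE_LS = '''
-rwxr-x--- 1 root root 115704 2009-01-01 00:00 /sbin/su
-rwxr-xr-x 1 root root 115704 2009-01-01 00:00 /system/xbin/su
'''

SAMPLE_WIFI_XML = '''<WifiConfigStoreData>
<NetworkList>
<Network><WifiConfiguration>
<string name="ConfigKey">&quot;HomeNet&quot;WPA_PSK</string>
<string name="SSID">&quot;HomeNet&quot;</string>
<string name="PreSharedKey">&quot;correct horse battery staple&quot;</string>
</WifiConfiguration></Network>
<Network><WifiConfiguration>
<string name="SSID">&quot;CoffeeShop&quot;</string>
<null name="PreSharedKey" />
</WifiConfiguration></Network>
</NetworkList>
</WifiConfigStoreData>
'''

if __name__ == '__main__':
    print('su runnable by shell user:', su_exposure(SAMPLE_LS))
    print('cleartext PSKs           :', wifi_psks(SAMPLE_WIFI_XML))
```

With the sample permissions, only /system/xbin/su (755) is reachable for a `shell` user outside the root group, which is the point the advisory makes; pass the user's real group list (from `id` inside the adb shell) to see whether the 750 copy is reachable as well. On a fixed build neither path should come back, and the PSK check is only meaningful after escalation, since the XML is not readable by `shell`.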
Unable to reach Hindo, the researchers submitted a draft advisory to Amlogic, which shares branding with the device in the States, and received no response.\n\nThreatpost has tried to contact Shenzhen Hindo but has been unsuccessful in reaching the company.\n\nThis is only the latest entertainment-related security bug. Last week, researchers disclosed the [\u2018WarezTheRemote\u2019 attack](<https://threatpost.com/comcast-tv-remote-homes-snooping/159899/>), affecting Comcast\u2019s XR11 voice remote control. A security flaw would allow attackers to remotely snoop in on victims\u2019 private conversations.\n\nThe flaw is in Comcast\u2019s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the U.S. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search.\n", "modified": "2020-10-13T16:36:15", "published": "2020-10-13T16:36:15", "id": "THREATPOST:DFC75A06F449D25EF03338C5D80C705C", "href": "https://threatpost.com/authentication-bug-android-smart-tv-data-theft/160025/", "type": "threatpost", "title": "Authentication Bug Opens Android Smart-TV Box to Data Theft", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2020-11-18T06:37:06", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at October 15, 2020 10:48pm UTC reported:\n\nThere\u2019s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If [Positive Technologies](<https://twitter.com/ptswarm/status/1316838270538575877>) or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, \u201cpatch fast but don\u2019t panic\u201d is good advice, as it always is with VPNs.
There\u2019s full analysis for this bug in the [Rapid7 Analysis tab here](<https://attackerkb.com/topics/WzuBknGmx1/cve-2020-5135#rapid7-analysis>).\n\nAssessed Attacker Value: 4 \n\n", "modified": "2020-10-28T00:00:00", "published": "2020-10-12T00:00:00", "id": "AKB:1C1E9FA5-A4DB-4CE8-8770-2431CE166358", "href": "https://attackerkb.com/topics/WzuBknGmx1/cve-2020-5135", "type": "attackerkb", "title": "CVE-2020-5135", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2020-03-11T09:36:37", "bulletinFamily": "info", "cvelist": ["CVE-2020-0684", "CVE-2020-0765", "CVE-2020-0811", "CVE-2020-0816", "CVE-2020-0824", "CVE-2020-0833", "CVE-2020-0852"], "description": "Microsoft today released security updates to fix a total of 115 new security vulnerabilities in various versions of its Windows operating system and related software, making the March 2020 edition the biggest Patch Tuesday in the company's history. \n \nOf the 115 bugs spanning its various products (Microsoft Windows, Edge browser, Internet Explorer, Exchange Server, Office, Azure, Windows Defender, and Visual Studio) that received new patches, 26 have been rated as critical, 88 received a severity of important, and one is moderate in severity. \n \nHowever, [unlike last month](<https://thehackernews.com/2020/02/microsoft-windows-updates.html>), none of the vulnerabilities the tech giant patched this month are listed as being publicly known or under active attack at the time of release. \n \nIt's worth highlighting that the patch addresses critical flaws that could be potentially exploited by bad actors to execute malicious code via specially crafted LNK files and Word documents.
\n \nTitled \"LNK Remote Code Execution Vulnerability\" ([CVE-2020-0684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0684>)), the flaw allows an attacker to create malicious LNK shortcut files that lead to code execution when parsed. \n \n\"The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary,\" Microsoft detailed in its advisory. \"When the user opens this drive (or remote share) in Windows Explorer or any other application that parses the .LNK file, the malicious binary will execute code of the attacker's choice on the target system.\" \n \nThe other bug, Microsoft Word Remote Code Execution Vulnerability ([CVE-2020-0852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0852>)), allows an attacker to execute code on a system when the victim merely views a specially crafted Word file in the Preview Pane, with the same permissions as the currently logged-on user. Microsoft has warned that the Microsoft Outlook Preview Pane is also an attack vector for this vulnerability. \n \nElsewhere, the Redmond-based company also issued fixes for remote code execution vulnerabilities tied to Internet Explorer ([CVE-2020-0833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0833>), [CVE-2020-0824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0824>)), the Chakra scripting engine ([CVE-2020-0811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0811>)), and the Edge browser ([CVE-2020-0816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0816>)). \n \nOne other bug worthy of note is [CVE-2020-0765](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0765>) impacting Remote Desktop Connection Manager (RDCMan), for which there is no fix.
\"Microsoft is not planning on fixing this vulnerability in RDCMan and has deprecated the application. Microsoft recommends using supported Remote Desktop clients and exercising caution when opening RDCMan configuration files (.rdg),\" the disclosure reads. \n \nIt's recommended that users and system administrators test and apply the latest security patches as soon as possible to prevent malware or miscreants from exploiting them to gain complete, remote control over vulnerable computers without any intervention. \n \nFor installing the [latest security updates](<https://support.microsoft.com/en-in/help/4027667/windows-10-update>), Windows users can head to Start > Settings > Update & Security > Windows Update, or by selecting Check for Windows updates.\n", "modified": "2020-03-11T08:31:20", "published": "2020-03-11T08:31:00", "id": "THN:3D9F7E987C17A81C15F0745D108233C7", "href": "https://thehackernews.com/2020/03/microsoft-patch-tuesday-march-2020.html", "type": "thn", "title": "Microsoft Issues March 2020 Updates to Patch 115 Security Flaws", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2020-04-18T10:09:16", "description": "The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0847)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)", "edition": 4, "cvss3": {"score": 7.5, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "title": "Security Updates for Internet Explorer (March 2020)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0768", "CVE-2020-0830", "CVE-2020-0832", "CVE-2020-0824", "CVE-2020-0847", "CVE-2020-0833"], "modified": "2020-03-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAR_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/134377", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134377);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/17\");\n\n script_cve_id(\n \"CVE-2020-0768\",\n \"CVE-2020-0824\",\n \"CVE-2020-0830\",\n \"CVE-2020-0832\",\n \"CVE-2020-0833\",\n \"CVE-2020-0847\"\n );\n script_xref(name:\"MSKB\", value:\"4541509\");\n script_xref(name:\"MSKB\", value:\"4541510\");\n script_xref(name:\"MSKB\", value:\"4540671\");\n script_xref(name:\"MSFT\", value:\"MS20-4541509\");\n script_xref(name:\"MSFT\", value:\"MS20-4541510\");\n script_xref(name:\"MSFT\", value:\"MS20-4540671\");\n\n script_name(english:\"Security Updates for Internet Explorer (March 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-0824)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2020-0847)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0832, CVE-2020-0833)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0768, CVE-2020-0830)\");\n # https://support.microsoft.com/en-us/help/4540671/cumulative-security-update-for-internet-explorer\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a14d7a85\");\n # https://support.microsoft.com/en-us/help/4541510/windows-server-2012-update-kb4541510\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?438d05ee\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4541509/windows-8-1-kb4541509\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB4540671\n -KB4541509 \n -KB4541510\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0847\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are 
available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS20-03';\nkbs = make_list(\n '4540671',\n '4541509',\n '4541510'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nos = get_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif 
(\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.19649\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4540671\") ||\n # Windows Server 2012\n # Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"10.0.9200.22975\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4540671\") ||\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.19649\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4540671\")\n )\n{\n report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB4540671 : Cumulative Security Update for Internet Explorer\\n';\n if(os == \"6.3\")\n {\n report += ' - KB4541509 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS20-03', kb:'4541509', report);\n }\n else if(os == \"6.2\")\n {\n report += ' - KB4541510 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS20-03', kb:'4541510', report);\n }\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-24T09:30:51", "description": "According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected\nby a buffer overflow vulnerability, allowing a remote attacker to cause Denial of Service (DoS), \nand potentially execute arbitrary code by sending a malicious request to the firewall. 
\nThis vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v \nand Gen 7 version 7.0.0.0.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-16T00:00:00", "title": "SonicWall SonicOS Buffer Overflow Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-5135"], "modified": "2020-10-16T00:00:00", "cpe": ["cpe:/o:sonicwall:sonicos"], "id": "SONICWALL_SNWLID-2020-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/141474", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141474);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/23\");\n\n script_cve_id(\"CVE-2020-5135\");\n\n script_name(english:\"SonicWall SonicOS Buffer Overflow Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a Buffer Overflow vulnerability, leading to Denial of Service, \nand potentially to Arbitrary Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected\nby a buffer overflow vulnerability, allowing a remote attacker to cause Denial of Service (DoS), \nand potentially execute arbitrary code by sending a malicious request to the firewall. 
\nThis vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v \nand Gen 7 version 7.0.0.0.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c667b9f5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the vendor security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5135\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sonicwall:sonicos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\");\n script_require_keys(\"Host/OS\");\n\n exit(0);\n}\n\nos = get_kb_item_or_exit(\"Host/OS\");\nif (os !~ \"^SonicOS\" ) audit(AUDIT_OS_NOT, \"SonicWall SonicOS\");\n\n# SonicOS Enhanced 6.0.5.3-94o on a SonicWALL NSA 220\nmatch = pregmatch(pattern:\"^SonicOS(?: Enhanced)? 
(([0-9.]+)(-[^ ]*)?) on a SonicWALL\", string:os);\nif (isnull(match)) exit(1, \"Failed to identify the version of SonicOS.\");\nversion = match[1];\n\nfix = NULL;\n\n\nif (version =~ \"^6\\.\")\n{\n # SonicOS 6.0.5.3-93o and earlier\n # fixed in SonicOS 6.0.5.3-94o\n if (version =~ \"^6\\.0\\.5\\.3-([0-8]?[0-9]|9[0-3])o\")\n fix = \"6.0.5.3-94o\"; \n # SonicOS 6.5.1.11-4n and earlier\n # fixed in SonicOS 6.5.1.12-1n\n # (bare version string, so the report below does not print \"SonicOS\" twice)\n else if (version =~ \"^6\\.5\\.1\\.11-\\d+n\")\n fix = \"6.5.1.12-1n\";\n # SonicOS 6.5.4.7-79n and earlier\n # fixed in SonicOS 6.5.4.7-83n\n else if (version =~ \"^6\\.5\\.4\\.7-[0-7]?[0-9]n\")\n fix = \"6.5.4.7-83n\";\n # SonicOSv 6.5.4.4-44v-21-794 and earlier\n # fixed in SonicOS 6.5.4.v-21s-987\n # XXX not sure how I can check for this version,\n # as version and fix formats look different\n #else if (version =~ \"^6\\.5\\.4\\.4\")\n # fix = \"6.5.4.v-21s-987\";\n}\n# SonicOS 7.0.0.0-1\n# fixed in 7.0.0.0-2\nelse if (version =~ \"^7\\.0\\.0\\.0-[01]$\")\n{\n fix = \"7.0.0.0-2\";\n}\n\nif (isnull(fix))\n audit(AUDIT_DEVICE_NOT_VULN, \"SonicWALL \", \"SonicOS \" + version);\n#if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\nelse\n{\n port = 0;\n report =\n '\\n Installed SonicOS version : ' + version +\n '\\n Fixed SonicOS version : ' + fix +\n '\\n';\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-20T10:40:36", "description": "The Microsoft Office Web Apps installation on the remote\nhost is missing security updates. It is, therefore, affected\nby multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in\n Microsoft Word software when it fails to properly handle\n objects in memory. An attacker who successfully\n exploited the vulnerability could use a specially\n crafted file to perform actions in the security context\n of the current user. 
For example, the file could then\n take actions on behalf of the logged-on user with the\n same permissions as the current user. (CVE-2020-0850,\n CVE-2020-0892)\n\n - A remote code execution vulnerability exists in\n Microsoft Word software when it fails to properly handle\n objects in memory. An attacker who successfully\n exploited the vulnerability could use a specially\n crafted file to perform actions in the security context\n of the current user. For example, the file could then\n take actions on behalf of the logged-on user with the\n same permissions as the current user. (CVE-2020-0852)", "edition": 2, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "title": "Security Updates for Microsoft Office Web Apps (March 2020)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0892", "CVE-2020-0850", "CVE-2020-0852"], "modified": "2020-03-10T00:00:00", "cpe": ["cpe:/a:microsoft:office_web_apps"], "id": "SMB_NT_MS20_MAR_OFFICE_WEB.NASL", "href": "https://www.tenable.com/plugins/nessus/134379", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134379);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/19\");\n\n script_cve_id(\"CVE-2020-0850\", \"CVE-2020-0852\", \"CVE-2020-0892\");\n script_xref(name:\"MSKB\", value:\"4484270\");\n script_xref(name:\"MSKB\", value:\"4475602\");\n script_xref(name:\"MSFT\", value:\"MS20-4484270\");\n script_xref(name:\"MSFT\", value:\"MS20-4475602\");\n\n script_name(english:\"Security Updates for Microsoft Office Web Apps (March 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office Web Apps installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office Web Apps installation on the remote\nhost is missing security updates. It is, therefore, affected\nby multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in\n Microsoft Word software when it fails to properly handle\n objects in memory. An attacker who successfully\n exploited the vulnerability could use a specially\n crafted file to perform actions in the security context\n of the current user. For example, the file could then\n take actions on behalf of the logged-on user with the\n same permissions as the current user. (CVE-2020-0850,\n CVE-2020-0892)\n\n - A remote code execution vulnerability exists in\n Microsoft Word software when it fails to properly handle\n objects in memory. An attacker who successfully\n exploited the vulnerability could use a specially\n crafted file to perform actions in the security context\n of the current user. For example, the file could then\n take actions on behalf of the logged-on user with the\n same permissions as the current user. 
(CVE-2020-0852)\");\n # https://support.microsoft.com/en-us/help/4484270/security-update-for-office-online-server-march-10-2020\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c9e7117b\");\n # https://support.microsoft.com/en-us/help/4475602/security-update-for-sharepoint-server-2010-office-web-apps\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?acaea58a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB4484270\n -KB4475602\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0892\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_apps\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_owa_installed.nbin\", \"microsoft_office_compatibility_pack_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-03';\nkbs = make_list(\n '4461633',\n '4475602'\n);\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);\n\nport = kb_smb_transport();\n\n# Get installs of Office Web Apps\nowa_installs = get_installs(app_name:'Microsoft Office Web Apps');\n\nif (!empty_or_null(owa_installs))\n{\n foreach owa_install (owa_installs[1])\n {\n if (owa_install['Product'] == '2010')\n {\n owa_2010_path = owa_install['path'];\n owa_2010_sp = owa_install['SP'];\n }\n else if (owa_install['Product'] == '2016') # Is stored as 2016, yes.\n {\n owa_2019_path = owa_install['path'];\n owa_2019_sp = owa_install['SP'];\n }\n }\n}\nvuln = FALSE;\n\n####################################################################\n# Office Web Apps 2010 SP2\n####################################################################\nif (owa_2010_path && (!isnull(owa_2010_sp) && owa_2010_sp == '2'))\n{\n path = hotfix_append_path(path:owa_2010_path, value:'14.0\\\\WebServices\\\\ConversionService\\\\Bin\\\\Converter');\n if (hotfix_check_fversion(file:'msoserver.dll', version:'14.0.7246.5000', min_version:'14.0.0.0', path:path, kb:'4475602', product:'Office Web Apps 2010') == HCF_OLDER)\n vuln = 
TRUE;\n}\n\n\n####################################################################\n# Office Online Server\n####################################################################\nif (owa_2019_path && (!isnull(owa_2019_sp) && owa_2019_sp == '0'))\n{\n path = hotfix_append_path(path:owa_2019_path, value:\"ExcelServicesEcs\\bin\");\n if (hotfix_check_fversion(file:'xlsrv.dll', version:'16.0.10357.20002', min_version:'16.0.10000.0', path:path, kb:'4461633', product:'Office Online Server') == HCF_OLDER)\n vuln = TRUE;\n}\n\nif (vuln)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-18T08:31:14", "description": "The Microsoft Office application installed on the remote macOS or Mac OS X host is missing a security update. It is,\ntherefore, affected by multiple remote code execution vulnerabilities in Microsoft Word software due to failure to\nproperly handle objects in memory. An attacker could use a specially crafted file to perform actions in the security \ncontext of the current user. 
To exploit this issue, an attacker would have to convince the user to click a link, \ntypically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the \nspecially crafted file.", "edition": 3, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-11T00:00:00", "title": "Security Updates for Microsoft Office Products (March 2020) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0892", "CVE-2020-0855", "CVE-2020-0850", "CVE-2020-0852", "CVE-2020-0851"], "modified": "2020-03-11T00:00:00", "cpe": ["cpe:/a:microsoft:word", "cpe:/a:microsoft:onenote", "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:outlook", "cpe:/a:microsoft:office", "cpe:/a:microsoft:excel", "cpe:/o:apple:mac_os_x"], "id": "MACOS_MS20_MAR_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/134408", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134408);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/17\");\n\n script_cve_id(\n \"CVE-2020-0850\",\n \"CVE-2020-0851\",\n \"CVE-2020-0852\",\n \"CVE-2020-0855\",\n \"CVE-2020-0892\"\n );\n\n script_name(english:\"Security Updates for Microsoft Office Products (March 2020) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office application installed on the remote macOS or Mac OS X host is missing a security update. 
It is,\ntherefore, affected by multiple remote code execution vulnerabilities in Microsoft Word software due to failure to\nproperly handle objects in memory. An attacker could use a specially crafted file to perform actions in the security \ncontext of the current user. To exploit this issue, an attacker would have to convince the user to click a link, \ntypically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the \nspecially crafted file.\");\n # https://docs.microsoft.com/en-us/officeupdates/release-notes-office-for-mac#march-10-2020\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?267d9c1d\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-for-mac#march-10-2020\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?07e51711\");\n # https://docs.microsoft.com/en-us/officeupdates/release-notes-office-2016-mac#march-10-2020\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?64424563\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Office for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0892\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:outlook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:onenote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_office_installed.nbin\");\n script_require_keys(\"Host/MacOSX/Version\");\n script_require_ports(\"installed_sw/Microsoft Word\", \"installed_sw/Microsoft Excel\", \"installed_sw/Microsoft PowerPoint\", \"installed_sw/Microsoft OneNote\", \"installed_sw/Microsoft Outlook\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\n\nos = get_kb_item_or_exit('Host/MacOSX/Version');\napps = make_list(\n 'Microsoft Word',\n 'Microsoft Excel',\n 'Microsoft PowerPoint',\n 'Microsoft OneNote',\n 'Microsoft Outlook'\n);\nreport = '';\n\n#2016\nmin_ver_16 = '16';\nfix_ver_16 = '16.16.20';\nfix_disp_16 = '16.16.20 (20030700)';\n\n#2019\nmin_ver_19 = '16.17.0';\nfix_ver_19 = '16.35';\nfix_disp_19 = '16.35 (20030802)';\n\nforeach app (apps)\n{\n installs = get_installs(app_name:app);\n if (isnull(installs[1]))\n continue;\n\n foreach install (installs[1])\n {\n version = install['version'];\n\n if (ver_compare(ver:version, minver:min_ver_19, fix:fix_ver_19, strict:FALSE) < 0)\n {\n app_label = app + ' for Mac 2019';\n report +=\n '\\n\\n Product : ' + app_label +\n '\\n Installed version : ' 
+ version +\n '\\n Fixed version : ' + fix_disp_19;\n }\n else if (ver_compare(ver:version, minver:min_ver_16, fix:fix_ver_16, strict:FALSE) < 0)\n {\n app_label = app + ' for Mac 2016';\n report +=\n '\\n\\n Product : ' + app_label +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix_disp_16;\n }\n }\n}\nif (empty(report))\n audit(AUDIT_HOST_NOT, 'affected');\n\nif (os =~ \"^Mac OS X 10\\.[0-9](\\.|$)\")\n report += '\\n Note : Update will require Mac OS X 10.10.0 or later.\\n';\n\nsecurity_report_v4(severity:SECURITY_HOLE, port:0, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2020-08-07T11:45:29", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0852"], "description": "A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.\n\nTo exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. 
Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.\n\nNote that Microsoft Outlook Preview Pane is an attack vector for this vulnerability.\n\nThe security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.\n", "edition": 2, "modified": "2020-03-10T07:00:00", "id": "MS:CVE-2020-0852", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0852", "published": "2020-03-10T07:00:00", "title": "Microsoft Word Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:45:32", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0833"], "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. 
The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.\n\nThe security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.\n", "edition": 2, "modified": "2020-03-10T07:00:00", "id": "MS:CVE-2020-0833", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0833", "published": "2020-03-10T07:00:00", "title": "Scripting Engine Memory Corruption Vulnerability", "type": "mscve", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:23", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0824"], "description": "A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. 
Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.\n\nThe security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory.\n", "edition": 2, "modified": "2020-03-10T07:00:00", "id": "MS:CVE-2020-0824", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0824", "published": "2020-03-10T07:00:00", "title": "Internet Explorer Memory Corruption Vulnerability", "type": "mscve", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:45:32", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0765"], "description": "An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.\n\nTo exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.\n", "edition": 2, "modified": "2020-03-10T07:00:00", "id": "MS:CVE-2020-0765", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0765", "published": "2020-03-10T07:00:00", "title": "Remote Desktop Connection Manager Information Disclosure Vulnerability", "type": "mscve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-07T11:48:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0847"], "description": "A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.\n\nThe security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.\n", "edition": 2, "modified": "2020-03-10T07:00:00", "id": "MS:CVE-2020-0847", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0847", "published": "2020-03-10T07:00:00", "title": "VBScript Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:51:53", "bulletinFamily": "info", "cvelist": ["CVE-2020-0765"], "description": "### *Detect date*:\n03/10/2020\n\n### *Severity*:\nWarning\n\n### *Description*:\nAn information disclosure vulnerability was found in Remote Desktop Connection Manager. 
Malicious users can exploit this vulnerability to obtain sensitive information.\n\n### *Affected products*:\nRemote Desktop Connection Manager 2.7\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0765](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0765>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Remote Desktop Connection Manager](<https://threats.kaspersky.com/en/product/Remote-Desktop-Connection-Manager/>)\n\n### *CVE-IDS*:\n[CVE-2020-0765](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0765>)0.0Unknown\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-05-22T00:00:00", "published": "2020-03-10T00:00:00", "id": "KLA11686", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11686", "title": "\r KLA11686Information disclosure vulnerability in Microsoft RDC Manager ", "type": "kaspersky", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-09-02T11:50:41", "bulletinFamily": "info", "cvelist": ["CVE-2020-0816", "CVE-2020-0828", "CVE-2020-0826", "CVE-2020-0768", "CVE-2020-0823", "CVE-2020-0830", "CVE-2020-0832", "CVE-2020-0811", "CVE-2020-0829", "CVE-2020-0824", "CVE-2020-0813", "CVE-2020-0848", "CVE-2020-0847", "CVE-2020-0827", "CVE-2020-0831", "CVE-2020-0825", "CVE-2020-0812", "CVE-2020-0833"], "description": "### *Detect date*:\n03/10/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nInternet Explorer 11 \nInternet Explorer 9 \nMicrosoft Edge (EdgeHTML-based) \nChakraCore\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0829](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0829>) \n[CVE-2020-0811](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0811>) \n[CVE-2020-0812](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0812>) \n[CVE-2020-0813](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0813>) \n[CVE-2020-0816](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0816>) \n[CVE-2020-0828](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0828>) \n[CVE-2020-0832](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0832>) \n[CVE-2020-0833](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0833>) \n[CVE-2020-0830](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0830>) \n[CVE-2020-0831](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0831>) \n[CVE-2020-0825](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0825>) \n[CVE-2020-0824](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0824>) \n[CVE-2020-0768](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0768>) \n[CVE-2020-0826](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0826>) \n[CVE-2020-0847](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0847>) 
\n[CVE-2020-0827](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0827>) \n[CVE-2020-0848](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0848>) \n[CVE-2020-0823](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0823>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2020-0829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0829>)0.0Unknown \n[CVE-2020-0811](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0811>)0.0Unknown \n[CVE-2020-0812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0812>)0.0Unknown \n[CVE-2020-0813](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0813>)0.0Unknown \n[CVE-2020-0816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0816>)0.0Unknown \n[CVE-2020-0828](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0828>)0.0Unknown \n[CVE-2020-0832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0832>)0.0Unknown \n[CVE-2020-0833](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0833>)0.0Unknown \n[CVE-2020-0830](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0830>)0.0Unknown \n[CVE-2020-0831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0831>)0.0Unknown \n[CVE-2020-0825](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0825>)0.0Unknown \n[CVE-2020-0824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0824>)0.0Unknown \n[CVE-2020-0768](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0768>)0.0Unknown \n[CVE-2020-0826](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0826>)0.0Unknown \n[CVE-2020-0847](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0847>)0.0Unknown \n[CVE-2020-0827](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0827>)0.0Unknown 
\n[CVE-2020-0848](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0848>)0.0Unknown \n[CVE-2020-0823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0823>)0.0Unknown\n\n### *KB list*:\n[4538461](<http://support.microsoft.com/kb/4538461>) \n[4541510](<http://support.microsoft.com/kb/4541510>) \n[4540689](<http://support.microsoft.com/kb/4540689>) \n[4541509](<http://support.microsoft.com/kb/4541509>) \n[4540681](<http://support.microsoft.com/kb/4540681>) \n[4540693](<http://support.microsoft.com/kb/4540693>) \n[4540673](<http://support.microsoft.com/kb/4540673>) \n[4540670](<http://support.microsoft.com/kb/4540670>) \n[4540671](<http://support.microsoft.com/kb/4540671>) \n[4540688](<http://support.microsoft.com/kb/4540688>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2020-03-10T00:00:00", "id": "KLA11681", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11681", "title": "\r KLA11681Multiple vulnerabilities in Microsoft Browser ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ptsecurity": [{"lastseen": "2021-01-19T12:41:48", "bulletinFamily": "info", "cvelist": ["CVE-2020-5135"], "description": "# PT-2020-29: Denial of service and potential arbitrary code execution in SonicOS\n\nSonicOS, SonicOSv \n\n**Severity:**\n\nSeverity level: High \nImpact: Denial of service and potential arbitrary code execution in SonicOS \nAccess Vector: Remote\n\nCVSS v3.0 \nBase Score: 9,4 \nVector: (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) \nCVE-2020-5135\n\n**Vulnerability description:**\n\nThe vulnerability, which is associated with buffer overflow in SonicOS, allows a remote attacker to cause a denial of service (DoS) and potentially execute arbitrary code.\n\n**Advisory status:**\n\n26.06.2020 - Vendor notification date \n12.10.2020 - Security advisory publication date (<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>) 
\n\n**Credits:**\n\nThe vulnerability was discovered by Nikita Abramov, Positive Research Center (Positive Technologies Company)\n", "edition": 2, "modified": "1970-01-01T00:00:00", "published": "2020-12-10T00:00:00", "id": "PT-2020-29", "href": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-29/", "title": "PT-2020-29: Denial of service and potential arbitrary code execution in SonicOS", "type": "ptsecurity", "cvss": {}}], "securelist": [{"lastseen": "2020-11-19T10:27:24", "bulletinFamily": "blog", "cvelist": ["CVE-2020-5135"], "description": "\n\nTrying to make predictions about the future is a tricky business. However, while we don't have a crystal ball that can reveal the future, we can try to make educated guesses using the trends that we have observed over the last 12 months to identify areas that attackers are likely to seek to exploit in the near future.\n\nLet's start by reflecting on [our predictions for 2020](<https://securelist.com/advanced-threat-predictions-for-2020/95055/>). \n \n\n\n * **The next level of false flag attacks** \nThis year, we haven't seen anything as dramatic as the forging of a malicious module to make it look like the work of another threat actor, as was the case with [Olympic Destroyer](<https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/>). However, the use of false flags has undoubtedly become an established method used by APT groups to try to deflect attention away from their activities. Notable examples this year include the campaigns of MontysThree and [DeathStalker](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>). 
Interestingly, in the DeathStalker case, the actor incorporated certificate metadata from the infamous Sofacy in their infrastructure, trading covertness for the chance of having their operation falsely attributed.\n\n * **From ransomware to targeted ransomware** \nLast year, we highlighted the shift towards targeted ransomware and predicted that attackers would use more aggressive methods to extort money from their victims. This year, hardly a week has gone by without news of an attempt to extort money from large organizations, including recent [attacks on a number of US hospitals](<https://www.techradar.com/news/ryuk-ransomware-returns-and-takes-multiple-us-hospitals-offline>). We've also seen the emergence of 'brokers' who offer to [negotiate with the attackers](<https://www.bbc.co.uk/news/technology-53214783>), to try to reduce the cost of the ransom fee. Some attackers seem to apply greater pressure by stealing data before encrypting it and threatening to publish it; and in a recent incident, affecting a large psychotherapy practice, [the attackers posted sensitive data of patients](<https://threatpost.com/vastaamo-hackers-blackmailing-therapy-patients/160536/>).\n\n * **New online banking and payments attack vectors** \nWe haven't seen any dramatic attacks on payment systems this year. Nevertheless, financial institutions continue to be targeted by specialist cybercrime groups such as FIN7, CobaltGroup, Silence and Magecart, as well as APT threat actors such as Lazarus.\n\n * **More infrastructure attacks and attacks against non-PC targets** \nAPT threat actors have not confined their activities to Windows, as illustrated by the extension of Lazarus's MATA framework, the development of Turla's Penquin_x64 backdoor and the targeting of European supercomputing centers in May. We also saw the use of multiplatform, multi-architecture tools such as Termite and Earthworm in operation [TunnelSnake](<https://securelist.com/apt-trends-report-q3-2020/99204/>). 
These tools are capable of creating tunnels, transferring data and spawning remote shells on the targeted machines, supporting x86, x64, MIPS(ES), SH-4, PowerPC, SPARC and M68k. On top of this, we also discovered the framework we dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>), which includes a compromised UEFI firmware image designed to drop malware onto infected computers.\n\n * **Increased attacks in regions that lie along the trade routes between Asia and Europe** \nIn 2020, we observed several APT threat actors target countries that had previously drawn less attention. We saw various malware used by Chinese-speaking actors against government targets in Kuwait, Ethiopia, Algeria, Myanmar and the Middle East. We also observed StrongPity deploying a new, improved version of their main implant called StrongPity4. In 2020 we found victims infected with StrongPity4 outside Turkey, located in the Middle East.\n\n * **Increasing sophistication of attack methods** \nIn addition to the UEFI malware mentioned above, we have also seen the use of legitimate cloud services (YouTube, Google Docs, Dropbox, Firebase) as part of the attack infrastructure (either geo-fencing attacks or hosting malware and used for C2 communications).\n\n * **A further change of focus towards mobile attacks** \nThis is apparent from the reports we have published this year. From year to year we have seen more and more APT actors develop tools to target mobile devices. Threat actors this year included OceanLotus, the threat actor behind [TwoSail Junk](<https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/>), as well as Transparent Tribe, OrigamiElephant and many others.\n\n * **The abuse of personal information: from deep fakes to DNA leaks** \nLeaked/stolen personal information is being used more than ever before in up-close and personal attacks. 
Threat actors are less afraid than ever to engage in active ongoing communications with their victims, as part of their spear-phishing operations, in their efforts to compromise target systems. We have seen this, for example, in Lazarus's ThreatNeedle activities and in DeathStalker's efforts to pressure victims into enabling macros. Criminals have [used AI software to mimic the voice of a senior executive](<https://www.computing.co.uk/news/3081119/ai-mimick-voice-crime>), tricking a manager into transferring more than \u00a3240,000 into a bank account controlled by fraudsters; and [governments and law enforcement agencies have used facial recognition software for surveillance](<https://www.google.com/url?q=https://cyberblogindia.in/facial-recognition-incidents-of-abuse-issues/&sa=D&ust=1604679900047000&usg=AOvVaw1cRKsUQ1UuirnO1ulgCIP6>).\n\nTurning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.\n\n## APT threat actors will buy initial network access from cybercriminals\n\nIn the last year, we have observed many targeted ransomware attacks using generic malware, such as Trickbot, to gain a foothold in target networks. We have also observed connections between targeted ransomware attacks and well-established underground networks like Genesis that typically trade in stolen credentials. We believe APT actors will start using the same method to compromise their targets. Organizations should pay increased attention to generic malware and perform basic incident response activities on each compromised computer to ensure generic malware has not been used to deploy sophisticated threats.\n\n## More countries using legal indictments as part of their cyberstrategy\n\nSome years ago we predicted that governments would resort to "naming and shaming", to draw attention to the activities of hostile APT groups. 
We have seen several cases of this over the last 12 months. We think that US Cyber Command's "persistent engagement" strategy will begin to bear fruit in the coming year and lead other states to follow suit, not least as "tit for tat" retaliation to US indictments. Persistent engagement involves publicly releasing reports about adversary tools and activities. US Cyber Command has argued that warfare in cyberspace is of a fundamentally different nature, and requires full-time engagement with adversaries to disrupt their operations. One of the ways they do so is by providing indicators that the threat intelligence community can use to bootstrap new investigations - in a sense, it is a way of orienting private research through intelligence declassification.\n\nTools "burned" in this way become harder to use for the attackers, and can undermine past campaigns that might otherwise have stayed under the radar. Faced with this new threat, adversaries planning attacks must factor in additional costs (the heightened possibility of losing tools or these tools being exposed) in their risk/gain calculus.\n\nExposing toolsets of APT groups is nothing new: [successive leaks by Shadow Brokers](<https://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers>) provide a striking example. However, it is the first time it has been done in an official capacity through state agencies. While quantifying the effects of deterrence is impossible, especially without access to diplomatic channels where such matters are discussed, we believe that more countries will follow this strategy in 2021. 
First, states traditionally aligned with the US may start replicating the process, and then, later on, the targets of such disclosures could follow suit as a form of retaliation.\n\n## More Silicon Valley companies will take action against zero-day brokers\n\nUntil recently, zero-day brokers have traded exploits for well-known commercial products; and big companies such as Microsoft, Google, Facebook and others have seemingly paid little attention to the trade. However, in the last year or so, there have been high-profile cases where accounts were allegedly compromised using WhatsApp vulnerabilities - including [Jeff Bezos](<https://www.forbes.com/sites/thomasbrewster/2020/01/22/if-jeff-bezos-iphone-can-be-hacked-over-whatsapp-so-can-yours/?sh=289de209795d>) and [Jamal Khashoggi](<https://edition.cnn.com/videos/world/2019/01/12/jamal-khashoggi-whatsapp-phone-malware-oren-liebermann-pkg-vpx.cnn>). In October 2019, WhatsApp filed a [lawsuit accusing Israel-based NSO Group of having exploited a vulnerability in its software](<https://techcrunch.com/2019/10/29/whatsapp-spyware-nso-group/?guccounter=1>); and that the technology sold by NSO was used to target more than 1,400 of its customers in 20 different countries, including human rights activists, journalists and others. A [US judge subsequently ruled that the lawsuit could proceed](<https://www.theguardian.com/technology/2020/jul/17/us-judge-whatsapp-lawsuit-against-israeli-spyware-firm-nso-can-proceed>). The outcome of the case could have far-reaching consequences, not least of which could be to lead other firms to take legal action against companies that deal in zero-day exploits. 
We think that mounting public pressure, and the risk of reputation damage, may lead other companies to follow WhatsApp's lead and take action against zero-day brokers, to demonstrate to their customers that they are seeking to protect them.\n\n## Increased targeting of network appliances\n\nWith the trend towards overall improvement of organizational security, we think that actors will focus more on exploiting vulnerabilities in network appliances such as VPN gateways. We're already starting to see this happen - see [here](<https://www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/>), [here ](<https://www.zdnet.com/article/hacker-groups-chain-vpn-and-windows-bugs-to-attack-us-government-networks/>)and [here ](<https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw-cve-2020-5135/>)for further details. This goes hand-in-hand with the shift towards working from home, requiring more companies to rely on a VPN setup in their business. The increased focus on remote working, and reliance on VPNs, opens up another potential attack vector: [the harvesting of user credentials through real-world social engineering approaches such as "vishing"](<https://krebsonsecurity.com/wp-content/uploads/2020/08/fbi-cisa-vishing.pdf>) to obtain access to corporate VPNs. In some cases, this might allow the attacker to even accomplish their espionage goals without deploying malware in the victim's environment.\n\n## The emergence of 5G vulnerabilities\n\n5G has attracted a lot of attention this year, with the US exerting a lot of pressure on friendly states to discourage them from buying Huawei products. In many countries, there were also numerous scare stories about possible health risks, etc. This focus on 5G security means that researchers, both public and private, are definitely looking at the products of Huawei and others, for signs of implementation problems, crypto flaws and even backdoors. 
Any such flaws will certainly receive massive media attention. As usage of 5G increases, and more devices become dependent on the connectivity it provides, attackers will have a greater incentive to look for vulnerabilities that they can exploit.\n\n## Demanding money "with menaces"\n\nWe have seen several changes and refinements in the tactics used by ransomware gangs over the years. Most notably, attacks have evolved from random, speculative attacks distributed to a large number of potential victims, to highly targeted attacks that demand a considerably greater payout from a single victim at a time. The victims are carefully selected, based on their ability to pay, their reliance on the data encrypted and the wider impact an attack will have. And no sector is considered off limits, [notwithstanding the promises ransomware gangs made not to target hospitals](<https://www.bleepingcomputer.com/news/security/ransomware-gangs-to-stop-attacking-health-orgs-during-pandemic/>). The delivery method is also customized to fit the targeted organization, as we have seen with attacks on medical centers and hospitals throughout the year.\n\nWe have also seen ransomware gangs seeking to obtain greater leverage by threatening to [publish stolen data](<https://www.theregister.com/2020/06/24/maze_ransomware_gang_vt_aerospace_rant/>) if a company fails to pay the ransom demanded by the attackers. This trend is likely to develop further as ransomware gangs seek to maximize their return on investment.\n\nThe ransomware problem has become so prevalent that the OFAC (Office of Foreign Assets Control) [released instructions](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001>) for victims and clarified that paying ransoms could constitute a breach of international sanctions. 
We interpret this announcement as the beginning of a wider crackdown on the cybercrime world by US authorities.\n\nThis year, the [Maze](<https://securelist.com/maze-ransomware/99137/>) and Sodinokibi gangs both pioneered an "affiliate" model involving collaboration between groups. Nevertheless, the ransomware eco-system remains very diverse. It's possible that in the future we will see a concentration of major ransomware players who will start to focus their activities and obtain APT-like capabilities. However, for some time to come, smaller gangs will continue to adopt the established approach that relies on piggybacking botnets and sourcing third-party ransomware.\n\n## More disruptive attacks\n\nMore and more aspects of our lives are becoming dependent on technology and connectivity to the internet. As a result, we present a much wider attack surface than ever before. It's likely, therefore, that we will see more disruptive attacks in the future. On the one hand, this disruption could be the result of a directed, orchestrated attack, designed to affect critical infrastructure. On the other hand, it could be collateral damage that occurs as a side-effect of a large-volume ransomware attack targeting organizations that we use in our day-to-day lives, such as educational institutions, supermarkets, postal services and public transportation.\n\n## Attackers will continue to exploit the COVID-19 pandemic\n\nThe world has been turned upside down by COVID-19, which has impacted nearly every aspect of our lives this year. Attackers of all kinds were quick to seize the opportunity to exploit the keen interest in this topic, including APT threat actors. As we have noted before, this did not mark a change in TTPs, but simply a persistent topic of interest that they could use as a social engineering lure. The pandemic will continue to affect our lives for some time to come; and threat actors will continue to exploit this to gain a foothold in target systems. 
During the last six months, there have been reports of APT groups targeting COVID-19 research centers. The UK National Cyber Security Centre (NCSC) stated that APT29 (aka the Dukes and Cozy Bear) [targeted COVID-19 vaccine development](<https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf>). This will remain a target of strategic interest to them for as long as the pandemic lasts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/19093045/KSB-2020_APT-predictions-map.png>)", "modified": "2020-11-19T10:00:48", "published": "2020-11-19T10:00:48", "id": "SECURELIST:100DB957ACFED2B9DC6D860183E5B88F", "href": "https://securelist.com/apt-predictions-for-2021/99387/", "type": "securelist", "title": "Advanced Threat predictions for 2021", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-06-05T15:41:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0892", "CVE-2020-0850", "CVE-2020-0852"], "description": "This host is missing a critical security\n update according to Microsoft KB4484277.", "modified": "2020-06-04T00:00:00", "published": "2020-03-11T00:00:00", "id": "OPENVAS:1361412562310816598", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816598", "type": "openvas", "title": "Microsoft SharePoint Enterprise Server 2016 Multiple RCE Vulnerabilities (KB4484277)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816598\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0850\", \"CVE-2020-0892\", \"CVE-2020-0852\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-11 10:10:57 +0000 (Wed, 11 Mar 2020)\");\n script_name(\"Microsoft SharePoint Enterprise Server 2016 Multiple RCE Vulnerabilities (KB4484277)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4484277.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists when Microsoft Word\n software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows attackers to\n use a specially crafted file to perform actions in the security context of the\n current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft SharePoint Server 2019.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4484277\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_sharepoint_sever_n_foundation_detect.nasl\");\n script_mandatory_keys(\"MS/SharePoint/Server/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif( ! infos = get_app_version_and_location( cpe:'cpe:/a:microsoft:sharepoint_server') ) exit( 0 );\n\nshareVer = infos['version'];\nif(shareVer !~ \"^16\\.\"){\n exit(0);\n}\n\npath = infos['location'];\nif(!path || \"Could not find the install location\" >< path)\n{\n if(!os_arch = get_kb_item(\"SMB/Windows/Arch\")){\n exit(0);\n }\n\n if(\"x86\" >< os_arch){\n key_list = make_list(\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\");\n }\n else if(\"x64\" >< os_arch){\n key_list = make_list(\"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\");\n }\n\n foreach key(key_list)\n {\n path = registry_get_sz(key:key, item:\"ProgramFilesDir\");\n if(path)\n {\n path = path + \"\\Microsoft Office Servers\\16.0\\WebServices\\ConversionServices\\1033\";\n dllVer = fetch_file_version(sysPath:path, file_name:\"msoserverintl.dll\");\n if(dllVer) {\n break;\n }\n }\n }\n} else {\n path = path + \"\\16.0\\WebServices\\ConversionServices\\1033\";\n dllVer = fetch_file_version(sysPath:path, file_name:\"msoserverintl.dll\");\n}\n\nif(dllVer =~ \"^16\\.0\\.\" && version_in_range(version:dllVer, test_version:\"16.0.10337.12109\", test_version2:\"16.0.10357.20003\"))\n{\n report = 
report_fixed_ver(file_checked:path + \"\\msoserverintl.dll\",\n file_version:dllVer, vulnerable_range:\"16.0.10337.12109 - 16.0.10357.20003\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T15:41:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0892", "CVE-2020-0855", "CVE-2020-0850", "CVE-2020-0852", "CVE-2020-0851"], "description": "This host is missing a critical security\n update for Microsoft Office 2016 and Office 2019 on Mac OSX according to\n Microsoft security update March 2020", "modified": "2020-06-04T00:00:00", "published": "2020-03-11T00:00:00", "id": "OPENVAS:1361412562310815582", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815582", "type": "openvas", "title": "Microsoft Office Remote Code Execution Vulnerabilities Mar20 (Mac OS X)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815582\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0850\", \"CVE-2020-0851\", \"CVE-2020-0855\", \"CVE-2020-0892\",\n \"CVE-2020-0852\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-11 12:26:06 +0530 (Wed, 11 Mar 2020)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Remote Code Execution Vulnerabilities Mar20 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update for Microsoft Office 2016 and Office 2019 on Mac OSX according to\n Microsoft security update March 2020\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaws are due to Microsoft Excel and Word\n fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2016 and Office 2019 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 16.16.20 for Microsoft\n Office 2016 and to version 16.35 for Office 2019. 
Please see the references\n for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/officeupdates/release-notes-office-2016-mac\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-gb/officeupdates/release-notes-office-for-mac\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_microsoft_office_detect_macosx.nasl\");\n script_mandatory_keys(\"MS/Office/MacOSX/Ver\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\nif(!offVer = get_kb_item(\"MS/Office/MacOSX/Ver\")){\n exit(0);\n}\n\nif(offVer =~ \"^1[56]\\.\")\n{\n if(version_is_less(version:offVer, test_version:\"16.16.20\")){\n fix = \"16.16.20\";\n }\n else if(version_in_range(version:offVer, test_version:\"16.17.0\", test_version2:\"16.34\")){\n fix = \"16.35\";\n }\n\n if(fix)\n {\n report = report_fixed_ver(installed_version:offVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2020-04-16T14:37:49", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0892", "CVE-2020-0850", "CVE-2020-0852"], "description": "<html><body><p>Provides information about the SharePoint Server 2019 Language Pack security update 4484277 that was released on March 10, 2020.</p><h2>Summary</h2><div><p>This security update resolves a remote code execution vulnerability that exists in Microsoft Word software if the program does not correctly\u00a0handle objects in memory. 
To learn more about the\u00a0vulnerability, see\u00a0the following security advisories:</p><ul><li><a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0892\" managed-link=\"\" target=\"_blank\">Microsoft Common Vulnerabilities and Exposures CVE-2020-0892</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0850\" managed-link=\"\" target=\"_blank\">Microsoft Common Vulnerabilities and Exposures CVE-2020-0850</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0852\" managed-link=\"\" target=\"_blank\">Microsoft Common Vulnerabilities and Exposures CVE-2020-0852</a></li></ul><p><strong>Note</strong> To apply this security update, you must have the release version of Microsoft SharePoint Server 2019\u00a0installed on the computer.</p></div><h2>Improvements and fixes</h2><p>This security update contains fixes for the following nonsecurity issues:</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li value=\"50\"><span>Removes the <strong>Link</strong> command from the <strong>New</strong> menu in custom lists if content types are enabled.</span></li><li value=\"50\"><span>Fixes an issue that prevents users from switching content type when they create\u00a0items in a list.</span></li><li><span><span>Users navigate to a document library and open\u00a0a Links list in Job Access With Speech (JAWS) by using a keyboard shortcut (Alt+F7) to see all links on the page. In this situation, every\u00a0document in the library will have the <strong>Open Menu</strong> link to open the\u00a0<strong>Edit Control Block (ECB)</strong> menu. Therefore, it is not possible\u00a0to know which document belongs to which\u00a0link. 
This update fixes this\u00a0issue.</span></span></li></ul><p><strong>Note </strong>To fix these issues, you have to install update <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/4484271\" managed-link=\"\" target=\"_blank\">4484271 </a>together with this update.</p><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4484277\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=9516c2ec-f9e4-4f36-bdca-d13c3bd82d03\" managed-link=\"\" target=\"\">Download security update 4484277 for the 64-bit version of SharePoint Server 2019 Language Pack</a></li></ul><h2>More information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/20200310\" managed-link=\"\" target=\"_blank\">security update deployment information: March 10, 2020</a>.</p><h3>Security update replacement information</h3><p>This security update replaces previously released update <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/kb/4484259\" managed-link=\"\" target=\"_blank\">4484259</a>.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>wssloc2019-kb4484277-fullfile-x64-glb.exe</td><td>5B6ABD48D2EA6F210D9F94297C181F4E76F7B9F9</td><td>3B24FDC747384E0EFD2AE5850003CFFDEDF1342F8787F3F7682D744923C46202</td></tr></tbody></table><h3><br/>File information</h3><p>Download the <a href=\"https://download.microsoft.com/download/2/1/1/21107492-d5a7-4d85-b912-151d65c1ed08/4484277.csv\" managed-link=\"\">list of files that are included in security update 4484277</a>.</p><h2>Information about protection and security</h2><p>Protect yourself online: <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/hub/4099151\" managed-link=\"\" target=\"_blank\">Windows Security support</a></p><p>Learn how 
we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" managed-link=\"\" target=\"_blank\">Microsoft Security</a></p></body></html>", "edition": 3, "modified": "2020-03-10T17:03:03", "id": "KB4484277", "href": "https://support.microsoft.com/en-us/help/4484277/", "published": "2020-03-10T01:07:01", "title": "Description of the security update for SharePoint Server 2019 Language Pack: March 10, 2020", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:35:27", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0892", "CVE-2020-0850", "CVE-2020-0852"], "description": "<html><body><p>Provides information about the Office Online Server security update 4484270 that was released on March 10, 2020.</p><h2>Summary</h2><div><p>This security update resolves a <span>remote code execution vulnerability that exists in Microsoft Word software if the program\u00a0does not correctly handle objects in memory</span>. To learn more about the vulnerability, see the following:</p><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0850\">Microsoft Common Vulnerabilities and Exposures CVE-2020-0850</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0852\" managed-link=\"\" target=\"\">Microsoft Common Vulnerabilities and Exposures CVE-2020-0852</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0892\" managed-link=\"\" target=\"\">Microsoft Common Vulnerabilities and Exposures CVE-2020-0892</a></li></ul><p><strong>Note</strong> To apply this security update, you must have the release version of Microsoft Office Online Server installed on the computer.<br/>\u00a0</p><h3>Known issues in this update</h3><ul><li><p>After you install this security update, Office Online Server logging will be 
set to <strong>Verbose </strong>by default. We recommend that you change this setting to <strong>Medium </strong>by running the following command:</p><p class=\"indent-1\"><strong><code>Set-OfficeWebAppsFarm -LogVerbosity \u201cMedium\u201d</code></strong></p><p><strong>Note</strong> After you run the command, you\u00a0have to restart the Office Online Service. To do this, run the following command:</p><p class=\"indent-1\"><code><strong>Restart-Service WACSM</strong></code></p></li></ul></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4484270\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=896ddd9f-4075-4fa0-877e-db2e29e2183c\" managed-link=\"\">Download security update 4484270 for the 64-bit version of Office Online Server</a></li></ul><h2>More information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/20200310\" managed-link=\"\" target=\"_blank\">security update deployment information: March 10, 2020</a>.</p><h3>Security update replacement information</h3><p>This security update replaces previously released security update <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4484254\" managed-link=\"\" target=\"_blank\">4484254</a>.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>wacserver2019-kb4484270-fullfile-x64-glb.exe</td><td>239615C1F3CCBDFF4E943DE3F4879AF28575AE61</td><td>EF1396AE918B7AC22FD9E24BD69C5AB8608882C8EA7976BACEDEE17E65E8E5AE</td></tr></tbody></table><h3><br/>File information</h3><p>Download the <a href=\"https://download.microsoft.com/download/f/9/6/f969e02b-7d13-490b-b396-95ce7c2a9ad8/4484270.csv\" managed-link=\"\">list of files that are included in security update 4484270</a>.</p><h2>Information about protection and security</h2><p>Protect yourself online: <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/hub/4099151\" managed-link=\"\" target=\"_blank\">Windows Security support</a></p><p>Learn how we guard against cyber 
threats: <a href=\"https://www.microsoft.com/security\" managed-link=\"\" target=\"_blank\">Microsoft Security</a></p></body></html>", "edition": 9, "modified": "2020-05-04T14:44:57", "id": "KB4484270", "href": "https://support.microsoft.com/en-us/help/4484270/", "published": "2020-03-10T00:00:00", "title": "Description of the security update for Office Online Server: March 10, 2020", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2020-03-17T19:36:23", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0688", "CVE-2020-0852", "CVE-2020-0872"], "description": "**Microsoft Corp.** today released updates to plug more than 100 security holes in its various **Windows** operating systems and associated software. If you (ab)use Windows, please take a moment to read this post, backup your system(s), and patch your PCs.\n\nAll told, this patch batch addresses at least 115 security flaws. Twenty-six of those earned Microsoft's most-dire \"critical\" rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.\n\nGiven the sheer number of fixes, mercifully there are no [zero-day bugs](<https://en.wikipedia.org/wiki/Zero-day_\\(computing\\)>) to address, nor were any of them detailed publicly prior to today. Also, there were no security patches released by **Adobe** today. 
But there are a few eyebrow-raising Windows vulnerabilities worthy of attention.\n\n**Recorded Future** warns exploit code is now available for one of the critical bugs Redmond patched last month in **Microsoft Exchange** ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), and that nation-state actors have been observed abusing the exploit for targeted attacks.\n\nOne flaw fixed this month in **Microsoft Word** ([CVE-2020-0852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0852>)) could be exploited to execute malicious code on a Windows system just by getting the user to load an email containing a booby-trapped document in the **Microsoft Outlook** preview pane. CVE-2020-0852 is one of just four remote execution flaws Microsoft patched this month in versions of Word.\n\nOne somewhat ironic weakness fixed today ([CVE-2020-0872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0872>)) resides in a new component Microsoft debuted this year called [Application Inspector](<https://www.microsoft.com/security/blog/2020/01/16/introducing-microsoft-application-inspector/>), a source code analyzer designed to help Windows developers identify \"interesting\" or risky features in open source software (such as the use of cryptography, connections made to a remote entity, etc).\n\nMicrosoft said this flaw can be exploited if a user runs Application Inspector on a hacked or booby-trapped program. Whoops. 
**Animesh Jain** from security vendor **Qualys** [says](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>) this patch should be prioritized, despite being labeled as less severe (\"important\" versus \"critical\") by Microsoft.\n\nFor enterprises, Qualys recommends prioritizing the patching of desktop endpoints over servers this month, noting that most of the other critical bugs patched today are prevalent on workstation-type devices. Those include a number of flaws that can be exploited simply by convincing a Windows user to browse to a malicious or hacked Web site.\n\nWhile many of the vulnerabilities fixed in today's patch batch affect Windows 7 operating systems, this OS is no longer being supported with security updates (unless you\u2019re an enterprise taking advantage of Microsoft\u2019s [paid extended security updates program](<https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7>), which is available to Windows 7 Professional and Windows 7 enterprise users).\n\nIf you rely on Windows 7 for day-to-day use, it\u2019s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.\n\nIf cost is a primary motivator and the user you have in mind doesn\u2019t do much with the system other than browsing the Web, perhaps a **Chromebook** or an older machine with a recent version of **Linux** is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it\u2019s important to pick one that fits the owner\u2019s needs and provides security updates on an ongoing basis.\n\nKeep in mind that while staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. 
A reliable backup means you\u2019re not losing your mind when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and backup your files before installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the [AskWoody blog](<https://www.askwoody.com/2020/february-2020-patch-tuesday-foibles/>) from **Woody Leonhard**, who keeps a close eye on buggy Microsoft updates each month.\n\n**Update, 7:50 p.m.:** Microsoft has released [an advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>) about a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. Critical SMB (Windows file-sharing) flaws are dangerous because they are typically \"wormable,\" in that they can spread rapidly to vulnerable systems across an internal network with little to no human interaction.\n\n\"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,\" Microsoft warned. \"To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\"\n\nMicrosoft's advisory says the flaw is neither publicly disclosed nor exploited at the moment. 
It includes a workaround to mitigate the flaw in file-sharing servers, but says the workaround does not prevent the exploitation of clients.", "modified": "2020-03-10T23:44:29", "published": "2020-03-10T23:44:29", "id": "KREBS:9D9C58DB5C5495B10D2EBDB92549B0F2", "href": "https://krebsonsecurity.com/2020/03/microsoft-patch-tuesday-march-2020-edition/", "type": "krebs", "title": "Microsoft Patch Tuesday, March 2020 Edition", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
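The OpenVAS plugin for the Office for Mac fixes (OID 1.3.6.1.4.1.25623.1.0.815582, CVE-2020-0850/-0851/-0852/-0855/-0892) boils down to a version-range check: anything in the 15.x/16.x line below 16.16.20 needs the Office 2016 fix, 16.17.0 through 16.34 needs the Office 2019 fix 16.35, and everything else is treated as patched. The example below re-implements that logic in Python so the comparison can be exercised and unit-tested outside a scanner. It is an added example, not Greenbone's plugin and not part of the original page; the fixed builds 16.16.20 and 16.35 are taken from the plugin, while the numeric zero-padding of short versions, the major.minor upper bound for the 16.34 range, and the `SAMPLE_INVENTORY` hosts are this example's own choices and constructed data.

```python
"""Version-range check for the March 2020 Office for Mac fixes.

Added example re-implementing the decision logic of the Greenbone OpenVAS plugin
(OID 1.3.6.1.4.1.25623.1.0.815582). Not Greenbone's code. The fixed builds come
from the plugin; the comparison rules below are this example's assumptions.
"""
import re
from typing import Dict, Optional, Tuple

FIX_2016 = "16.16.20"   # Office 2016 for Mac, per the plugin's solution tag
FIX_2019 = "16.35"      # Office 2019 for Mac, per the plugin's solution tag

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '16.16.19' into (16, 16, 19).

    Assumption: Office for Mac reports a dotted decimal version, optionally
    followed by a parenthesised build such as '16.34 (20020900)'; the
    parenthesised part is dropped. Anything else is rejected rather than
    silently compared as a string.
    """
    core = text.strip().split(" ")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.split("."))


def cmp_versions(a: Version, b: Version) -> int:
    """Component-wise numeric comparison: -1, 0 or 1.

    Missing trailing components count as 0 (16.34 == 16.34.0). A plain string
    compare would rank '16.9' above '16.16', which is exactly the kind of bug
    that makes a version check miss unpatched hosts.
    """
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def required_fix(installed: str) -> Optional[str]:
    """Return the build the host must be upgraded to, or None if not affected.

    Mirrors the plugin's branches:
      * only 15.x / 16.x are in scope (offVer =~ "^1[56]\\.")
      * below 16.16.20            -> unpatched Office 2016 line, fix 16.16.20
      * 16.17.0 .. 16.34.*        -> unpatched Office 2019 line, fix 16.35
      * 16.16.20 .. 16.16.x, 16.35 and later -> patched
    The upper bound is compared on major.minor only, so a full build string
    such as 16.34.20020900 is still flagged (this example's choice).
    """
    version = parse_version(installed)
    if version[0] not in (15, 16):
        return None
    if cmp_versions(version, parse_version(FIX_2016)) < 0:
        return FIX_2016
    if (cmp_versions(version, (16, 17, 0)) >= 0
            and cmp_versions(version[:2], (16, 34)) <= 0):
        return FIX_2019
    return None


def scan(inventory: Dict[str, str]) -> Dict[str, str]:
    """Apply the check to a host -> installed-version map; return only the
    hosts that need an upgrade, with the build they must reach."""
    findings = {}
    for host, installed in inventory.items():
        fix = required_fix(installed)
        if fix is not None:
            findings[host] = fix
    return findings


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "mac-01": "16.16.19",          # Office 2016, one build short of the fix
    "mac-02": "16.34.20020900",    # Office 2019, full build string
    "mac-03": "16.35",             # Office 2019, patched
    "mac-04": "15.41",             # old 2016 line, still flagged
}

if __name__ == "__main__":
    for host, fix in scan(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {fix}")
```

Run it as a script to see the flagged hosts; the `parse_version` guard is deliberate, since a scanner that falls back to string comparison on an odd version string will quietly report an unpatched host as fixed.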