Posts
2523
Following
649
Followers
1466
"I'm interested in all kinds of astronomy."
repeated

CPU bugs reached a level of yikes that speculation side channels can only dream of

https://ghostwriteattack.com/riscvuzz.pdf

repeated
This tabloid cover feels cyberpunk in a good way #adtech
repeated

MICROSOFT ZERO-DAYS (both CVE IDs are UNPATCHED)
As promised, Microsoft Security Response Center (MSRC) published not one but TWO security advisories in regards to a Windows Update issue allowing for software-downgrade attacks (see parent toot above):

  • CVE-2024-21302 (6.7 medium) Windows Secure Kernel Mode Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)
  • CVE-2024-38202 (7.3 high) Windows Update Stack Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)

Microsoft was notified that an elevation of privilege vulnerability exists in Windows-based systems supporting Virtualization Based Security (VBS) including a subset of Azure Virtual Machine SKUs; enabling an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS.
A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows Backup potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of VBS. For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability.
Microsoft is developing a security update to mitigate this threat, but it is not yet available.

cc: @campuscodi @briankrebs @wdormann @ntkramer

repeated

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here ->
https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work

repeated
Edited 11 months ago

Ivanti and Fortinet have unpatched vulnerabilities in their VPN products!
Akamai, in their blog post Living off the VPN — Exploring VPN Post-Exploitation Techniques, talk about techniques that can be used by threat actors after compromising a VPN server to further escalate their intrusion. The key takeaway is that the vulnerability disclosure was published 133 days after initial notification to Ivanti and Fortinet:

  • CVE-2024-37374 (unknown CVSS score) Ivanti hard-coded key issue?
  • CVE-2024-37375 (unknown CVSS score) Ivanti MDM cleartext passwords issue?
  • Fortinet custom encryption key bypass issue (no CVE ID assigned)

Fortinet informed us that after additional consideration, they decided to not fix the custom encryption key bypass as it “does not cross a security boundary”

If the original Ivanti Connect Secure exploited zero-day fiasco hasn't scared you off of their products, this is your wakeup call. As @cadey would say: "No way to prevent this" say users of only VPN where this regularly happens

cc: @campuscodi (who else wants to be notified of issues like this?)

repeated

“Variant analysis is the lowest effort, highest reward activity for preventing 0days” @natashenka

repeated

Another year, another Microsoft Most Valuable Researcher for me. This year, it has a bittersweet taste though.

Let’s kick off with the sweet part.

I’m quite happy with my consistency and findings. My record for 2024:
- 10x Exchange
- 2x SharePoint
- 1x .NET/VS

Multiple RCEs included.

I have also already reported several vulns for 2025, and I’m happy with the technical level of the findings. Not necessarily with the impact, but you don’t always get RCE;). I’m especially happy with the fact that I’m doing some risky deep dives, and sometimes it pays off.

I’m also happy with some recent research. I’ve been abusing unknown attack surfaces and I had some success with that (even though I was not familiar with the target). At least some of them are unknown according to my knowledge, so even if they are known, it does not count, right? :)

Now the bitter part.

Over the entire year, I had an impression that the MSRC leaderboard is missing points for the majority of my submissions. I was signalling this issue a couple of times, but with no effect. I was not even on the initial MVR list.

After my small tweet, some of my missing points were found and I eventually made it to the list (thx MSRC for this intervention). The truth is – the list is not so important to me. I like to think about vuln disclosure as some mutually respected process.

I’m not collecting bounties (reporting as ZDI) and the only thing I want in return for my submissions is a proper acknowledgment. I think that this process failed in 2024, but I hope it will eventually get better. I have the impression that I should have way more points, but whatever.

Another part – several of my submissions were rejected as expected behavior. Not a nice feeling, but it’s a part of the game. I can see a lot of tweets about dropped submissions and this part concerns everybody. From my perspective, reporting .NET vulns is the hardest.

I have a small perception that if you cannot exploit something that you consider a .NET vuln in Exchange or SharePoint, it’s probably going to be ignored (based on my experience only). Well guess what, there are different products/apps based on .NET too :D

To sum up, quite a good year. Hoping to have an even better 2025, although my Exchange run from 2023/2024 will be hard to repeat.

I hope to deliver some nice research and to see you next year during conferences or wherever. Cheers

repeated

Here's one way to view the 28 transfer protocols supports.

repeated

Google Chrome security advisory: Stable Channel Update for Desktop
Google does not know how to count past five as they state 5 security fixes but list 6 externally reported vulnerabilities:

  1. CVE-2024-7532 (critical) Out of bounds memory access in ANGLE
  2. CVE-2024-7533 (high) Use after free in Sharing
  3. CVE-2024-7550 (high) Type Confusion in V8
  4. CVE-2024-7534 (high) Heap buffer overflow in Layout
  5. CVE-2024-7535 (high) Inappropriate implementation in V8
  6. CVE-2024-7536 (high) Use after free in WebAudio

No mention of exploitation.

@risottobias I'm not saying revocation/key mgmt is useless, just that it's not relevant in this case as it seems there are no keys to manage

@risottobias if I interpret the translation correctly there is no need for revocation as there are no sigs :) *roll smart*
repeated
@risottobias I'm not familiar with TUF. Here the key would be to verify the authenticity of (bytecode) updates since you have to expect middleboxes in the network path that you shouldn't trust.

@Viss "now you can convert your web proxy to a multi-target remote kernel debugger"
repeated

After months of digging and reporting, I have learned where Facebook's bizarre AI spam (like "Shrimp Jesus") comes from, who is making it, how it works, and how it is monetized.

Turns out Meta is directly paying people to spam FB with this stuff

https://www.404media.co/where-facebooks-ai-slop-comes-from/

Alt:

Therefore, after in-depth analysis, we found that the conditions for LPE or RCE vulnerabilities are actually met here.

(1) The source of its input content is the `C-00000291-00000000-00000009.sys` file, and there is no signature mechanism;

(2) `CrowdStrike` lacks a self-protection mechanism and can read and write the `C-00000291-00000000-00000009.sys` file at will;

(3) `C-00000291-00000000-00000009.sys` itself is directly downloaded from the Internet by `CSAgent.sys`;

(4) `CSAgent.sys` supports reading the proxy from IE AutoProxy out of the network.
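The four CrowdStrike conditions above (a channel file with no signature mechanism, writable on disk, fetched from the Internet by the driver) and the earlier reply about verifying the authenticity of bytecode updates when untrusted middleboxes sit on the path describe the same missing control. As an added example, not code from CrowdStrike, any vendor, or any poster on this page, here is what that control looks like in Go with the standard library's `crypto/ed25519`: a pinned publisher key, a signed manifest that names the payload digest, and a monotonic version check so that an older, still validly signed update cannot be replayed (the downgrade class the Microsoft advisories above describe). The `Manifest` format, the key pair, and the sample payload are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update artifact. Hypothetical format: the page does
// not describe how any vendor structures its update or channel files.
type Manifest struct {
	Name    string `json:"name"`
	Version uint64 `json:"version"` // must only ever increase
	SHA256  string `json:"sha256"`  // hex digest of the payload bytes
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
	ErrHashMismatch = errors.New("payload digest differs from the signed manifest")
	ErrRollback     = errors.New("signed manifest is older than the installed version")
)

// Digest returns the hex SHA-256 of a payload, as recorded in a manifest.
func Digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// SignManifest produces what a publisher ships beside the payload: the JSON
// manifest and an ed25519 signature over exactly those bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate accepts an update only when all three checks pass:
//  1. the manifest is signed by the pinned publisher key (authenticity: a
//     middlebox or a local writer cannot substitute its own content);
//  2. the payload on disk hashes to the digest the manifest names (integrity
//     of the file actually loaded, not just of the manifest);
//  3. the version is not below what is installed (anti-rollback: an old but
//     genuine manifest cannot be replayed to reintroduce fixed bugs).
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte, installed uint64) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if Digest(payload) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	if m.Version < installed {
		return nil, ErrRollback
	}
	return &m, nil
}

func main() {
	// Constructed key pair and payload. A real client pins the publisher's
	// public key in the installed binary instead of generating one here.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed content-update blob v10")
	mj, sig, _ := SignManifest(priv, Manifest{Name: "content-update", Version: 10, SHA256: Digest(payload)})

	_, err := VerifyUpdate(pub, mj, sig, payload, 9)
	fmt.Println("genuine update:", err)

	tampered := append(append([]byte(nil), payload...), '!')
	_, err = VerifyUpdate(pub, mj, sig, tampered, 9)
	fmt.Println("modified payload:", err)

	_, err = VerifyUpdate(pub, mj, sig, payload, 11)
	fmt.Println("replayed older manifest:", err)
}
```

The order of the checks matters: the signature is verified before the manifest is parsed, so unauthenticated bytes never reach the JSON decoder, and the digest is computed over the payload as it sits on disk at load time, which is the point at which a locally writable file would otherwise be trusted.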
I don't have high expectations about security products but this one about #CrowdStrike is straight up terrifying