CISA: Vulnerability Summary for the Week of September 2, 2024
Sometimes I check the summary for hidden gems. This time, five of the Mozilla Firefox CVEs are CVSSv3.1: 9.8 critical

• CVE-2024-8381 type confusion
• CVE-2024-8384 memory corruption
• CVE-2024-8385 type confusion
• CVE-2024-8387 memory corruption
• CVE-2024-8389 memory corruption

At a glance, they're obviously high severity. It's just that you won't have that sense of urgency at the time of announcement because you didn't see the CVSS score, or understand the impact.

Let's not forget to mention Hall of Shame Progress Software for having LoadMaster vulnerability CVE-2024-7591 with a perfect 10.0 🥳

[PATCH] Fix a bug in ebpf verifier

https://lore.kernel.org/bpf/67451140439fafa1bae3e3b010d2c6b9969696a1.camel@gmail.com/T/#m8adf66625ed09e89983cca14f7e982393cb7ac3d

@phil I think this one is pretty fresh: https://www.bleepingcomputer.com/news/security/fortinet-confirms-data-breach-after-hacker-claims-to-steal-440gb-of-files/

New vulnerability report from Talos:

Microsoft High Definition Audio Bus Driver HDAudBus_DMA multiple irp complete requests vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2008

In part 2 of his #Exchange series, @chudypb describes the ApprovedApplicationCollection gadget. He also covers a path traversal in the Windows utility extrac32.exe, which allowed him to complete the chain for a full RCE in Exchange and remains unpatched.
https://www.zerodayinitiative.com/blog/2024/9/11/exploiting-exchange-powershell-after-proxynotshell-part-2-approvedapplicationcollection

[RSS] CVR: The Mines of Kakadum

https://bughunters.google.com/blog/6220757425586176/cvr-the-mines-of-kakad-m

Pretty sure I posted the OffensiveCon talk before, but it%27s always nice to have things written up

[RSS] Advisory X41-2024-003: DoS Vulnerability in Chilkat ASN.1 Decoder

https://x41-dsec.de/lab/advisories/x41-2024-003-chilkat-asn1/

@dmnk @joxean Done: https://github.com/nccgroup/Cartographer/pull/14

[RSS] The case of the string being copied from a mysterious pointer to invalid memory, revisited

https://devblogs.microsoft.com/oldnewthing/20240911-00/?p=110247

[RSS] Avred background: Advances in Reversing Defender Signature Format

https://blog.deeb.ch/posts/avred-update/

[RSS] WordPress.org to require two-factor authentication for plugin developers

https://cyberscoop.com/wordpress-two-factor-authentication-supply-chain/

I just got my hands on @tiraniddo's Windows Security Internals book <3

I ordered it through Blackwell's, that is a UK company but ships @nostarch books to EU too, so you can avoid dealing with customs yourself. Order tracking needs improvement.

https://blackwells.co.uk/bookshop/product/Windows-Security-Internals-by-James-Forshaw/9781718501980

I really try to like Firefox, but the last 5 minutes really captures the kind of papercut that happens often:

- I open a new tab and firefox informs me it has updated itself and needs to restart and won't allow any further operations until it does so.
- Fine, I close and restart.
- I reopen Firefox to find a brand new sponsored weather widget on my otherwise blank new tab page - from a source I would never otherwise visit.

Thanks for breaking my flow and the privacy breach, I guess.

The promised writeup of how I discovered that the Feeld dating app was protecting private data by doing client-side filtering: https://mjg59.dreamwidth.org/70061.html

Bleeping Computer: Adobe fixes Acrobat Reader zero-day with public PoC exploit
References:

• APSB24-70 Security update available for Adobe Acrobat and Reader (10 September 2024)
• APSB24-57 Security update available for Adobe Acrobat and Reader (13 August 2024)

Okay I already have an EXPMON thread here (see parent toots above) so I'll orphan the original Adobe September 2024 Patch Tuesday toot. It should be noted that CVE-2024-41869 (7.8 high) UAF to arbitrary code execution in Adobe Acrobat and Reader is a Zero Day (Proof of Concept exploit in the wild exists before the vulnerability was patched, unknown if actually exploited). Apparently the August patch wasn't sufficient for the vulnerability CVE-2024-39383 (7.8 high, which should also be considered a zero-day). Haifei Li wrote on the Bad Place: "We tested the (exactly the same) sample on the "patched" Adobe Reader version, it displayed additional dialogs, but if the user clicked/closed those dialogs, the app still crashed! Same UAF bug!"

In yesterday's Adobe Reader security advisory, Adobe didn't call attention to the fact that a Proof of Concept exploit exists in the wild, or however they would normally word it.

#expmon #adobe #proofofconcept #zeroday #vulnerability #CVE_2024_41869 #CVE_2024_39383

We've completed a comparative security assessment of authorization policy languages: Cedar, Rego, and the OpenFGA modeling language.
If you are a language designer or a software developer, our AWS-sponsored assessment also provides recommendations for improving policy language design and for securing systems that use policy languages.
https://buff.ly/4cSO63s

Are we not negative enough towards #ai

Australia really looked at GDPR and said “those fines are rookie numbers, mate”.

https://ministers.ag.gov.au/media-centre/parliament-approves-governments-privacy-penalty-bill-28-11-2022

(from https://twitter.com/troyhunt/status/1597841957526568966 )

As @echo_pbreyer reminded us, EU member states have revived their effort to force-install a child pornography scanner on our phones again. This idea was rejected twice before, but they'll keep trying. Here's an English transcript of what I said about this in Dutch parliament last year: https://berthub.eu/articles/posts/client-side-scanning-dutch-parliament/

My SharePoint RCE got fixed: CVE-2024-38018. Site Member privs should be enough to exploit.

I also found a DoS vuln that got patched today: CVE-2024-43466.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38018