Happy #PatchTuesday from Microsoft: 71 new vulnerabilities, ONE ZERO-DAY:
Update: CVE-2024-38033 (7.3 high, from 09 July 2024), PowerShell Elevation of Privilege Vulnerability, has had its patch reissued for all affected versions of Windows Server 2012 and Windows Server 2012 R2.
The Microsoft data arrived almost 10 minutes early.
cc: @goatyell @mttaggart @hrbrmstr @ntkramer @iagox86 @zackwhittaker @dreadpir8robots @TheDustinChilds @neurovagrant @xorhex @campuscodi @briankrebs (remember to remove the mentions to avoid ReplyAll madness)
#microsoft #msrc #vulnerability #cve #infosec #cybersecurity
I'd imagine this is gonna change about three times an hour at the rate new info (and intel) is being shared, but Rapid7 is also investigating a bunch of incidents related to this. Our MDR folk have confirmed successful exploitation in customer environments and observed enumeration and post-exploitation behavior similar to what @huntress has already shared. https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/
Cleo have issued a (paywalled) advisory about the zero day, saying a new CVE number is being allocated.
Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. Read the latest in the Vulnerability Roundup: https://blog.talosintelligence.com/mc-lr-router-and-gocast-zero-day-vulnerabilities-2/
The official PeerTube app just released:
https://play.google.com/store/apps/details?id=org.framasoft.peertube
https://apps.apple.com/app/peertube/id6737834858
(coming soon to F-Droid)
How to add more servers:
1. Click Explore
2. Click "Show More Platforms" in middle of the screen
3. Click the + icon in top right
4. Enter server's web address & connect
5. Click "Platforms" at the bottom to browse added servers
Don't blame Framasoft for missing features, blame Apple and Google's idiotic rules:
https://framablog.org/2024/12/10/peertube-mobile-app-discover-videos-while-caring-for-your-attention
🧵 1/2
Over 350 musicians are speaking out to demand that major labels drop a lawsuit aimed to destroy the Internet Archive.
The Ruby on Rails _json Juggling Attack https://nastystereo.com/security/rails-_json-juggling-attack.html
Hello Rustaceans! Our technical director @raptor is back at it.
In this second installment of our #Rust series, “An offensive Rust encore”, he will guide you in bringing your skills to the next level by using a new PoC #RedTeaming tool as an excuse:
fascinating result about the performance of memory-safe PNG decoders and the usefulness of autovectorization in real projects https://www.reddit.com/r/rust/comments/1ha7uyi/memorysafe_png_decoders_now_vastly_outperform_c/
High level diff of iOS 18.2 RC vs. iOS 18.2 RC2 🎉
https://github.com/blacktop/ipsw-diffs/blob/main/18_2_22C150__vs_18_2_22C151/README.md
Totally missed Huawei's new programming languages: ArkTS (a TS subset that compiles to native code) and Cangjie (too much Chinese documentation for me to understand it):
https://en.wikipedia.org/wiki/ArkTS
https://www.gizmochina.com/2024/06/21/huawei-cangjie-programming-language/
kids don’t even know you used to go to the mall and go to a store inside the mall and find boxes that had computer programs inside and you’d look at the boxes and compare them to other boxes and decide which computer programs you wanted to run and pay for them at the counter and take them home and find out they sucked ass. they just don’t know.
CISA: Vulnerability Summary for the Week of December 2, 2024
ELEVEN vulnerabilities with a perfect CVSSv3.1 score of 10.0 out of 10 🥳 cc: @cR0w
How many high severity path traversals this week?
Fun little story about @wiz. For several years (or so it seemed), I watched Wiz kicking the crap out of Azure, finding and reporting on vulnerabilities in Azure’s services. I even talked about some of that on the DefSec podcast.
Then I became the CISO of IBM Cloud. One fine day after I had been in place for a while, I was made aware that our security tools had taken action against a malicious customer trying to find a way to move around in the multi-tenant environment. I then got a request to speak with Wiz security researchers, who I found out were the people we shut down. Before I got on the phone with them, I remembered the ongoing saga between Wiz and Azure and thought “here we go, they’re coming after us now”.
That turned out not to be the case at all. Wiz asked for permission to continue testing because they had an intuition that some issues existed. We set them up in a fenced off environment and let them have at it. Wiz did end up finding some issues, but it became clear to me that Wiz was most interested in keeping cloud customers safe - even those they have no relationship with. Now certainly there’s a marketing aspect to a security company finding and reporting on security vulnerabilities, but I will tell you that they were super professional and coordinated well with us.
Behind the scenes, that wasn’t an easy sell for me. Everyone could see what was going on with Azure and many thought I was insane for wanting to entertain Wiz, but I shared Wiz’s view of wanting to ensure the safety of customers, even if it meant discomfort.
The title of Wiz’s report is “Hell’s Keychain” and you can google it easy enough, and it has a quote from me.
I’ve never used their product and have no affiliation with them beyond being on their podcast once and getting some swag from them.