apple and Microsoft A software update was recently released that fixed dozens of security vulnerabilities in the operating system.Microsoft fixed at least 60 vulnerabilities today Windows operating system.At the same time, Apple’s new macOS Sonoma Addressing at least 68 security vulnerabilities, the latest update to iOS fixes two zero-day vulnerabilities.
Last week, Apple rolled out an emergency software update for its flagship iOS platform, warning of at least two zero-day exploits targeting vulnerabilities (CVE-2024-23225 and CVE-2024-23296).Security updates are available at iOS 17.4, iPadOS 17.4and iOS 16.7.6.
apple Apple system Sonoma 14.4 security update Dozens of security issues resolved. Jason KitkaChief Information Security Officer Automoxsaid that the vulnerabilities fixed in this update often stem from memory security issues, a concern that has triggered a broader discussion in the industry about the use of memory-safe programming languages. [full disclosure: Automox is an advertiser on this site].
On February 26, 2024, the Biden administration released a report calling for greater adoption of memory-safe programming languages. On March 4, 2024, Google released “Secure by Design”, explaining the company’s views on memory security risks.
Fortunately, there don’t appear to be any zero-day threats plaguing Windows users this month (at least not yet). sananarangsenior research engineer tenablepoints out that of the 60 CVEs released on Patch Tuesday this month, only six are considered “more likely to be exploitable,” according to Microsoft.
Most of the vulnerabilities that are easier to exploit are “privilege escalation vulnerabilities”, including CVE-2024-26182 (Windows Core), CVE-2024-26170 (Windows Composite Image File System (CimFS)), CVE-2024-21437 (Windows Graphics Component )) and CVE-2024-21433 (Windows print spooler).
Narang highlights CVE-2024-21390, a privilege escalation vulnerability, as a particularly interesting vulnerability in this month’s Patch Tuesday release Microsoft Authenticator, the software giant’s multi-factor authentication app. Narang said that the prerequisite for an attacker to exploit this flaw is that malware or malicious applications are already present on the device.
“If the victim closes and reopens the Microsoft Authenticator app, the attacker can obtain the multi-factor authentication code and modify or delete the account in the app,” Narang said. “Accessing the target device is bad enough because They can monitor keystrokes, steal data and redirect users to phishing sites, but if the goal is to remain stealthy, they can maintain this access and steal multi-factor authentication codes to log in by changing passwords and switching multiple identities. Authenticate devices to attack sensitive accounts, steal materials, or completely hijack accounts, effectively locking users out of their accounts.”
CVE-2024-21334 has a CVSS (Dangerous) score of 9.8 (worst 1o) and involves weaknesses in: Open management infrastructure (OMI), a Linux-based cloud infrastructure MicrosoftAzure. Microsoft said an attacker could connect to an OMI instance over the network without authentication and then send specially crafted packets to obtain remote code execution on the host device.
CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which serves as the backbone for a lot of communication between the applications people use every day on Windows. Kevin BrinSenior Director of Threat Research Immersive Lab.
Breen explained: “To exploit this vulnerability, there is a vulnerability that allows remote code execution. The attacker needs to trick the user into opening a document, which will use the OLE engine to download a malicious DLL, thereby gaining code execution permissions on the system.” “Attack complexity is described as low, meaning there is a smaller barrier to entry for attackers.”
The SANS Internet Storm Center provides a complete list of vulnerabilities addressed by Microsoft this month, with updates broken down by severity and urgency.
Finally, Adobe today released security updates that fix dozens of security vulnerabilities across a variety of products, including Adobe Experience Manager, Adobe Premiere Pro, Cold Fusion 2023 and 2021, adobe bridge, lamp roomand Adobe animation. Adobe said it is not aware of anyone actively exploiting the flaws.
By the way, Adobe recently registered all of its acrobat Users can use a “new generative AI feature” that scans the content of a PDF so that its new “AI assistant” can “understand your questions and provide answers based on the content of the PDF file.” Adobe provides instructions on how to disable and opt out of AI features here.
