Microsoft Warns of Unpatched IE Browser Zero-Day That’s Under Active Attacks

Internet Explorer is dead, but not the mess it left behind.

Microsoft earlier today issued an emergency security advisory warning millions of Windows users of a new zero-day vulnerability in the Internet Explorer (IE) browser that attackers are actively exploiting in the wild — and there is no patch yet available for it.

The vulnerability, tracked as CVE-2020-0674 and rated moderate, is a remote code execution issue that exists in the way Internet Explorer's scripting engine handles objects in memory and is triggered through the JScript.dll library.

A remote attacker can execute arbitrary code on targeted computers and take full control over them simply by convincing victims to open a maliciously crafted web page in the vulnerable Microsoft browser.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the advisory says.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft is aware of ‘limited targeted attacks’ in the wild and is working on a fix; until a patch is released, it has provided affected users with workarounds and mitigations to protect vulnerable systems from attack.

The affected web browsing software includes Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 running on all versions of Windows 10, Windows 8.1, and the recently discontinued Windows 7.

Use iPhone as Physical Security Key to Protect Your Google Accounts

Great news for iOS users!

You can now use your iPhone or iPad, running iOS 10 or later, as a physical security key for securely logging into your Google account as part of the Advanced Protection Program for two-factor authentication.

Android users have had this feature on their smartphones since last year, but now Apple product owners can also use this advanced, phishing-resistant form of authentication as an alternative to a physical security key.

Adding the extra security layer of two-step verification is one of the most essential steps you can take to secure your online accounts; it makes it much harder for attackers to log in to your account, even when they have stolen your password.

“According to a study we [Google] released last year, people who exclusively used security keys to sign into their accounts never fell victim to targeted phishing attacks,” said Shuvo Chatterjee, Product Manager at Google’s Advanced Protection Program.

Update Windows 10 Immediately to Patch a Flaw Discovered by the NSA

After Adobe released its first Patch Tuesday updates for 2020 earlier today, Microsoft has also published its January security advisories, warning billions of users of 49 new vulnerabilities across its various products.

What’s so special about the latest Patch Tuesday is that one of the updates fixes a serious flaw in the core cryptographic component of the widely used Windows 10, Windows Server 2016 and Windows Server 2019 editions, a flaw that was discovered and reported to the company by the National Security Agency (NSA) of the United States.

What’s more interesting is that this is the first security flaw in the Windows OS that the NSA has responsibly reported to Microsoft, unlike the EternalBlue SMB flaw, which the agency kept secret for at least five years before it was leaked to the public by a mysterious group and went on to fuel the WannaCry outbreak of 2017.

CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability

According to an advisory released by Microsoft, the flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601, resides in the Crypt32.dll module, which contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows CryptoAPI for handling encryption and decryption of data.

The issue resides in the way the Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates; ECC is currently the industry standard for public-key cryptography and is used in the majority of SSL/TLS certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

Exploitation of the vulnerability allows attackers to abuse validation of trust between:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

Though technical details of the flaw are not yet available to the public, Microsoft confirms that the flaw, if exploited successfully, could allow attackers to spoof digital signatures on software, tricking the operating system into installing malicious software that impersonates the identity of any legitimate software—without users’ knowledge.

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” the Microsoft advisory says.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.”

Besides this, the flaw in CryptoAPI could also make it easy for remote man-in-the-middle attackers to impersonate websites or decrypt confidential information on user connections to the affected software.

“This vulnerability is classed Important and we have not seen it used in active attacks,” Microsoft said in a separate blog post.

“This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk.”

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available,” the NSA said.

Adobe Releases First 2020 Patch Tuesday Software Updates

Adobe today released software updates to patch a total of 9 new security vulnerabilities in two of its widely used applications, Adobe Experience Manager and Adobe Illustrator.

It’s the first Patch Tuesday for the year 2020 and one of the lightest patch releases in a long time for Adobe users.

Moreover, none of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild.

Five of the 9 security vulnerabilities are ‘critical’ in severity, and all of them affect Adobe Illustrator CC versions 24.0 and earlier; they were reported to the company by Fortinet’s FortiGuard Labs researcher Honggang Ren.

According to an advisory published by Adobe, all five critical issues in Adobe Illustrator software are memory corruption bugs that could allow an attacker to execute arbitrary code on targeted systems in the context of the current user.

The remaining 4 security vulnerabilities affect Adobe Experience Manager—a comprehensive content management solution for building websites, mobile apps, and forms—none of which is critical in severity, but they should still be patched at your earliest convenience.

That’s also because Adobe has marked the security updates for Adobe Experience Manager with a priority rating of 2, which means similar flaws have previously been seen exploited in the wild, although for now the company has found no evidence that these particular vulnerabilities are being exploited.

PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability

It’s now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers.

Why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code for a recently disclosed remote code execution vulnerability in Citrix’s NetScaler ADC and Gateway products, which could allow anyone to leverage it to take full control over potential enterprise targets.

Just before the last Christmas and year-end holidays, Citrix announced that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers.

Citrix confirmed that the flaw affects all supported versions of the software, including:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

The company made the disclosure without releasing any security patches for the vulnerable software; instead, Citrix offered mitigations to help administrators guard their servers against potential remote attacks—and even at the time of writing, almost 23 days after disclosure, there is still no patch available.
