Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my Vulristics project. I decided to add more comment sources. Because it’s not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers.
You can see them in my automated security news telegram channel avleonovnews after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.
Hello everyone! I am glad to greet you from the most sanctioned country in the world. Despite all the difficulties, we carry on. I even have some time to release new episodes. This time it will be about Microsoft Patch Tuesday for March 2022.
I do the analysis as usual with my open source tool Vulristics. You can still download it on github. I hope that github won’t block Russian repositories and accounts, but for now it looks possible. Most likely, I will just start hosting the sources of my projects on avleonov.com in this case. Or on another domain, if it gets even tougher. Stay tuned.
Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2022. I release it pretty late, because of the my previous big episode about the blindspots in the Knowledge Bases of Vulnerability Scanners. Please take a look if you haven’t seen it. Well, if you are even slightly interested in the world news, you can imagine that the end of February 2022 in Eastern Europe is not the best time to create new content on Vulnerability Management. Let’s hope that peace and tranquility will be restored soon. And also that geopolitical confrontation between the largest nuclear powers will de-escalate somehow.
But let’s get back to information security. While working on Microsoft Patch Tuesday report for February 2022, I made a lot of improvements to my open source project for vulnerability prioritization Vulristics. I want to start with them.
Hello everyone! In this episode I want to highlight the latest changes in my Vulristics project. For those who don’t know, this is a utility for prioritizing CVE vulnerabilities based on data from various sources.. Currently Microsoft, NVD, Vulners, AttackerKB.
Command Line Interface
I started working on the CLI for Vulristics. Of course, it is not normal to edit scripts every time to release a report.
Hello everyone! This episode will be about relatively recent critical vulnerabilities. Let’s start with Microsoft Patch Tuesday for October 2021. Specifically, with the vulnerability that I expected there, but it didn’t get there.
Autodiscover leak discovered by Guardicore Labs
“Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com).” Guardicore Labs acquired multiple Autodiscover domains and have captured 372,072 Windows domain credentials in total. It seems Microsoft have chosen to ignore this issue. No CVE, no Outlook or ActiveSync patches. The only fix is to ban the “Autodiscover.” domains on devices.
Elevation of Privilege – Windows Kernel (CVE-2021-40449)
It is a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. A detailed technical description is available in Kasperky Securelist post, but, in short, the vulnerability can lead to leakage of kernel module addresses in the computer’s memory. This vulnerability is being exploited in the wild by APT MysterySnail. All servers and desktops should be updated.
I haven’t found any pretty solution for this. I parse public html pages on the Microsoft site I’ll show you how I do it. If you know something better, please write in the comments.
Let’s start with Microsoft’s August Patch Tuesday. I think the most interesting thing is that it contains a fix for the PetitPotam vulnerability. I talked about this vulnerability two weeks ago. At the time, Microsoft had no plans to release a patch because PetitPotam was a “classic NTLM Relay Attack”. But the patch was actually released as part of August Patch Tuesday.
A quote from Rapid7: “Tracked as CVE-2021-36942, the August 2021 Patch Tuesday security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through the LSARPC interface”.
There are no formal signs that this vulnerability is critical other than comments from the vendors. My Vulristics tool has flagged this “Windows LSA Spoofing” as a Medium level Vulnerability. But this fix seems to be the most important thing in this Patch Tuesday. So install this patch first.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.
