Tag Archives: MSHTML

What is known about Spoofing – Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

Leave a reply

What is known about Spoofing - Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

What is known about Spoofing – Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

🔻 According to Check Point, attackers use special “.url” files with icons that look like PDF documents. If the user clicks on the file and ignores 2 uninformative warnings, then a malicious HTA application is launched in the outdated Internet Explorer browser built into Windows. 😱 Why in IE? This is all due to the processing of the “mhtml:” prefix in the “.url” file. The July update blocks this. 👍

🔻 Check Point found “.url” samples that could date back to January 2023. According to Trend Micro, the vulnerability is exploited by the APT group Void Banshee to install the Atlantida Stealer malware and collect passwords, cookies and other sensitive data. Void Banshee add malicious “.url” files to archives with PDF books and distribute them through websites, instant messengers and phishing.

На русском

July Microsoft Patch Tuesday

Leave a reply

July Microsoft Patch Tuesday

July Microsoft Patch Tuesday. There are 175 vulnerabilities in total, 33 of which appeared between June and July Patch Tuesday.

There are 2 vulnerabilities with the sign of exploitation in the wild:

🔻 Spoofing – Windows MSHTML Platform (CVE-2024-38112). It’s not clear what exactly is being spoofed. Let’s wait for the details. It is currently known that to exploit the vulnerability, an attacker must send the victim a malicious (MSHTML?) file, which the victim must somehow run/open.
🔻 Elevation of Privilege – Windows Hyper-V (CVE-2024-38080). This vulnerability allows an authenticated attacker to execute code with SYSTEM privileges. Again, no details. This could be interpreted that the guest OS user can gain privileges in the host OS (I hope this is not the case).

From the rest we can highlight:

🔸 Elevation of Privilege – various Windows components (CVE-2024-38059, CVE-2024-38066, CVE-2024-38100, CVE-2024-38034, CVE-2024-38079, CVE-2024-38085, CVE-2024-38062, CVE-2024-30079, CVE-2024-38050). EoPs quite often become exploitable.
🔸 Remote Code Execution – Windows Remote Desktop Licensing Service (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077)
🔸 Remote Code Execution – Microsoft Office (CVE-2024-38021)
🔸 Remote Code Execution – Windows Imaging Component (CVE-2024-38060). All you need to do is upload a malicious TIFF file to the server.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-38023, CVE-2024-38024). Authentication is required, but “Site Owner” permissions are sufficient.

🗒 Vulristics report on July Microsoft Patch Tuesday

Vulristics shows an exploit existence for Spoofing – RADIUS Protocol (CVE-2024-3596) on GitHub, but in reality it is just a detection utility.

На русском

May Microsoft Patch Tuesday

Leave a reply

May Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch Tuesday

May Microsoft Patch Tuesday. There are 91 vulnerabilities in total. Of those, 29 were added between April and May Patch Tuesday.

Two vulnerabilities have signs of exploitation in the wild and the presence of a functional exploit (not yet public):

🔻 Security Feature Bypass – Windows MSHTML Platform (CVE-2024-30040). In fact, an attacker can execute arbitrary code when the victim opens a specially crafted document. It is exploited through phishing.
🔻 Elevation of Privilege – Windows DWM Core Library (CVE-2024-30051). A local attacker can gain SYSTEM privileges on the vulnerable host. Microsoft credits four different groups for reporting the bug, indicating that the vulnerability is being widely exploited. The vulnerability is associated with the QakBot malware.

Among the rest we can note:

🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-30050). Such vulnerabilities have been frequently exploited recently. Microsoft indicates that there is a functional exploit (private) for the vulnerability.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-30044). An authenticated attacker with Site Owner privileges or higher can execute arbitrary code in the context of SharePoint Server by uploading a specially crafted file.
🔸 Elevation of Privilege – Windows Search Service (CVE-2024-30033). ZDI believes that the vulnerability has the potential to be exploited in the wild.
🔸 Remote Code Execution – Microsoft Excel (CVE-2024-30042). An attacker can execute code, presumably in the user’s context, when a malicious file is opened.

🗒 Vulristics report

На русском

Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs

1 Reply

Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs. Hello everyone! This episode will be about Microsoft Patch Tuesday for July 2023, including vulnerabilities that were added between June and July Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239131

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Continue reading

PHDays 11: towards the Independence Era

Leave a reply

PHDays 11: towards the Independence Era. Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event.

Alternative video link (for Russia): https://vk.com/video-149273431_456239091

As I did last year, I want to start talking about this conference with a few words about the sanctions. US sanctions against Positive Technologies, the organizers of Positive Hack Days, were introduced a year ago. At that time it seemed very serious and extraordinary. But today, when our country has become the most sanctioned country in the world, those sanctions against Positive Technologies seem very ordinary and unimportant. In fact, it even seems to benefit the company somehow.

Continue reading

Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus

Leave a reply

Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus. Hello everyone! This time, let’s talk about recent vulnerabilities. I’ll start with Microsoft Patch Tuesday for September 2021. I created a report using my Vulristics tool. You can see the full report here.

The most interesting thing about the September Patch Tuesday is that the top 3 VM vendors ignored almost all RCEs in their reviews. However, there were interesting RCEs in the Office products. And what is most unforgivable is that they did not mention CVE-2021-38647 RCE in OMI – Open Management Infrastructure. Only ZDI wrote about this.

Continue reading

Vulristics: Microsoft Patch Tuesdays Q2 2021

Leave a reply

Vulristics: Microsoft Patch Tuesdays Q2 2021. Hello everyone! Let’s now talk about Microsoft Patch Tuesday vulnerabilities for the second quarter of 2021. April, May and June. Not the most exciting topic, I agree. I am surprised that someone is reading or watching this. For me personally, this is a kind of tradition. Plus this is an opportunity to try Vulristics in action and find possible problems. It is also interesting to see what VM vendors considered critical back then and what actually became critical. I will try to keep this video short.

First of all, let’s take a look at the vulnerabilities from the April Patch Tuesday. 108 vulnerabilities, 55 of them are RCEs. Half of these RCEs (27) are weird RPC vulnerabilities. “Researcher who reported these bugs certainly found quite the attack surface”. The most critical vulnerability is RCE in Exchange (CVE-2021-28480). This is not ProxyLogon, this is another vulnerability. ProxyLogon was in March. And this vulnerability is simply related to ProxyLogon, so it is believed that it is exploited in the wild as well. In the second place this Win32k Elevation of Privilege (CVE-2021-28310). It is clearly mentioned in several sources as being used in real attacks. “Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system”. And the only vulnerability with a public exploit is the Azure DevOps Server Spoofing (CVE-2021-28459). Previously known as Team Foundation Server (​TFS), Azure DevOps Server is a set of collaborative software development tools. It is hosted on-premises. Therefore, this vulnerability can be useful for attackers.

Continue reading