Tag Archives: ZDI

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader

Leave a reply

May In the Trend of VM (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader. Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. While the previous April edition featured only one vulnerability, this one includes four, covering different technologies and attack scenarios.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431). The vulnerability allows an attacker to gain root privileges.

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). A vulnerability in a solution widely used in enterprise systems and integration platforms.

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). A vulnerability in a Microsoft solution widely used in enterprise systems for collaboration, document management, and internal portal development.

🔻 RCE - Adobe Reader (CVE-2026-34621). A vulnerability in a widely used PDF document viewer; actively exploited in phishing attacks.

🟥 The full list of trending vulnerabilities is available on the portal

Про уязвимость Spoofing - Microsoft SharePoint Server (CVE-2026-32201)

Leave a reply

Про уязвимость Spoofing - Microsoft SharePoint Server (CVE-2026-32201)

About Spoofing - Microsoft SharePoint Server (CVE-2026-32201) vulnerability. A vulnerability from the April Microsoft Patch Tuesday. The description provided by Microsoft experts is extremely vague: "Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." Spoofing is an attack in which a threat actor forges data, an address, an identifier, or a trusted source in order to impersonate a legitimate user, service, or system.

What is actually hidden behind this description? In the April review on MSPT, a ZDI expert noted that vulnerabilities of this kind in SharePoint are often associated with XSS attacks.

🛠 On April 23, an exploit was published on GitHub, whose author claims that the vulnerability can be summarized as follows: "An unauthenticated attacker can send a specially crafted HTTP request to inject malicious JavaScript (reflected XSS), which executes in the security context of the SharePoint site."

In other words, the attacker sends a specially crafted request to the SharePoint server, causing SharePoint to generate a malicious link on behalf of a trusted source. The attacker then passes this link to the user. When the user opens such a link, the injected malicious JavaScript executes in the context of SharePoint, which can be used to steal data from the current session, intercept authentication tokens, as well as perform actions on behalf of the user through the user's active session.

👾 Microsoft experts noted the vulnerability as being exploited in the wild on the day of publication of the April Microsoft Patch Tuesday, April 14. The vulnerability was added to the CISA KEV. On the same day, researchers from Defused reported coordinated reconnaissance activity targeting vulnerable SharePoint servers, which was carried out from four IP addresses between April 1 and April 11.

⚙️ Updates are available for Microsoft SharePoint Server 2016, 2019, and Subscription Edition.

New episode "In The Trend of VM" (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social "attack on the complainer", "Ford's method" for motivating IT specialists to fix vulnerabilities

Leave a reply

New episode "In The Trend of VM" (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social "attack on the complainer", "Ford's method" for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:37 Elevation of Privilege - Microsoft Streaming Service (CVE-2024-30090)
🔻 01:46 Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-35250)
🔻 02:38 Spoofing - Windows MSHTML Platform (CVE-2024-43573)
🔻 03:43 Remote Code Execution - XWiki Platform (CVE-2024-31982)
🔻 04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences.
🔻 05:22 Social "Attack on the complainer"
🔻 06:35 "Ford's method" for motivating IT staff to fix vulnerabilities: will it work?
🔻 08:00 About the digest, habr and the question contest 🎁
🔻 08:29 Backstage

На русском

What is known about the Spoofing - Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?

1 Reply

What is known about the Spoofing - Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?

What is known about the Spoofing - Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday? In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from whom we can expect details.

ZDI suggested that this could be an additional fix for a similar July vulnerability Spoofing - Windows MSHTML Platform (CVE-2024-38112). The vulnerability type and component are the same. The July vulnerability was about ".url" file handling and was exploited by the APT group Void Banshee to install the Atlantida Stealer malware. Attackers may have bypassed the initial fix, prompting Microsoft to release a new patch. So far, this is only an assumption. But the vulnerability shouldn’t be ignored despite its low CVSS Base score (6.5).

На русском

September episode of "In The Trend of VM": 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

Leave a reply

September episode of "In The Trend of VM": 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end we announce a contest of questions about Vulnerability Management with gifts. 🎁

📹 Video "In The Trend of VM" on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest on the official PT website

Content:

🔻 00:51 Elevation of Privilege - Windows Installer (CVE-2024-38014) and details about this vulnerability
🔻 02:42 Security Feature Bypass - Windows Mark of the Web "LNK Stomping" (CVE-2024-38217)
🔻 03:50 Spoofing - Windows MSHTML Platform (CVE-2024-43461)
🔻 05:07 Remote Code Execution - VMware vCenter (CVE-2024-38812)
🔻 06:20 Remote Code Execution - Veeam Backup & Replication (CVE-2024-40711), while the video was being edited, data about exploitation in the wild appeared
🔻 08:33 Cross Site Scripting - Roundcube Webmail (CVE-2024-37383)
🔻 09:31 SQL Injection - The Events Calendar plugin for WordPress (CVE-2024-8275)
🔻 10:30 Human vulnerabilities: fake reCAPTCHA
🔻 11:45 Real world vulnerabilities: еxplosions of pagers and other electronic devices in Lebanon and the consequences for the whole world
🔻 14:42 Vulnerability management process practices: tie annual bonuses of IT specialists to meeting SLAs for eliminating vulnerabilities
🔻 16:03 Final and announcement of the contest
🔻 16:24 Backstage

На русском

August episode of "In The Trend of VM": 5 vulnerabilities in Microsoft Windows and one in WordPress

Leave a reply

August episode of "In The Trend of VM": 5 vulnerabilities in Microsoft Windows and one in WordPress. We have branched off from Seclab news videos and started releasing separate episodes. Hooray! 🥳😎 If we get enough views, we will continue to release them in the future. It's up to you, please follow the link to the video platform and click "Like" button and/or leave a comment. 🥺

📹 Video "In The Trend of VM" on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:48 Remote Code Execution - Windows Remote Desktop Licensing Service "MadLicense" (CVE-2024-38077)
🔻 02:22 Security Feature Bypass - Windows Mark of the Web "Copy2Pwn" (CVE-2024-38213)
🔻 03:23 Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Kernel (CVE-2024-38106), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 04:50 Unauthenticated Elevation of Privilege - WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

06:39 Check out the final jingle I generated using AI services 😉 (ToolBaz for lyrics and Suno for music)

На русском

The severity of the Spoofing - Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

1 Reply

The severity of the Spoofing - Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

The severity of the Spoofing - Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased. The vulnerability was fixed in September Microsoft Patch Tuesday. At the time of publication, Microsoft had not yet flagged this vulnerability as being exploited in the wild. They did this only 3 days later, on September 13.

ZDI Threat Hunting team researcher Peter Girnus discovered the vulnerability while investigating the Void Banshee APT attack. The vulnerability was exploited in the same attack chain as the trending Spoofing - Windows MSHTML Platform (CVE-2024-38112) vulnerability, patched in July.

Using this vulnerability, the attackers hid the extension of the malicious HTA file being opened by adding 26 Braille space characters to its name. Thus, victims may think that they are opening a harmless PDF document.

Installing the security update does not remove spaces in the file name, but Windows now shows the actual file extension. 👍

На русском