Patch Tuesday Archives - My TechDecisions
https://mytechdecisions.com/tag/patch-tuesday/
The end user’s first and last stop for making technology decisions

June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM
https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/
Tue, 13 Jun 2023 19:14:23 +0000

The post June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM appeared first on My TechDecisions.
Microsoft has released fixes for about 70 vulnerabilities for its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month.

That list of bugs that should be prioritized includes two remote code execution vulnerabilities in Microsoft Exchange Server, an elevation of privilege bug in Microsoft SharePoint, a trio of remote code execution flaws in Windows Pragmatic General Multicast, and a handful of others.

Based on input from security researchers from Zero Day Initiative (ZDI), Tenable, Immersive Labs and others, here is a look at the vulnerabilities that warrant more attention for the June 2023 Patch Tuesday release.

CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability

If this looks familiar, you aren’t alone. Microsoft has issued fixes for a number of Exchange Server remote code execution bugs in recent years, and this one is a bypass of fixes for CVE-2022-41082 and CVE-2023-21529, with the latter listed as being under active exploitation.

This vulnerability exists within the Command class, and the issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. This bug requires the attacker to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.

CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability

This is the other Exchange RCE bug listed this month, and like its twin it is rated as important but considered more likely to be exploited. This one also requires an attacker to be authenticated, so valid credentials are needed.

According to researchers, both Exchange Server bugs closely mirror the vulnerabilities identified as part of the ProxyNotShell exploits. Successful exploitation could result in an attacker gaining access to an organization’s email account, or even the ability to impersonate any user.

Since attackers are adept at stealing valid credentials via phishing attacks, these should not be ignored.

CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

According to researchers, this critical-rated vulnerability is used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft lists enabling the AMSI feature to mitigate this flaw, but organizations are still urged to deploy the update as soon as possible.

Exploitation is achieved by sending a spoofed JWT authentication token to a vulnerable server, which grants the attacker the privileges of an authenticated user on the target, researchers say.

CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

This trio of vulnerabilities, all critical-rated, allows a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) server environment. This is the third month in a row that Microsoft has patched a critical-rated bug in this component.

For successful exploitation, a system must have the message queuing service enabled.

For further June 2023 Patch Tuesday analysis, consult research blogs from Zero Day Initiative, Tenable, Immersive Labs and others.

May 2023 Patch Tuesday: Two Vulnerabilities Under Active Attack
https://mytechdecisions.com/it-infrastructure/may-2023-patch-tuesday-two-vulnerabilities-under-active-attack/
Tue, 09 May 2023 19:07:15 +0000
The May 2023 Patch Tuesday brings a much smaller number of vulnerabilities that IT admins must fix, as Microsoft has released fixes for just 38 vulnerabilities in the company’s software products. However, two are listed as being actively exploited, which makes this month’s patches just as critical as other months’.

This is a very low security update count coming out of Redmond, Wash., with Microsoft issuing fixes for nearly half the number of security bugs it fixed last May.

According to Zero Day Initiative, this month’s Patch Tuesday is Microsoft’s lowest volume since August 2021. However, there are still several bugs that should be addressed quickly, including seven rated critical and 31 rated important.

May 2023 Patch Tuesday bugs that IT departments should prioritize

CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability

This bug is listed as under active attack this month and is a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges, according to Microsoft. Privilege escalation bugs are typically combined with code execution for other malicious purposes, but Microsoft offers no further details on these attacks or how widespread they are.

According to Satnam Narang, a senior staff research engineer at vulnerability management firm Tenable, this is the fifth month in a row that an elevation of privilege bug was exploited in the wild, and the fourth such vulnerability in Win32k.

CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability

This is the other bug listed as being publicly exploited. According to Microsoft, an attacker would need physical access or administrative rights to a target device to install an affected boot policy and bypass Secure Boot. Successful exploitation would require an attacker to compromise an administrator’s credentials on the device.

The vulnerability appears to be related to an ESET report in March regarding BlackLotus, a Unified Extensible Firmware Interface (UEFI) bootkit that cybercriminals have been using since October 2022 and that can be purchased for $5,000 on hacking forums, according to Narang.

ESET said in its March report that the bootkit was capable of bypassing the UEFI Secure Boot security feature on fully patched systems.

CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability

This publicly disclosed vulnerability allows an attacker to execute code on an affected system by sending a specially crafted RTF email. According to Zero Day Initiative (ZDI), the real component to worry about for this vulnerability is Outlook, as the Preview Pane is an attack vector, so a user doesn’t need to read the crafted message for an attack to be successful. While Outlook is the most likely vector, other Office applications are also impacted.

According to Microsoft, an email attack scenario would include an attacker sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.

For a workaround, Microsoft recommends users read email messages in plain text format, but admins should just test and deploy this patch.

CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability

According to Microsoft, this vulnerability can be exploited over the network by making an unauthenticated, specially crafted call to a Network File System service to trigger a remote code execution. The bug gets a CVSS score of 9.8, probably because no user interaction is required.

ZDI notes that the vulnerability exists in NFS version 4.1, but not in NFSv2.0 or NFSv3.0.

Organizations can mitigate this bug by downgrading to a previous version, but admins should only do so if they installed the CVE-2022-26937 patch from last May.

CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability

According to ZDI, this vulnerability was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. It was combined with an authentication bypass during the contest, but requires authentication.

This is also one of three SharePoint bugs patched this month, including an information disclosure vulnerability and a spoofing flaw.

April 2023 Patch Tuesday: CLFS Under Active Attack Again; 10-Year-Old Bug Reissued
https://mytechdecisions.com/network-security/april-2023-patch-tuesday-clfs-under-active-attack-again-10-year-old-bug-reissued/
Tue, 11 Apr 2023 19:16:14 +0000
IT administrators in Microsoft environments have about 100 patches to apply for the April 2023 Patch Tuesday release, including one in Windows Common Log File System Driver that is being actively exploited and another one from 2013 that is being reissued.

The company released patches to fix 97 vulnerabilities in its products, in addition to three Edge bugs patched earlier this month. Of the new patches, 45 are intended to fix remote code execution bugs.

Let’s take a look at some of the more serious Microsoft bugs that IT admins should prioritize this month, in addition to others from Apple and Adobe, with information sourced from Microsoft, Zero Day Initiative (ZDI), Tenable, and others.

CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Microsoft lists this bug as under active attack, and it was reported by threat intelligence firm Mandiant, so right away this patch is of elevated importance. Although only rated “important” by Microsoft with a CVSS of 7.2, Microsoft lists the attack complexity and privileges required as low. The company says the bug could allow an attacker to gain SYSTEM privileges. The bug is similar to one patched in CLFS in February, which implies that the first patch wasn’t completely successful.

According to Satnam Narang, senior staff research engineer at vulnerability management firm Tenable, this is also the fourth CLFS elevation of privilege bug exploited in the last two years, dating back to April 2022.

CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability

This is another very important bug to prioritize, as it receives a CVSS score of 9.8 and appears to be very easy to exploit, requiring no user interaction and a low attack complexity. According to Microsoft, a remote unauthenticated attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server, resulting in remote code execution on the server side. The Message Queuing service is disabled by default, but many contact center applications use it.

According to ZDI, the service listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks.
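The two points above, and the June note that the PGM bugs also need the message queuing service enabled, both come down to one question for an admin: is Message Queuing actually present and listening on this host? The following audit script is an added example (not code from the article, Microsoft or ZDI). It assumes the Windows service name `MSMQ`, optional feature names beginning with `MSMQ` (with `MSMQ-Multicast` as the PGM feature), and the default TCP port 1801 named above; the firewall rule it can add is a host-level stopgap, not the perimeter block ZDI refers to.

```powershell
# Added example (not from the article): audit whether this host runs Message
# Queuing and whether anything listens on the default MSMQ port 1801.
# Assumed names: service "MSMQ", optional features "MSMQ-*", PGM feature
# "MSMQ-Multicast". Run from an elevated PowerShell session.

function Get-MsmqExposure {
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $features = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.FeatureName -like 'MSMQ*' -and $_.State -eq 'Enabled' }
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceState     = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        EnabledFeatures  = @($features.FeatureName) -join ','
        MulticastEnabled = [bool]($features | Where-Object FeatureName -eq 'MSMQ-Multicast')
        ListeningOn1801  = [bool]$listener
    }
}

function Block-MsmqPort {
    # Host-level compensating control until the update is deployed: drop inbound
    # TCP 1801. Pass explicit ranges in -RemoteAddress if internal hosts must
    # still reach this queue; the default blocks every source.
    param([string[]]$RemoteAddress = @('Any'))
    $name = 'Block MSMQ TCP 1801 (CVE-2023-21554 stopgap)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -RemoteAddress $RemoteAddress -Action Block -Profile Any | Out-Null
    }
}

$report = Get-MsmqExposure
$report | Format-List
if ($report.ListeningOn1801 -or $report.ServiceState -eq 'Running') {
    Write-Warning "MSMQ is active on $($report.ComputerName): confirm it is required and that the April 2023 update is installed."
}
# Block-MsmqPort   # uncomment only on hosts where queuing is not needed
```

Run the audit across a fleet (for example through `Invoke-Command`) and treat any host with `ListeningOn1801` set to `True` as in scope for both the MSMQ patch and, if `MulticastEnabled` is also `True`, the PGM patches.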

CVE-2023-23384 – Microsoft SQL Server Remote Code Execution Vulnerability

This vulnerability was actually patched in February, but Microsoft is just now documenting the bug. According to ZDI, the patch fixes an out-of-bounds write bug in the SQLcmd tool, which could allow a remote, unauthenticated attacker to execute code with elevated privileges. The CVSS is only 6.4, which ZDI says may be due to a high attack complexity. Organizations running SQL Server should make sure they have both the February and April updates installed.

CVE-2013-3900 – WinVerifyTrust Signature Validation Vulnerability

If you took a look at the CVE number and figured it was just a typo, you’d be wrong. Unfortunately, this decade-old vulnerability is being reissued, likely because it’s being exploited as part of the 3CX attacks. ZDI calls the 2013 patch an “opt-in” fix, meaning that admins had to choose to get the bug patched. The revised patch adds fixes for additional platforms and adds other recommendations for enterprises.

According to Microsoft, an anonymous attacker can exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This is especially dangerous for users with administrative rights.

Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an existing signed file to include malicious code without invalidating the signature. This code would execute in the context of the privilege in which the signed PE file was launched.

In an email attack scenario, an attacker could exploit this vulnerability by sending a user an email message containing the specially crafted PE file and convincing the user to open the file.

There is a lot of information to digest for this bug, so click on the CVE number in this subhead.
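Because the 2013 fix is opt-in, installing the update alone does not change how WinVerifyTrust behaves; the stricter check has to be switched on. The script below is an added example, not code from the article or Microsoft. It assumes the opt-in is the string value `EnableCertPaddingCheck` set to `"1"` under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config` (plus the `Wow6432Node` copy for 32-bit processes on 64-bit Windows), as described in Microsoft’s advisory for CVE-2013-3900; verify the value names against the advisory linked in the subhead before deploying.

```powershell
# Added example (not from the article): report and enable the opt-in
# WinVerifyTrust padding check for CVE-2013-3900. Assumed registry value:
# EnableCertPaddingCheck (REG_SZ "1") under both Wintrust\Config paths.
# Run from an elevated PowerShell session.

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheckState {
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{
            Path    = $p
            Value   = if ($null -eq $v) { '(unset)' } else { $v }
            Enabled = ($v -eq '1')
        }
    }
}

function Enable-CertPaddingCheck {
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' -PropertyType String -Value '1' -Force | Out-Null
    }
}

# With the check enabled, a signed PE that has had unverified bytes appended
# to its signature block should no longer report Status = Valid.
function Test-SignedFile {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

Get-CertPaddingCheckState | Format-Table -AutoSize
# Enable-CertPaddingCheck   # uncomment to apply, then re-run the state check
```

Test the change on a pilot group first: the stricter check can also reject legitimately signed installers whose signature blocks carry non-standard padding, which is the reason Microsoft made it opt-in in 2013.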

Apple Patches

In addition to Microsoft, Apple released fixes for two CVEs last week that were listed as under active attack, including CVE-2023-28205, a use-after-free bug in WebKit that impacts Safari, macOS and iOS. It can lead to code execution at the level of the logged-on user.

The first bug would need to be paired with a privilege escalation flaw to take over a system, and another bug patched by Apple this month does just that, according to ZDI. That bug, CVE-2023-28206, is a privilege escalation in the IOSurfaceAccelerator component in macOS and iOS.

Adobe Patches

Adobe released fixes for 56 vulnerabilities this month, including 16 in Reader alone that could lead to arbitrary code execution if a user is tricked into opening a specially crafted PDF.

March 2023 Patch Tuesday: Two Actively Exploited Bugs in Outlook, SmartScreen
https://mytechdecisions.com/it-infrastructure/march-2023-patch-tuesday-two-actively-exploited-bugs-in-outlook-smartscreen/
Tue, 14 Mar 2023 19:03:42 +0000
Microsoft’s March 2023 Patch Tuesday release includes fixes for 76 vulnerabilities in the company’s products, with two listed as being actively exploited, one of which is also listed as publicly known.

The number of bugs fixed by Microsoft this month is on par with the tech giant’s February security update, when it patched 75 vulnerabilities, including three that were being actively exploited.

Also similar in the March 2023 Patch Tuesday release was the number of remote code execution bugs, with 25 listed this month. Last month, there were 35 remote code execution vulnerabilities.

Based on analysis from researchers at Zero Day Initiative, Tenable and other security firms, here’s a look at the more notable vulnerabilities.

CVE-2023-23397 – Microsoft Outlook Spoofing Vulnerability

This bug is getting a lot of attention from security researchers. The bug gets a CVSSv3 score of 9.8 and has been exploited in the wild, which makes this a top priority for IT and security admins this month. The vulnerability is exploited by sending a malicious email to a vulnerable version of Outlook. When the server processes the email, a connection to an attacker-controlled device is established to leak the Net-NTLMv2 hash of the email recipient. This allows the attacker to use the hash to authenticate as the victim recipient in an NTLM relay attack.

According to Microsoft, this can occur before the email is viewed in Preview Pane, so no interaction from the victim is needed for the attack to be successful. Disabling the Preview Pane feature will have no impact.

What makes this even more interesting is that the discovery of this vulnerability is credited to the Computer Emergency Response Team of Ukraine and Microsoft researchers. Given what is currently happening in Ukraine, this bug could be significant.

CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability

This is the other vulnerability listed as under active attack, but it doesn’t appear to be as severe as the Outlook spoofing bug. This allows attackers to create files that can bypass Mark of the Web protections, rendering features like SmartScreen and Protected View in Microsoft Office useless and allowing threat actors to spread malware via crafted documents and other files.

This is listed as under active attack and could signify how attackers are adapting new methods of delivering malware since Microsoft has taken steps to prevent Office documents from being used for that purpose.

This bug was discovered by Google’s Threat Analysis Group (TAG), which says ransomware groups are using the vulnerability to deliver the Magniber ransomware without any security warnings. According to TAG, attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file carries a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.

TAG says it has observed over 100,000 downloads of the malicious MSI files since January 2023. Microsoft in December 2022 patched a similar vulnerability after threat actors were exploiting it since September 2022.

CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

This is a vulnerability in Windows operating systems that also gets a critical CVSSv3 score of 9.8. According to Tenable, the bug lies in the way the operating system handles ICMP packets when an application running on a vulnerable Windows host is bound to a raw socket. An attacker can exploit it by sending a malicious fragmented IP Packet to a vulnerable target.

CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability

Another bug getting attention this month is a CVSS 9.8-rated vulnerability that could allow a remote, unauthenticated attacker to execute code at the SYSTEM level without user interaction. Attackers can send a malicious packet to the target server, but the server must have HTTP/3 enabled and use buffered I/O. However, this is a common configuration for Windows 11 and Windows Server 2022.

There are six other critical-rated bugs patched this month, including vulnerabilities in Windows Cryptographic Services, Hyper-V, Windows Point-to-Point Tunneling Protocol and others.

For more information on the March 2023 Patch Tuesday release, consult Microsoft’s Security Update Guide and analysis from Tenable and Zero Day Initiative.

February 2023 Patch Tuesday: Three Exploited; Exchange, Word Bugs
https://mytechdecisions.com/it-infrastructure/february-2023-patch-tuesday/
Tue, 14 Feb 2023 19:38:47 +0000
[Editor’s note: An earlier version of this article stated there were two exploited bugs patched this month. It has been updated to reflect the additional exploited vulnerability.]

Microsoft has released patches to fix 75 security bugs in the February 2023 Patch Tuesday release, including one each in Microsoft Office, Windows Common Log File System Driver and Windows Graphics Component that are being actively exploited, as well as a handful of Exchange remote code execution vulnerabilities.

The 75 fixed vulnerabilities is a much lower number than the 98 bugs Microsoft patched in its first security update release of the year in January, but there are still a handful that warrant closer inspection, testing and deployment.

According to analysis from Zero Day Initiative, Tenable, and other cybersecurity researchers, here are the February 2023 Patch Tuesday bugs IT admins should prioritize patching:

CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 – Microsoft Exchange Server Remote Code Execution Vulnerabilities

There are multiple remote code execution Exchange bugs getting fixes this month. According to Tenable, CVE-2023-21710 received a CVSSv3 score of 7.2 while the other three CVEs were assigned CVSSv3 scores of 8.8. The vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable server, via a network call.

According to Tenable’s analysis, CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 are similar to CVE-2022-41082, an authenticated remote code execution bug that was publicly disclosed in September 2022 as part of ProxyNotShell.

Microsoft released mitigations in September 2022 to protect vulnerable servers until a patch was released in their November 2022 Patch Tuesday. A bypass of this mitigation, called OWASSRF (CVE-2022-41080), was then released in December 2022, per Tenable.

CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability

This bug is a security feature bypass in Microsoft Office, and it is one of the two bugs patched this month that are being actively exploited. However, exploitation requires a local, authenticated user to download and open an attacker-created file on a vulnerable system, so this requires some social engineering.

CVE-2023-23376 – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability

This is the other bug listed under active attack this month, and like its twin, there is little information about this vulnerability. According to Microsoft, the bug allows an attacker to execute code as SYSTEM, which could lead to a complete system takeover. A remote code execution bug is likely being used in conjunction with this one to spread malware or ransomware. This is the third CLFS flaw patched in the last year, including one that was disclosed by the National Security Agency and CrowdStrike in April 2022. This one was discovered by Microsoft’s Threat Intelligence Center, which suggests use by a sophisticated threat actor.

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability

This vulnerability gets a CVSS of 9.8, so IT admins should prioritize this Microsoft Word bug. The Outlook Preview Pane is an attack vector, and an attacker could use the bug to execute code at the level of the user without user interaction. It can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload, which allows for command execution if opened.

The Microsoft advisory for this vulnerability links to MS08-026 and KB922849 for guidance on how to prevent Microsoft Office from opening RTF documents from unknown or untrusted sources by using the Microsoft Office File Block policy, according to Tenable.
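Both Office-side workarounds mentioned in this coverage (reading mail as plain text for the May Outlook OLE bug, and File Block for RTF here) are user-hive registry settings, so they can be audited and applied per user before the patch lands. The script below is an added example, not code from the article, Microsoft or Tenable. It assumes the Office 16.0 registry hive, the Outlook value `ReadAsPlain`, and the Word File Block values `RtfFiles = 2` with `OpenInProtectedView = 0` as given in Microsoft’s CVE-2023-21716 workaround; confirm those against the advisory, and in a domain prefer the equivalent Group Policy settings.

```powershell
# Added example (not from the article): audit and apply the Outlook plain-text
# and Word RTF File Block workarounds for the current user.
# Assumptions: Office 16.0 hive; value names/values taken from Microsoft's
# published workaround guidance and to be verified against the advisory.

$officeVersion = '16.0'   # assumption: adjust for other Office releases

$settings = @(
    @{ Path  = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Options\Mail"
       Name  = 'ReadAsPlain';         Value = 1 }   # 1 = render all mail as plain text
    @{ Path  = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security\FileBlock"
       Name  = 'RtfFiles';            Value = 2 }   # 2 = block opening RTF files
    @{ Path  = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security\FileBlock"
       Name  = 'OpenInProtectedView'; Value = 0 }   # 0 = blocked files are not opened at all
)

function Get-OfficeHardeningState {
    foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Current   = if ($null -eq $current) { '(unset)' } else { $current }
            Desired   = $s.Value
            Compliant = ($current -eq $s.Value)
        }
    }
}

function Set-OfficeHardening {
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
}

Get-OfficeHardeningState | Format-Table -AutoSize
# Set-OfficeHardening   # uncomment to apply; re-run Get-OfficeHardeningState to confirm
```

Both settings are stopgaps with a usability cost (no HTML mail rendering, no RTF documents), so track which users have them applied and roll them back once the relevant updates are confirmed installed.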

CVE-2023-21823 – Microsoft Windows Graphics Component Elevation of Privilege Vulnerability

This EoP vulnerability in the Microsoft Windows Graphics Component gets a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day, according to Tenable. Exploitation of this flaw requires an attacker to log onto a vulnerable system and execute a specially crafted application. Successful exploitation would grant an attacker the ability to run processes in an elevated context.

For more information on these bugs and the entire February 2023 Patch Tuesday release, read analysis from Tenable and Zero Day Initiative.

1E Releases Patch Insights to Augment Microsoft Patching Tools
https://mytechdecisions.com/it-infrastructure/1e-releases-patch-insights-to-augment-microsoft-patching-tools/
Fri, 03 Feb 2023 18:34:28 +0000
1E, a provider of digital employee experience technology, has launched 1E Patch Insights, a new solution designed to give IT administrators real-time visibility into the patch landscape and the ability to easily resolve challenging patch issues.

The solution comes after Microsoft’s first Patch Tuesday of 2023 resulted in patches for more than 100 vulnerabilities, which London-based 1E says highlights the increasing risk that vulnerabilities pose to an organization.

According to 1E, Patch Insights is designed to ensure that endpoints are always up to date and secure by providing insights and visibility to help IT administrators address vulnerabilities.

The company says 1E Patch Insights augments native Microsoft patching processes by surfacing real-time information about the process and detailed patching failure information. In addition, the solution gives administrators “complete visibility” of the device environment via detailed device health, configuration and patch status data.

In a blog, the company says a lack of complete visibility into patching status via native solutions can lead to delays in reaching patch service-level agreements and securing an environment.

According to 1E, Patch Insights allows administrators to proactively remediate any device issues that may prevent a patch from completing when using 1E Endpoint Automation.

The Patch Insights dashboard provides a list of all crucial patches and their status in real time, along with information that allows admins to protect the Microsoft endpoint environment.

To help administrators prioritize patches, Patch Insights provides a priority scoring metric for each patch, so they can address the most critical patches first.

Administrators can also issue patches directly from the dashboard using SCCM, WSUS or Intune patching capabilities, the company says.

“Our DEX platform is unique in that along with improving experience and helping IT align with the business, it also helps the digital workplace be more secure,” says Mark Banfield, CEO of 1E. “1E Patch Insights, part of that platform, is a major piece of that promise, giving unprecedented visibility and closing the vulnerability window.”

January 2023 Patch Tuesday: Nearly 100 Bugs, One Actively Exploited
https://mytechdecisions.com/it-infrastructure/january-2023-patch-tuesday-nearly-100-bugs-one-actively-exploited/
Tue, 10 Jan 2023 20:09:30 +0000
IT administrators are starting 2023 with a busy January Patch Tuesday, as Microsoft has released fixes for nearly 100 vulnerabilities, including 11 rated critical and one under active attack.

According to security researchers, the 98 vulnerabilities fixed in this month’s security update make it Microsoft’s largest January release in years and almost double the count from the December Patch Tuesday updates, setting the stage for a very busy 2023 for IT administrators.

Here’s a look at the more notable vulnerabilities and patches that administrators should prioritize, with insight provided by Zero Day Initiative (ZDI) and Tenable:

CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

This bug, the only one listed as under active exploitation, is an elevation of privilege bug in Windows Advanced Local Procedure Call (ALPC), which facilitates interprocess communication between Windows operating system components.

According to ZDI and other security researchers, this bug is likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access. This could be used to deliver malware or ransomware.

CVE-2023-21743 – Microsoft SharePoint Server Security Feature Bypass Vulnerability

A critical-rated bug, this vulnerability could allow a remote, unauthenticated attacker to make an anonymous connection to an affected SharePoint server.

However, installing the patch is only one of the steps admins need to take: ZDI notes that they must also trigger a SharePoint upgrade action that is included in this month’s update, otherwise the server remains unprotected.

“Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world,” ZDI researchers say in a blog.
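The upgrade step ZDI is talking about can be checked for, and run, from PowerShell on each SharePoint server. The block below is an added example written for this page, not code from the article, ZDI or Microsoft. It assumes the SharePoint Management Shell snap-in is present on the server, that the account is a farm administrator with local admin rights, and that the required “upgrade action” is the standard build-to-build configuration upgrade performed by psconfig.exe (the command-line form of the SharePoint Products Configuration Wizard); that last point is an assumption about what the advisory means, so confirm it against Microsoft’s guidance for the update you are installing. The function names are mine.

```powershell
# Added example (not from the article, ZDI or Microsoft).
# Run on every SharePoint server in the farm after the security update is installed.
# Assumes: SharePoint Management Shell snap-in, farm-admin account, SharePoint 2016/2019
# (the "16" hive path); SharePoint 2013 uses "15" instead.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

function Get-SPUpgradeStatus {
    # One object per SharePoint server. NeedsUpgrade is the flag SharePoint itself sets
    # once a patch's binaries are on disk but the configuration upgrade has not run yet.
    $farm = Get-SPFarm
    foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
        [pscustomobject]@{
            Server       = $server.Name
            Role         = $server.Role
            NeedsUpgrade = $server.NeedsUpgrade
            FarmBuild    = $farm.BuildVersion.ToString()
        }
    }
}

function Invoke-SPPostPatchUpgrade {
    param([switch]$WhatIf)
    # psconfig.exe with the documented argument set for a build-to-build (b2b) upgrade.
    $psconfig = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\BIN\psconfig.exe'
    if (-not (Test-Path -Path $psconfig)) {
        throw "psconfig.exe not found at $psconfig (check the hive folder: 15 vs 16)"
    }
    $psconfigArgs = @('-cmd', 'upgrade', '-inplace', 'b2b', '-wait',
                      '-cmd', 'applicationcontent', '-install',
                      '-cmd', 'installfeatures',
                      '-cmd', 'secureresources',
                      '-cmd', 'services', '-install')
    if ($WhatIf) { return "Would run: $psconfig $($psconfigArgs -join ' ')" }
    & $psconfig @psconfigArgs
    if ($LASTEXITCODE -ne 0) {
        throw "psconfig exited with code $LASTEXITCODE; review the upgrade log under the 16\LOGS folder"
    }
}

# Usage:
Get-SPUpgradeStatus | Format-Table -AutoSize
# If any server reports NeedsUpgrade = True, the patch is installed but not yet effective:
# Invoke-SPPostPatchUpgrade -WhatIf   # show the exact command first
# Invoke-SPPostPatchUpgrade           # then run it, one server at a time
```

Run the status check again after the upgrade; a server still showing NeedsUpgrade = True is the case ZDI is warning about, where the binaries are patched but the farm is not.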

CVE-2023-21763/CVE-2023-21764 – Microsoft Exchange Server Elevation of Privilege Vulnerabilities

These two bugs were found by a ZDI researcher and are the result of a failed patch of CVE-2022-41123, an elevation of privilege bug that Microsoft disclosed and patched with the November Patch Tuesday updates. According to ZDI, a local attacker could use a hard-coded path and load their own DLL and execute code with SYSTEM privileges.

“A recent report showed nearly 70,000 unpatched Exchange servers that were accessible from the internet,” ZDI notes in a blog. “If you’re running Exchange on-prem, please test and deploy all the Exchange fixes quickly, and hope that Microsoft fixed these bugs correctly this time.”

Print Spooler patches never stop

Microsoft included patches for Print Spooler again this month, continuing a steady stream of bugs since PrintNightmare was disclosed in 2021. Three elevation of privilege bugs in the component were patched this month, and one of them, CVE-2023-21678, was reported to Microsoft by the U.S. National Security Agency.

This continues a trend observed last year, when the agency disclosed three Print Spooler bugs from May to October.

End of Windows 7 security patches

This Patch Tuesday release also marked the end of security updates for Windows 7 as Microsoft focuses instead on Windows 11. Extended support for Windows 7 ended in January 2020, but the paid Extended Security Updates program and support for Microsoft 365 Apps on Windows 7 devices both ran until this month.

Visit Microsoft’s security update guide for more information on the other patches, and stay tuned for a January 2023 Patch Tuesday podcast episode later this week!

The post January 2023 Patch Tuesday: Nearly 100 Bugs, One Actively Exploited appeared first on My TechDecisions.

Our Top IT Stories From 2022
https://mytechdecisions.com/news-1/top-it-stories-from-2022/ (published Thu, 29 Dec 2022)

2022 was a very busy year for IT professionals as they grappled with new trends, technologies, tools, workplace models, cyberattacks and more while they helped their organization remain productive and secure. We looked back at our coverage to find common trends in our content to bring you our top 10 stories from this past year. 

The distributed work experiment continues

Although some organizations made news by ordering employees back to the office, many organizations are still offering hybrid working arrangements to employees. There have been countless surveys and studies on this issue, and virtually all of them show that employees are demanding some level of flexible working arrangements, so mandating a return to the office will likely lead to turnover.

With organizations now forced to accept hybrid work, IT leaders are turning to technology and new innovations to help keep employees connected. The year saw many new features in videoconferencing platforms like Zoom, Microsoft Teams, Google Meet and Webex, as well as new AI-driven hardware to support those platforms.

However, some challenges remain, including mental and physical health, transportation, housing, and a persistent disconnect between the flexible work demands of employees and what executives are willing to offer.

We should continue to see new innovations in technology to support hybrid work models this year as we head into year three of the COVID-19 pandemic.

Cloud computing soars

Of course cloud computing is on our list of top IT stories in 2022. Despite a projected IT spending growth of just 0.8% for 2022, IT analyst firm Gartner says public cloud spending is projected to rise by nearly 19% in 2022 and is poised for another big leap in 2023 of nearly 21%. This comes as organizations are looking to the cloud to help support growth amid economic uncertainties as a recession is likely.

A separate Gartner survey of IT leaders finds that 42% name cloud migration as a top area of investment, and 34% say infrastructure compute and storage are top tech priorities.

However, as organizations navigate a complicated process, they are left with some legacy on-premises systems that can make security and management difficult. To solve those issues, tech companies have been releasing new solutions designed to give IT professionals visibility into their entire infrastructure, including cloud and on-premises.

UC&C interoperability

When the COVID-19 pandemic forced employees to work out of their homes, many organizations quickly deployed videoconferencing services such as Zoom, Microsoft Teams, Google Meet or Webex to communicate and collaborate with their remote colleagues. However, interoperability between those platforms lagged, meaning that joining a meeting hosted on a platform the organization had not deployed was challenging.

However, all of those companies made some efforts to move that needle forward this year. Google recently launched support for embedded bi-directional interoperability on Zoom Rooms and Google Meet devices after it already did the same for Webex devices.

Cisco also announced an integration with Microsoft Teams that enables the Teams Rooms experience on Webex devices.

Also announced this year by Microsoft was Direct Guest Join, a one-touch experience that enables users to join a third-party online meeting from Teams Rooms. Currently, the feature works on Teams Rooms for Zoom and Webex.

Cybersecurity implications from the Russia-Ukraine conflict

For security-minded IT professionals–and especially the ones handling sensitive information about the U.S. government–the ongoing crisis between Ukraine and Russia should give cause for concern. Before the boots-on-the-ground invasion of Ukraine by Russian forces, destructive cyberattacks were launched to weaken the government’s response and cripple its infrastructure.

Some of these cyberattacks have since spread to neighboring countries such as Poland, Moldova, Germany, Romania and other nations that are sympathetic to Ukraine’s cause.

John Fokker, principal engineer and head of cyber investigations for Trellix Threat Labs, says organizations that could be targets of advanced persistent threat actors or nation-states should be paying very close attention.

“Make no mistake—if you have an (advanced persistent threat actor) as a potential threat to your organization, you should take very close notice of what is going on right now,” Fokker says. “From a threat intelligence perspective, I think we’re at a very pivotal moment.”

The conflict is now nearing its one year mark, and the cybersecurity landscape is only more dangerous.

Cybersecurity remains front-page news

Ransomware, phishing, data breaches and other cybersecurity stories have grabbed headlines in recent years, and 2022 was no different, which is why cybersecurity has a heavy presence on our list of top IT stories in 2022.

According to a recent Palo Alto Networks survey, 96% of respondents were the victims of a cyber incident or data breach in the past year, and 57% saw three or more incidents or breaches. The study also found that a third of all organizations surveyed experienced an operational disruption as a result of a breach in that period.

Hybrid work is largely to blame, as 84% of executives say hybrid work has played a key role in the increase in cyber incidents over the year.

Zero trust has emerged as a key priority, and identity and access management is now critical to any zero trust initiative. However, attackers are paying attention and have begun targeting identity providers such as Okta, and recent incidents at password management companies continue to put identity security at the forefront.

Log4Shell persists 

It’s been about a year since the critical vulnerability in Log4j was discovered, but the bug is still among the most actively exploited.

Despite constant news coverage of the bug, 30% of Log4j instances remained vulnerable to exploitation three months after the bug was discovered, and cybercriminals and ransomware operators everywhere began leveraging the vulnerability, known as Log4Shell.

Even after a year, the Log4Shell story is not over, as nearly three-quarters of organizations remain vulnerable to Log4Shell, Tenable reported last month.

In fact, the U.S. Department of Homeland Security’s Cyber Safety Review Board says Log4Shell will be an “endemic vulnerability” that could remain in systems for a decade or longer.

A busy year for Patch Tuesday

In keeping with the security theme on our list of top IT stories in 2022, Microsoft and its customers had another busy year of patching critical vulnerabilities and zero days, with 917 total vulnerabilities addressed. This is up from last year’s count of 848, but not near the high in 2020, which saw an incredible 1,235 security bugs patched. By our count, Microsoft patched 26 zero-day bugs in 2022.

However, Microsoft did release Windows Autopatch, a new service that automates the process of managing and rolling out updates for Windows and Microsoft 365 apps. Free for customers with Windows Enterprise E3 and E5 licenses, Autopatch essentially automates Patch Tuesday for IT administrators with the goal of improving the customer’s security and productivity.

However, many smaller organizations not on those advanced licenses are still left to apply patches manually.

Windows 11 adoption rises

While we’re on Microsoft, 2022 was the first full year of a campaign to encourage users to update from Windows 10 to Windows 11, and that appears to be paying off somewhat, as the Windows 11 market share has grown to more than 16% after a relatively slow adoption for the first few months.

That slow adoption could be due to the operating system’s hardware requirements, as fewer than 39% of devices were eligible for a Windows 11 upgrade as of May 2022. With the holiday season past us and new Windows 11 devices hitting the market, we expect that number to increase quickly in 2023.

In addition, Microsoft will end support for Windows 10 by October 2025, so organizations have less than three years to make the move to Windows 11 by either upgrading eligible devices or planning a full device refresh.

Microsoft also says Windows 11 will have an annual feature update cadence, with feature updates being released in the second half of the year.

Recession and budgeting

The global economy is on the brink of recession, but IT budgets are still expected to grow as digital business initiatives can help companies survive an economic downturn.

According to Gartner, economic turbulence will impact technology investments, but spending in some areas will increase while others will decrease. Next year’s spending on software is projected to grow by more than 11%, and IT services will grow by nearly 8%. The research firm also found that almost 70% of finance chiefs plan to increase spending on technology to reshape revenue streams, add new products and services and change the value proposition of existing products and services.

“Enterprise IT spending is recession-proof as CEOs and CFOs, rather than cutting IT budgets, are increasing spending on digital business initiatives,” says John-David Lovelock, distinguished VP analyst at Gartner.

Burnout and turnover

The last three years have been very busy for technology professionals, who had to figure out how to support a remote workforce overnight while new software and services were developed at a rapid pace in response to the COVID-19 pandemic. In addition, cyberattacks and ransomware are running rampant, forcing IT and security professionals to work long hours and risk burning themselves out.

One report from email security company Tessian finds that security leaders are working an average of 16.5 hours over their contractual obligations, and about 1 in 5 are working at least 25 extra hours a week.

Another report from Mimecast, also an email security company, finds that 33% of security decision-makers are thinking of leaving their role, and the same percentage say their team sees an increased number of absences due to stress and burnout following a cybersecurity incident.

In IT, especially cybersecurity, finding and retaining talent is one of the biggest issues facing the industry, so getting a handle on this problem is paramount in 2023.

The post Our Top IT Stories From 2022 appeared first on My TechDecisions.

December 2022 Patch Tuesday: Two Zero Days, One Being Exploited
https://mytechdecisions.com/it-infrastructure/december-2022-patch-tuesday/ (published Tue, 13 Dec 2022)

Microsoft has released 52 new patches this month as part of its December 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which is being actively exploited.

Of the 52 released, six are rated critical, 43 are rated important and three are rated moderate in severity, according to Zero Day Initiative, which calls this month’s release a light month for Microsoft amid the holidays.

ZDI, the vulnerability disclosure initiative of cybersecurity company Trend Micro, says this release is the smallest monthly release this year while 2022 overall was Microsoft’s second busiest year ever with over 900 vulnerabilities fixed in total.

While the number of vulnerabilities patched each month varies depending on the researcher, researchers agree that there are two zero-day bugs patched this month, one of which is being actively exploited. However, given the ratings and severity scores, there are a handful that IT admins and security professionals should prioritize.

CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability

According to ZDI, this bug is likely related to the Mark of the Web bug that Microsoft patched last month. A file could be created that evades the mark of the web (MOTW) detection and bypasses security features such as Protected View in Microsoft Office. Since many phishing attacks leverage attachments, these protections are important in preventing malware from being deployed onto a target system.

According to Satnam Narang, a senior staff research engineer at vulnerability management company Tenable, SmartScreen is a built-in Windows feature that works with its mark of the web functionality to flag files downloaded from the internet.

“Depending on how MOTW flags a file, SmartScreen will perform a reputation check,” Narang says. “This vulnerability can be exploited in multiple scenarios, including through malicious websites and malicious attachments delivered over email or messaging services.”

A potential victim would have to visit a malicious website or open the attachment in order to bypass SmartScreen, Narang adds. Since this is being exploited in the wild, admins should prioritize this patch.

CVE-2022-44710 – DirectX Graphics Kernel Elevation of Privilege

The second zero-day vulnerability patched this month, this important-rated bug was publicly disclosed before Microsoft issued its security updates. Microsoft gives it a CVSS score of 7.8, but it is considered a flaw that is less likely to be exploited, according to Narang, citing Microsoft’s Exploitability Index.

CVE-2022-41076 – PowerShell Remote Code Execution Vulnerability

A bug highlighted by several researchers, this critical-rated bug could allow an unauthenticated attacker to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system, according to ZDI. PowerShell is a legitimate tool commonly used by threat actors to evade detection while moving throughout networks, so a bug impacting PowerShell and bypassing restrictions should be prioritized.

Other bugs highlighted by ZDI and Tenable include CVE-2022-44690 and CVE-2022-44693, remote code execution bugs in Microsoft SharePoint Server; CVE-2022-44678 and CVE-2022-44681, elevation of privilege bugs in Windows Print Spooler; CVE-2022-44713, a spoofing bug in Microsoft Outlook for Mac; and more.

Visit Microsoft’s Security Update Guide for more information on these patches.

Stay tuned for a podcast on the December 2022 Patch Tuesday releases this week!

The post December 2022 Patch Tuesday: Two Zero Days, One Being Exploited appeared first on My TechDecisions.

November 2022 Patch Tuesday: Four Actively Exploited Zero Days
https://mytechdecisions.com/network-security/november-2022-patch-tuesday/ (published Tue, 08 Nov 2022)

Microsoft’s November 2022 Patch Tuesday is a particularly important one, as the company has released fixes for four zero-day vulnerabilities, all of which are currently being exploited in the wild.

In total, the Redmond, Wash. software giant has released fixes for 62 security bugs, including nine rated critical and 53 rated important.

Here’s a look at some of the notable ones, including those four zero-days:

CVE-2022-41073 – Elevation of Privilege in Windows Print Spooler

Yet another vulnerability in Windows Print Spooler is patched this month, but this one stands out because it is the first Print Spooler bug since PrintNightmare to be listed as exploited in the wild. Several Print Spooler flaws have been patched since the PrintNightmare bugs from summer 2021, and it appears that attackers are catching on.

“We’ve long warned that once Pandora’s box was open with PrintNightmare, flaws within Windows Print Spooler would come back to haunt organizations, and based on the success ransomware groups and other threat actors have had with PrintNightmare, a continued focus on the ubiquitous nature of Windows Print Spooler makes it one of the most attractive targets for privilege escalation and remote code execution,” says Satnam Narang, senior staff research engineer at Tenable.

Zero Day Initiative (ZDI) advises that disabling Print Spooler should be an effective workaround if users can deal with printing issues.
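As an added example, not code from the article or from ZDI, here is what that workaround looks like in PowerShell on a server, with a pre-check so it is only applied where no printers are shared and a rollback for use once the patch has been tested and deployed. It assumes Windows PowerShell 5.1 run as an administrator; the cmdlets are the built-in ones (Get-Service, Stop-Service, Set-Service, Get-Printer) and the function names are mine.

```powershell
# Added example (not from the article or ZDI): apply the "disable Print Spooler"
# workaround where it is safe to do so, and undo it after patching.
# Assumes Windows PowerShell 5.1, run as an administrator.

function Get-SpoolerExposure {
    # Report whether the Spooler is running and whether this host shares printers,
    # which is the one case where disabling the service actually breaks something.
    $svc    = Get-Service -Name Spooler
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared.Count
        SafeToDisable  = ($shared.Count -eq 0)
    }
}

function Disable-PrintSpooler {
    param([switch]$Force)
    $state = Get-SpoolerExposure
    if (-not $state.SafeToDisable -and -not $Force) {
        throw "$($state.ComputerName) shares $($state.SharedPrinters) printer(s); re-run with -Force if losing them is acceptable"
    }
    if ($state.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    # Disabled rather than Manual, so a print job or an attacker with a foothold
    # cannot simply start the service again.
    Set-Service -Name Spooler -StartupType Disabled
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

function Enable-PrintSpooler {
    # Rollback after the November update has been applied and verified.
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

# Usage:
Get-SpoolerExposure
# Disable-PrintSpooler     # on servers that never print (domain controllers, app servers)
# Enable-PrintSpooler      # once CVE-2022-41073 is patched
```

Keep the output of Get-SpoolerExposure from before the change: it is the record of which hosts were altered and what their start type was, which is what you need when the rollback runs across a fleet.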

CVE-2022-41128 – Remote Code Execution in Windows Scripting Languages

This bug affects Microsoft’s Jscript9 scripting language and requires user interaction, meaning an attacker would need to convince a victim running a vulnerable version of Windows to visit a specially crafted server share or website through some type of social engineering, according to Narang.

According to ZDI, the attacker could execute their code on an affected system at the level of the logged-on user.

CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege

This is another actively exploited bug, an elevation of privilege vulnerability in the Windows Cryptography API: Next Generation (CNG) Key Isolation Service. This is a service for isolating private keys hosted in the Local Security Authority (LSA) process. Exploitation of this vulnerability could grant an attacker SYSTEM privileges.

ZDI notes that an attacker would need to be authenticated, so it is likely paired with a remote code execution bug.

CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass

This is one of two security feature bypass vulnerabilities in Windows Mark of the Web (MoTW), a feature designed to flag files that have been downloaded from the internet and prompt users with a security warning. This one is being actively exploited, so it’s another to prioritize.

Narang, citing HP researchers, says this bug was recently discovered as being exploited in the wild by the Magniber ransomware group as fake software updates.
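Both this bypass and the SmartScreen bypass covered in the December 2022 item above come down to the same piece of on-disk state: the Mark of the Web is the Zone.Identifier alternate data stream that browsers and mail clients attach to a downloaded file on NTFS, and SmartScreen and Office Protected View act on what they find there. The block below is an added example, not part of the article and not from Tenable, HP or Microsoft; it shows how to write, read and remove that stream so you can see what the protections depend on and triage files that lack it. It assumes an NTFS volume and Windows PowerShell 5.1; the sample file is constructed, and the function names and the example URL are mine.

```powershell
# Added example (not from the article, Tenable, HP or Microsoft): inspect and
# manipulate the Mark of the Web (Zone.Identifier ADS). Assumes NTFS and PowerShell 5.1.

$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Set-MarkOfTheWeb {
    # Attach the stream the way a browser download would (ZoneId 3 = Internet).
    param([string]$Path, [int]$ZoneId = 3, [string]$ReferrerUrl, [string]$HostUrl)
    $lines = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($ReferrerUrl) { $lines += "ReferrerUrl=$ReferrerUrl" }
    if ($HostUrl)     { $lines += "HostUrl=$HostUrl" }
    Set-Content -Path $Path -Stream Zone.Identifier -Value $lines
}

function Get-MarkOfTheWeb {
    # Returns $null when the file carries no MoTW, otherwise the parsed stream.
    param([string]$Path)
    $raw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^(?<k>[^=\[]+)=(?<v>.*)$') { $fields[$Matches.k] = $Matches.v }
    }
    $zone = [int]$fields['ZoneId']
    [pscustomobject]@{ Path = $Path; ZoneId = $zone; Zone = $ZoneNames[$zone]; HostUrl = $fields['HostUrl'] }
}

function Find-UnmarkedFiles {
    # Triage: files in a drop folder that carry no MoTW at all. Anything that came
    # from outside and has no mark is exactly what these bypasses aim to produce.
    param([string]$Folder)
    Get-ChildItem -Path $Folder -File | ForEach-Object {
        $hasMark = [bool](Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Name = $_.Name; HasMotW = $hasMark }
    } | Where-Object { -not $_.HasMotW }
}

# Constructed sample: a file "downloaded" from an untrusted host (URL is a placeholder).
$sample = Join-Path $env:TEMP 'invoice.docx'
Set-Content -Path $sample -Value 'not a real document'
Set-MarkOfTheWeb -Path $sample -ZoneId 3 -HostUrl 'https://example.invalid/invoice.docx'
Get-MarkOfTheWeb -Path $sample      # ZoneId 3 / Internet: SmartScreen and Protected View apply

# Unblock-File deletes the stream. With no mark to evaluate, the reputation check and
# Protected View never run, which is the end state a bypass aims for by other means.
Unblock-File -Path $sample
Get-MarkOfTheWeb -Path $sample      # $null

Find-UnmarkedFiles -Folder $env:TEMP | Select-Object -First 5
```

Note that the mark is only as good as the transport: it is written by the application that receives the file, so anything that arrives through a path that does not set it (or, as in the bugs above, evades the check) is treated as local.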

CVE-2022-41040 and CVE-2022-41082 – Microsoft Exchange Server Elevation of Privilege and Remote Code Execution

Microsoft has finally fixed these bugs, collectively known as ProxyNotShell. They are also being actively exploited in the wild, and can result in hands-on-keyboard access and Active Directory reconnaissance and data exfiltration. Read this article for more information.

Read blogs from ZDI and Tenable and Microsoft’s Security Update Guide for more information on these vulnerabilities and others included in the November 2022 Patch Tuesday updates.

The post November 2022 Patch Tuesday: Four Actively Exploited Zero Days appeared first on My TechDecisions.
