Categories
Computing

Frustrated Security Researcher Discloses Windows Zero-Day

There’s a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability relates to users leveraging the command prompt with unauthorized system privileges to share dangerous content through the network.

According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn’t alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.

Microsoft apparently fixed a zero-day issue with the latest round of “Patch Tuesday” updates, but left another unpatched and incorrectly fixed. Naceri bypassed the patch and found a more powerful variant. The zero-day vulnerability impacts all supported versions of Windows, including Windows 8.1, Windows 10, and Windows 11.

“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one,” explained Naceri in a GitHub post.

His proof of concept is on GitHub, and Bleeping Computer tested the exploit and ran it. It is also being exploited in the wild with malware, according to the publication.

In a statement, a Microsoft spokesperson said that it will do what is necessary to keep its customers safe and protected. The company also mentioned it is aware of the disclosure opf the latest zero-day vulnerability. It mentioned that attackers must already have access and the ability to run code on a target victim’s machine for it to work.

With the Thanksgiving holiday in the U.S., and the fact that a hacker would need physical access to a PC, it could be a while until a patch is released. Microsoft usually issues fixes on the second Tuesday of each month, known as “Patch Tuesday.” It also tests bug fixes with Windows Insiders first. A fix could come as soon as December 14.

Editors’ Choice






Repost: Original Source and Author Link

Categories
Security

Apple releases iOS 14.7.1 to fix Apple Watch unlocking and a zero-day exploit

Last week iOS 14.7 appeared, adding features including support for Apple’s magnetic battery pack. Unfortunately, the update also interrupted the “Unlock with iPhone” feature that Apple Watch wearers used for easy access to their wristwear. Now, another update is going out to fix that.

However, even if you don’t have an Apple Watch, you should still install iOS 14.7.1 (and for Mac owners, macOS 11.5.1) as soon as you can, because security notes from Apple reveal that the two updates it pushed today fix flaws that are already being exploited in the wild. The memory corruption issues in Apple’s desktop and mobile operating systems have been assigned the same vulnerability ID and attributed to an anonymous researcher.

IOMobileFrameBuffer

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30807: an anonymous researcher

According to Security Week, this is the 13th zero-day vulnerability Apple has fixed this year.

Repost: Original Source and Author Link

Categories
Tech News

Chrome 89 update patches zero-day vulnerability with active exploit

Chrome 89 landed this week, and in addition to the new features this update is delivering to users, it also patches a number of bugs. In all, Google says that Chrome 89.0.4389.72 includes 47 security fixes, including one zero-day vulnerability that is actively being exploited. If you use Chrome, then, it’s a good idea to update to the latest version of the browser.

Google detailed all 47 security fixes in a post to the Google Blog. The zero-day security flaw that is actively being exploited in the wild is identified as CVE-2021-21166 in Google’s notes. We know next to nothing about this issue, as Google only identifies it as an “Object lifecycle issue in audio” with a High priority.

Of course, the reason we don’t know anything about it is probably because there’s an active exploit out in the wild for it. “Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google says in that blog post. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

We do know that the security issue was discovered by Alison Huffman with Microsoft’s Browser Vulnerability Research team and first reported to Google on February 11th, but beyond that, we’ll have to wait until the problem is quashed before Google will share more about it. You can make sure that your browser is updated to the latest version by heading into the Chrome Menu > Help > About Google Chrome, and then searching for an update.

When Chrome 89 was announced yesterday, Google said it would be rolling out to everyone in the coming weeks, so be sure to keep an eye out for it. This update is particularly important as it patches a zero-day vulnerability with an active exploit, so it’s a good idea to install it as soon as it’s available.

Repost: Original Source and Author Link