July 18, 2024
Patch Tuesday, June 2024 “Recall” Version – Krebs on Safety

Microsoft as we speak launched updates to repair greater than 50 safety vulnerabilities in Home windows and associated software program, a comparatively gentle Patch Tuesday this month for Home windows customers. The software program large additionally responded to a torrent of unfavorable suggestions on a brand new characteristic of Redmond’s flagship working system that consistently takes screenshots of no matter customers are doing on their computer systems, saying the characteristic would not be enabled by default.

Final month, Microsoft debuted Copilot+ PCs, an AI-enabled model of Home windows. Copilot+ ships with a characteristic no one requested for that Redmond has aptly dubbed Recall, which consistently takes screenshots of what the person is doing on their PC. Safety consultants roundly trashed Recall as a elaborate keylogger, noting that it could be a gold mine of data for attackers if the person’s PC was compromised with malware.

Microsoft countered that Recall snapshots by no means go away the person’s system, and that even when attackers managed to hack a Copilot+ PC they’d not have the ability to exfiltrate on-device Recall knowledge. However that declare rang hole after former Microsoft menace analyst Kevin Beaumont detailed on his blog how any person on the system (even a non-administrator) can export Recall knowledge, which is simply saved in an SQLite database regionally.

“I’m not being hyperbolic after I say that is the dumbest cybersecurity transfer in a decade,” Beaumont said on Mastodon.

In a current Risky Business podcast, host Patrick Grey famous that the screenshots created and listed by Recall could be a boon to any attacker who abruptly finds himself in an unfamiliar atmosphere.

“The very first thing you need to do whenever you get on a machine should you’re as much as no good is to determine how somebody did their job,” Grey mentioned. “We noticed that within the case of the SWIFT assaults in opposition to central banks years in the past. Attackers needed to do display screen recordings to determine how transfers work. And this might velocity up that kind of discovery course of.”

Responding to the withering criticism of Recall, Microsoft said last week that it’s going to not be enabled by default on Copilot+ PCs.

Solely one of many patches launched as we speak — CVE-2004-30080 — earned Microsoft’s most pressing “essential” ranking, which means malware or malcontents might exploit the vulnerability to remotely seize management over a person’s system, with none person interplay.

CVE-2024-30080 is a flaw within the Microsoft Message Queuing (MSMQ) service that may permit attackers to execute code of their selecting. Microsoft says exploitation of this weak point is probably going, sufficient to encourage customers to disable the susceptible element if updating isn’t potential within the quick run. CVE-2024-30080 has been assigned a CVSS vulnerability rating of 9.8 (10 is the worst).

Kevin Breen, senior director of menace analysis at Immersive Labs, mentioned a saving grace is that MSMQ just isn’t a default service on Home windows.

“A Shodan seek for MSMQ reveals there are a number of thousand doubtlessly internet-facing MSSQ servers that may very well be susceptible to zero-day assaults if not patched shortly,” Breen mentioned.

CVE-2024-30078 is a distant code execution weak point within the Home windows WiFi Driver, which additionally has a CVSS rating of 9.8. In response to Microsoft, an unauthenticated attacker might exploit this bug by sending a malicious knowledge packet to anybody else on the identical community — which means this flaw assumes the attacker has entry to the native community.

Microsoft additionally fastened various critical safety points with its Workplace functions, together with no less than two remote-code execution flaws, mentioned Adam Barnett, lead software program engineer at Rapid7.

CVE-2024-30101 is a vulnerability in Outlook; though the Preview Pane is a vector, the person should subsequently carry out unspecified particular actions to set off the vulnerability and the attacker should win a race situation,” Barnett mentioned. “CVE-2024-30104 doesn’t have the Preview Pane as a vector, however however finally ends up with a barely greater CVSS base rating of seven.8, since exploitation depends solely on the person opening a malicious file.”

Individually, Adobe launched safety updates for Acrobat, ColdFusion, and Photoshop, among others.

As typical, the SANS Internet Storm Center has the thin on the person patches launched as we speak, listed by severity, exploitability and urgency. Home windows admins also needs to regulate AskWoody.com, which regularly publishes early reviews of any Home windows patches gone awry.