SmartScreen treated a malformed signature the same way as a valid signature
A fix for a zero-day vulnerability exploited by ransomware operators is part of this month's Patch Tuesday release for the Microsoft operating system.
Operators of a ransomware variant known as Magniber have been exploiting CVE-2022-44698 to bypass a Windows security feature intended to prevent malicious files from running on a desktop.
The patch is one of 52 fixes released by Microsoft in the last Patch Tuesday of 2022. Six are rated critical, 43 important, and three moderate in severity.
Security researchers at HP characterize Magniber as “single-client ransomware” targeting individual computers rather than fleets of devices. Operators have been known to demand $2,500 to unlock data.
As detailed by Mitja Kolsek of 0Patch, Magniber ransomware attackers were able to bypass the Windows SmartScreen feature by using a malformed, unparsable Authenticode signature. SmartScreen is a security component of the Windows operating system that inspects files downloaded from the Internet for matches against a database of malicious files. It also checks the file's Authenticode digital signature to determine whether the executable comes from a trusted publisher and hasn't been tampered with since it was published.
The bug, discovered by security researcher Will Dormann, is that Windows treated a malformed Authenticode signature the same way as a trusted signature and allowed the file to run without triggering the SmartScreen warning.
“And so a new 0 day – already exploited in the wild – was revealed,” Kolsek wrote.
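The fail-closed rule SmartScreen should have applied, written as a defender-side check in PowerShell. This is an added example, not code from the article or from Microsoft: it lists Internet-downloaded files (Mark-of-the-Web ZoneId=3) whose Authenticode signature does not verify as Valid, so an unsigned, tampered or unparsable signature is reported rather than waved through. The Downloads folder is an assumed starting point.

```powershell
# Added example (not from the article). Assumes the folder below as a
# stand-in; point it at whatever download location is being triaged.
function Get-UnverifiedDownloads {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_

        # Mark-of-the-Web lives in the Zone.Identifier alternate data stream.
        # ZoneId=3 means the file came from the Internet zone, which is what
        # SmartScreen inspects when the file is launched.
        $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $fromInternet = $zone | Where-Object { $_ -match '^ZoneId=3' }
        if (-not $fromInternet) { return }

        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

        # Fail closed: only an exact Status of Valid counts as trusted. Every
        # other outcome (NotSigned, HashMismatch, NotTrusted, UnknownError,
        # NotSupportedFileFormat, ...) is reported. A signature the parser
        # cannot read will not come back as Valid, which is precisely the
        # decision the bypass exploited SmartScreen getting wrong.
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File    = $file.FullName
                Status  = $sig.Status
                Message = $sig.StatusMessage
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Sha256  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

Get-UnverifiedDownloads | Format-Table -AutoSize
```

The SHA-256 column is there so flagged files can be matched against threat-intelligence feeds without re-hashing them by hand.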
Since Dormann discovered the zero-day in mid-October, some researchers have questioned the speed with which Microsoft developed a patch. Ransomware, and malware in general, relies heavily on convincing users to bypass the security measures that Microsoft has built into Windows over the past few decades to prevent automatic file execution.
“Considering how much phishing attacks rely on people opening attachments, these safeguards are vital in preventing malware and other attacks,” said Dustin Childs, a security analyst at the Zero Day Initiative, a software vulnerability program run by cybersecurity firm Trend Micro.
Other critical fixes
Microsoft also patched a DirectX Graphics Kernel elevation of privilege vulnerability, CVE-2022-44710, which is also listed as publicly known. In this case, the attacker must win a race condition on Windows 11.
Ashley Leonard, founder and CEO of cybersecurity firm Syxsense, says an attacker who successfully exploited this vulnerability could gain system privileges.
“If they could do that, the vulnerability has a jump point, meaning they could break out of the vulnerable component and move to another part of the operating system. Since there are no known countermeasures, the only option is to implement this patch,” said Leonard.
Microsoft also fixed 16 remote code execution bugs, including multiple Office bugs.
Another defect addressed by Microsoft is a PowerShell remote code execution vulnerability with a CVSS score of 8.5, tracked as CVE-2022-41076. This critical bug allows authenticated users to escape the restrictions of a PowerShell Remoting session configuration and run unapproved commands.
Mike Walters, vice president of vulnerability and threat research at Action1, says the bug affects Windows operating systems from Windows 7 and Windows Server 2008 R2 onward, as well as PowerShell 7.2 and 7.3.
Another critical vulnerability with a CVSS score of 8.8 affects the Microsoft SharePoint Server. Tracked as CVE-2022-44693, it allows an authenticated attacker to remotely execute code on SharePoint servers.
“To exploit it, attackers only need to access the basic user account with Manage List permissions, which most companies grant to all SharePoint users by default. This vulnerability requires no user interaction; once attackers have the correct credentials, they can remotely execute code on a target SharePoint server,” says Walters.