Microsoft vulnerabilities have grave implications for organizations of all sizes – Help Net Security

Microsoft software products are a connective tissue of many organizations, from online documents (creating, sharing, storing), to email and calendaring, to the operating systems that enable business operations on the front and back ends, both in the cloud and on premises.


Over 1 million companies worldwide and over 731,000 companies in the U.S. use Office 365, and though Microsoft offers no hard stats, some sources suggest there are over 90,000 Microsoft partners facilitating services and products for clients. It’s no wonder, then, that vulnerabilities in Microsoft solutions are an attractive attack vector.

So far in 2021, the 12 most notable critical Microsoft vulnerabilities fall within five major threat categories:

  • Exchange vulnerabilities
  • Print Spooler vulnerabilities
  • Sensitive Windows Registry database files vulnerabilities
  • Encrypting File System Remote Protocol (MS-EFSRPC) and Active Directory Certificate Services (AD CS) vulnerabilities, and
  • ActiveX vulnerabilities.

Let’s break them down.

Exchange vulnerabilities

Microsoft Exchange comprises the back end of integrated messaging, calendaring, tasks, and email. Exchange Server is among the most widely used and well-known mail solutions for governments and enterprises across the globe. Managing Exchange Server in-house is a complex task, and misconfigured Exchange servers are especially troubling because threat actors actively scan for and exploit Exchange servers that aren’t configured correctly or don’t have the most current security patches and updates.

Recent Microsoft Exchange Server vulnerabilities include ProxyLogon, ProxyOracle and ProxyShell.

ProxyLogon (CVE-2021-26855 and CVE-2021-27065) targets on-premises Exchange servers. The bug abuses the Exchange proxy architecture and its logon mechanism, allowing a threat actor to bypass authentication on the Exchange server, impersonate an administrator and gain code execution.

ProxyOracle (CVE-2021-31196 and CVE-2021-31195) is a bit trickier than ProxyLogon in that threat actors must trick users into clicking on a malicious link to steal the user’s password. The form-based authentication used to manage user logins for Outlook Web Access stores the user’s credentials in browser cookies, which are encrypted. To work around that protection, threat actors use a padding oracle attack to decrypt the user’s cookies and recover the plaintext password.

ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) is another vulnerability affecting unpatched on-premises Exchange servers that are reachable from the Internet. ProxyShell abuses the URL normalization that the Client Access Service performs on logon requests: when a logon request arrives, Exchange normalizes the request URL and strips the portion containing the mail address before routing the request to the backend. With ProxyShell, threat actors can cause part of the URL to be removed during normalization, gain access to an arbitrary backend URL, and execute commands on the Exchange server through the exposed port 443 using Exchange PowerShell Remoting. In simple terms, this lets threat actors act as an Exchange admin and execute PowerShell commands remotely.
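One way to hunt for the URL-normalization abuse described above is to triage the Exchange front-end IIS logs. The script below is an added example and is not code from the article or from Microsoft; it parses W3C-format IIS log lines and flags two publicly reported ProxyShell artefacts: an Autodiscover request whose query string begins with an "@"-prefixed mailbox fragment, and a request carrying a backend PowerShell token (X-Rps-CAT) that should never appear in front-end traffic. The log lines, IP addresses and token value are constructed for the example; the default IIS log path in the trailing comment is an assumption about the deployment.

```powershell
# Added example (not from the Help Net Security article): triage Exchange
# front-end IIS (W3C) logs for ProxyShell-style path confusion.
# Sample log lines are constructed; the token value is a placeholder.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-08-12 10:01:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 203.0.113.10 Mozilla/5.0 200
2021-08-12 10:02:17 10.0.0.5 GET /autodiscover/autodiscover.json @example.invalid/mapi/nspi/ 443 198.51.100.7 python-requests/2.25 200
2021-08-12 10:02:19 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/powershell/?X-Rps-CAT=PLACEHOLDER 443 198.51.100.7 python-requests/2.25 200
2021-08-12 10:03:40 10.0.0.5 GET /ecp/default.aspx - 443 203.0.113.10 Mozilla/5.0 200
'@

function Find-ProxyShellIndicators {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Field names follow the '#Fields:' prefix; data lines are indexed by them.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }

        # Build a name -> value map for this record (IIS encodes spaces as '+').
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $stem  = $rec['cs-uri-stem']
        $query = $rec['cs-uri-query']
        $reasons = @()

        # Indicator 1: Autodiscover request whose query starts with an '@' mailbox fragment,
        # the shape produced when the mail-address portion is stripped during normalization.
        if ($stem -match '(?i)/autodiscover/autodiscover\.json$' -and $query -match '^@') {
            $reasons += 'Autodiscover query begins with @-mailbox fragment (path confusion)'
        }
        # Indicator 2: backend PowerShell access token surfacing in a front-end request.
        if ($query -match '(?i)X-Rps-CAT=') {
            $reasons += 'Backend PowerShell token (X-Rps-CAT) in front-end request'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIP = $rec['c-ip']
                Method   = $rec['cs-method']
                Stem     = $stem
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Run against the constructed sample. Against a real server, feed it the
# front-end site logs instead, e.g. (assumed default path):
#   Find-ProxyShellIndicators -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')
Find-ProxyShellIndicators -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Both hits in the sample come from the same client IP within seconds, which is the pattern to pivot on: once an indicator fires, pull every request from that client and check the Exchange server for unexpected mailbox export requests and new .aspx files under the web directories.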

Print Spooler vulnerabilities

Printers in general and Print Spooler in particular have been targeted for exploitation by threat actors for many years. For example, the infamous 2010 Stuxnet worm – the one used against Iranian nuclear facilities – used a Print Spooler vulnerability.

PrintNightmare (CVE-2021-34527) is a vulnerability that lets attackers with a low-privilege domain user account take control of a server running the Print Spooler service by adding dynamic link library (DLL) files as printer drivers, which are then executed with SYSTEM privileges. Once the threat actor exploits this vulnerability, they can install programs, manipulate data, and create new users with full permissions.
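The practical defensive questions for PrintNightmare are whether the Print Spooler service is running on hosts that have no business printing, and whether Point and Print is configured so that only administrators can install printer drivers. The script below is an added example, not code from the article or from Microsoft; it reads the registry values Microsoft documented for CVE-2021-34527 hardening (RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings under the PointAndPrint policy key) and reports findings. The function and parameter names are the author's own.

```powershell
# Added example (not from the Help Net Security article): audit a Windows host for
# PrintNightmare exposure. Run in an elevated PowerShell session.
# The registry path and value names are the ones Microsoft documents for
# Point and Print hardening against CVE-2021-34527.
$pnpKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintNightmarePosture {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $props   = if (Test-Path $pnpKey) { Get-ItemProperty -Path $pnpKey } else { $null }

    # Recommended values: RestrictDriverInstallationToAdministrators = 1,
    # NoWarningNoElevationOnInstall = 0, UpdatePromptSettings = 0.
    $restrict = if ($props) { $props.RestrictDriverInstallationToAdministrators } else { $null }
    $noWarn   = if ($props) { $props.NoWarningNoElevationOnInstall } else { $null }
    $update   = if ($props) { $props.UpdatePromptSettings } else { $null }

    $findings = @()
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler is running; disable it on servers (especially domain controllers) that do not print.'
    }
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1; non-admins may install printer drivers.'
    }
    if ($noWarn -eq 1 -or $update -eq 1) {
        $findings += 'Point and Print elevation prompts are suppressed (NoWarningNoElevationOnInstall/UpdatePromptSettings = 1).'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SpoolerStatus = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        SpoolerStart  = if ($spooler) { $spooler.StartType.ToString() } else { 'n/a' }
        Findings      = $findings
    }
}

function Disable-PrintSpooler {
    # Remediation for hosts that neither print nor share printers.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Set-PointAndPrintHardening {
    # Remediation for hosts that must keep the spooler: restrict driver
    # installation to administrators and re-enable the elevation prompts.
    if (-not (Test-Path $pnpKey)) { New-Item -Path $pnpKey -Force | Out-Null }
    New-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $pnpKey -Name UpdatePromptSettings -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-PrintNightmarePosture | Format-List
```

Run the audit function across the fleet first (for example through Invoke-Command) and only then apply one of the two remediation functions per host class: Disable-PrintSpooler on domain controllers and application servers, Set-PointAndPrintHardening on print servers and workstations that legitimately need the service. Neither function replaces installing the July 2021 and later cumulative updates; they reduce exposure on hosts that cannot be patched immediately.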

Sensitive Windows Registry database files vulnerabilities

Windows Registry stores information about configurations, parameters and preferences for Windows OS and applications. It contains a set of files called hives, such as SYSTEM and SECURITY hives, and the Windows Security Accounts Manager (SAM) database. A threat actor who abuses the sensitive Windows Registry database files vulnerability and successfully authenticates to a machine can run arbitrary code with SYSTEM privileges.

HiveNightmare, aka SeriousSAM (CVE-2021-36934), is one such vulnerability. Default Windows 10 and 11 configurations grant all non-admin users read rights on key registry hives (you read that correctly; it’s a known error), which allows a threat actor with a low-privileged account to retrieve all Registry hives in Windows 10 and 11. That includes the SAM data, which the attacker can use to execute code as SYSTEM, and with the hashed credentials taken from that database they can use the pass-the-hash method to authenticate to a remote server. Once authenticated, the attacker gains full control: they can run commands, drop extra payloads, spread over the network, and create users with full permissions.
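The exposure described above is a file-system ACL problem on the on-disk hive files, and it is compounded by Volume Shadow Copies, which keep older copies of those files with the same over-permissive ACL. The following added example (not code from the article or from Microsoft) checks each hive for a read ACE granted to BUILTIN\Users, counts existing shadow copies, and wraps Microsoft's published workaround for CVE-2021-36934 (restore ACL inheritance on %windir%\System32\config and remove existing shadow copies) in a remediation function. Function names are the author's own.

```powershell
# Added example (not from the Help Net Security article): check whether the
# on-disk registry hives are readable by non-administrators (CVE-2021-36934)
# and whether shadow copies exist that still expose older copies of them.
# Run in an elevated PowerShell session.
$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposure {
    # Shadow copies matter because the vulnerable ACL is preserved inside them.
    $shadowCount = (Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue | Measure-Object).Count

    foreach ($hive in $hives) {
        $path = Join-Path $configDir $hive
        # Get-Acl reads the security descriptor even though the live hive is locked.
        $acl  = Get-Acl -Path $path

        # Any Allow ACE for BUILTIN\Users that includes ReadData is the vulnerable condition.
        $usersRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $readData) -ne 0
        }

        [pscustomobject]@{
            Hive            = $hive
            Path            = $path
            ReadableByUsers = [bool]$usersRead
            ShadowCopies    = $shadowCount
            Exposed         = [bool]$usersRead -or ($shadowCount -gt 0 -and [bool]$usersRead)
        }
    }
}

function Repair-HiveExposure {
    # Microsoft's workaround: re-enable inheritance so the hive files pick up the
    # restrictive ACL of the config directory, then delete shadow copies that still
    # hold readable copies. Deleting shadow copies also deletes System Restore
    # points, so confirm a current backup exists before running this.
    icacls "$configDir\*.*" /inheritance:e | Out-Null
    vssadmin delete shadows /all /quiet
}

Test-HiveExposure | Format-Table -AutoSize
```

A host where ReadableByUsers is false for all three hives but ShadowCopies is greater than zero may still be exposed if the ACL was fixed after the shadow copies were taken, which is why Microsoft's workaround pairs the ACL fix with shadow copy removal; re-run Test-HiveExposure after Repair-HiveExposure to confirm both columns are clean.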

MS-EFSRPC & AD CS vulnerabilities

Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network. Active Directory Certificate Services (AD CS) is a server role that lets users create a public key infrastructure (PKI) and provides public key cryptography, digital certificates, digital signature capabilities and other security functions.

PetitPotam (CVE-2021-36942) is an example of an NT LAN Manager (NTLM) relay attack. In PetitPotam, threat actors who have already gained access to a machine in the victim’s environment can take over an Active Directory domain where AD CS is in use. Rather than taking advantage of one specific bug, the attack exploits the authentication method in MS-EFSRPC to obtain an authentication certificate, which leads to domain compromise and the ability to elevate privileges within the domain.

ActiveX vulnerabilities

ActiveX controls are reusable program components used to build and run applications that work over a network. Applications rely on ActiveX to share functionality and data through web browsers, so this vulnerability can be exploited through online Microsoft Office documents.

MSHTML (CVE-2021-40444) is a highly sophisticated remote code execution vulnerability that lets an attacker run arbitrary code on a victim’s machine through a malicious ActiveX control embedded in a document, which is typically delivered to the victim through spear-phishing. The threat actor lures the user into opening the malicious document, and once the file is opened and the code is executed, the threat actor performs malicious activities such as running commands remotely, dropping extra payloads and gaining persistence.

Feeling vulnerable?

According to IBM’s Cost of a Data Breach Report 2021, the average cost of a data breach increased by the largest year-over-year margin in seven years, from $3.86M in 2020 to $4.24M in 2021. The average time elapsed before a breach was detected in 2021 was 212 days with an additional 75 days to contain it!

The attack types we’ve explored in this article lead to compromised domains and the ability for criminals to create their own accounts with full admin credentials. And according to the report, compromised credentials were the most common attack vector, responsible for 20% of breaches and costing an average of $4.37M per breach.

Each of these Microsoft vulnerabilities has grave implications for organizations of all sizes. For example, PrintNightmare is critical because the Print Spooler service runs by default on all Windows servers and clients. It’s alarming that this iteration evolved from an earlier vulnerability that had been patched, only for the patch to turn out to be half effective. And HiveNightmare (aka SeriousSAM) works because of a vulnerability in the company’s Windows OS itself; it also doesn’t require unencrypted credentials. These attack types justify the need to keep all systems updated in addition to staying up to date on Microsoft vulnerabilities.

Cybersecurity leaders must ensure they are deploying detection rules designed to detect and prevent exploitation attempts of these vulnerabilities and create additional detection rules to place more focus on the risk. Push all patches available for Microsoft products and keep an eye out for not only newly discovered vulnerabilities but also evolutions of known ones.
