exploitation Archives

Winsage

April 24, 2025

Windows 11’s crucial new ‘inetpub’ folder is laughably easy to hack

A new folder named "inetpub" appeared on many Windows PCs after an April update, initially thought to be a glitch. Microsoft later stated that this folder was introduced to enhance Windows security by addressing the CVE-2025-21204 vulnerability. However, security researcher Kevin Beaumont revealed that the inetpub folder could allow attackers to bypass critical security updates. Beaumont proposed creating a junction point in the C: directory to prevent the inetpub folder's creation, which would also block the installation of the April update and subsequent security updates, leaving PCs vulnerable. This situation could lead to error messages and failed update rollbacks, with attackers able to exploit these issues without elevated privileges. Beaumont has informed Microsoft about the problem, but a response has not yet been received.

Winsage

April 23, 2025

Critical Flaw in Windows Update Stack Enables Code Execution and Privilege Escalation

A newly identified vulnerability in the Windows Update Stack, designated as CVE-2025-21204, allows attackers to execute arbitrary code and escalate privileges to SYSTEM level on affected machines. This critical security flaw arises from improper privilege separation and inadequate validation during the update orchestration process. Attackers can exploit it by creating harmful update packages or acting as man-in-the-middle on compromised networks. The vulnerability impacts any Windows system utilizing the vulnerable update mechanism, affecting both enterprise and consumer editions. Microsoft is working on a patch, and users are advised to monitor official channels for updates and apply patches promptly. Organizations should also restrict network access to update servers and monitor for suspicious update activities. The CVSS score for this vulnerability is 7.8 (High), indicating significant risk.

Winsage

April 22, 2025

Critical Windows Update Stack Vulnerability Allows Code Execution & Privilege Escalation

A security vulnerability identified as CVE-2025-21204 has been discovered in the Windows Update Stack, allowing local attackers to execute unauthorized code and escalate privileges to SYSTEM-level access. This vulnerability, with a CVSS score of 7.8 (High), affects Windows 10 versions 1507, 1607, and 1809, among likely other supported Windows 10/11 and Windows Server versions. The flaw arises from a design issue where Windows Update processes do not properly follow directory junctions, enabling attackers with limited user privileges to redirect trusted paths to locations containing malicious code. Microsoft has introduced a mitigation strategy in its April 2025 cumulative update, which includes creating a new folder at the root of system drives and implementing detection rules for suspicious junction creations. Organizations are advised to apply the April 2025 security updates, restrict ACLs on specific directories, prevent symbolic link creation, and monitor file creation activities in certain directories.

Winsage

April 20, 2025

587 Windows Vulnerabilities — A Microsoft Security Record Breaker

Microsoft has reported a record number of 1,360 security vulnerabilities for its products in 2024, marking an 11% increase from 2023. This includes 587 vulnerabilities in Windows (33 classified as critical) and 684 in Windows Server (43 classified as critical). The increase in reported vulnerabilities suggests that security researchers are effectively identifying weaknesses, and Microsoft has invested over a million dollars in bounties to encourage this. The proactive communication and remediation process during Patch Tuesday enhances security, indicating that Microsoft is committed to addressing vulnerabilities rather than being indifferent to user security.

AppWizard

April 19, 2025

Urgent Android Warning: Major Security Flaw Allows Hackers Full Access—Here Are the Apps You Must Delete Now

A vulnerability known as “Dirty Stream” was discovered by Microsoft, allowing malicious applications to hijack trusted apps on high-end Android devices. Although the flaw has been patched, any data accessed before the patch remains vulnerable. The vulnerability exploited the ContentProvider system in Android, enabling harmful apps to send deceptive files that could overwrite critical data in secure storage. Microsoft noted that this could lead to arbitrary code execution, giving attackers full control over applications and access to sensitive user data. Several popular Android apps were found to be vulnerable, with over four billion installations affected. It is crucial to promptly install security updates and maintain app vigilance to protect personal data.

Winsage

April 19, 2025

Windows vulnerability with NTLM hash abuse exploited for phishing

A vulnerability in Windows, identified as CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk, it was addressed in Microsoft's March 2025 Patch Tuesday updates. Following the release of these patches, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links containing .library-ms files, which, when accessed, connected to an external SMB server controlled by the attackers, allowing interception of NTLM hashes. A subsequent wave of attacks involved .library-ms files sent as direct attachments, requiring minimal user interaction to exploit the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the attackers' SMB servers with specific IP addresses. Despite being classified as medium-severity, the vulnerability's potential impact is significant, prompting organizations to apply the March 2025 updates and consider disabling NTLM authentication if not essential.

AppWizard

April 18, 2025

N.J. sues Discord, alleging the messaging app leaves kids vulnerable to predators

State officials in New Jersey have filed a lawsuit against Discord, alleging that the messaging platform fails to protect children from online predators and misrepresents its safety features, particularly regarding direct messaging. New Jersey Attorney General Matt Platkin claims that Discord's misleading safety settings have made it a target for predators, exposing young users to risks. Discord has announced its intention to contest the lawsuit, asserting its commitment to safety. The complaint points out that Discord's default settings allow users to receive friend requests from anyone and that its claims about scanning and removing explicit content are misleading. The lawsuit demands that Discord relinquish profits earned in New Jersey and seeks civil penalties, following incidents where inadequate safeguards led to child exploitation. Additionally, a man has been accused of communicating with a 14-year-old victim on Discord after previously assaulting her.

AppWizard

April 18, 2025

N.J. sues messaging app Discord for alleged youth endangerment

New Jersey has filed a lawsuit against Discord, alleging that the platform's safety measures for young users are inadequate and misleading. The lawsuit claims that Discord's safety protocols have exposed children to violent content, harassment, and sexual abuse, despite the company's assertions that it provides a "safe space for teens." Key concerns include the platform's ineffective age-verification process, which allows children under 13 to access the app, and the failure of its "Safe Direct Messaging" feature to effectively scan for explicit content. Discord has expressed surprise at the legal action and maintains its commitment to improving safety on the platform.

AppWizard

April 17, 2025

N.J. attorney general sues Discord messaging app over child predator concerns

New Jersey has filed a lawsuit against Discord, claiming the platform fails to adequately protect underage users from predators, thus breaching the New Jersey Consumer Fraud Act. The lawsuit highlights that children can easily create accounts without proper age verification, allowing adult users to contact them. New Jersey Attorney General Matthew Platkin criticized Discord's safety measures, stating they can be easily bypassed. In 2023, an NBC News investigation linked 35 cases of serious crimes to interactions on Discord. Discord’s CEO acknowledged the severity of these issues and announced updates to child safety policies, including a ban on teen dating and AI-generated child sexual abuse material.

Winsage

April 17, 2025

Windows NTLM hash leak flaw exploited in phishing attacks on governments

A vulnerability in Windows, identified as CVE-2025-24054, is being actively exploited in phishing campaigns targeting government and private sectors. Initially addressed in Microsoft's March 2025 Patch Tuesday, it was not considered actively exploited at that time. Researchers from Check Point reported increased exploitation activities shortly after the patches were released, particularly between March 20 and 25, 2025. Some attacks were linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability allows attackers to capture NTLM hashes through phishing emails containing manipulated .library-ms files that trigger the flaw when interacted with. Check Point noted that subsequent attacks involved .library-ms files sent directly, requiring minimal user interaction to exploit. The malicious files also included additional components that exploit older vulnerabilities related to NTLM hash leaks. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated as medium severity, the potential for authentication bypass and privilege escalation makes it a significant concern, prompting recommendations for organizations to install updates and disable NTLM authentication if not necessary.