file system Archives

Winsage

May 15, 2025

Windows Remote Desktop Vulnerability Let Attackers Execute Malicious Code Over Network

Microsoft's May 2025 Patch Tuesday addressed 72 vulnerabilities in Windows Remote Desktop services, including two critical vulnerabilities, CVE-2025-29966 and CVE-2025-29967, which are heap-based buffer overflow issues. These flaws allow unauthorized attackers to execute arbitrary code over a network, posing significant risks. The vulnerabilities have been rated as "Critical" and classified under CWE-122. They affect various versions of Windows operating systems utilizing Remote Desktop services. Although there have been no reported active exploitations, experts warn of the potential dangers, urging users to apply patches immediately. The update also addressed five actively exploited zero-day vulnerabilities in other Windows components. Patches are available through Windows Update, WSUS, and the Microsoft Update Catalog.

Winsage

May 14, 2025

Microsoft’s ‘Patch Tuesday’ Update Fixes Seven Zero-Day Exploits

Microsoft's latest Patch Tuesday update addresses 72 security vulnerabilities, including five critical zero-day vulnerabilities. Four of these zero-days are elevation of privilege flaws: - CVE-2025-32701 and CVE-2025-32706 target the Windows Common Log File System Driver. - CVE-2025-30400 affects the Microsoft DWM Core Library. - CVE-2025-32709 involves the Windows Ancillary Function Driver for WinSock. These vulnerabilities allow attackers to gain SYSTEM privileges locally. The fifth zero-day, CVE-2025-30397, is a remote code execution vulnerability in the Microsoft Scripting Engine, which can be exploited through malicious links in Microsoft Edge or Internet Explorer. CVE-2025-30397, CVE-2025-32701, and CVE-2025-30400 were discovered by the Microsoft Threat Intelligence Center, while CVE-2025-32706 was disclosed by the Google Threat Intelligence Group and CrowdStrike, and CVE-2025-32709 was reported by an anonymous researcher. Additionally, a publicly disclosed spoofing flaw in Microsoft Defender, CVE-2025-26685, allows unauthenticated attackers with local network access to impersonate another account. The final zero-day, CVE-2025-32702, is a remote code execution vulnerability in Visual Studio.

Winsage

May 12, 2025

Microsoft Defender Discovers Zero-Day Vulnerability in Windows CLFS

The deployment of PipeMagic preceded a sophisticated exploit targeting the Common Log File System (CLFS) kernel driver, initiated from a dllhost.exe process. The exploit began with the NtQuerySystemInformation API, which leaked kernel addresses to user mode. In Windows 11, version 24H2, access to specific System Information Classes within this API was restricted to users with SeDebugPrivilege, rendering the exploit ineffective on this version. The exploit then used a memory corruption technique with the RtlSetAllBits API to overwrite its process token with 0xFFFFFFFF, granting it all available privileges and enabling process injection into SYSTEM-level operations. A CLFS BLF file was created at C:ProgramDataSkyPDFPDUDrv.blf, marking the exploit's activity.

Winsage

May 8, 2025

Ransomware hackers target a new Windows security flaw to hit businesses

Several ransomware groups, including RansomEXX and Play, are exploiting a zero-day vulnerability in the Windows Common Log File System to elevate system privileges and deploy malware. This flaw was identified and patched during Microsoft's Patch Tuesday update in April 2024.

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Winsage

May 7, 2025

Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.

Winsage

May 7, 2025

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, to execute zero-day attacks, gaining SYSTEM privileges and deploying malware. Microsoft recognized this flaw and issued a patch during last month's Patch Tuesday. The gang targeted sectors including IT and real estate in the U.S., the financial sector in Venezuela, a Spanish software company, and retail in Saudi Arabia. They used the PipeMagic backdoor malware to deploy the CVE-2025-29824 exploit and install ransomware payloads. Symantec's Threat Hunter Team linked these activities to the Play ransomware-as-a-service operation, noting the use of the Grixba infostealer tool. The Play ransomware group, active since at least June 2022, employs double-extortion tactics and has compromised approximately 300 organizations globally as of October 2023. Notable victims include Rackspace, Arnold Clark, the City of Oakland, Dallas County, Antwerp, and Microchip Technology.

Winsage

May 6, 2025

Windows 11 24H2 now ‘broadly available’ – with a new problem

Microsoft has released Windows 11 24H2, but users are facing a known issue with Azure Virtual Desktop (AVD) applications, specifically related to the "App attach" feature. This feature allows applications to be dynamically attached to user sessions within AVD, operating within containers rather than being installed locally. Users may encounter an error message stating, "Element not found" when launching App attach applications. Microsoft recommends using VHDX images instead of CimFS images for packaging files, as the issue has not been reported in earlier versions of the operating system. A fix for the current version is expected by June 2025. The update for Windows 11 24H2 will be automatically received by devices running Windows 11 22H2 and 23H2, with users able to select the restart time or postpone the update.

Tech Optimizer

May 3, 2025

Extend the Amazon Q Developer CLI with Model Context Protocol (MCP) for Richer Context

Amazon Q Developer has introduced support for the Model Context Protocol (MCP) in its command line interface (CLI), enabling developers to connect external data sources for more context-aware responses. This enhancement allows access to pre-built integrations and MCP servers, improving code accuracy, data comprehension, unit test generation, database documentation, and query execution without custom integration code. MCP serves as an open protocol that standardizes application integration with large language models (LLMs). Developers can configure MCP servers in a file named mcp.json, which can be stored in the home directory or project root. After implementing MCP, Q Developer can effectively explore database schemas and execute complex SQL queries, significantly enhancing the development experience.

Winsage

April 26, 2025

3 reasons you shouldn’t use Btrfs, ReFS, or ZFS on Windows

Windows has relied on the NTFS file system for many years, while alternatives like Microsoft's ReFS, ZFS, and Btrfs have emerged. ZFS and Btrfs are not officially supported on Windows, leading users to depend on community-developed drivers that can cause stability issues, including crashes and blue screens of death. Performance tests show that ReFS underperforms compared to NTFS, with significant declines in disk performance across various metrics. Similar performance issues have been reported for Btrfs. Additionally, ReFS lacks certain features available in NTFS, such as support for portable media, specific encryption options, extended file attributes, and disk quotas. Currently, Windows is not fully equipped to support these newer file systems, and while ReFS is under development, the future of ZFS and Btrfs on Windows remains uncertain.