remote execution

Winsage
March 24, 2025
A vulnerability in how Microsoft Windows handles shortcut (.lnk) files has been exploited by state-sponsored groups from North Korea, Russia, Iran and China for espionage and data theft. The flaw lets an attacker hide a malicious command inside a shortcut that looks harmless; when the victim opens it, attacker-chosen code runs with the victim's privileges, giving the attacker a foothold on the system. Nearly 1,000 malicious .lnk samples have been identified, and around 70% of the attacks focused on espionage and information theft, with government and financial institutions the main targets. Because the embedded commands are hard to spot by inspecting the shortcut, detection is difficult and organisations struggle to protect themselves. ZDI recommends increased user awareness together with endpoint and network protection tools to mitigate the threat.
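
The shortcut format is documented (MS-SHLLINK), so the command a .lnk will run can be pulled out of the file without ever opening it. The following Python is an added example, not ZDI's tooling and not code from the article: it parses the header and the StringData section of a shortcut, then applies the checks a triage analyst would run first. The sample shortcuts are constructed here, and the heuristics (an interpreter list, a 64-character threshold for leading whitespace, which serves no purpose in a legitimate shortcut and only pushes the real command out of a short display field, and a 260-character length threshold) are my own assumptions, not values from the advisory.

```python
"""Added example: extract the command line stored in a Windows shortcut (.lnk)
and flag the patterns a triage analyst looks at first. Not ZDI's tooling; the
layout follows the public MS-SHLLINK specification."""
import re
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData blocks appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Assumption: interpreters/LOLBins that a document shortcut has no reason to invoke.
INTERPRETER_RE = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|msiexec)\b",
    re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and the StringData fields of a ShellLink file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def triage(data: bytes) -> list:
    """Heuristics to run on a shortcut before anyone double-clicks it (assumed thresholds)."""
    f = parse_lnk(data)
    args = f.get("arguments", "")
    findings = []
    pad = len(args) - len(args.lstrip(" \t\r\n\x0b\x0c"))
    if pad >= 64:
        findings.append(f"arguments start with {pad} whitespace characters: real command pushed out of view")
    if len(args) > 260:
        findings.append(f"arguments are {len(args)} characters long: far more than a normal shortcut needs")
    target = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    for tool in sorted({m.group(1).lower() for m in INTERPRETER_RE.finditer(target)}):
        findings.append(f"target invokes {tool}")
    return findings


def build_lnk(strings: dict, with_idlist: bool = False) -> bytes:
    """Constructed test input: a minimal ShellLink carrying the given StringData (UTF-16)."""
    flags = IS_UNICODE | (HAS_LINK_TARGET_ID_LIST if with_idlist else 0)
    body = b""
    for flag, name in STRING_FIELDS:
        if name in strings:
            flags |= flag
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", flags) + bytes(76 - 24)
    idlist = struct.pack("<H", 2) + b"\x00\x00" if with_idlist else b""   # IDList holding only TerminalID
    return header + idlist + body


# Constructed samples (not real malware): a document shortcut and a whitespace-padded cmd.exe launcher.
BENIGN = build_lnk({"relative_path": r"..\Documents\report.docx",
                    "working_dir": r"C:\Users\alice\Documents"})
PADDED = build_lnk({"relative_path": r"..\..\..\Windows\System32\cmd.exe",
                    "arguments": " " * 900 + "/c powershell -w hidden -enc SQBFAFgA"}, with_idlist=True)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, repr(parse_lnk(blob).get("arguments", "").strip()[:40]))
        for finding in triage(blob):
            print("  !", finding)
```

Run it over a directory of quarantined shortcuts and sort by the number of findings; the benign sample above produces none, the padded launcher produces four. The parser only skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, which is enough to reach the arguments; a full implementation would also walk the IDList to recover the absolute target path.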
Winsage
February 13, 2025
Microsoft's February Patch Tuesday updates, released on February 11, include KB5051987 for Windows 11 24H2 and KB5051989 for Windows 11 23H2. They bring enhancements to the Taskbar and File Explorer: improved previews and animations for Taskbar icons, a new System Tray icon for Windows Studio Effects, and a new simplified Chinese font, Simsun-ExtG. Certain applications can now restart automatically after the user signs back in. File Explorer gains a "New Folder" command in the context menu and can restore previously open tabs at logon. The updates fix various bugs, including Auto HDR problems in games and playback interruptions and driver problems with USB audio devices, and they address regressions introduced by the January 2025 security update, such as USB cameras not being recognised and slower shutdown while controllers are connected. On the security side, the update resolves 56 vulnerabilities, three of them critical. Notable entries include CVE-2025-21391 (Windows Storage elevation of privilege through arbitrary file deletion), CVE-2025-21418 (elevation of privilege in the Ancillary Function Driver for WinSock), CVE-2025-21377 (NTLM hash disclosure, a spoofing issue) and CVE-2025-21376 (remote code execution in Windows LDAP). The updates install automatically, but users can also check for them manually through Windows Update.
TrendTechie
November 22, 2024
In late October 2024 the qBittorrent project released version 5.0.1, closing a 14-year-old flaw in its handling of SSL/TLS certificates that exposed users to man-in-the-middle (MitM) attacks. The DownloadManager component never verified the certificate presented by a server, behaviour that dates back to a commit of April 6, 2010; since then qBittorrent accepted any certificate, so an attacker positioned on the network path could tamper with the client's HTTPS traffic and, in the worst case, turn that into remote code execution. The default was changed to enforce verification on October 12, 2024. Sharp Security identified four main risks:
1. An attacker could intercept the client's request for a Python installer and substitute a malicious one.
2. During the update check, the attacker could replace the download link for the new version with a malicious one.
3. The attacker could modify the content of the RSS feeds the client fetches, inserting malicious URLs.
4. A counterfeit server could serve a crafted GeoIP database, reaching potential buffer-overflow bugs in the code that parses it.
The published proof of concept demonstrated the issue by launching the system Calculator application on the victim's machine. qBittorrent 5.0 itself was released in late September 2024; the client is built on the Qt toolkit and its source code is available on GitHub under the GPLv2+ licence.
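
The two halves of the fix matter separately: the TLS layer must refuse an unverifiable certificate, and anything executable that comes down the pipe (risk 1 above) should additionally match a digest shipped with the client, so that even a compromised or mis-issued certificate cannot swap the installer. The following Python is an added example and not qBittorrent's code; it shows the "accept anything" context the old client effectively used next to a strict one, plus a download routine with an injectable fetch so the substitution check runs offline. The host allowlist, the installer URL and the two payload byte strings are constructed assumptions.

```python
"""Added example (not qBittorrent code): a download path that cannot be talked into
accepting an untrusted certificate, plus a pinned digest for anything executable."""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlsplit

# Assumption: the only hosts the client should ever fetch installers or feeds from.
ALLOWED_HOSTS = {"www.qbittorrent.org", "www.python.org"}


def permissive_context() -> ssl.SSLContext:
    """The pre-5.0.1 behaviour in Python terms: any certificate is accepted, so an
    on-path attacker with a self-signed certificate terminates the 'secure' connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context() -> ssl.SSLContext:
    """Verified chain, hostname match and TLS 1.2+ only; no opt-out is exposed."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_url(url: str) -> str:
    """Reject plain HTTP and hosts outside the allowlist before any request is made."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS download: {url}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not on the download allowlist: {parts.hostname}")
    return url


def url_ok(url: str) -> bool:
    try:
        check_url(url)
        return True
    except ValueError:
        return False


def fetch_verified(url: str, expected_sha256: str, fetch=None) -> bytes:
    """Download `url` over the strict context and require its SHA-256 to match a value
    shipped with the client. `fetch` is injectable so the logic can be exercised offline."""
    check_url(url)
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u, context=strict_context(), timeout=30) as resp:
                return resp.read()
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"digest mismatch for {url}: got {actual}")
    return data


# Constructed stand-ins for a genuine installer and a MitM-substituted one (not real binaries).
GENUINE = b"MZ\x90\x00genuine-python-installer-bytes"
TAMPERED = b"MZ\x90\x00calc.exe-launcher"
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()      # what the client would ship
INSTALLER_URL = "https://www.python.org/ftp/python/3.12.0/python-3.12.0-amd64.exe"  # assumption


def mitm_demo() -> dict:
    """Which server behaviour gets through: the genuine payload does, the substitute does not."""
    results = {"genuine": fetch_verified(INSTALLER_URL, GENUINE_SHA256, fetch=lambda u: GENUINE) == GENUINE}
    try:
        fetch_verified(INSTALLER_URL, GENUINE_SHA256, fetch=lambda u: TAMPERED)
        results["tampered"] = True
    except ValueError:
        results["tampered"] = False
    return results


if __name__ == "__main__":
    print("permissive verify_mode:", permissive_context().verify_mode.name)
    print("strict verify_mode:    ", strict_context().verify_mode.name)
    print(mitm_demo())
```

In Qt terms, `permissive_context()` corresponds to connecting a reply's `sslErrors` signal to `QNetworkReply::ignoreSslErrors()`; the fix is simply not to do that, so a certificate error fails the download. The pinned digest covers the installer case only; for the update feed and RSS feeds (risks 2 and 3) the allowlist plus strict TLS is what stands between the client and an injected URL.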
Winsage
October 9, 2024
Microsoft has released updates addressing a total of 118 vulnerabilities, two of which are being actively exploited in the wild. By severity: 3 critical, 113 important and 2 moderate. Five of the 118 were publicly known at release time, and two of those were already being exploited as zero-days:
- CVE-2024-43572 (CVSS 7.8): Microsoft Management Console remote code execution (exploitation detected)
- CVE-2024-43573 (CVSS 6.5): Windows MSHTML Platform spoofing (exploitation detected)
CVE-2024-43468 is a critical remote code execution flaw in Microsoft Configuration Manager (CVSS 9.8) that lets an unauthenticated attacker execute arbitrary commands. Other critical vulnerabilities:
- CVE-2024-43488 (CVSS 8.8): Visual Studio Code extension for Arduino
- CVE-2024-43582 (CVSS 8.1): Remote Desktop Protocol (RDP) server
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43572 and CVE-2024-43573 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the fixes by October 29, 2024.
Winsage
August 9, 2024
A critical zero-click remote code execution (RCE) vulnerability, tracked as CVE-2024-38077, affects Windows Server releases from 2000 through the 2025 preview. The flaw sits in the Windows Remote Desktop Licensing Service: a heap overflow in the CDataCoding::DecodeData function, which mishandles user-controlled input, lets an attacker execute arbitrary code with no user interaction. The researchers' proof-of-concept exploit reportedly defeats the exploit mitigations present in Windows Server 2025. The licensing service is an optional role, but over 170,000 instances are exposed to the public internet, which widens the pool of reachable targets considerably. Microsoft was notified and has released a patch, urging users to apply it; security researchers also recommend compensating controls such as network segmentation and access controls, so that the licensing service is reachable only from the hosts that need it.