system vulnerabilities

Winsage
May 12, 2025
The deployment of PipeMagic preceded a sophisticated exploit targeting the Common Log File System (CLFS) kernel driver, initiated from a dllhost.exe process. The exploit began with the NtQuerySystemInformation API, which leaked kernel addresses to user mode. In Windows 11, version 24H2, access to specific System Information Classes within this API was restricted to users with SeDebugPrivilege, rendering the exploit ineffective on this version. The exploit then used a memory corruption technique with the RtlSetAllBits API to overwrite its process token with 0xFFFFFFFF, granting it all available privileges and enabling process injection into SYSTEM-level operations. A CLFS BLF file was created at C:\ProgramData\SkyPDF\PDUDrv.blf, marking the exploit's activity.
Tech Optimizer
April 26, 2025
The webcam is a crucial tool for remote communication but poses privacy risks, particularly through a threat known as CamFecting, where unauthorized access can occur via malware, malicious websites, or system vulnerabilities. Preventive measures include using antivirus software, disabling the webcam when not in use, and physically covering the camera with privacy caps or tape. Signs of unauthorized access include unexpected illumination of the webcam light, unusual camera behavior, unknown files on the system, abnormal data consumption, and decreased battery life. To deactivate the webcam, users can adjust settings in major browsers and operating systems. Maintaining digital hygiene, such as regularly updating software, using security systems like firewalls and VPNs, and being cautious of phishing attempts, is essential to minimize risks.
AppWizard
March 18, 2025
A recent analysis by Bitdefender has revealed a significant ad fraud campaign resulting in over 60 million downloads of malicious applications from the Google Play Store. The campaign involves at least 331 applications that can bypass Android's security measures, allowing them to remain undetected and activate without user interaction. These apps, which often disguise themselves as utility tools, are capable of displaying advertisements and launching phishing attacks without necessary permissions. Some of the malicious apps have been updated and continue to be active, while Google has been notified and is investigating the issue. The attackers employ various methods to conceal their apps, including hiding icons and exploiting system vulnerabilities. They also use custom command and control domains with encryption techniques to complicate detection efforts.
Winsage
February 13, 2025
In February 2025, Microsoft began a mandatory update for Windows 10 users that included the forced installation of the new Outlook app as part of a strategy to integrate it into their ecosystem. This installation is linked to the KB5051974 update, which is a critical security patch. Users can prevent the new Outlook from being installed by modifying the Windows registry, specifically by creating a new string value named BlockedOobeUpdaters and setting its value data to ["MS_Outlook"]. This process must be repeated with each subsequent Windows 10 update. For users who have already had the new Outlook installed, it cannot be uninstalled through standard methods but can be removed using Windows PowerShell with the command: Remove-AppxProvisionedPackage -AllUsers -Online -PackageName (Get-AppxPackage Microsoft.OutlookForWindows).PackageFullName. Additionally, to uninstall unsupported Mail or Calendar apps, the command is: Get-AppxProvisionedPackage -Online | Where {$_.DisplayName -match "microsoft.windowscommunicationsapps"} | Remove-AppxProvisionedPackage -Online -PackageName {$_.PackageName}.
Winsage
November 13, 2024
Microsoft has addressed a limited number of critical vulnerabilities, including two related to privilege escalation: one associated with VMSwitch that allows low-privileged users on a guest OS to execute code with SYSTEM privileges on the host OS, and another in a cloud service that has been mitigated. The updates include over 50 code execution vulnerabilities, primarily affecting SQL Server, with CVE-2024-49043 requiring urgent attention for updates to OLE DB Driver versions 18 or 19. Several vulnerabilities in Office components were identified, six remote code execution vulnerabilities were found in the Telephony service, and an SMBv3 vulnerability was notable in that a malicious SMB client could attack an affected SMB server in SMB over QUIC configurations. A CVSS 9.9 rated vulnerability in Azure CycleCloud could allow root-level access, and an RCE vulnerability in TorchGeo was also identified. Over two dozen fixes for privilege escalation vulnerabilities were released, including USB Video Class System Driver vulnerabilities requiring physical access and vulnerabilities in Azure Database for PostgreSQL that could grant SuperUser privileges. Two Security Feature Bypass vulnerabilities were addressed, one in Word and another in Windows Defender Application Control. Two spoofing vulnerabilities were identified in Exchange Server and DNS, and four denial-of-service vulnerabilities were reported, including one in Hyper-V that could facilitate cross-VM attacks. The final Patch Tuesday of 2024 is scheduled for December 10.
Winsage
September 27, 2024
Researchers have identified a security concern designated as CVE-2024-6769, which involves User Account Control (UAC) bypass and privilege escalation vulnerabilities in the Windows operating system. This flaw could allow an authenticated attacker to gain complete system privileges. Fortra rated the vulnerability with a medium severity score of 6.7 out of 10 on the CVSS scale. The attack requires the attacker to already hold the medium integrity-level privileges of a standard user who is a member of the Administrators group. The attacker can manipulate the system's root drive and use a counterfeit DLL to execute code at an elevated privilege level. Microsoft does not classify this as a vulnerability, stating that administrative processes are part of the Trusted Computing Base (TCB) and are therefore not strongly isolated from the kernel boundary. Fortra argues that this undermines the credibility of UAC as a security feature. Only administrators are affected by this vulnerability, and vigilance is recommended for businesses to mitigate risks associated with privilege escalation.
Winsage
August 14, 2024
Microsoft has released Patch Tuesday security updates addressing 90 vulnerabilities in the Windows ecosystem, including five critical zero-day vulnerabilities under active cyber attack. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included these vulnerabilities in the Known Exploited Vulnerabilities Catalog, requiring compliance by September 3. The five critical vulnerabilities are:

1. CVE-2024-38178: A memory corruption issue in the Windows scripting engine, allowing remote code execution, affecting Windows 10, Windows 11, and Windows Server 2012 and later, with a severity rating of 7.6.
2. CVE-2024-38213: A bypass of the Windows 'Mark of the Web' security feature, potentially allowing circumvention of SmartScreen protection, affecting Windows 10, Windows 11, and Windows Server 2012 and later.
3. CVE-2024-38193: An elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock, affecting Windows 10, Windows 11, and Windows Server 2008 and later, which could lead to SYSTEM privileges.
4. CVE-2024-38106: A Windows kernel elevation of privilege vulnerability affecting Windows 10, Windows 11, and Windows Server 2016 and later, arising from inadequate protection of sensitive data in memory.
5. CVE-2024-38107: A use-after-free elevation of privilege vulnerability in the Windows Power Dependency Coordinator, affecting Windows 10, Windows 11, and Windows Server 2012 and later, which could lead to arbitrary code execution or system control.