Software

Multiple critical patches – a busy day

Today marks the largest patch Tuesday ever from our friends in Redmond with 13 vulnerabilities addressed, covering a total of 34 potential exploits. Three of the exploits have had public code posted while 11 of them are rated as likely to be consistently exploitable.

The most alarming vulnerability this month is MS09-050, which according to its discoverer, was introduced by the patch for MS07-063. MS09-050 was first published publicly on security researcher Laurent Gaffié’s blog on September 7th outlining a denial of service vulnerability in SMB 2.0, specifically the srv2.sys driver. You might remember some of the buzz when this was first released as several people immediately added that that this was not only a denial of service, but could easily lead to remote code execution. What should be just as concerning for Microsoft, however, is the fact that the vulnerability affects Windows Vista and Windows 7 machines and not Windows XP – not an encouraging sign.

Included in this patch are also updated kill bits for ActiveX controls ala MS09-035, which if you remember was related to several vulnerabilities in ATL. Also, MS09-060 appears to address these vulnerabilities as they pertain to MS Office. It’s less than settling to see this vulnerability still has not been fully patched.
Another highly visible patch this month is the fix for the SSL certificate impersonation vulnerability, MS09-056. Those who attended Blackhat LV in July won’t have forgotten that this was the exploit being enthusiastically described to a standing room only audience by Moxie Marlinspike. Interestingly enough, this vulnerability was discovered by Dan Kaminsky.

As always, make sure to apply these patches as soon as possible and especially this month if you are using Windows Vista or later with SMB enabled!

Multiple critical patches – a busy day

Your email address will not be published.

 

Reports

Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Subscribe to our weekly e-mails

The hottest research right in your inbox