Craig Pepper
July 17, 2023
4 Min Read

Threat Report 17.07.23

Google's Threat Analysis Group (TAG) Makes Significant Finding

Google's Threat Analysis Group (TAG) has reported in-the-wild exploitation of a zero-day vulnerability in Zimbra Collaboration. Because Zimbra is a widely deployed email and collaboration platform, administrators are urged to act now and apply Zimbra's manual mitigation to their installations rather than wait for the next release.

The vulnerability, found by Clement Lecigne of Google TAG, is a reflected cross-site scripting (XSS) bug in Zimbra Collaboration Suite 8.8.15. No CVE identifier had been assigned at the time of writing. Exploitation requires user interaction, typically a victim opening a crafted link, after which the attacker's script runs in the victim's browser inside their Zimbra session, putting the confidentiality and integrity of mailbox data at risk.

Zimbra has acknowledged the issue and is expected to ship a security update later this month. Until then, administrators can apply the mitigation Zimbra has published by hand.
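The report does not show the affected code, so the following is an added example (my own PowerShell, not Zimbra's code and not from this report) of the bug class: a request parameter reflected into an HTML attribute without escaping, shown next to an incomplete fix and a correct one. The parameter name `st`, the hidden-input markup and the payload string are constructed for illustration.

```powershell
# Added example, not from the report or from Zimbra: reflected XSS in an HTML
# attribute context. The parameter name "st", the markup and the payload are
# assumptions made for illustration.

function Render-HiddenInput {
    param(
        [Parameter(Mandatory)][string]$Value,
        [ValidateSet('None', 'AngleBracketsOnly', 'Html')][string]$Escaping = 'None'
    )
    $v = switch ($Escaping) {
        # Vulnerable: the raw parameter lands inside a quoted attribute.
        'None'              { $Value }
        # Incomplete fix: neutralises <script> but a raw double quote still
        # closes the attribute, so the attacker can append attributes.
        'AngleBracketsOnly' { $Value -replace '<', '&lt;' -replace '>', '&gt;' }
        # Correct fix: attribute-context escaping of & < > " and '.
        'Html'              { [System.Net.WebUtility]::HtmlEncode($Value) }
    }
    return ('<input name="st" type="hidden" value="{0}"/>' -f $v)
}

# A classic attribute breakout: close the quoted value, close the tag, inject
# a script element, then re-open an attribute so the trailing "/> still parses.
# The "user interaction" the report mentions is the victim opening a link
# that carries this string in the st parameter.
$payload = '"><script>alert(document.cookie)</script><x y="'

function Test-RenderedInputIntact {
    # The template emits exactly one tag and exactly three quoted attributes
    # (six double quotes). Anything else means the attacker changed the markup.
    param([Parameter(Mandatory)][string]$Html)
    $tags   = [regex]::Matches($Html, '<').Count
    $quotes = [regex]::Matches($Html, '"').Count
    return ($tags -eq 1) -and ($quotes -eq 6)
}

foreach ($mode in 'None', 'AngleBracketsOnly', 'Html') {
    $out = Render-HiddenInput -Value $payload -Escaping $mode
    '{0,-18} intact={1}  {2}' -f $mode, (Test-RenderedInputIntact -Html $out), $out
}
```

Only the `Html` mode keeps the markup intact; the angle-bracket-only variant shows why a fix has to escape for the context the data is inserted into (a quoted attribute) rather than just strip tags.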

Zimbra vulnerabilities, XSS flaws among them, have been exploited in the wild before, leading to the compromise of numerous mail servers. Several earlier Zimbra flaws are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; this latest zero-day has not yet been added.

Zimbra reports a user base of over 200,000 organizations in 140 countries, which makes prompt remediation all the more important.

Apple's Rapid Security Response

Apple has withdrawn its latest Rapid Security Response (RSR) updates for iOS and macOS after users reported that certain websites failed to load in Safari once the updates were installed.

The withdrawn updates, macOS Ventura 13.4.1 (a), iOS 16.5.1 (a), iPadOS 16.5.1 (a) and Safari 16.5.2, were meant to fix CVE-2023-37450, an actively exploited WebKit zero-day reported by an anonymous researcher. Processing maliciously crafted web content could lead to arbitrary code execution on a targeted user's device.

Rapid Security Response updates exist to deliver fixes for actively exploited flaws to iPhones, iPads and Macs quickly, without waiting for the next full operating system update. After applying the (a) updates, however, users found that sites including Facebook, Instagram and Zoom refused to load. The cause was the browser's User-Agent string: the (a) build reported Safari as "16.5.2 (a)", a value that some sites' user-agent checks did not recognise, so they treated the browser as unsupported.

After confirming the issue, Apple pulled the iOS and macOS updates and said on Tuesday that replacement builds, iOS 16.5.1 (b), iPadOS 16.5.1 (b) and macOS 13.4.1 (b), would follow shortly to resolve the website problem.

Apple also published instructions for removing the faulty update. RSR patches are valuable against zero-day exploitation, but their compressed development cycle leaves less time for testing than a regular update gets, so regressions like this one are more likely to reach users.

Apple's first RSR, released in May, also caused installation problems for some iPhone users. If such issues persist, users may start deferring RSR installs until they are confident an update is safe, which defeats the purpose of rapid patching.

Microsoft Patches 132 Vulnerabilities, Including Six Zero-Days

Microsoft's July Patch Tuesday release fixes 132 security vulnerabilities across its products, six of them zero-days that are being exploited in real-world attacks.

Among the 132 vulnerabilities, nine are classified as Critical, 122 as Important in severity, and one has a severity rating of "None." These updates come in addition to the eight flaws that Microsoft previously patched in its Chromium-based Edge browser.

The six zero-day flaws under active attack are as follows:

  • CVE-2023-32046 (CVSS score: 7.8) - Windows MSHTML Platform Elevation of Privilege Vulnerability
  • CVE-2023-32049 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2023-35311 (CVSS score: 8.8) - Microsoft Outlook Security Feature Bypass Vulnerability
  • CVE-2023-36874 (CVSS score: 7.8) - Windows Error Reporting Service Elevation of Privilege Vulnerability
  • CVE-2023-36884 (CVSS score: 8.3) - Office and Windows HTML Remote Code Execution Vulnerability (Also publicly known at the time of the release)
  • ADV230001 - Malicious use of Microsoft-signed drivers for post-exploitation activity (no CVE assigned)

Microsoft is aware of targeted attacks that exploit CVE-2023-36884 against defence and government entities in Europe and North America. The lure is a specially crafted Microsoft Office document themed around the Ukrainian World Congress. The actor, tracked as Storm-0978 and also known as RomCom, additionally deploys Underground ransomware.

Microsoft has not yet shipped a patch for CVE-2023-36884. Until it does, organisations are advised to enable the "Block all Office applications from creating child processes" attack surface reduction (ASR) rule, which prevents Office applications from spawning child processes, the step that document-based attack chains of this kind typically rely on.
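As an added example (my own PowerShell, not code from the report or from Microsoft), here is how to roll out and verify that ASR rule on a Defender-protected Windows host: audit first, check the Defender event log, then enforce. The rule GUID, the Defender cmdlets and the event IDs are Microsoft-documented; the registry mitigation at the end is the additional interim measure from Microsoft's own CVE-2023-36884 advisory, which this report does not mention.

```powershell
# Added example (not from the report, not Microsoft's code): enable and verify
# the ASR rule Microsoft recommended as an interim mitigation for CVE-2023-36884.
# Requires an elevated PowerShell on a host running Microsoft Defender Antivirus.

# Microsoft's documented GUID for "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    # Get-MpPreference exposes rule IDs and actions as two parallel arrays; pair them up.
    $p     = Get-MpPreference
    $ids   = @($p.AttackSurfaceReductionRules_Ids)
    $acts  = @($p.AttackSurfaceReductionRules_Actions)
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if (-not $ids[$i]) { continue }
        $code = [int]$acts[$i]
        $label = if ($names.ContainsKey($code)) { $names[$code] } else { $code }
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $label }
    }
}

# 1. Start in audit mode so legitimate Office child processes surface before anything is blocked.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Review what the rule would have blocked. Defender logs event 1122 for audited
#    and 1121 for blocked ASR events; filter to this rule's GUID.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $OfficeChildProcRule } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# 3. Once the audit events are clean, enforce the rule (Add-MpPreference updates the existing entry).
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Confirm the rule is now in Block state.
Get-AsrRuleState | Where-Object RuleId -eq $OfficeChildProcRule

# 5. Microsoft's advisory for CVE-2023-36884 also lists a registry mitigation (not in this report):
#    FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION = 1 for each Office binary. Microsoft notes it
#    can affect normal functionality for some use cases, so test it before a broad rollout.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($exe in 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe') {
    New-ItemProperty -Path $key -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
}
Get-ItemProperty -Path $key
```

Running the rule in audit mode first matters on fleets with Office add-ins or macros that legitimately launch helper processes; the 1122 events tell you what would break before you flip the rule to Block.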

Separately, Microsoft has revoked code-signing certificates that threat actors used to sign and install malicious kernel-mode drivers on compromised systems. Kernel-mode drivers run at the highest privilege level on Windows, so a rogue driver gives an attacker persistence and a way to evade security tooling.

Other vendors have also released security updates this cycle covering a wide range of products and services. Given that some of these flaws are under active exploitation, users are strongly advised to apply the updates promptly.
