The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
In September’s Patch Tuesday, Microsoft fixed 59 security vulnerabilities. Two of these are active zero-day vulnerabilities, and 24 relate to remote code execution (RCE). Here’s a breakdown of the bugs in each category:
- 3 Security Feature Bypass Vulnerabilities
- 24 Remote Code Execution Vulnerabilities
- 9 Information Disclosure Vulnerabilities
- 3 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities
- 5 Edge – Chromium Vulnerabilities
Among the vulnerabilities, the zero-days demand particular attention:
CVE-2023-36802 (Zero-Day): This is linked to the Microsoft Streaming Service Proxy and relates to an elevation of privilege. If this flaw is exploited, attackers can gain SYSTEM-level access, enhancing their control over the compromised system.
CVE-2023-36761 (Zero-Day): Associated with Microsoft Word, this vulnerability allows for information disclosure. In practical terms, attackers can extract NTLM hashes from document interactions, including previews. These hashes can then be decoded or used in NTLM Relay attacks for further access.
It is recommended users promptly update their systems with the latest patch. For a deeper dive into this month’s security updates, click here.
Apple Zero-Day Exploits Fixed
Two zero-days, recently fixed in an urgent security update, were identified as being actively misused in a zero-click exploit chain to deploy a commercial spyware onto fully updated iPhones. These vulnerabilities, labelled CVE-2023-41064 and CVE-2023-41061, allowed cyber adversaries to target iPhones running iOS 16.6 through PassKit attachments laden with malicious imagery.
This exploit chain, named BLASTPASS, could compromise iPhones with the latest iOS (16.6) without requiring any interaction from the unsuspecting victim. The exploit process involved maliciously crafted PassKit attachments sent via an iMessage account from the cyber attacker to the intended recipient.
CVE-2023-41064 is a buffer overflow that becomes active when processing certain malicious images. In contrast, CVE-2023-41061 is a validation anomaly exploitable with malicious attachments. Both vulnerabilities enable malevolent actors to execute arbitrary code on iPhones and iPads that haven’t been patched.
Apple has rectified these vulnerabilities in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 by enhancing logic and memory management. The range of devices affected encompasses:
- iPhone 8 and subsequent models
- iPad Pro (all variants), iPad Air from the 3rd generation onwards, iPad from the 5th generation onwards, and iPad mini from the 5th generation onwards
- Macs with macOS Ventura
- Apple Watch Series 4 and later versions.
For optimal security, users are advised to update their devices promptly.
Android Monthly Security Update
Google has recently launched its monthly security updates for Android, addressing several vulnerabilities, notably including a zero-day bug believed to be exploited in the wild. This high-risk flaw, identified as CVE-2023-35674, is a privilege escalation issue affecting the Android Framework.
Additionally, this update rectifies three other privilege escalation vulnerabilities in the Framework. Google emphasised that the gravest among these could allow local privilege escalation without necessitating any extra execution privileges or user intervention.
Furthermore, Google has remedied a severe security flaw in the System component. This could potentially facilitate remote code execution without the victim’s engagement.
In a comprehensive move, Google has mended 14 vulnerabilities within the System module and rectified two defects in the MediaProvider component. Notably, updates for the latter will be made available through a Google Play system update.
It’s strongly advised that all Android users promptly upgrade their systems to the most recent available patch.