With all the buzz around the latest campaigns and exploits, it might seem hard to know what really demands your attention. That’s why we’ve decided to round up the top security threats from the past couple of weeks that really require your attention.
Now in order to help you address these threats, I’ve added actionable steps for you to follow in order to mitigate these risks.
Table of Contents:
- Critical RCE Vulnerability Remains Unpatched for 80% of Exchange Servers
- Critical Security Update for Chrome Released by Google
- Mozilla Releases Patch for Critical Vulnerabilities in Firefox and Firefox ESR
- Attackers Can Steal Windows Credentials and Run Programs Through Zoom
- Critical HP Support Assistant Bugs Exposes Windows PCs to Attacks
1. Critical RCE Vulnerability Remains Unpatched on 80% of Exchange Servers
Microsoft have patched an RCE (Remote Code Execution) vulnerability with Microsoft Exchange Server. Should this vulnerability be exploited, an attacker could use the Exchange user account to compromise the system completely.
It is believed that over 350,000 Exchange servers are exposed to this vulnerability.
How to Remediate
In order to remediate this vulnerability, follow the chart below for the relevant security update:
|Microsoft Exchange Server 2019 Cumulative Update 4
|Microsoft Exchange Server 2019 Cumulative Update 3||4536987||Security Update||RCE||Important||4523171|
|Microsoft Exchange Server 2016 Cumulative Update 15||4536987||Security Update||RCE||Important||4523171|
|Microsoft Exchange Server 2016 Cumulative Update 14||4536987||Security Update||RCE||Important||4523171|
|Microsoft Exchange Server 2013 Cumulative Update 23||4536988||Security Update||RCE||Important||4523171|
|Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30||4536989||Security Update||RCE||Important||4509410|
2. Critical Security Update for Chrome Released by Google
Google have released a critical security update for Chrome version 80.0.3987.162 for Windows, Mac, and Linux. This Chrome version is set out to address vulnerabilities that if exploited would enable an attack to take control of the affected systems. CISA (The Cybersecurity and Infrastructure Security Agency) have encouraged users and admins alike to review the Chrome Release and apply the necessary updates, accordingly.
How to Remediate
In order to mitigate the risk follow these steps to update for Windows, Mac, and Linux desktop users:
- Open Chrome browser
- Head to "Settings"
- Expand "Help"
- "About Google Chrome"
- The browser will process the update
3. Mozilla Releases Patch For Critical Vulnerabilities in Firefox and Firefox ESR
Mozilla have released new security updates, aimed to address critical vulnerabilities found in Firefox and Firefox ESR. Should these vulnerabilites be exploited, an attacker would be able to take control of an affected system. Both vulnerabilities have been exploited in the wild. As so, we urge you to patch them immediately.
About the vulnerabilities
CVE-2020-6819: Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free.
CVE-2020-6820: Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free.
How to Remediate
In order to mitigate the risk, we urge you to patch these vulnerabilities to the following versions: Firefox 74.0.1, Firefox ESR 68.6.1
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Mozilla’s security advisory for Firefox 74.0.1 and Firefox ESR 68.6.1 and apply the necessary updates.
4. Attackers Can Steal Windows Credentials and Run Programs Through Zoom
The Zoom Windows client is vulnerable to UNC path injection. An attacker could potentially steal the user’s Windows credentials should they click on a link found in their chat feature.
Similarly to how Zoom converts any URL sent within the chat feature into a hyperlink so that members of the call could open the link in their browser, the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well, as discovered by security researcher @_g0dmode
How to remediate:
Zoom have released a new version of their client to address this issue – version 4.6.19253.0401. This version prevents all posted links, including URLs and UNC paths from being converted into hyperlinks.
Can’t patch every machine?
If you’re looking to protect your entire organization from this vulnerability but cannot ensure that this patch will be deployed on every machine, there is a workaround available. Follow these guidelines, as originally posted by Lawrence Abrams in BleepingComputer to enable a Group Policy that’ll prevent your NTML credentials from automatically being sent to a remote server when clicking on a UNC:
This policy is called 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' and is found under the following path in the Group Policy Editor:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
If this policy is configured to Deny All, Windows will no longer automatically send your NTLM credentials to a remote server when accessing a share.
It should be noted that when this policy is configured on domain-joined machines, it could cause issues when attempting to access shares. You can view this article to learn more about adding exceptions to the above policy.
If you are a Windows 10 Home user, you will not have access to the Group Policy Editor and will have to use the Windows Registry to configure this policy.
This can be done by creating the RestrictSendingNTLMTraffic Registry value under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0 key and setting it to 2.
Windows Registry Editor Version 5.00
To properly create this value, Windows users will need to launch the Registry Editor as an Administrator. When the above Registry settings are properly configured, the RestrictSendingNTLMTraffic value will look like the following image:
Windows Registry Editor
When configuring this policy, it is not necessary to reboot your computer.
To revert to the default Windows behavior of sending your NTLM credentials, you can just disable the policy by deleting the RestrictSendingNTLMTraffic value.
5. Critical HP Support Assistant Bugs Exposes Windows PCs to Attacks
Windows computers are exposed to RCE attacks through several critical HP Support Assistant vulnerabilities. Should these be exploited, attackers could elevate their privileges or delete arbitrary files. HP Support Assistant is pre-installed on new HP desktops and notebooks, making these vulnerabilities quite widespread.
Security researcher Bill Demirkapi found ten different vulnerabilities within the HP Support Assistant software. While some of these critcal flaws were patched – other not so much:
Patched and unpatched vulnerabilities (Bill Demirkapi)
How to Remediate:
In order to fully mitigate the flaws found by Demirkapi, you would need to uninstall the vulnerable software. This can be done by removing both HP Support Assistant and HP Support Solutions Framework from your computer.
To learn more about remediating the most critical threats in your enterprise, speak with our team today