Patch Tuesday brings a zero day fix and a patch for a... 2013 bug?
Microsoft has urged users to patch a zero day in the Windows Common Log File System (CLFS) that allows elevation by a local attacker to SYSTEM privileges and which is being exploited in the wild. CVE-2023-28252 was reported by a member of China’s DBAPPSecurity WeBin Lab and as that country requires security researchers to report vulnerabilities to the state within two days of their being found, it is plausibly also in state hands.
The new Microsoft zero day affects most flavours of Windows 10 and 11 as well as Windows Server (2022, 2019, 2016, 2012, 2008 et al). It comes hot on the heels of a similar zero day (CVE-2023-23376) patched in the same component in February’s Patch Tuesday and reported by Microsoft Threat Intelligence Center (MSTIC) Microsoft Security Response Center (MSRC), potentially suggesting that the patch for that has been bypassed.
The new Windows Common Log File System zero day was one of 101 vulnerabilities patched by Microsoft in April Patch Tuesday. Seven are rated critical (the zero day by contrast has a CVSS score of 7.8); more than 50% of the April Patch Tuesday vulnerabilities are also remote code execution (RCE) bugs, the ZDI notes.
Return of the Hac: CVE-2013-3900 gets patched, again
Among other highlights is CVE-2013-3900; a decade old bug fix that is being reissued.
The vulnerability was used by a threat actor in the recent 3CX supply chain attacks and as the Zero Day Initiative notes, was an “opt-in” fix in the past. Security researchers say Windows 11 effectively undid the patch.
Microsoft said in its new patch guidance: "On December 10, 2013, Microsoft released an update for all supported releases of Microsoft Windows that changes how signatures are verified for binaries signed with the Windows Authenticode signature format. This change can be enabled on an opt-in basis. When enabled, the new behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed."
On July 29, 2014 Microsoft announced that it no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. To this date, it remains available as an opt-in feature in all currently supported releases of Microsoft Windows. Microsoft recommends that executables authors consider conforming all signed binaries to the new verification standard by ensuring that they contain no extraneous information in the WIN_CERTIFICATE structure [and that] customers appropriately test this change to evaluate how it will behave in their environments" Redmond added in its patch notes.
The “reissue” of this classic in collector’s vinyl essentially adds fixes for additional platforms and adds further recommendations for businesses. Microsoft says the RCE bug “exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files.
“An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system… Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an existing signed file to include malicious code without invalidating the signature… In an email attack scenario, an attacker could exploit this vulnerability by sending a user an email message containing the specially crafted PE file and convincing the user to open the file" it explains.
There’s a host of other nasties to fix. Do the right thing and patch or mitigate if you can. In other news, there’s around 15 million instances exposed to the ~900 known exploited vulnerabilities in CISA’s catalogue...
Be better than that.