Patch Tuesday, June 2024 “Recall” Edition – Krebs on Security

Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of everything users do on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted Copilot+ PC, an AI-powered version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed Recall, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if a user’s PC were compromised by malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate Recall data from the device. But that claim did not hold up after Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can retrieve the Recall data, which is simply stored in a local SQLite database.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont wrote on Mastodon.

On the latest Risky Business podcast, host Patrick Gray noted that the screenshots created and indexed by Recall would be a boon to any attacker who finds himself in an unfamiliar environment.

“The first thing you want to do when you get onto a machine when you’re not doing anything is to find out how someone did their job,” said Gray. “We have seen that in the SWIFT attacks on big banks in past years. The attackers had to record the screen to see how the transfers work. And this can speed up that kind of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that the feature would no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today – CVE-2024-30080 – earned Microsoft’s most urgent “critical” rating, meaning malware or malicious actors could exploit it to remotely take control of a user’s system without any user interaction.

CVE-2024-30080 is a bug in the Microsoft Message Queuing (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating cannot be done in a timely manner. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 being the worst).

Kevin Breen, senior director of threat research at Immersive Labs, said the saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are several thousand potentially Internet-facing MSMQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.
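Microsoft’s advice above is to disable MSMQ where the update cannot be applied promptly, and Breen’s point is that the component is only a risk where it is actually installed and reachable. The following PowerShell audit is an added example written for this page; it is not code from Krebs, Microsoft or Immersive Labs. It assumes a Windows client with the DISM and NetTCPIP modules available (standard on supported Windows 10/11), that the optional feature is named `MSMQ-Server`, that the service is named `MSMQ`, and that MSMQ listens on TCP port 1801; the `-Disable` switch and the report layout are this script’s own choices.

```powershell
# Added example (not from the Krebs article): audit whether the MSMQ component
# named in CVE-2024-30080 is present on this Windows machine and, optionally,
# disable it until the June 2024 update is applied. Run from an elevated
# PowerShell session. Re-enable with Enable-WindowsOptionalFeature once patched.
param(
    [switch]$Disable   # this switch is an assumption of the example, not a Microsoft flag
)

# 1. Is the optional feature installed? (Windows client; on Windows Server use
#    Get-WindowsFeature -Name MSMQ instead.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
$installed = ($null -ne $feature) -and ($feature.State -eq 'Enabled')

# 2. Is the service itself present, and is it running?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

# 3. Is anything listening on the MSMQ TCP port (1801)? A listener here plus a
#    permissive edge firewall is the exposure Breen's Shodan remark refers to.
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    FeatureState    = if ($feature) { $feature.State } else { 'NotAvailable' }
    ServiceStatus   = if ($svc) { $svc.Status } else { 'NotPresent' }
    ListeningOn1801 = [bool]$listener
} | Format-List

if ($Disable -and $installed) {
    # Stop the service first so feature removal does not wait on it, then
    # remove the feature. -NoRestart defers the reboot to the administrator.
    if ($svc -and $svc.Status -eq 'Running') { Stop-Service -Name 'MSMQ' -Force }
    Disable-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -NoRestart | Out-Null
    Write-Output 'MSMQ-Server feature disabled; a reboot may be required to complete removal.'
}
```

Run it without arguments to get a one-machine report, or with `-Disable` to remove the component on hosts that do not need message queuing. A machine whose report shows `FeatureState : Disabled` and `ListeningOn1801 : False` is not exposed to this bug regardless of its patch state, which is the distinction Breen is drawing.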

CVE-2024-30078 is a remote code execution vulnerability in the Windows WiFi Driver, which also carries a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network – meaning this flaw assumes the attacker already has access to the local network.

Microsoft also fixed a number of security holes in Office applications, including at least two remote code execution flaws, said Adam Barnett, lead software engineer at Rapid7.

“CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but still ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for Acrobat, ColdFusion and Photoshop, among others.

As usual, the SANS Internet Storm Center has the lowdown on the individual patches released today, indexed by severity, exploitability and urgency. Windows administrators should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.
