Exposures, Exposed! Weekly Round-up December 10-15

The year may be winding down, but have no fear – XM Cyber’s "Exposures Exposed!" is still your weekly guide through the ever-shifting landscape of cyber threats. Our team of experts is here to steer you through the intricacies of cybersecurity, handpicking the most pertinent exposure incidents each week.

Here's what we’ve got for you this week:

Microsoft's December Patch Addresses 33 Vulnerabilities, Including Zero-Day

This month, Microsoft's Patch Tuesday focused on resolving 33 vulnerabilities across a wide range of MS products. The affected software includes Microsoft Windows, Office, Azure, Microsoft Edge (Chromium-based), Windows Defender, Windows DNS and DHCP server, and Microsoft Dynamics. Among these vulnerabilities, four were ranked Critical while 29 were marked as Important.

One noteworthy issue is the critical CVE-2023-35628, which impacts the MSHTML engine. An attacker could exploit this flaw through a specially crafted email which triggers the vulnerability when processed by Outlook, even before viewing it in the Preview Pane. Another, CVE-2023-36019, involves Microsoft Power Platform Connector spoofing, and is activated by tricking users into clicking a malicious URL. Additionally, CVE-2023-35636 in Microsoft Outlook poses an information disclosure risk.

Despite their severity, none of the vulnerabilities addressed has been observed under active exploitation in the wild. This Patch Tuesday is actually one of Microsoft's lightest since 2017, although 2023 as a whole saw a large number of CVEs addressed, over 900 across the year. Microsoft strongly advises users to apply these critical updates to safeguard their systems.

Apache Struts 2 Critical Flaw: Urgent Update Required

Apache has issued a critical security alert for a severe flaw in Struts 2, a Java-based web application framework, which could potentially lead to remote code execution. Tracked as CVE-2023-50164, the vulnerability originates in a faulty file upload process that allows unauthorized access and potential malicious code execution.

Versions affected include Struts 2.3.37 (EOL), 2.5.0 to 2.5.32, and 6.0.0 to 6.3.0. Fixes are available in versions 2.5.33 and 6.3.0.2 or newer. Project maintainers strongly advise an immediate upgrade, especially given the fix’s simplicity as a drop-in replacement.

Despite no confirmed real-world exploits at the time of the advisory, the severity of this flaw echoes CVE-2017-5638, which was exploited by attackers in the Equifax breach. Recent reports indicate active exploitation attempts following the release of a proof-of-concept (PoC). Threat actors are targeting unpatched Struts servers, installing web shells and establishing network footholds.

The XM Cyber Research team covered this vulnerability in last week’s security advisory blog and is in the process of adding CVE-2023-50164 to the platform so that the XM Cyber Exposure Management module can identify it.

Apple Rushes Emergency Updates, Patches Actively Exploited Flaws

This week, Apple swiftly deployed emergency security updates, releasing iOS 17.2 and iPadOS 17.2, which extend critical patches to cover older devices. These updates tackle a dozen security flaws, including actively exploited zero-day vulnerabilities.

The most severe flaw, CVE-2023-42898, involves a memory corruption issue within ImageIO that could potentially enable arbitrary code execution. Apple addressed this by enhancing memory handling. Another critical flaw, CVE-2023-42890, which affects WebKit, could allow arbitrary code execution while processing web content.

Earlier, Apple released iOS 16.7.3 and iPadOS 16.7.3 to safeguard older OS versions, addressing vulnerabilities like CVE-2023-42916 and CVE-2023-42917, which were both fixed in late November. Apple's rapid response highlights the critical nature of these vulnerabilities, necessitating immediate updates across devices to mitigate potential risks.

WordPress 6.4.2 Patches Critical Remote Code Execution Vulnerability

WordPress released version 6.4.2 this week to address a security vulnerability that, when combined with another flaw, could potentially lead to remote code execution (RCE). The RCE flaw itself isn't directly exploitable within the core, but threat actors could leverage it in conjunction with certain plugins, notably in multisite setups, to execute arbitrary code.

This vulnerability involves a "POP chain" (property-oriented programming chain) that was introduced in version 6.4. When coupled with a separate Object Injection vulnerability, it can create a critical-severity threat. The chain is found within the WP_HTML_Token class, which offers enhanced HTML parsing in the block editor, and relies on a "__destruct" magic method that PHP runs once the request has been processed. Exploiting the Object Injection vulnerability grants attackers control over certain properties of the object, allowing them to execute arbitrary code on the site.

WordPress addressed this by introducing a new "__wakeup" method to prevent the vulnerable function's execution. While most sites should auto-update, analysts strongly advise manual checks to ensure site security, emphasizing the gravity of the issue and the potential for complete site takeover.
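To make the mechanism behind this fix concrete, here is an added PHP illustration that is not WordPress code and does not reproduce WP_HTML_Token: a hypothetical class whose "__destruct" acts on properties an attacker could control through Object Injection, beside the same class hardened with a "__wakeup" guard in the spirit of the 6.4.2 change. The class names, the record_marker callback and the probe helper are all assumptions made for the example.

```php
<?php
// Added illustration, not WordPress's own code. The class shapes below are
// hypothetical; they only mirror the pattern described in the article.

// Benign callable used so the effect of the destructor is observable.
function record_marker(string $arg): void
{
    echo "callback ran with {$arg}\n";
}

// Vulnerable shape: __destruct() runs automatically when the object is
// released, including objects that unserialize() built from attacker-
// controlled data, so the properties it trusts are effectively untrusted.
class HypotheticalToken
{
    public $callback;   // assumption: a callable kept on the object
    public $argument;

    public function __destruct()
    {
        if (is_callable($this->callback)) {
            call_user_func($this->callback, $this->argument);
        }
    }
}

// Hardened shape: unserialize() invokes __wakeup() before handing the object
// back. Clearing the dangerous state and then throwing both refuses
// deserialization and leaves nothing for __destruct() to act on, even on
// PHP builds that still run the destructor after a failed __wakeup().
class HardenedToken
{
    public $callback;
    public $argument;

    public function __wakeup()
    {
        $this->callback = null;
        $this->argument = null;
        throw new \LogicException(__CLASS__ . ' cannot be unserialized');
    }

    public function __destruct()
    {
        if (is_callable($this->callback)) {
            call_user_func($this->callback, $this->argument);
        }
    }
}

// Defender-side check: round-trip an instance through serialize()/unserialize()
// and report whether the destructor was reachable from serialized input.
function probe(object $instance): string
{
    $blob = serialize($instance);   // constructed locally, not a real payload
    try {
        $copy = unserialize($blob);
        unset($copy);               // refcount hits zero: __destruct() runs now
        return 'destructor reached';
    } catch (\LogicException $e) {
        return 'blocked: ' . $e->getMessage();
    }
}

$vulnerable = new HypotheticalToken();
$vulnerable->callback = 'record_marker';
$vulnerable->argument = 'probe';
echo 'vulnerable: ' . probe($vulnerable) . "\n";
$vulnerable->callback = null;       // keep the original from firing at exit

$hardened = new HardenedToken();
$hardened->callback = 'record_marker';
$hardened->argument = 'probe';
echo 'hardened: ' . probe($hardened) . "\n";
```

The guard only matters for classes that are loaded (autoloadable) wherever untrusted data reaches unserialize(); the WordPress fix works the same way, by making the gadget class refuse to exist as a deserialized object rather than by finding every Object Injection entry point in plugins.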

That’s all for this week – have any exposures to add to our list? Let us know!
