Security Blogs Archive 2020

Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution - 12-16-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with that user, an attacker could then view, change or delete data, or create new accounts with full user rights. An account configured with fewer user rights limits the impact of a successful exploit compared with an account that has administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Mozilla Firefox versions prior to 84
  2. Mozilla Firefox ESR versions prior to 78.6
  3. Mozilla Thunderbird versions prior to 78.6

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird; the most severe of these could allow for arbitrary code execution, meaning the attacker can run code or commands of their own choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page. In Thunderbird, scripting is disabled when reading mail, so the same flaws are generally not reachable through message content itself but remain a risk in browser-like contexts.

Details of the vulnerabilities are as follows:

  1. A heap-based buffer overflow in the WebGL component caused by a missing boundary check. [CVE-2020-26971]
  2. A security-bypass vulnerability caused by incorrect sanitization of user-supplied input in the CSS Sanitizer. [CVE-2020-26973]
  3. A use-after-free caused by an incorrect cast of a StyleGenericFlexBasis object, resulting in memory corruption and a potentially exploitable crash. [CVE-2020-26974]
  4. A security-restriction bypass: a specially crafted web page could send probes to hosts on the internal network and to services on the user's local machine. [CVE-2020-26978]
  5. An information-disclosure vulnerability: the proxy.onRequest API did not apply the configured proxy to view-source: URLs, so viewing a page's source could bypass the proxy. [CVE-2020-35111]
  6. A security vulnerability in the way Firefox handled downloaded files that lack an extension on Windows, which could result in an unintended file being executed when the download is opened. [CVE-2020-35112]
  7. Memory safety bugs present in Firefox 83 and Firefox ESR 78.5, some of which showed evidence of memory corruption and could presumably be exploited to run arbitrary code. [CVE-2020-35113]

Successful exploitation of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  4. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/

https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/

https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/


Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution - 12-15-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution.

  1. iCloud for Windows is a cloud storage service that can be used on Windows computers.
  2. watchOS is a mobile operating system created & developed by Apple to be utilized by its Apple Watch product line.
  3. iOS is a mobile operating system created & developed by Apple to be utilized by its mobile devices such as the iPhone.
  4. Safari is a web browser available for macOS.
  5. tvOS is an operating system based on iOS developed for AppleTV.
  6. macOS Server is an add-on for macOS, Apple's desktop operating system for Macintosh computers, that provides server services and device-management tools.
  7. iPadOS is a mobile operating system created & developed by Apple to be utilized by its iPad product line.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. watchOS versions prior to 7.2 and 6.3
  2. macOS versions prior to Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave
  3. tvOS versions prior to tvOS 14.3
  4. iOS versions prior to 14.3 and 12.5
  5. iPadOS versions prior to 14.3
  6. macOS Server versions prior to 5.11
  7. Safari versions prior to 14.0.2

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: High

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

iOS 14.3 and iPadOS 14.3

  1. A logic issue was addressed with improved state management (CVE-2020-29613)
  2. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948)
  3. An information disclosure issue was addressed with improved state management (CVE-2020-27946)
  4. A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation (CVE-2020-27943, CVE-2020-27944)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  6. An out-of-bounds read was addressed with improved input validation (CVE-2020-29618)
  7. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  8. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)
  9. A use after free issue was addressed with improved memory management (CVE-2020-15969)

iOS 12.5

  1. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)

watchOS 6.3

  1. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)

watchOS 7.2

  1. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948)
  2. An information disclosure issue was addressed with improved state management (CVE-2020-27946)
  3. A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation (CVE-2020-27943, CVE-2020-27944)
  4. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-29618)
  6. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  7. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)
  8. A use after free issue was addressed with improved memory management (CVE-2020-15969)

macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave

  1. A memory corruption issue was addressed with improved input validation (CVE-2020-27914, CVE-2020-27915)
  2. An application may be able to gain elevated privileges (CVE-2020-27903)
  3. An application may be able to execute arbitrary code with kernel privileges (CVE-2020-27941)
  4. A malicious application may be able to bypass Privacy preferences (CVE-2020-29621)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-27910)
  6. An out-of-bounds read was addressed with improved bounds checking (CVE-2020-9943)
  7. An out-of-bounds read was addressed with improved bounds checking (CVE-2020-9944)
  8. An out-of-bounds write was addressed with improved input validation (CVE-2020-27916)
  9. Multiple integer overflows were addressed with improved input validation (CVE-2020-27906)
  10. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948, CVE-2020-9955)
  11. An out-of-bounds read was addressed with improved input validation (CVE-2020-9960, CVE-2020-27908)
  12. An out-of-bounds write was addressed with improved input validation (CVE-2020-10017)
  13. A logic issue was addressed with improved state management (CVE-2020-27922)
  14. An information disclosure issue was addressed with improved state management (CVE-2020-27946, CVE-2020-9849)
  15. A buffer overflow was addressed with improved size validation (CVE-2020-9962)
  16. An out-of-bounds write was addressed with improved input validation (CVE-2020-27952)
  17. An out-of-bounds read was addressed with improved input validation (CVE-2020-9956)
  18. A memory corruption issue existed in the processing of font files (CVE-2020-27931, CVE-2020-27943, CVE-2020-27944)
  19. A logic issue was addressed with improved state management (CVE-2020-10002)
  20. A memory corruption issue was addressed with improved input validation (CVE-2020-27947)
  21. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29612)
  22. An attacker in a privileged network position may be able to unexpectedly alter application state (CVE-2020-9978)
  23. An out-of-bounds write was addressed with improved input validation (CVE-2020-27919)
  24. A memory corruption issue was addressed with improved input validation (CVE-2020-29616)
  25. An out-of-bounds read was addressed with improved input validation (CVE-2020-27924, CVE-2020-29618)
  26. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  27. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  28. An out-of-bounds write was addressed with improved input validation (CVE-2020-27912, CVE-2020-27923)
  29. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-10015, CVE-2020-27897)
  30. A memory corruption issue was addressed with improved memory handling (CVE-2020-27907)
  31. A logic issue was addressed with improved state management (CVE-2020-9974)
  32. A memory corruption issue was addressed with improved state management (CVE-2020-10016)
  33. Multiple memory corruption issues were addressed with improved input validation (CVE-2020-9967)
  34. A use after free issue was addressed with improved memory management (CVE-2020-9975, CVE-2020-27899)
  35. A race condition was addressed with improved state handling (CVE-2020-27921)
  36. A malicious application may cause unexpected changes in memory belonging to processes traced by DTrace (CVE-2020-27949)
  37. A malicious application may be able to elevate privileges (CVE-2020-29620)
  38. An integer overflow was addressed through improved input validation (CVE-2020-27911)
  39. A use after free issue was addressed with improved memory management (CVE-2020-27920)
  40. A use after free issue was addressed with improved memory management (CVE-2020-27926)
  41. A parsing issue in the handling of directory paths was addressed with improved path validation (CVE-2020-10014)
  42. A path handling issue was addressed with improved validation (CVE-2020-10010)
  43. An out-of-bounds read was addressed with improved input validation (CVE-2020-13524)
  44. A logic issue was addressed with improved state management (CVE-2020-10004)
  45. A logic issue was addressed with improved restrictions (CVE-2020-27901, CVE-2020-10008)
  46. A logic issue was addressed with improved state management (CVE-2020-10007)
  47. An access issue was addressed with improved access restrictions (CVE-2020-10012)
  48. A path handling issue was addressed with improved validation (CVE-2020-27896)
  49. A logic issue was addressed with improved state management (CVE-2020-10009)
  50. A use after free issue was addressed with improved memory management (CVE-2020-15969)
  51. A denial of service issue was addressed with improved state handling (CVE-2020-27898)
  52. A logic issue was addressed with improved validation (CVE-2020-9971)
  53. An issue existed in the handling of snapshots. The issue was resolved with improved permissions logic (CVE-2020-27900)
  54. The issue was addressed with improved handling of icon caches (CVE-2020-9963)
  55. A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement (CVE-2020-9977)
  56. An inconsistent user interface issue was addressed with improved state management (CVE-2020-9942)
  57. This issue was addressed with improved checks (CVE-2020-9991)
  58. This issue was addressed with improved entitlements (CVE-2020-10006)

macOS Server 5.11

  1. An issue existed in the parsing of URLs. This issue was addressed with improved input validation (CVE-2020-9995) 

tvOS 14.3

  1. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948)
  2. An information disclosure issue was addressed with improved state management (CVE-2020-27946)
  3. A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation (CVE-2020-27943, CVE-2020-27944)
  4. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-29618)
  6. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  7. A use after free issue was addressed with improved memory management (CVE-2020-15969)

Safari 14.0.2

  1. A use after free issue was addressed with improved memory management (CVE-2020-15969)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Arbitrary code execution means the attacker can run code or commands of their own choosing on the target device. The web-content issues (such as the use-after-free fixed in Safari 14.0.2) can be exploited if the user visits, or is redirected to, a specially crafted web page; many of the others require a malicious application or file on the device, as the individual entries note. Depending on the permissions associated with the application running the exploit, an attacker could then install programs or view, change, or delete data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not download, accept, or execute files from untrusted or unknown sources.
  4. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

https://support.apple.com/en-us/HT212003

https://support.apple.com/en-us/HT212004

https://support.apple.com/en-us/HT212005

https://support.apple.com/en-us/HT212006

https://support.apple.com/en-us/HT212007

https://support.apple.com/en-us/HT212009

https://support.apple.com/en-us/HT212011

https://support.apple.com/en-us/HT211932

https://support.apple.com/en-us/HT211931


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 12-4-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser commonly used to access the Internet. Depending on the privileges associated with the user running Chrome, an attacker could view, change or delete data. If Chrome runs under an account with fewer user rights, a successful exploit has less impact than under an account with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Google Chrome versions prior to 87.0.4280.88

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been found in Google Chrome; the most severe of these could allow for arbitrary code execution, meaning the attacker can run code or commands of their own choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. A use-after-free vulnerability in the clipboard component. (CVE-2020-16037)
  2. A use-after-free vulnerability in the media component. (CVE-2020-16038)
  3. A use-after-free vulnerability in the extensions component. (CVE-2020-16039)
  4. Insufficient data validation in V8, the JavaScript engine. (CVE-2020-16040)
  5. An out-of-bounds read in the networking component. (CVE-2020-16041)
  6. An uninitialized-use vulnerability in V8. (CVE-2020-16042)

In the most severe cases, exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. The attacker could then view, change or delete data, depending on the privileges of the user running Chrome; an account with fewer user rights limits the impact compared with an administrative account.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Google:

Read more about this update at https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html 


Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution - 11-18-2020 

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of these vulnerabilities may result in arbitrary code execution, after which the attacker could view, change or delete data, or create new accounts with full user rights. An account configured with fewer user rights limits the impact of a successful exploit compared with an account that has administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Mozilla Firefox versions prior to 83
  2. Mozilla Firefox ESR versions prior to 78.5
  3. Mozilla Thunderbird versions prior to 78.5

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird; the most severe of these could allow for arbitrary code execution, meaning the attacker can run code or commands of their own choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass Firefox's built-in sanitizer. (CVE-2020-26951)
  2. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks. (CVE-2020-16012)
  3. It was possible to cause the browser to enter full screen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. (CVE-2020-26953)
  4. In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. (CVE-2020-26956)
  5. Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. (CVE-2020-26958)
  6. During browser shutdown, reference decrementing could have occurred on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. (CVE-2020-26960)
  7. In Freetype, if PNG images were embedded into fonts, the Load_SBit_Png function contained an integer overflow that led to a heap buffer overflow, memory corruption, and an exploitable crash. (CVE-2020-15999)
  8. When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. (CVE-2020-26961)
  9. Mozilla developers Steve Fink, Jason Kratzer, Randell Jesup, Christian Holler, and Byron Campen reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2020-26968)
  10. Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. (CVE-2020-26952)
  11. During browser shutdown, reference decrementing could have occurred on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. (CVE-2020-26959)
  12. Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across partitions in dynamic first party isolation. (CVE-2020-26962)
  13. Repeated calls to the history and location interfaces could have been used to hang the browser. This was addressed by introducing rate-limiting to these API calls. (CVE-2020-26963)
  14. If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileges of the browser to read and interact with web content. The feature was implemented as a unix domain socket, protected by the Android SELinux policy; however, SELinux was not enforced for versions prior to 6.0. This was fixed by removing the Remote Debugging via USB feature from affected devices. (CVE-2020-26964)
  15. Some websites have a "Show Password" feature where clicking a button changes a password field into a plain text field, revealing the typed password. If a user typed their password with a software keyboard that remembers user input and then used that feature, the type of the field changed, resulting in a keyboard layout change and the possibility of the software keyboard remembering the typed password. (CVE-2020-26965)
  16. Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. (CVE-2020-26966)
  17. When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. (CVE-2020-26967)

In the most severe cases, exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. The attacker could then view, change or delete data, depending on the privileges of the user running the application; an account with fewer user rights limits the impact compared with an administrative account.
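Item 8 above (CVE-2020-26961) describes a filter that rejected RFC 1918 and related answers from a DoH resolver but let IPv4-mapped IPv6 forms of the same addresses (::ffff:10.0.0.5) through, which is enough for a DNS rebinding attack. The following Python, added here as an illustration and not Mozilla's code, shows that weak check beside a corrected one that unwraps the mapped address before testing the range. The resolver answers are constructed sample data, and the `is_local_v4` policy is an assumption standing in for the browser's actual list of filtered ranges.

```python
import ipaddress
from typing import Callable, List, Tuple

# Constructed sample answers as a DoH client might receive them. The
# IPv4-mapped IPv6 forms are the shape that slipped past the original filter.
SAMPLE_ANSWERS: List[Tuple[str, str]] = [
    ("cdn.example.com", "93.184.216.34"),
    ("attacker.example", "10.0.0.5"),
    ("attacker.example", "::ffff:10.0.0.5"),
    ("attacker.example", "::ffff:127.0.0.1"),
    ("v6.example.com", "2606:4700:4700::1111"),
]


def is_local_v4(addr: ipaddress.IPv4Address) -> bool:
    """Assumed policy: RFC 1918 and related ranges that a public DoH
    resolver has no business returning for a public hostname."""
    return (
        addr.is_private        # 10/8, 172.16/12, 192.168/16 and friends
        or addr.is_loopback    # 127/8
        or addr.is_link_local  # 169.254/16
        or addr.is_unspecified # 0.0.0.0
    )


def weak_filter(answer: str) -> bool:
    """Pre-fix shape of the check: only literal IPv4 answers are inspected.
    Returns True when the answer is accepted."""
    ip = ipaddress.ip_address(answer)
    if isinstance(ip, ipaddress.IPv4Address):
        return not is_local_v4(ip)
    return True  # every IPv6 answer passes, including ::ffff:10.0.0.5


def hardened_filter(answer: str) -> bool:
    """Unwrap IPv4-mapped IPv6 answers and apply the IPv4 policy to the
    embedded address; plain IPv6 answers get the equivalent IPv6 checks."""
    ip = ipaddress.ip_address(answer)
    if isinstance(ip, ipaddress.IPv6Address):
        mapped = ip.ipv4_mapped  # ::ffff:a.b.c.d -> IPv4Address, else None
        if mapped is not None:
            return not is_local_v4(mapped)
        return not (ip.is_private or ip.is_loopback
                    or ip.is_link_local or ip.is_unspecified)
    return not is_local_v4(ip)


def accepted(answers, policy: Callable[[str], bool]) -> List[str]:
    """Return the answers a given policy would hand to the connection code."""
    return [addr for _name, addr in answers if policy(addr)]


if __name__ == "__main__":
    print("weak     :", accepted(SAMPLE_ANSWERS, weak_filter))
    print("hardened :", accepted(SAMPLE_ANSWERS, hardened_filter))
```

The same unwrapping matters anywhere an allow/deny decision is made on an address string (SSRF filters, proxy bypass lists): compare on the parsed address, after normalising mapped forms, never on the literal text.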

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

MacOS Big Sur Conflict with Sophos - 11-12-2020

Apple is releasing the latest version of its operating system, macOS 11 (Big Sur), for Macintosh computers on Thursday, November 12. At this time, Sophos is not compatible with Big Sur. If you use Sophos Home or the Sophos Endpoint Protection campus license for antivirus/anti-malware, make sure that automatic macOS updates are turned off on your Macintosh computer to avoid issues.

Here is more information from Sophos. https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/124012/sophos-endpoint-and-apple-macos-11-big-sur


A Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution - 11-12-2020

OVERVIEW:

A vulnerability has been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of this vulnerability may result in arbitrary code execution, after which the attacker could view, change or delete data, or create new accounts with full user rights. An account configured with fewer user rights limits the impact of a successful exploit compared with an account that has administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  1. Mozilla Firefox versions prior to 82.0.3
  2. Mozilla Firefox ESR versions prior to 78.4.1
  3. Mozilla Thunderbird versions prior to 78.4.2

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

A vulnerability has been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird which could allow for arbitrary code execution, meaning the attacker can run code or commands of their own choosing on the target machine. This vulnerability can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerability are as follows:

  1. In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. (CVE-2020-26950)

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. The attacker could then view, change or delete data, depending on the privileges of the user running the application; an account with fewer user rights limits the impact compared with an administrative account.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Arbitrary Code Execution (APSB20-67) - 11-3-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Acrobat and Adobe Reader, the most severe of which could allow for arbitrary code execution. Adobe Acrobat is software developed by Adobe Inc. to view, create, manipulate, print, and manage files in PDF format. Adobe Acrobat Reader is the free viewer in the Acrobat product family. Successful exploitation of these vulnerabilities may result in arbitrary code execution, after which the attacker could view, change or delete data, or create new accounts with full user rights. An account configured with fewer user rights limits the impact of a successful exploit compared with an account that has administrative rights.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Acrobat DC (Continuous track) for Windows & macOS version 2020.012.20048 and earlier versions
  2. Acrobat Reader DC (Continuous track) for Windows & macOS version 2020.012.20048 and earlier versions
  3. Acrobat 2020 (Classic 2020) for Windows & macOS version 2020.001.30005 and earlier versions
  4. Acrobat Reader 2020 (Classic 2020) for Windows & macOS version 2020.001.30005 and earlier versions
  5. Acrobat 2017 (Classic 2017 track) for Windows & macOS version 2017.011.30175 and earlier versions
  6. Acrobat Reader 2017 (Classic 2017 track) for Windows & macOS version 2017.011.30175 and earlier versions

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

Technical Summary:

Multiple vulnerabilities have been found in Adobe Acrobat and Adobe Reader, the most severe of which may allow for arbitrary code execution, meaning the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. A heap-based buffer overflow vulnerability that could allow for arbitrary code execution. (CVE-2020-24435)
  2. An improper access control vulnerability that could allow for local privilege escalation. (CVE-2020-24433)
  3. An improper input validation vulnerability that could allow for arbitrary JavaScript execution. (CVE-2020-24432)
  4. A signature validation bypass vulnerability with minimal impact (defense-in-depth fix). (CVE-2020-24439)
  5. A signature verification bypass vulnerability that could allow for local privilege escalation. (CVE-2020-24429)
  6. An improper input validation vulnerability that could allow for information disclosure. (CVE-2020-24427)
  7. A security feature bypass vulnerability that could allow for dynamic library injection. (CVE-2020-24431)
  8. An out-of-bounds write vulnerability that could allow for arbitrary code execution. (CVE-2020-24436)
  9. Multiple out-of-bounds read vulnerabilities that could allow for information disclosure. (CVE-2020-24426, CVE-2020-24434)
  10. A race condition vulnerability that could allow for local privilege escalation. (CVE-2020-24428)
  11. Multiple use-after-free vulnerabilities that could allow for arbitrary code execution. (CVE-2020-24430, CVE-2020-24437)
  12. A use-after-free vulnerability that could allow for information disclosure. (CVE-2020-24438)

In the most severe cases, exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the application. An attacker could then view, change or delete data, or create new accounts with the privileges associated with the application. If the application runs with fewer user rights, exploitation would have a smaller impact than if it ran with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Install the updates provided by Adobe immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit websites or follow links provided by unknown or untrusted sources.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 11-3-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser commonly used to access the Internet. Successful exploitation could allow an attacker to view, change or delete data. If Google Chrome runs with fewer user rights, exploitation would have a smaller impact than if it ran with administrative rights.

THREAT INTELLIGENCE:

Google is aware of reports that an exploit for CVE-2020-16009 exists; beyond that, there are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Google Chrome versions prior to 86.0.4240.183

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been found in Google Chrome, the most severe of which may allow for arbitrary code execution, meaning the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. Use after free in user interface (CVE-2020-16004)
  2. Insufficient policy enforcement in ANGLE (CVE-2020-16005)
  3. Inappropriate implementation in V8 (CVE-2020-16006)
  4. Insufficient data validation in installer (CVE-2020-16007)
  5. Stack buffer overflow in WebRTC (CVE-2020-16008)
  6. Inappropriate implementation in V8 (CVE-2020-16009)
  7. Heap buffer overflow in UI on Windows (CVE-2020-16011)

In the most severe cases, exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. An attacker could then view, change or delete data, depending on the privileges associated with the application. If Google Chrome runs with fewer user rights, exploitation would have a smaller impact than if it ran with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
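The three advisories above all reduce to one check: is the installed build inside the affected range? The boundaries differ in kind, which is an easy place to get an off-by-one wrong: Mozilla and Google state the fixed version, so anything prior to it is affected, while Adobe states the last affected build, so that build and everything earlier is affected. The following Python is an added example, not part of the advisories, that encodes those boundaries exactly as the SYSTEMS AFFECTED sections state them and evaluates a constructed inventory against them; the product labels and the (hostname, product, version) inventory shape are assumptions.

```python
"""Check an inventory of installed browser/PDF reader versions against the
affected-version ranges stated in the Mozilla, Adobe and Google advisories.

Added example, not part of the advisories. The inventory below is constructed
sample data; the product labels and the report format are assumptions.
"""
import re

# Affected-version rules taken from the advisories' SYSTEMS AFFECTED sections.
# "prior_to": affected if version <  fixed version (Mozilla, Google wording).
# "up_to":    affected if version <= last affected version (Adobe's "and earlier").
AFFECTED_RULES = {
    "Mozilla Firefox":     ("prior_to", "84"),
    "Mozilla Firefox ESR": ("prior_to", "78.6"),
    "Mozilla Thunderbird": ("prior_to", "78.6"),
    "Google Chrome":       ("prior_to", "86.0.4240.183"),
    "Acrobat DC":          ("up_to", "2020.012.20048"),
    "Acrobat Reader DC":   ("up_to", "2020.012.20048"),
    "Acrobat 2020":        ("up_to", "2020.001.30005"),
    "Acrobat Reader 2020": ("up_to", "2020.001.30005"),
    "Acrobat 2017":        ("up_to", "2017.011.30175"),
    "Acrobat Reader 2017": ("up_to", "2017.011.30175"),
}


def parse_version(s):
    """Split a dotted version string into a tuple of ints, dropping suffixes
    such as the 'esr' in '78.5.0esr'. Missing trailing parts compare as zero."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a, b):
    """Three-way compare two version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(product, version):
    """True if the installed version is inside the advisory's affected range,
    False if it is at or beyond the fix, None if the product is not covered."""
    rule = AFFECTED_RULES.get(product)
    if rule is None:
        return None
    kind, boundary = rule
    c = _cmp(parse_version(version), parse_version(boundary))
    return c < 0 if kind == "prior_to" else c <= 0


# Constructed inventory, (hostname, product, version), as an asset tool might export it.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome", "86.0.4240.183"),      # exactly the fixed build
    ("ws-002", "Google Chrome", "86.0.4240.111"),      # prior to the fix
    ("ws-003", "Mozilla Firefox ESR", "78.5.0esr"),    # prior to 78.6
    ("ws-004", "Acrobat Reader DC", "2020.012.20048"), # "and earlier" is inclusive
    ("ws-005", "Acrobat Reader DC", "2020.013.20064"), # newer than the last affected build
    ("ws-006", "Mozilla Thunderbird", "78.6.0"),       # the fixed release itself
]


def find_vulnerable(inventory):
    """Return the inventory entries that are still inside an affected range."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    for host, product, version in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in the affected range; update required")
```

Note that an exact match on the fixed Chrome or Thunderbird build is reported as not affected, while an exact match on the Adobe build is reported as affected; that asymmetry is the advisories' wording, not a bug. Feed the function the same (hostname, product, version) shape from whatever inventory tool you use.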

Fake Online Coronavirus Map Delivers Well-Known Malware

Source: Health Sector Cybersecurity Coordination Center (HC3). Date: March 10, 2020

EXECUTIVE SUMMARY:

A malicious website pretending to be the live map for Coronavirus COVID-19 Global Cases by Johns Hopkins University is circulating on the internet waiting for unwitting internet users to visit the website. Visiting the website infects the user with the AZORult trojan, an information stealing program which can exfiltrate a variety of sensitive data. It is likely being spread via infected email attachments, malicious online advertisements, and social engineering. Furthermore, anyone searching the internet for a Coronavirus map could unwittingly navigate to this malicious website.

Threat Details

A sample of the malware served by “corona-virus-map[dot]com” was submitted to and analyzed by Hybrid-Analysis, which gave it a threat score of 100/100 with anti-virus (AV) detection at 76% and labelled the sample as a Trojan.

Recommendations

End users should be warned about this risk, and security teams should block any indicators associated with this specific threat. IOCs and analysis may be found here:

https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threatanalysis-report/
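A defanged indicator such as corona-virus-map[dot]com has to be refanged before it can be matched against logs, and the match should be on the request hostname rather than a substring of the URL, or the domain appearing in a path on an unrelated site would fire. The following Python is an added example, not from the HC3 advisory; the proxy log lines are constructed sample data in an assumed space-separated layout, and the only indicator used is the domain named above (the full IOC list is in the linked report).

```python
"""Refang a defanged indicator and search proxy log lines for hosts that match it.

Added example, not part of the HC3 advisory. The log lines are constructed
sample data; the field layout (timestamp client_ip method url status) is an assumption.
"""
import re

# Indicator as published in the advisory, in defanged form.
DEFANGED_IOCS = ["corona-virus-map[dot]com"]


def refang(ioc):
    """Undo common defanging conventions ([.], [dot], (dot), hxxp) so the
    indicator can be compared against real log data."""
    out = ioc.strip().lower()
    out = re.sub(r"\[(?:\.|dot)\]", ".", out)
    out = out.replace("(dot)", ".")
    out = out.replace("hxxp://", "http://").replace("hxxps://", "https://")
    return out


def host_from_url(url):
    """Extract the lowercased hostname from a URL or a bare host[:port] string."""
    m = re.match(r"^(?:[a-z]+://)?([^/:?#]+)", url.strip().lower())
    return m.group(1) if m else ""


def host_matches(host, indicator):
    """True if host is the indicator domain itself or a subdomain of it."""
    return host == indicator or host.endswith("." + indicator)


# Constructed proxy log: timestamp client_ip method url status
SAMPLE_PROXY_LOG = """\
2020-03-10T14:02:11Z 10.0.0.15 GET https://coronavirus.jhu.edu/map.html 200
2020-03-10T14:03:40Z 10.0.0.22 GET http://corona-virus-map.com/ 200
2020-03-10T14:03:41Z 10.0.0.22 GET http://corona-virus-map.com/download 200
2020-03-10T14:05:02Z 10.0.0.31 GET https://www.corona-virus-map.com/index.html 200
2020-03-10T14:06:19Z 10.0.0.40 GET https://example.com/corona-virus-map.com 200
"""


def find_hits(log_text, defanged_iocs):
    """Return (client_ip, url, indicator) for every log line whose request
    host equals, or is a subdomain of, a refanged indicator."""
    indicators = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        client_ip, url = fields[1], fields[3]
        host = host_from_url(url)
        for ind in indicators:
            if host_matches(host, ind):
                hits.append((client_ip, url, ind))
    return hits


if __name__ == "__main__":
    for ip, url, ind in find_hits(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(f"{ip} contacted {url} (matches {ind})")
```

The last sample line is there on purpose: the indicator appears in the path of a request to example.com, and a naive substring search would flag it. Matching on the parsed hostname keeps the hit list to the two clients that actually reached the malicious domain.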

Requests for Information

Need information on a specific cybersecurity topic? Send your request for information (RFI) to   or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110