Security News

Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. According to Bill Demirkapi, an engineer in Microsoft MSRC's Vulnerability and Mitigations team, a bug was fixed that prevented the MoTW flag from propagating to files inside an ISO disk image.

Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. The MoTW flag is added to files as an alternate data stream called 'Zone.Identifier,' which includes what URL security zone the file is from, the referrer, and the URL to the file.

Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.Also separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers that was plugged by Google as part of an out-of-band update late last month.

November 2022 Patch Tuesday is here, with fixes for many vulnerabilities actively exploited in the wild, including CVE-2022-41091, a Windows Mark of the Web bypass flaw, and the ProxyNotShell MS Exchange vulnerabilities. "In all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment," Microsoft says, but as security researcher Kevin Beaumont recently noted, it has been successfully exploited by different attackers in the wild for months.

Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. Microsoft confirmed they were actively abused in attacks on September 30, saying it was "Aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

Today is Microsoft's November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws. This month's Patch Tuesday fixes six actively exploited zero-day vulnerabilities, with one being publicly disclosed.

A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11. What made these Magniber JavaScript files stand out was that even though they contained a Mark-of-a-Web, Windows did not display any security warnings when they were launched.

Incoming OpenSSL critical fix: Organizations, users, get ready!The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library. Apple fixes exploited iOS, iPadOS zero-dayFor the ninth time this year, Apple has released fixes for a zero-day vulnerability exploited by attackers to compromise iPhones.

Google pushed out a bunch of security fixes for the Chrome and Chromium browser code earlier this week. In short, what we mean is that when Google says "It is aware of reports" of an attack launched by exploiting Chrome in real life, we're ready to assume that you can translate this into "The bug is real, and it really can be exploited, but because we didn't actually investigate the hacked system in real life ourselves, we're still on safe ground if we don't come straight out and say, 'Hey, everyone, it's an 0-day'."

Why did a single security bulletin describe updates dubbed iOS 16.1 and iPadOS 16? We know that iPadOS 16 was delayed, so did this recent update mean that iPadOS was now getting patched only to the same security level as iOS 16, which came out more than a month ago, while iOS advanced to 16.1, thus leaving iPadOS more than five weeks adrift in cybersecurity terms? Why did iPadOS 16 ultimately report itself as version 16.1? After updating, the About screen apparently says iPadOS 16, like the security bulletin did, while the iPadOS Version screen explicitly says 16.1. It sounds as though iPhones and iPads now not only both support "The version family known as 16", but also both have the very latest security fixes, so why not simply call both of them version 16.1 everywhere for clarity, including in the security bulletin and on the About screen? Where did macOS 10 Catalina go? Traditionally, Apple drops support for macOS version X-3 when version X comes out, but is that the actual explanation of why macOS 11 Big Sur and macOS 12 Monterey got updates while Catalina didn't? What happened to iOS/iPadOS 15.7.1? When iOS 16 came out in September 2022, the previous version family received critical updates as well, taking it to version 15.7.