Windows 10: It's Groundhog Day at Microsoft! Vulnerability patched again

Discussion in 'Windows 10 News' started by GHacks, Dec 29, 2023.

  1. GHacks
    GHacks New Member

    It's Groundhog Day at Microsoft! Vulnerability patched again


    Remember the movie Groundhog Day? Bill Murray plays a rather self-centered weatherman who finds himself in a time loop on Groundhog Day.

    Windows administrators may have similar feelings to Murray's in regards to vulnerability CVE-2021-43890. First patched in December 2021, Microsoft announced in December 2023 that it has detected attacks in the wild and patched the issue again.

    If that sounds confusing, it is. What Microsoft failed to mention is that the first patch has somehow been undone since April 2023.

    Appx installer spoofing vulnerability in Windows

    [Image: App Installer installation prompt]
    Source: Microsoft

    The vulnerability report refers to the issue as a spoofing vulnerability in Appx installer in Microsoft Windows. Microsoft developed the ms-appinstaller Uniform Resource Identifier to support the downloading and installation of apps directly from Internet servers.

    In other words: users who clicked on ms-appinstaller links would get an installation prompt similarly to the one displayed on the screenshot above.

    While it still required the user to hit the "install" button, the lack of a prominent "cancel" button led to unwanted installations. A click on the x-icon at the top of the window cancelled the process.

    Activation of install would download and install the malware on the device.

    Microsoft describes the process in the following way: "Users who click the links to the installers are presented with the desktop App Installer experience. If the user clicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation."

    Microsoft's blog post on its Security blog reveals that it observed several attacks that make use of App Installer to infect Windows devices. The functionality is disabled by default according to this Microsoft support page. Administrators may enable it, however. What Microsoft fails to mention in the post is that it disabled the functionality in December 2021 already as a reaction to abuse of the functionality.

    Will Dormann was among the first to spot this missing piece of information in Microsoft's announcement.

    What Microsoft also does not reveal in its announcement is when it disabled the functionality by default. Günter Born thinks that the December 2023 security updates are the most likely option, but Microsoft never revealed this. Born found a single reference on the web by a Microsoft Answers user who got the "cannot open app package" error message when trying to install an app using the ms-appinstaller protocol.

    The description informs the user that the protocol has been disabled.

    System administrators may want to read through Microsoft's entire post on the Security blog. It includes information about three malwares that used the vulnerability as well as a long list of recommendations.

    Apart from making sure that App Installer build 1.21.3421.0 is used, Microsoft recommends the following mitigations:

    • Deploy phishing resistant authentication methods.
    • Implement conditional access authentication strength.
    • Educate Microsoft Teams users and apply best security practices for Microsoft Teams.
    • Educate users to review sign-in activity and mark attacks.
    • Make users use Microsoft Edge or another browser that supports Microsoft's Defender SmartScreen technology.
    • Educate users about clicking on links and verifying link targets.
    • Educate users that they double-check software that is installed, e.g., to make sure the publisher is legitimate.
    • Configure Microsoft Defender for Office 365 to recheck links on click.
    • Enable several security features.

    More than half of Microsoft's suggestions are about educating users.

    [Image: appinstaller-version.png]

    You can check the AppInstaller version in the following way:

    1. Open a command prompt window, e.g., by opening Start, typing cmd and selecting Command Prompt from the options.
    2. Type winget list "App Installer" and press the Enter-key.

    Check the version that is returned. You can upgrade the application using the command winget upgrade Microsoft.AppInstaller.

    Now You: have you used App Installer in the past to install apps?

    Thank you for being a Ghacks reader. The post It's Groundhog Day at Microsoft! Vulnerability patched again appeared first on gHacks Technology News.

     
    GHacks, Dec 29, 2023
    #1
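A scriptable form of the version check described in the post above, as an added example that is not part of the original article or Microsoft's guidance. It assumes the "App Installer" entry corresponds to the Appx package `Microsoft.DesktopAppInstaller` and treats build 1.21.3421.0 as a minimum; the function name `Test-AppInstallerVersion` is hypothetical.

```powershell
# Added example: compare the installed App Installer build with the one named in the article.
# Assumption: 1.21.3421.0 is treated as the minimum acceptable version.
$MinimumVersion = [version]'1.21.3421.0'

function Test-AppInstallerVersion {
    # Hypothetical helper: classifies a version string as OK, Outdated or Unknown.
    param(
        [Parameter(Mandatory)] [string] $Version,
        [version] $Minimum = $MinimumVersion
    )
    $parsed = $null
    if (-not [version]::TryParse($Version, [ref]$parsed)) {
        return 'Unknown'   # unparseable version strings are reported, not silently passed
    }
    if ($parsed -ge $Minimum) { 'OK' } else { 'Outdated' }
}

# Lists the copy registered for the current user. In an elevated session,
# adding -AllUsers covers every profile on the machine.
$packages = @(Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller')

if ($packages.Count -eq 0) {
    Write-Warning 'Microsoft.DesktopAppInstaller is not registered for this user.'
}
else {
    $packages | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Package  = $_.PackageFullName
            Version  = $_.Version
            Status   = Test-AppInstallerVersion -Version $_.Version
        }
    } | Format-Table -AutoSize
}
```

A row with Status `Outdated` is a candidate for the `winget upgrade Microsoft.AppInstaller` command mentioned in the post.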
  2. keiser__ Win User

    Patching windows 10 vulnerabilities

    Hi,

    I'm new to windows and to the community so excuse me if I miss some community guidelines.

    I've installed windows 10 (build number 14390) a few days ago, and today out of paranoia ran a vulnerability scan using retina community. The report came out very colorful (6 high risk vulnerabilities). I have almost nothing installed apart from the following:

    • Visual Studio Code
    • Visual Studio Community edition
    • Cmder
    • MongoDb/Nodejs with some Npm modules
    • VLC
    I was confused by the fact that almost all the vulnerabilities were Microsoft Office or Microsoft VB6 related and I don't have any of that installed.

    Any idea where should I look for patches or how to proceed to fix those problems?

    The report included links for Microsoft security bulletins related to each problem but I could not find any software I have installed in order to update it.

    I think it goes without saying that I install all the updates Microsoft update finds daily.

    Thank you for your time.
     
    keiser__, Dec 29, 2023
    #2
  3. Borg 386 Win User
    Borg 386, Dec 29, 2023
    #3
  4. btarunr Win User


    Thecus Releases Patch to Resolve Bash Vulnerability

    In order to combat recent bash vulnerability issues, Thecus today released a Bash patch for both Thecus OS5 and OS6 users. It is strongly recommended that all users update their NAS with this latest firmware. The patch will fix the GNU Bash Environment Variable Command Injection Vulnerability, also referred to as Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7187, and CVE-2014-71861), which allows unauthorized users access to remote Unix/Linux-based systems.




    For ThecusOS 6, users can download the OS6 Bash offline patch V1.0. The patch is applicable for the following units:
    • N2310, N4310
    • N2520, N2560, N4520, N4560
    For ThecusOS 5 x64, users can update their firmware to v2.05.06 to apply the Bash patch. This firmware is applicable to the following units:
    • N16000 series / N12000 series / N8900 series
    • N10850 / N8850 / N6850
    • N8810 series / N7710 series
    • N8800PRO v2 / N7700 PRO v2
    • N7510 / N5550 / N4800 series / N4510U series / N2800
    For ThecusOS 5 x86, users can update their firmware to v5.03.02.8 to apply the Bash patch. This firmware is applicable to the following units:
    • Thecus XXX series / 1U4600 / N0503 / N4200 series / N5500
    • N7700 / N7700SAS / N7700+ / N7700PRO
    • N8800 / N8800SAS / N8800+ / N8800PRO
    • N4100PRO
     
    btarunr, Dec 29, 2023
    #4