Endpoint Security
,
Governance & Risk Management
,
Patch Management
SecureScreen Treated Malformed Signature the Same as a Valid Signature
A fix for a zero-day vulnerability exploited by ransomware hackers is part of this month’s patch dump from operating system Microsoft.
See Also: Finding a Password Management Solution for Your Enterprise
Operators of a ransomware variant known as Magniber have exploited CVE-2022-44698 in order to bypass a Windows security feature meant to stymie malicious files from executing on a desktop.
The patch is one of 52 fixes published by Microsoft in its last Patch Tuesday of 2022. Six are rated critical, 43 are rated important, and three are rated as moderate in severity.
Security researchers at HP characterize Magniber as “single-client ransomware” aimed at individual computers rather than fleets of devices. Operators have been known to demand $2,500 to unlock data.
As detailed by Mitja Kolsek of 0Patch, Magniber ransomware attackers were able to circumvent the Windows SmartScreen function by creating a malformed, unparsable Authenticode signature. SmartScreen is a security component of the Windows operating system that inspects files downloaded from the internet for matches against a database of malicious files. It looks for the Authenticode digital signature to determine whether the executable file comes from a trusted publisher and hasn’t been tampered with since it was published.
The flaw, discovered by security researcher Will Dormann, is that Windows treated a malformed Authenticode signature the same as a trusted signature and allowed the file to execute without triggering the SmartScreen warning.
“And so a new 0day – already exploited in the wild – was revealed,” wrote Kolsek.
Given that Dormann discovered the zero-day in mid-October, some researchers have questioned the speed with which Microsoft developed a patch. Ransomware, and malware in general, greatly depends on coaxing users into bypassing the security protections meant to prevent automatic execution of files that Microsoft has built into Windows over the past decades.
“Considering how many phishing attacks rely on people opening attachments, these protections are vital in preventing malware and other attacks,” said Dustin Childs, a security analyst at the Zero Day Initiative, a software vulnerability initiative run by cybersecurity firm Trend Micro.
Other Crucial Fixes
Microsoft also patches a DirectX Graphics Kernel elevation of privilege vulnerability, CVE-2022-44710, which is also listed as public. In this case, the attacker needs to win a race condition on Windows 11.
Ashley Leonard, founder and CEO of cybersecurity firm Syxsense, says an attacker who successfully exploits this vulnerability could gain system privileges.
“If they could do that, then the vulnerability has a jump point, meaning they’re able to break out of the vulnerable component and into another area of the operating system. Since there are no known countermeasures, the only option is to deploy this patch,” Leonard said.
Microsoft also fixed 16 remote code execution bugs, including multiple Office bugs.
Another defect addressed by Microsoft is a PowerShell Remote Code Execution Vulnerability that has a CVSS score of 8.5, tracked as CVE-2022-41076. This critical-rated bug allows authenticated users to escape the PowerShell Remoting Session Configuration firewall and run unapproved commands.
Mike Walters, vice president of vulnerability and threat research at Action1, says the high-impact bug could have repercussions for Windows operating systems, starting with Windows 7 and Windows Server 2008 R2, PowerShell 7.2 and 7.3.
Another critical vulnerability with a CVSS score of 8.8 affects the Microsoft SharePoint Server. Tracked as CVE-2022-44693, it allows an authenticated attacker to execute code remotely on SharePoint servers.
“To exploit it, attackers only need access to the basic user account with Manage List permissions, which most companies grant to all SharePoint users by default. This vulnerability does not require user interaction; once attackers get the appropriate credentials, they can execute code remotely on a target SharePoint server,” Walters says.