INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.
Critical OpenSSL 3.0 Update Released. Patches CVE-2022-3786, CVE-2022-3602
(Johannes Ullrich | 2022-11-01)
As preannounced, OpenSSL released version 3.0.7, which patches two related vulnerabilities rated as "High." Initially, as part of a preannouncement, the vulnerability was rated "Critical." OpenSSL 3.0 was initially released in September of last year.
The update patches a buffer overrun vulnerability that happens during the certificate verification. The certificated needs to contain a malicious Punycode encoded name, and the vulnerability is only triggered AFTER the certificate chain is verified. An attacker first needs to be able to have a malicious certificate signed by a certificate authority the client trusts. This does not appear to be exploitable against servers. For servers, this may be exploitable if the server requests a certificate from the client (mTLS)  . OpenSSL also published a blog post with details here: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
In short: While this is a potential remote code execution vulnerability, the requirements to trigger the vulnerability are not trivial, and I do not see this as a "Heartbleed Emergency". Patch quickly as updated packages become available, but beyond this, no immediate action is needed…
Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11
(Didier Stevens | 2022-10-30)
Sysinternals tools updates have been released for
Process Explorer v17.0
Process Monitor v3.92
Make sure to update sysmon, as it includes a bug fix.
I like the update to the Handles and DLLs view: it's multitab now, making it easier to switch (unless you are used to the control keys to switch) …