ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft August 2024 Patch Tuesday
Published: 2024-08-13. Last Updated: 2024-08-13 20:14:47 UTC
by Renato Marinho (Version: 1)
This month we got patches for 92 vulnerabilities. Of these, 9 are critical, and 9 are zero-days (3 previously disclosed, and 6 are already being exploited).
The CVEs CVE-2024-38189, CVE-2024-38178, CVE-2024-38193, CVE-2024-38106, CVE-2024-38213, and CVE-2024-38107 are related to the already exploited vulnerabilities and the CVEs CVE-2024-38202, CVE-2024-21302, and CVE-2024-38200 are related to previously disclosed ones.
Amongst exploited vulnerabilities, the highest CVSS (CVSS 8.8) is related to the Microsoft Project Remote Code Execution Vulnerability (CVE-2024-38189) rated as Important. According to the advisory, Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the Block macros from running in Office files from the Internet policy is disabled and VBA Macro Notification Settings are not enabled allowing the attacker to perform remote code execution.
Amongst critical vulnerabilities, one of the two 9.8 CVSS this month is associated to the Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability (CVE-2024-38140). According to the exploit, this vulnerability is exploitable only if there is a program listening on a Pragmatic General Multicast (PGM) port. If PGM is installed or enabled but no programs are actively listening as a receiver, then this vulnerability is not exploitable. An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server, without any interaction from the user.
The other CVSS 9.8 is associated with the Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063). Systems are not affected if IPv6 is disabled on the target machine. The advisory says that an unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+August+2024+Patch+Tuesday/31164/
Multiple Malware Dropped Through MSI Package
Published: 2024-08-14. Last Updated: 2024-08-14 08:15:29 UTC
by Xavier Mertens (Version: 1)
One of my hunting rules hit on potentially malicious PowerShell code. The file was an MSI package (not an MSIX, these are well-known to execute malicious scripts). This file was a good old OLE package ...
The file (SHA256: 69cad2bf6d63dfc93b632cfd91b5182f14b5140da22f9a0ce82c8b459ad76c38) has a low score on VT (1/32). I tried to install the package in my sandbox but it failed with an error message “This package can only be run from a bootstrapper”. After Googling more info, I found this:
If you get this error while attempting to uninstall or update a package with an EXE file, it may be because you're using a multilingual package with a display language selection dialog (for multi-language packages) in the Languages Tab. This is a known issue that occurs when your different language installations have different Product Codes.
It could be related to the language used ...
Read the full entry:
https://isc.sans.edu/diary/Multiple+Malware+Dropped+Through+MSI+Package/31168/