INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft Patch Tuesday: March 2025
Published: 2025-03-11
Last Updated: 2025-03-11 17:52:02 UTC
by Johannes Ullrich (Version: 1)
The March patch Tuesday looks like a fairly light affair, with only 51 vulnerabilities total and only six rated as critical. However, this patch Tuesday also includes six patches for already exploited, aka "0-Day" vulnerabilities. None of the already exploited vulnerabilities are rated as critical.
Today's most interesting vulnerability is a not-yet exploited critical vulnerability (CVE-2025-24064) that affects the Windows Domain Name Service. A remote attacker would exploit this vulnerability by sending a "perfectly timed" dynamic DNS update message. Many Windows DNS servers support dynamic updates, which makes it easier to assign hostnames to internal IP addresses. It is unclear if the server is exploitable if dynamic updates are disabled.
Three of the exploited vulnerabilities affect the NTFS file system. One may lead to remote code execution. The other two are considered privilege escalation vulnerabilities. The remote code execution vulnerability, CVE-2025-24993, is due to a heap-based buffer overflow. Typically, these types of vulnerabilities are exploited when mounting a corrupt file system.
CVE-2025-24985 affects the Windows Fast FAT File System Driver. It is again a heap-based buffer overflow, described as an "Integer Overflow/Wraparound", and allows remote code execution. Both the NTFS and FAT issues are classified as remotely exploitable, but in practice the attacker will likely deliver a corrupt VHD disk image to the victim's system and mount it locally, or simply provide the VHD file and trick the victim into mounting it.
The two remaining already exploited vulnerabilities affect a security feature bypass in the Microsoft Management Console and a privilege elevation vulnerability in the Win32 kernel subsystem.
Three of the critical vulnerabilities affect the Windows Remote Desktop Services. Systems are vulnerable if they act as a remote desktop gateway. This is important because gateways are more likely to be exposed to the internet. However, the attacker will also have to win an unspecified race condition, which often results in less reliable exploits.
The remaining critical vulnerabilities affect Microsoft Office and the Windows subsystem for Linux ...
Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+March+2025/31756/
Apple Fixes Exploited WebKit Vulnerability in iOS, MacOS, visionOS and Safari
Published: 2025-03-11
Last Updated: 2025-03-11 19:22:10 UTC
by Johannes Ullrich (Version: 1)
Today, Apple released a critical update to fix a single, already exploited, WebKit vulnerability. The patch was released for current versions of iOS, macOS, and visionOS. A standalone update for Safari was also made available, which will help address this issue in macOS 13 and 14 (Ventura, Sonoma).
Apple states that this vulnerability may be used to break out of the Web Content sandbox. The attack was initially addressed in iOS 17.2, but this additional fix is "supplementary." The vulnerability was used in targeted attacks against iOS before 17.2.
Read the full entry: https://isc.sans.edu/diary/Apple+Fixes+Exploited+WebKit+Vulnerability+in+iOS+MacOS+visionOS+and+Safari/31758/
Shellcode Encoded in UUIDs
Published: 2025-03-10
Last Updated: 2025-03-10 08:23:57 UTC
by Xavier Mertens (Version: 1)
I returned from another FOR610 class last week in London. One key tip I give to my students is to keep an eye on "strange" API calls. In the Windows ecosystem, Microsoft offers tons of API calls to developers. The fact that an API is used in a program does not always mean we are facing malicious code, but sometimes some of them are diverted from their official purpose. One of my hunting rules for malicious scripts is to search for occurrences of the ctypes library. It allows Python to call functions in DLLs or shared libraries ...
I spotted a malicious Python script that uses the following API call: UuidFromStringA(). This function converts a UUID string to its binary format.
A UUID (Universally Unique Identifier) is a 128-bit value commonly used in software systems to provide a practically guaranteed unique reference. It is represented as a string of hexadecimal digits often divided into five groups. Because of their structure and generation process (timestamp-based or random), UUIDs have an extremely low chance of collision, making them ideal for identifying objects or records across distributed systems where a central authority to track uniqueness may not exist.
The Python script I found contained an array of UUIDs that, once decoded into raw bytes, were injected into memory as shellcode ...
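For analysts triaging such a script, the useful step is to recover the buffer the UUID array decodes to and look at it, without running the script. The following is an added example (not the diary's code nor the malicious script) that mirrors the byte layout UuidFromStringA produces: the first three UUID groups are stored little-endian in the Windows UUID struct, so a decoder must byte-swap them (Python's bytes_le does this; .bytes would not). The sample script text and its two UUIDs are constructed and encode plain ASCII, not shellcode.

```python
import re
import uuid

# Textual UUID: 8-4-4-4-12 hex groups, either case (the form UuidFromStringA accepts).
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def uuid_to_bytes(text: str) -> bytes:
    """Return the 16 bytes UuidFromStringA would write for one UUID string.

    The Windows UUID struct keeps Data1 (4 bytes), Data2 and Data3 (2 bytes each)
    in native little-endian order and Data4 (8 bytes) as-is; bytes_le matches that.
    """
    return uuid.UUID(text).bytes_le


def decode_uuid_array(uuids: list[str]) -> bytes:
    """Concatenate the decoded UUIDs in array order to rebuild the raw buffer."""
    return b"".join(uuid_to_bytes(u) for u in uuids)


def extract_uuids(script_text: str) -> list[str]:
    """Pull UUID literals out of a script in the order they appear."""
    return UUID_RE.findall(script_text)


def looks_like_uuid_loader(script_text: str, min_uuids: int = 2) -> bool:
    """Triage heuristic from the diary: ctypes + a UUID-to-binary API + a UUID array."""
    uses_ctypes = "ctypes" in script_text
    uses_uuid_api = "UuidFromString" in script_text
    return uses_ctypes and uses_uuid_api and len(extract_uuids(script_text)) >= min_uuids


# Constructed sample (hypothetical): the two UUIDs encode the ASCII text
# "ISC sample blob!-decode me pls!!" in UuidFromStringA layout; they are NOT shellcode.
SAMPLE_SCRIPT = '''
import ctypes
rpc = ctypes.windll.rpcrt4
blob = ["20435349-6173-706d-6c65-20626c6f6221",
        "6365642d-646f-2065-6d65-20706c732121"]
# the script would call rpc.UuidFromStringA(...) on each entry here
'''

if __name__ == "__main__":
    if looks_like_uuid_loader(SAMPLE_SCRIPT):
        raw = decode_uuid_array(extract_uuids(SAMPLE_SCRIPT))
        print(f"{len(raw)} bytes recovered: {raw!r}")
```

Feed the recovered bytes to a disassembler or string scanner rather than executing them; the last UUID of a real array is often zero-padded, so trailing NUL bytes are expected.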
Read the full entry: https://isc.sans.edu/diary/Shellcode+Encoded+in+UUIDs/31752/