June turned out to be a hectic month for Microsoft’s security patch team, as India’s Computer Emergency Response Team (CERT-In) put the Albuquerque-based multinational technology company to the test twice in the same month for vulnerabilities across multiple platforms, including its new flagship operating system (OS), Windows 11, and its Edge browser. Microsoft has since patched these vulnerabilities with two updates, one on June 17 and another on June 20.
Interestingly, Adobe, the maker of creative software such as Photoshop and Premiere Pro, was flagged by India’s cybersecurity watchdog on the same day (June 16) as having vulnerabilities as severe as those in Microsoft products, especially in the creative suite applications InDesign and Illustrator. According to its security release notes, however, Adobe has not yet finished patching all the vulnerabilities described by CERT-In.
Why is this important: Cyberattacks have been on the rise since the start of the pandemic, with the Home Office reporting 12,000 cybersecurity incidents in 2020 alone. Some of the most common attack patterns around the world exploit vulnerabilities in creative apps, web browsers, and commonly used operating systems. That CERT-In has reported these bugs in software widely used across the country should also spur a closer look at other popular apps, browsers, and operating systems.
What are the vulnerabilities in Microsoft products?
“Multiple vulnerabilities have been reported in various Microsoft products, which could be exploited by an attacker to access sensitive information, bypass security restrictions, perform a denial of service (DoS) attack, elevate privileges, perform impersonation attacks or execute arbitrary code on the target system,” CERT-In said on its vulnerability notes blog.
CERT-In reported 90 sensitive bugs in various Microsoft products on June 16. Of these, 36 vulnerabilities were reported in Windows operating systems, including Windows 7, 8.1, 10, and 11. According to the Microsoft security team’s notes, most of these OS vulnerabilities have been assigned to Windows Server 2019 and 2012, both of which are used alongside Windows 10 and 11.
Flaws and bugs in Microsoft’s product armor also extend to the company’s other popular apps and platforms, including 28 bugs found in the wildly popular Azure cloud computing infrastructure, which is used by hundreds of application developers to host their products because it supports dozens of different programming languages, tools and frameworks.
Microsoft Office and Office 365, which consist of everyday-use programs such as Word and Excel, were also reported to have five “high” severity vulnerabilities that could allow an attacker to execute harmful code, take control of an entire system, or leak sensitive information from a document or spreadsheet without the user’s knowledge.
Below is the list of Microsoft programs and platforms in which CERT-In found these vulnerabilities:
- Windows and Windows Servers
- Microsoft Office and Office 365
- .NET Framework
- SharePoint Servers
- SQL Servers
- System Center Operations Manager
- Browsers: Edge and Explorer
What’s wrong with Adobe?
According to CERT-In, there are nine major flaws in six of Adobe’s most popular apps. If an attacker were to gain access to these weak points, they could wreak havoc on the user’s system by executing arbitrary code, which could in turn give the attacker further access to the victim’s computer, allowing dangerous malware to be implanted into the system or important files to be leaked from the targeted hard drive. Alternatively, the attacker could also tamper with the victim’s user privileges and use them to launch a broader attack on Adobe’s servers. These weak points are present in both the macOS and Windows versions of these products.
“These vulnerabilities exist in Adobe products due to improper input validation, improper authorization, heap-based buffer overflow, out-of-bounds write, out-of-bounds read and use after free vulnerabilities,” the CERT-In vulnerability notes said, adding, “An attacker could exploit these vulnerabilities by tricking the victim into opening a specially crafted file or application.”
Corrupted versions of an Adobe product may appear suspiciously similar to the real thing, and users should exercise caution when using such applications, especially a free or pirated version downloaded from a third-party website.
Vulnerable versions of Adobe products are listed below:
- Adobe InDesign versions 17.2.1 and 16.4.1
- Adobe InCopy versions 17.2.1 and 16.4.1
- Illustrator 2022 version 26.0.2 and Illustrator 2021 version 25.4.5
- Adobe Bridge version 12.0.1
- Adobe Animate 22.0.5
- RoboHelp Server RHS 11 (Update 3)
With seven of the nine vulnerabilities already patched, Adobe says updating to the latest versions of these apps would help reduce the risk of outside attack.
What are some of the common attack patterns in both sets?
Going through the CERT-In reports, a few likely attack patterns stood out as common to both the Microsoft and Adobe products. They are listed and described below.
- Remote code execution: Remote Code Execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The consequences of an RCE vulnerability can range from executing malware to an attacker taking full control of a compromised machine.
- Denial of service attacks: A denial of service attack aims to make a resource (site, application, server) unavailable for the use for which it was designed. There are many ways to make a service unavailable to legitimate users, including manipulating network packets and exploiting programming, logic, or resource management vulnerabilities.
- Tampering with user privileges: Also known as “escalation of privilege” attacks, these occur when an application gains rights or privileges that should not be available to it. Many privilege escalation exploits resemble exploits for other threats; for example, buffer overflow attacks (mentioned as a possible attack path for Adobe products) attempt to write executable code onto the target system.
- Memory leaks: A memory leak is essentially a resource leak, here caused by a malicious attack that forces a computer program to mismanage its memory allocations so that memory which is no longer needed is never freed. A memory leak can also occur when an object is stored in memory but can no longer be reached by the executing code.
Some updates on CERT-In
CERT-In has been in the news over the past two months due to the release on April 28 of new cybersecurity directions that apply to service providers, intermediaries, legal persons, data centers and government organizations. The new directions are listed below.
- Report incidents within 6 hours: All entities are required to report cyber incidents to CERT-In within 6 hours of noticing such incidents or notifying of such incidents.
- Crypto exchanges and wallets must retain KYC details and financial transaction records for five years: Virtual asset service providers, virtual asset exchange providers and custodial wallet providers are required to retain all information obtained under Know Your Customer (KYC) and financial transaction records for a five-year period.
- Service providers must retain customer and subscriber information for five years: Data centers, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers are required to record accurate customer and subscriber information and retain it for a period of five years or more after any cancellation or withdrawal of registration.
- Maintain logs for 180 days in India: All entities are required to enable logs of all their ICT systems and maintain them securely for a continuous period of 180 days and the same must be maintained in Indian jurisdiction.
- Synchronization of clocks: All covered entities must connect to the Network Time Protocol (NTP) servers of the National Informatics Centre or the National Physical Laboratory, or to servers traceable to these NTP servers, for synchronization of the clocks of all their information and communications technology systems.
- CERT-In can order actions and request information: For the purposes of cyber incident response, protection and prevention actions related to cyber incidents, CERT-In may issue orders to entities mandating them to take action or provide information that may assist CERT-In.
- Point-of-contact: Entities are required to designate a point of contact to interface with CERT-In.
On June 21, a group representing small and medium-sized businesses contacted CERT-In and its parent Ministry of Electronics and Information Technology (MeitY) to request a 300-day extension to the deadline for compliance with the cybersecurity directions, along with clarity on how CERT-In would secure the data it collects, its data logging requirements, and related matters.