Reg Latin scholars scrap over LOHAN's stirring motto

A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

Apple last week patched two actively exploited vulnerabilities in macOS Monterey yet has left users of older supported versions of its desktop operating system unprotected.

In a blog post on Tuesday, security biz Intego said fixes applied to address CVE-2022-22675 (AppleAVD bug) and CVE-2022-22674 (Intel Graphics Driver bug) in macOS Monterey were not backported to macOS Big Sur or macOS Catalina.

The AppleAVD issue is unpatched for macOS Big Sur, said Joshua Long, chief security analyst for Intego, while Catalina isn't affected because it lacks the AppleAVD component for decoding audio and video. The Intel Graphics Driver flaw, he said, looks like it affects both Big Sur and Catalina.

Adobe has put out a warning about another critical security bug affecting its Magento/Adobe Commerce product – and IT pros need to install a second patch after an initial update earlier this week failed to fully plug the first one.

You need to apply both patches, in order.

The new vuln has also been assigned a severity rating of the 9.8 on the CVSS scale – the same as its predecessor, for which Adobe issued an out-of-bounds patch earlier in the week. It's tracked as ​​CVE-2022-24087 and – like the earlier vuln, CVE-2022-24086 – impacts both Magento Open Source and Adobe Commerce.

In an advisory this week, VMware alerted users to guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in its ESXi hypervisor, plus an important flaw fixed in NSX Data Center for vSphere.

In all, five vulnerabilities were discovered in VMware's ESXi, Workstation, Cloud Foundation (ESXi), and Fusion during the Tianfu Cup 2021, a Chinese vulnerability competition, by the country's Kunlun Lab. Bugs that Kunlun discovered were disclosed privately to VMware – though last year China passed a new law ordering security researchers to reveal findings to the country's Ministry of Public Security at least two days before anyone else.

The vendor said it hadn't seen any evidence the competition's findings had been exploited in the wild. Patches have been issued, now it's up to admins to schedule them. The vulnerabilities range from use-after-free() and double-fetch flaws that can be exploited to execute code on the host, to an old-fashioned denial of service (DoS). The full list for ESXi, Workstation, Cloud Foundation, and Fusion is:

Microsoft has kicked off 2022 by issuing a patch for Exchange Server 2016 and 2019, which both possessed a “latent date issue” that saw emails queued up instead of being dispatched to inboxes.

“The problem relates to a date check failure with the change of the new year,” states a January 1st post to the Exchange Blog.

Exchange’s malware scanning engine is the source of the problem, as Exchange checks the version of that software and then tries to write the date into a variable. But that variable’s maximum value is 2,147,483,647 and the value Exchange tries to write - 2,201,010,001, to reflect the date of January 1st, 2022, at midnight – exceeds the variable’s maximum threshold.

Feature Some vulnerabilities remain unreported for the longest time. The 12-year-old Dell SupportAssist remote code execution (RCE) flaw – which was finally unearthed earlier this year – would be one example.

Others, however, have not only been long since reported and had patches released, but continue to pose a threat to enterprises. A joint advisory from the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), published in late July, listed the top 30 publicly known vulnerabilities that are routinely being exploited by threat actors. Many of these are a good few years old, including one Microsoft Office RCE that was patched in 2017 but had been around since the year 2000.

Eoin Keary, CEO and founder of Edgescan, told The Register that the oldest common vulnerability discovered in its latest quarterly vulnerability scans report (CVE-1999-0517, impacting Simple Network Management Protocol) dated back to 1999. Which raises the question, why are threat actors being allowed to party like it's, um... 1999?

It has proved an unfortunate Halloween for Microsoft, with the ghost of an expired certificate haunting Windows 11 users. The upshot is: various built-in programs may stop working properly or cannot be opened at all.

Redmond yesterday said "some users" are affected, so you may or may not notice the blunder. This all applies to at least Windows 11 version 21H2.

The cryptographic cert at the heart of this affair ran out at the end of October leading to failures this month, according to Microsoft: "Starting on November 1, 2021, some users might be unable to open or use certain built-in Windows apps or parts of some built-in apps. This is caused by an issue with a Microsoft digital certificate, which expired October 31, 2021."

SolarWinds has issued an emergency patch after a critical security hole in its Serv-U Managed File Transfer and Serv-U Secure FTP was spotted being exploited in the wild.

The vulnerability, discovered by Microsoft's Threat Intelligence Center (MSTIC) and Offensive Security Research teams, can be exploited by an attacker to achieve remote code execution, and is present in Serv-U version 15.2.3 HF1 and all prior builds. The Redmond crew also said a "single threat actor" was abusing the programming blunder (CVE-2021-35211) though it's not known how many customers are affected.

"This attack is a Return Oriented Programming (ROP) attack," said SolarWinds in an advisory. "When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack."

Updated Microsoft continues to demonstrate its impressive commitment to Windows quality by admitting the patch it released to patch the patch that broke printing was, er, itself broken.

As a reminder, a fresh security update dropped from Microsoft's Windows Update orifice last week that left some Windows 10 users unable to print. Worse, a screen of deathly blue was flashed when a printing operation was attempted – a step up from the error message seen after last year's mishap.

With impressive speed, Microsoft hurried out an out-of-band optional patch to deal with the affected Windows 10 versions: KB5001567 for Windows 10 2004 and 20H2; KB5001566 for Windows 10 1909; KB5001568 for 1809 and KB5001565 for 1803.

Apple has patched a hole in macOS that has been exploited by malware to secretly take screenshots on victims' Macs.

The security flaw can also be potentially abused to access files and record video and audio from the computer. The iGiant has also released iOS and iPadOS 14.6, which fixes 43 CVE-listed security flaws and adding a bunch of user-friendly UI tweaks.