0-days in Chrome and Edge
A few days later, the security researcher known on Twitter as @frust93717815 announced a new 0-day vulnerability in Chromium-based browsers, publishing a PoC on his GitHub profile. This new vulnerability reportedly affects both Chrome and Edge and, like the one published earlier this week, could allow remote code execution; the PoC demonstrates this by opening the Windows Notepad application. Because the vulnerability cannot escape the Chromium sandbox, it is not harmful on its own, but a threat actor who manages to get the browser running with sandboxing disabled (either by chaining it with other vulnerabilities or by tricking the user into launching it that way) could exploit it. Bleeping Computer has verified that the exploit works in the latest versions of Google Chrome (89.0.4389.128, released just a few days ago) and Microsoft Edge (89.0.774.76).
Both vulnerabilities have been patched in Google Chrome 90.0.4430.72 and Microsoft Edge 89.0.774.77.
Microsoft security newsletter
Microsoft has published its monthly security newsletter for April, in which it fixes more than 100 vulnerabilities. Among the updates are patches for new flaws in the 2013-2019 versions of Exchange Server (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483), all rated high criticality, two of which would allow a potential attacker to execute code remotely without authentication. Regarding these vulnerabilities, the US Cybersecurity and Infrastructure Security Agency (CISA) has urged all federal agencies to install the updates by Friday. Separately, a medium-criticality vulnerability in Desktop Window Manager, CVE-2021-28310, has also been fixed; it is being actively exploited by several threat actors to escalate privileges on vulnerable systems. Finally, it is also worth mentioning several RCE vulnerabilities affecting Microsoft Office: CVE-2021-28454, CVE-2021-28451 (Excel), CVE-2021-28453 (Word) and CVE-2021-28449. Other patched products include Edge, Azure, SharePoint, Hyper-V, Team Foundation and Visual Studio.
Adobe fixes multiple critical vulnerabilities
Adobe has patched several vulnerabilities affecting four of its products: Adobe Photoshop, Adobe Digital Editions, Adobe Bridge and RoboHelp. There are ten vulnerabilities in total: two critical flaws, CVE-2021-28548 and CVE-2021-28549, affecting Adobe Photoshop; one critical flaw (CVE-2021-21100) in Adobe Digital Editions; six vulnerabilities, four of them critical (CVE-2021-21093, CVE-2021-21092, CVE-2021-21094, CVE-2021-21095), that impact Adobe Bridge; and, finally, a high-risk flaw reportedly affecting RoboHelp. Adobe urges its customers to update vulnerable versions as soon as possible.
Learn more: https://helpx.adobe.com/security.html
IcedID distribution campaigns
Microsoft researchers have recently detected a campaign distributing the IcedID malware through legitimate contact forms on web pages. Attackers are reportedly submitting automated contact-form messages, which reach the victims as emails that look trustworthy at first glance. The message uses social engineering to pressure the victim into opening an embedded link, relying on urgent language and legal threats over false copyright claims about images or other material supposedly used on the victim's website. The link redirects to a Google login page where the victim enters their credentials, which automatically starts the download of the malicious file containing IcedID. Meanwhile, Uptycs researchers and analyst Ali Aqeel have also detected IcedID being distributed via malicious Microsoft Office documents, mainly Excel and Word. It is worth remembering that IcedID is a banking trojan that steals victims' financial information and can also act as a gateway for other malware into infected systems; it is thought to be one of the access vectors for the RansomEXX ransomware, which recently counted the Castelló City Council among its victims.