Aggregator

代码安全扫描的误报率居高不下，一直是业界的难题。就当前的技术来说，唯有结合实际代码人工运营检测规则，才会有不错效果，所以不打算深入聊误报率。 既然遇到这个话题，不妨说下SonarQube(Sonar的一个版本)，是一个用于代码质量检测和管理的平台，可检测Bug、坏味道、漏洞等。通过插件形式支持检测多种开发语言，漏洞类型涉及OWASP top 10 (2021)、CWE等编号的漏洞。若使用其进行安全性扫描，至少有2个好处： 1、接入开发流程时间更早：大概率会比安全团队的其他工具更早，因为这是代码质量管理的常见工具，易于与Jenkins、gitlab等各种开发工具集成； 2、质量问题处置流程完善：代码bug修复的需求肯定是优先于安全问题，因为要解决软件可用性问题，所以相关流程、考核指标建设早、会更加完善。 但在实际场景中，大多数安全团队为什么不用？有个关键点是：配置管理团队给不给安全团队使用，这是权责与利益问题。此外，曾做过对比测试，专业的SAST工具在检测规则数量、实际检出效果方面（均为默认规则），也确实比SonarQube好。 更多软件安全内容，可以访问： 1、SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 设计阶段应开展哪些安全活动？ 有哪些不错的安全设计参考资料？ 安全设计要求怎么做才能落地？ 有哪些威胁建模方法论？ 有哪些威胁建模工具？ 如何开始或实施威胁建模？ 威胁建模和架构安全评审，有何异同？ 编码阶段，开展哪些安全活动？ 如何选择静态代码扫描(SAST)工具？ 如何选择开源组件安全扫描(SCA)工具？ SCA工具扫描出很多漏洞，如何处理？ SCA工具识别出高风险协议，如何处理？ 如何制定一份有用的开发安全规范？ 如何做到开发安全规范的有效实施？ 应该如何选型代码安全扫描工具？ 代码安全扫描应该设置哪些指标？ 如何提升开发人员的安全意识？ 白盒检测工具存在局限性，如何进行补偿？ SCA用什么系统做，自研还是外购？ SDL 31/100问：有没有好用的SDL平台？ 2、SDL创新实践系列 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点

Dark Strom Team Targeted the Website of Denmark Police

Decoding SMS Pumping Fraud: Protecting Your Communications

First Things First | SentinelOne Is A Fortune Best Workplace for Parents

Why is NHIDR Crucial in Modern Cybersecurity? For organizations to stay ahead in this dynamic cybersecurity landscape, it’s imperative to embrace innovative and comprehensive security methodologies. One such methodology is Non-Human Identity and Access Management (NHIDR). NHIDR is a revolutionary approach that addresses the increasingly complex security challenges associated with cloud environments. But, what makes […]

The post Staying Ahead: The Role of NHIDR in Modern Cybersecurity appeared first on Entro.

The post Staying Ahead: The Role of NHIDR in Modern Cybersecurity appeared first on Security Boulevard.

Robotcop: enforcing your robots.txt policies and stopping bots before they reach your website

‘Tis the Season for Artificial Intelligence-Generated Fraud Messages

When User Input Lines Are Blurred: Indirect Prompt Injection Attack Vulnerabilities in AI LLMs

AppLite: A New AntiDot Variant Targeting Mobile Employee Devices

Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.

Background

Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.

Analysis

In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVE’s patched and in 2022, 917 CVE’s were patched. While Microsoft has yet to break its 2020 record with 1,245 CVE’s patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVE’s in a year.

Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.

In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVE’s patched per month.

Patch Tuesday 2024 by severity

Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.

Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.

Patch Tuesday 2024 by impact

In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.

Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.

Patch Tuesday 2024 zero-day vulnerabilities

According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks, however exploitation of these flaws can vary in depth and breadth.

In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.

While these zero-days made up a small portion of the overall CVE’s addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVE’s with some details around their exploitation activity.

CVE Description Exploitation Activity CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability Exploited by the Lazarus APT Group to deploy the FudModule rootkit CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. This APT has also exploited this CVE to deploy the DarkMe remote access trojan (RAT) CVE-2024-30051 Windows DWM Core Library Elevation of Privilege Vulnerability Used to deploy QakBot malware CVE-2024-30088 Windows Kernel Elevation of Privilege Vulnerability Exploited by APT34 (aka OilRig) CVE-2024-38112 Windows MSHTML Platform Spoofing Vulnerability Exploited by APT group Void Banshee to deploy the malware known as Atlantida stealer. CVE-2024-38178 Scripting Engine Memory Corruption Vulnerability Exploited by APT37 (aka RedEyes, Reaper, ScarCruft, Group123 and TA-RedAnt) CVE-2024-38193 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploited by the Lazarus APT Group (aka Diamond Sleet) to deploy the FudModule rootkit CVE-2024-38213 Windows Mark of the Web Security Feature Bypass Vulnerability Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. Vulnerability was named “Copy2Pwn” by Trend Micro’s Zero Day Initiative (ZDI) CVE-2024-43451 NTLM Hash Disclosure Spoofing Vulnerability Exploited by APT known as UAC-0194 to deploy Spark RAT malware. CVE-2024-43461 Windows MSHTML Platform Spoofing Vulnerability Exploited by APT group Void Banshee in an attack chain with CVE-2024-38112 CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability Exploited by the threat actor tracked as RomCom to deploy the RomCom RAT malware. Conclusion

As we reflect on Patch Tuesday vulnerabilities in 2024, despite the year over year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVE’s would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.

The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.

Get more information

• Tenable Blog: Microsoft Patch Tuesday 2023 Year in Review

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Microsoft Patch Tuesday 2024 Year in Review appeared first on Security Boulevard.

Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.

Background

Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.

Analysis

In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVE’s patched and in 2022, 917 CVE’s were patched. While Microsoft has yet to break its 2020 record with 1,245 CVE’s patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVE’s in a year.

Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.

In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVE’s patched per month.

Patch Tuesday 2024 by severity

Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.

Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.

Patch Tuesday 2024 by impact

In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.

Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.

Patch Tuesday 2024 zero-day vulnerabilities

According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks, however exploitation of these flaws can vary in depth and breadth.

In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.

While these zero-days made up a small portion of the overall CVE’s addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVE’s with some details around their exploitation activity.

CVEDescriptionExploitation ActivityCVE-2024-21338Windows Kernel Elevation of Privilege VulnerabilityExploited by the Lazarus APT Group to deploy the FudModule rootkitCVE-2024-21412Internet Shortcut Files Security Feature Bypass VulnerabilityWater Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. This APT has also exploited this CVE to deploy the DarkMe remote access trojan (RAT)CVE-2024-30051Windows DWM Core Library Elevation of Privilege VulnerabilityUsed to deploy QakBot malwareCVE-2024-30088Windows Kernel Elevation of Privilege VulnerabilityExploited by APT34 (aka OilRig)CVE-2024-38112Windows MSHTML Platform Spoofing VulnerabilityExploited by APT group Void Banshee to deploy the malware known as Atlantida stealer.CVE-2024-38178Scripting Engine Memory Corruption VulnerabilityExploited by APT37 (aka RedEyes, Reaper, ScarCruft, Group123 and TA-RedAnt)CVE-2024-38193Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityExploited by the Lazarus APT Group (aka Diamond Sleet) to deploy the FudModule rootkitCVE-2024-38213Windows Mark of the Web Security Feature Bypass VulnerabilityWater Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. Vulnerability was named “Copy2Pwn” by Trend Micro’s Zero Day Initiative (ZDI)CVE-2024-43451NTLM Hash Disclosure Spoofing VulnerabilityExploited by APT known as UAC-0194 to deploy Spark RAT malware.CVE-2024-43461Windows MSHTML Platform Spoofing VulnerabilityExploited by APT group Void Banshee in an attack chain with CVE-2024-38112CVE-2024-49039Windows Task Scheduler Elevation of Privilege VulnerabilityExploited by the threat actor tracked as RomCom to deploy the RomCom RAT malware.Conclusion

As we reflect on Patch Tuesday vulnerabilities in 2024, despite the year over year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVE’s would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.

View the video below for a summary of key takeaways:

The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.

Get more information

• Tenable Blog: Microsoft Patch Tuesday 2023 Year in Review

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Performing Android Static Analysis 101-A Complete Guide for Beginners - Laburity

Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor

Quantum computing was long considered to be part of a distant future. However, it is quickly becoming a reality. Google’s recent announcement of its Willow quantum computing chip is a breakthrough generating significant media attention and questions about the implications for cybersecurity. Google’s Willow advancements are significant because of two major breakthroughs critical to the […]

The post Post-Quantum Cryptography: The Implications of Google’s Willow and Other Quantum Computers for Cybersecurity first appeared on Accutive Security.

The post Post-Quantum Cryptography: The Implications of Google’s Willow and Other Quantum Computers for Cybersecurity appeared first on Security Boulevard.

U.S. Senator Ron Wyden of Oregon announced a new bill to secure the networks of American telecommunications companies breached by Salt Typhoon Chinese state hackers earlier this year. [...]

A vulnerability was found in Antirez Kilo. It has been classified as problematic. This affects the function editorUpdateRow of the file kilo.c. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2020-20335. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Pluck CMS 4.7.10-dev2. It has been declared as critical. This vulnerability affects unknown code of the file admin.php. The manipulation of the argument hidden leads to code injection. This vulnerability was named CVE-2020-20918. The attack can be initiated remotely. There is no exploit available.

A vulnerability classified as critical was found in Pluck CMS 4.7.10-dev2. Affected by this vulnerability is an unknown functionality of the file theme.php. The manipulation leads to unrestricted upload. This vulnerability is known as CVE-2020-20919. The attack can be launched remotely. There is no exploit available.