The CyberWire Daily Podcast 9.11.24
Ep 2148 | 9.11.24

A Patch Tuesday overload.

Transcript

Patch Tuesday rundown. Microsoft integrates post-quantum cryptography (PQC) algorithms into its SymCrypt cryptographic library. The FTC finalizes rules to combat fake reviews and testimonials. A payment card thief pleads guilty. On our latest CertByte segment, N2K’s Chris Hare and George Monsalvatge share questions and study tips from the Microsoft Azure Fundamentals (AZ-900) Practice Test. Hard Drive Heaven: How Iconic Music Sessions Are Disappearing.

Today is Wednesday, Sept 11, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Today, we pause to remember the lives lost on September 11, 2001. We honor the courage of the first responders, the resilience of survivors, and the strength of the families forever changed by that tragic day. In the face of unimaginable loss, the spirit of unity and compassion shone brightly, reminding us of our shared humanity. As we reflect, may we continue to seek peace, understanding, and hope for a better future. We will never forget.

My CyberWire colleague and friend Rick Howard was working in the Pentagon on that fateful day, and we will be running a special edition of his personal remembrances in your CyberWire feed. It is worth your time, and I hope you will check it out.

Patch Tuesday rundown. 

Yesterday was Patch Tuesday, and Microsoft patched four actively exploited zero-day vulnerabilities, creating additional work for system administrators. The most severe is CVE-2024-43491, a remote code execution (RCE) flaw in Windows Update, scoring 9.8 on the CVSS scale, caused by a rollback of previous fixes due to a servicing stack defect. CVE-2024-38014, a privilege escalation bug in Windows Installer, poses a serious threat by granting attackers full system control. CVE-2024-38217, a Windows Mark of the Web (MoTW) bypass, could facilitate ransomware attacks. Lastly, CVE-2024-38226, a Microsoft Publisher security bypass, enables exploitation of embedded macros in documents.

Adobe has released security updates across multiple products to address critical, important, and moderate vulnerabilities, potentially leading to arbitrary code execution, memory leaks, and denial-of-service (DoS) attacks. Affected applications include Photoshop, ColdFusion, Acrobat, Illustrator, Premiere Pro, After Effects, Audition, and Media Encoder, with versions on both Windows and macOS impacted. Key vulnerabilities include CVE-2024-43491, a critical RCE in Photoshop, and CVE-2024-41874, a critical flaw in ColdFusion. Adobe urges users to apply the updates promptly to mitigate risks of exploitation.

Google released a Chrome 128 update addressing five vulnerabilities, four of which were high-severity memory safety issues reported by external researchers. These include a heap buffer overflow in Skia (CVE-2024-8636), use-after-free flaws in Media Router (CVE-2024-8637) and Autofill (CVE-2024-8639), and a type confusion bug in the V8 JavaScript engine (CVE-2024-8638). Google awarded $26,000 in bug bounties and is rolling out the update for Windows, macOS, and Linux. Users are advised to update their browsers promptly.

Ivanti has patched a critical vulnerability (CVE-2024-29847) in its Endpoint Management (EPM) software, which could allow unauthenticated attackers to remotely execute code on the core server. The flaw, caused by deserialization of untrusted data, is addressed in EPM 2024 hot patches and EPM 2022 Service Update 6. Ivanti stated that no known exploitations of the vulnerability have occurred so far. The company also fixed nearly two dozen other high-severity vulnerabilities in its EPM, Workspace Control, and Cloud Service Appliance products.

Turning to industrial control systems, the September 2024 Patch Tuesday includes security advisories from Siemens, Schneider Electric, ABB, and CISA. Siemens issued 17 advisories, including a critical authentication bypass in Industrial Edge Management and unauthenticated remote code execution flaws in Simatic and Scalance products. Schneider Electric addressed a high-severity privilege escalation in Vijeo Designer and a medium-severity XSS flaw. ABB published an advisory for two medium-severity DoS issues in Relion relays. CISA highlighted critical flaws in Viessmann systems and high-severity vulnerabilities in SpiderControl, Rockwell Automation, and BPL Medical Technologies products.

Microsoft integrates post-quantum cryptography (PQC) algorithms into its SymCrypt cryptographic library.

In preparation for the quantum computing era, Microsoft has integrated post-quantum cryptography (PQC) algorithms into its SymCrypt cryptographic library. Quantum computers threaten to break current encryption methods, but PQC algorithms are designed to resist such attacks. These algorithms, based on complex mathematical problems, have trade-offs like larger key sizes and longer computation times, requiring careful optimization.

Microsoft’s Quantum Safe Program (QSP) aims to ensure quantum readiness, and recent updates to SymCrypt include support for ML-KEM and XMSS algorithms. Additional algorithms, such as ML-DSA and SLH-DSA, will be added soon. Microsoft emphasizes that PQC is an evolving field and not a definitive solution, but integrating these algorithms marks a crucial step towards a quantum-safe future, enhancing security in products like Azure, Windows, and Microsoft 365.

The FTC finalizes rules to combat fake reviews and testimonials. 

The Federal Trade Commission (FTC) has introduced a new rule to combat fake reviews and testimonials, targeting deceptive practices in the marketplace. The rule prohibits the creation, sale, or dissemination of fake reviews, including AI-generated or false testimonials. It also bans businesses from paying for reviews with specific positive or negative sentiments, and ensures that insider reviews must disclose material connections to the company. The rule also addresses review suppression, misrepresentation of review sites, and misuse of fake social media metrics. Violators may face civil penalties. This rule, effective 60 days after publication, strengthens the FTC’s enforcement capabilities, which were previously hindered by a Supreme Court decision. 

A payment card thief pleads guilty. 

Vitalii Antonenko, a 32-year-old from New York City, pleaded guilty to hacking and stealing hundreds of thousands of payment card details, selling the data on the darknet. Antonenko used SQL injection attacks to breach vulnerable systems, targeting organizations such as a hospitality business and a non-profit research institution. He and his associates laundered the proceeds through cryptocurrency and traditional bank transactions. Antonenko was arrested in 2019 at JFK Airport carrying computer equipment with stolen data. Investigators linked him to Bitcoin wallets involved in transactions totaling $94 million. Following his arrest, Antonenko’s defense team requested a psychiatric evaluation after he claimed to be working for the CIA. He faces up to 25 years in prison, hefty fines, asset seizures, and restitution, with sentencing scheduled for December 10, 2024.

Our CertByte segment returns next with host Chris Hare and guest SME George Monsalvatge joining her to discuss the Microsoft Azure Fundamentals exam, also known as the AZ-900. We’ll be right back.

Welcome back. You can find out the details on the AZ-900 practice test and more in our show notes. 

Hard Drive Heaven: How Iconic Music Sessions Are Disappearing. 

And finally, our old-time-rock-and-roll desk pointed us to a story from Mix Online, a publication focused on the music production industry, that serves as a good reminder for cyber folks tasked with managing backups and long-term storage.

Iron Mountain Media and Archive Services discovered that around 20% of hard drives archived from the 1990s are now unreadable, raising concerns about the preservation of historic music sessions. Robert Koszela, Global Director of Studio Growth, notes that many iconic recordings from the early 1990s are at risk of being lost. The problem emerged when record labels revisited vaults for remixing and repurposing, only to find deteriorating tapes and obsolete formats. Hard drives, like magnetic tapes, are proving to be vulnerable despite following best practices for storage. Legacy formats, unsupported connections, and physical damage complicate recovery efforts.

Iron Mountain offers specialized services to retrieve data from these drives but stresses that action is needed now, as assets may be irretrievable in the future. Koszela highlights the challenges of identifying the correct version of a track due to poor metadata or incomplete digital workflows. He warns that without proactive efforts, many assets could be permanently lost, especially for smaller entities with limited preservation budgets.

It’s a good reminder that just because it’s stored doesn’t mean it’s secure—whether it’s music archives or historical data, neglect leads to decay.

And that’s the CyberWire. We released a full version of our Solution Spotlight conversation of Dr. Mary Haigh, CISO of BAE Systems, and N2K’s Simone Petrella speaking about building a cybersecurity team. There’s a link in our show notes.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.