HOT
PUBLISHED BY VLADIMIR UNTERFINGHER QUICK READ

Patch Tuesday August 2022 – Microsoft Fixes 21 Vulnerabilities, Including a Zero-Day Bug

Zero-Day Exploited Allowed Remote Code Execution without Authentication

As part of August’s Patch Tuesday, Microsoft has released fixes for 21 vulnerabilities. The list also includes a fix for a zero-day bug that was first identified in December 2020. Per Microsoft’s evaluation, the vulnerability required no authentication and could have been exploited remotely.

Patch Tuesday August Roundup

Not much to report on the patching front; per its usual monthly routine, Microsoft delivered several improvements and fixes to the Chromium-based browser engine. To name a few, we have fixes for issues such as a heap buffer overflow in PDF, a use-after-free in Offline, insufficient validation of untrusted input in Internals, a use-after-free in the Extensions API, and, of course, side-channel information leakage in keyboard input.

This month’s highlight is definitely CVE-2021-42279, aka the Chakra Scripting Engine Memory Corruption Vulnerability. Microsoft’s zero-day has quite an interesting history: it was discovered in 2020, cataloged in 2021, and received a fix in August 2022. The issue affected both Edge and other web browsers that used the ChakraCore engine.

CVE-2021-42279 was traced back to a defective memory buffer in the Chakra Scripting Engine. If successfully exploited, the issue would have allowed a threat actor to read from and write to any memory location. Why is the Chakra Scripting Engine Memory Corruption vulnerability considered a zero-day threat? Per Microsoft’s evaluation, the vulnerability could have been exploited regardless of the authentication level, meaning that the threat actor does not require elevated privileges in order to leverage the issue. CVE-2021-42279 is labeled as fixed. The full list of fixes can be found below.

Release Date | CVE Number     | CVE Title
Aug 5, 2022  | CVE-2022-35796 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Aug 5, 2022  | CVE-2022-33649 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Aug 5, 2022  | CVE-2022-33636 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Aug 5, 2022  | CVE-2022-2624  | Chromium: CVE-2022-2624 Heap buffer overflow in PDF
Aug 5, 2022  | CVE-2022-2623  | Chromium: CVE-2022-2623 Use after free in Offline
Aug 5, 2022  | CVE-2022-2622  | Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing
Aug 5, 2022  | CVE-2022-2621  | Chromium: CVE-2022-2621 Use after free in Extensions
Aug 5, 2022  | CVE-2022-2619  | Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings
Aug 5, 2022  | CVE-2022-2618  | Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals
Aug 5, 2022  | CVE-2022-2617  | Chromium: CVE-2022-2617 Use after free in Extensions API
Aug 5, 2022  | CVE-2022-2616  | Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API
Aug 5, 2022  | CVE-2022-2615  | Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies
Aug 5, 2022  | CVE-2022-2614  | Chromium: CVE-2022-2614 Use after free in Sign-In Flow
Aug 5, 2022  | CVE-2022-2612  | Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input
Aug 5, 2022  | CVE-2022-2611  | Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API
Aug 5, 2022  | CVE-2022-2610  | Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch
Aug 5, 2022  | CVE-2022-2606  | Chromium: CVE-2022-2606 Use after free in Managed devices API
Aug 5, 2022  | CVE-2022-2605  | Chromium: CVE-2022-2605 Out of bounds read in Dawn
Aug 5, 2022  | CVE-2022-2604  | Chromium: CVE-2022-2604 Use after free in Safe Browsing
Aug 5, 2022  | CVE-2022-2603  | Chromium: CVE-2022-2603 Use after free in Omnibox
Nov 9, 2021  | CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability

Additional Cybersecurity Advice

Well, this concludes the August edition of Patch Tuesday. Hope it was to your taste, and, before I scoot, here are a couple of cybersecurity tips.

  • Automated patch deployment. If you’re planning on staying ahead of your attackers, automatic patching and patch management is the solution. Heimdal™ Security’s Patch & Asset Management will ensure that all your apps are up to date, regardless of OS or the type of update package you’re going to deploy.
  • Phishing. Please do yourself a favor and stay away from suspicious emails.
  • Prioritize security updates. While scribbling your patch deployment battle plan, make sure that you prioritize security-related updates or patches over quality updates.


PUBLISHED BY ANDREEA CHEBAC 2022.09.30

EDR vs. Antivirus: How to Best Secure Your Endpoints

Nowadays your business and your data need a carefully thought-out protection suite, for at least two reasons.

First, cybersecurity threats are becoming more numerous and more sophisticated as time goes by. You are compelled to stay up to date with the newest malicious software and ahead of cybercriminals in an efficient, sustainable way.

Second, the vulnerability of a network is directly linked to the number of endpoints connected to it. In the era of remote working, BYOD (bring your own device) policies, and smartphones as work devices, every one of them can be an entry point for viruses, malware, or ransomware.

This is where the discussion about Endpoint Detection and Response (EDR) versus Antivirus (AV) as a solution to all these problems comes in.

In this article, we will analyze the features of EDR vs. Antivirus, the differences between them, and why your organization needs an Endpoint Detection and Response solution even if you have an AV installed.

EDR vs. Antivirus: Definitions

Endpoint Detection and Response is a multilayered, integrated cybersecurity solution designed not only to detect malware but also to defend your systems when under attack. In order to do that, EDR provides a series of tools that can collect data from endpoints, identify the origin of an attack and how it spreads, isolate an infected endpoint, and stop malicious processes.

Often EDR (which is centered on response and on reducing damage in case of a breach) is part of an Endpoint Protection Platform (EPP) that handles the preventive security measures.

Antivirus is the first layer of protection in endpoint security and it’s primarily designed to identify malicious software that has infected a device. It does this by scanning systems and files for known malware (trojans, worms, ransomware) and, if it finds any, removes them from the system.

Traditionally, AV solutions use signature matching to identify malicious code (comparing files against a known database of malware), or heuristic analysis, which is based on behavior. More evolved AV solutions, known as Next Generation Antivirus (NGAV), base malware detection on AI, making them more efficient.

EDR vs. Antivirus: Features

To achieve their goals, the two cybersecurity solutions offer a number of features that enable them to fight threat actors.

Although there are some similarities between EDR and traditional Antivirus, Antivirus alone is a less comprehensive solution.

What EDR can do:

  • can triage security alerts after analyzing them, so that certain threats can be remediated automatically, as set up by your security team, and only the most important ones need human intervention.
  • can gather and analyze data from endpoints, giving you important information about the threats you are facing and about threat patterns or trends. The same data can be used to anticipate unknown, future threats.
  • can do real-time threat hunting, identifying and responding very fast to threats that bypass traditional Antivirus.
  • offers support in case of an incident, assisting in forensic analysis too.
  • offers multiple response options for different types of attacks (isolate and quarantine, eradication, sandboxing, etc.).

What Antivirus can do:

  • detects known threats based on their signatures, such as file hashes, command-and-control domains, IP addresses, and similar features.
  • uses heuristic detection or anomaly detection to identify malware based on unusual or malicious functionality.
  • can run an integrity scan and discover whether certain files on the device have been tampered with by malware.
  • can identify malware that aims to acquire broader, administrative access on a device, using rootkit detection.
  • can discover malicious code in real time by scanning and monitoring recently accessed files.
  • can help mitigate some threats by removing malware infections, stopping malicious processes, and quarantining suspect documents.

EDR vs. Antivirus: Differences

We can spot a few major differences between EDR and Antivirus:

The focus of an AV solution is on the files that are introduced into a device, aiming to discover the malicious ones. An EDR solution has a wider focus, collecting data from the endpoint and analyzing it without ignoring the context.

Although AV can remove or assist in removing more basic malware, EDR offers a real-time response if an incident occurs. Its efficacy relies on how fast the security solution can respond to a threat without human intervention.

Due to the signature-based detection system, some of the newest, fileless malware (attacks that execute in memory without creating binaries in the file system, usually used by ransomware operators) can bypass Antivirus, while EDR is built on the understanding that not all contemporary attacks are file-based.

Because malware varieties are so numerous, it is nearly impossible to have them all in a list of signatures. On the other hand, since signatures only focus on a few file characteristics, malicious code can change those characteristics (polymorphic malware) and infect a device without triggering the Antivirus.

Endpoint Detection and Response solutions have deeper visibility into the file modification and creation processes of malware, which also helps in threat hunting and digital forensics.

The EDR solution has been created especially for the moments when an endpoint is breached. Where, in the AV case, an attack means that you have no control over the infected endpoint, EDR allows you to control the damage, take all necessary measures to fight the threat actors, and investigate the incident.
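The signature-versus-behaviour contrast drawn in the differences above, as an added example that is not part of the original article or of any Heimdal product: a hash-based AV check that a one-byte polymorphic variant slips past, beside an EDR-style behaviour score over constructed endpoint telemetry that still flags a fileless chain and isolates the endpoint. The sample bytes, process names, event labels, rule weights and isolation threshold are all assumptions made for illustration.

```python
"""Added example: hash signature matching vs. behavioural detection (not Heimdal code)."""
import hashlib

# Constructed "malware" sample and its entry in a hash-based signature database.
KNOWN_BAD = b"MZ constructed-malware-sample-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
# Polymorphic variant: one appended byte changes the hash, not the behaviour.
POLYMORPHIC_VARIANT = KNOWN_BAD + b"\x00"

def signature_match(file_bytes: bytes) -> bool:
    """Traditional AV check: exact hash lookup in the signature database."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES

# Assumed behaviour rules: parents and script hosts the EDR treats as suspicious.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}

def behaviour_score(events):
    """EDR-style heuristic over (process, parent, action) telemetry; each finding counts once."""
    findings = {}
    for proc, parent, action in events:
        if proc in SCRIPT_HOSTS and parent in OFFICE_APPS:
            findings[f"{parent} launched script host {proc}"] = 3
        if action == "memory_only_exec":  # fileless: code never written to disk
            findings[f"{proc} executed code that never touched disk"] = 3
        if action == "mass_file_rename":  # ransomware-like file activity
            findings[f"{proc} renamed many user files"] = 4
    return sum(findings.values()), sorted(findings)

def edr_verdict(events, threshold=5):
    """Response decision: isolate the endpoint once the behaviour score crosses the threshold."""
    score, reasons = behaviour_score(events)
    return ("isolate_endpoint" if score >= threshold else "allow"), score, reasons

# Constructed telemetry: a document macro launches a script host that runs in memory.
FILELESS_CHAIN = [
    ("winword.exe", "explorer.exe", "process_start"),
    ("powershell.exe", "winword.exe", "process_start"),
    ("powershell.exe", "winword.exe", "memory_only_exec"),
    ("powershell.exe", "winword.exe", "mass_file_rename"),
]
BENIGN_CHAIN = [("winword.exe", "explorer.exe", "process_start"),
                ("winword.exe", "explorer.exe", "file_save")]

if __name__ == "__main__":
    print("signature catches original:", signature_match(KNOWN_BAD))  # True
    print("signature catches variant:", signature_match(POLYMORPHIC_VARIANT))  # False
    print("EDR verdict on fileless chain:", edr_verdict(FILELESS_CHAIN))  # isolate_endpoint, 10
```

The same telemetry would be scored identically whatever bytes the payload carried, which is the point the article makes about fileless and polymorphic malware.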

Why You Need an EDR Solution

A good Endpoint Detection and Response solution will usually incorporate Antivirus functionalities, offering fuller protection against a wider range of threats.

Here are a few security benefits that EDR provides:

  • you will have better and deeper visibility into the security of your endpoints as a whole, using the data-collection feature of your EDR solution.
  • EDR will provide a fast, efficient, and integrated response in case of a security breach, as you will not need to switch to another cybersecurity solution to mitigate an attack.
  • the impact and cost of an attack will be greatly reduced, as you can automate some threat response procedures with the help of an EDR solution.

How Can Heimdal® Help?

Heimdal’s Endpoint Detection and Response combines six solutions in one compact agent, a time saver that will not slow your systems down.

It offers you prevention features, threat-hunting, and remediation capabilities in an easy-to-deploy solution.

This product uses Machine Learning and AI-driven intelligence to prevent advanced ransomware, insider threats, admin rights abuse, APTs, software exploits, brute force attacks, DNS and DoH Vulnerabilities, phishing and social engineering, and any other known or unknown threats.


Wrapping Up…

Evolution is the key word: as threats continue to evolve, your cybersecurity measures need to do the same.

From this point of view, Endpoint Detection and Response is the obvious response in the debate EDR vs. Antivirus as a cybersecurity solution.

EDR will better protect you from modern, more sophisticated malware, will respond faster in case of an attack, will assist the IT team in forensic work, and will provide visibility, through information and context, to build a better defense against the unknown number and types of threats that are out there.
