CYBERSECURITY NEWS V. February – 0-day in WebKit, AvaddonDecrypter, 12-year-old bug in Windows Defender


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

0-day in WebKit redirected iOS users to malicious sites

ScamClub, a malicious ad group, exploited a 0-day vulnerability in the WebKit engine. The attackers redirected iOS and macOS users to malicious sites where a fraudulent gift certificate scheme was deployed.

The attacks were first recorded in June 2020, and attempts to exploit the 0-day continue. Patches were released only in early February, and not all users have installed them yet.

The exploited vulnerability (CVE-2021-1801) affects Safari and Google Chrome for iOS. According to researchers, attackers have delivered more than 50 million ads to end users over the past 90 days.

In the latest incidents, the attackers tried to execute malicious code outside the sandbox of the ad's iframe HTML element, the restriction that is supposed to keep the ad from interacting with the main website.

12-year-old bug fixed in Windows Defender

Microsoft has fixed a 12-year-old vulnerability in the built-in Microsoft Defender (formerly Windows Defender) antivirus. If exploited successfully, the bug lets an attacker gain administrator privileges.

CVE-2021-24092 was found in the BTR.sys (Boot Time Removal Tool) driver, which is used to remove files and registry entries created by malware. It affects antivirus versions dating back to 2009. Attackers first need low-level access to the victim's system and can then exploit the vulnerability. The attack is rather complicated, but it does not require any interaction from the target user.

The vulnerability also affects other Microsoft products: Microsoft Endpoint Protection, Microsoft Security Essentials, and Microsoft System Center Endpoint Protection. SentinelOne discovered it in November 2020.

The hotfix will be automatically installed on all systems running the affected versions of Microsoft Defender with automatic updates enabled.

Free decryptor for Avaddon made useless

Javier Yuste, a student at the Rey Juan Carlos University in Madrid, created a free tool called AvaddonDecrypter for decrypting files affected by the Avaddon ransomware.

The tool could only help fresh victims who had not turned off their computers after the attack. AvaddonDecrypter dumped the infected system's RAM and scanned the memory for data that could be used to restore the original encryption key.

However, the Avaddon developers quickly noticed the release of AvaddonDecrypter. They recently announced an update to the ransomware's code that renders AvaddonDecrypter useless.

Seeing how Avaddon fixed its encryption scheme within days, it is hard to disagree that some decryption tools should never go public.

Emergency fix for Windows 10 Wi-Fi crashes

Microsoft has released an urgent, unscheduled update, KB5001028, that fixes a bug causing Windows 10 to crash when connected to Wi-Fi over WPA3. The problem appeared after the release of two updates for Windows 10 version 1909: KB4598298 (dated January 21, 2021) and KB4601315 (dated February 9).

As soon as the user connects to a Wi-Fi network using the WPA3 protocol, Windows crashes with a Blue Screen of Death (BSOD). WPA3 is nonetheless the recommended protocol, since it is the most secure one available.

In addition to the unscheduled update, Microsoft has published several workarounds to help users avoid the BSOD when connecting to a wireless network:

- Update your device to Windows 10, version 2004 or Windows 10, version 20H2.

- Connect to a Wi-Fi network using WPA2. To do this, you may need to reconfigure your access point or router settings.

- Connect using a wired Ethernet connection.

The KB5001028 update is free to download and install from the Microsoft Update website.
