The large-scale supply chain attack targeting voice-over-Internet-protocol communications firm 3CX exploited a Windows flaw designated CVE-2013-3900 and described as a "WinVerifyTrust Signature Validation Vulnerability": one of the two DLLs replaced with malicious versions for the attack was still reported as legitimately signed by Microsoft, BleepingComputer reports.
According to ANALYGENCE senior vulnerability analyst Will Dormann, the vulnerability is 10 years old, having been disclosed by Microsoft on Dec. 10, 2013, and continues to be exploited to this day: it allows attackers to add content to the Authenticode signature section of a signed executable without affecting the signature's validity.
Microsoft issued a fix for this vulnerability only on an opt-in basis, and enabling it requires a manual edit of the Windows Registry. However, Windows 10 users who apply the fix will find it removed if they upgrade to Windows 11, reopening their devices to the vulnerability.
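As an added example that is not drawn from the article, the Python script below shows the defender-side check implied by the description above: it parses a PE file's security directory and compares the DER-encoded length of the PKCS#7 blob with the length of the WIN_CERTIFICATE entry that holds it, reporting any bytes beyond the normal 8-byte alignment padding. The PE skeleton it builds is constructed for the demonstration and is not a real binary; the data-directory offsets (144 for PE32+, 128 for PE32) and the WIN_CERTIFICATE layout are those of the PE format.

```python
# Added example, not code from the article. CVE-2013-3900 exists because
# WinVerifyTrust hashes only the PKCS#7 blob described by its DER length,
# not the whole WIN_CERTIFICATE entry, so bytes appended after the blob leave
# the signature valid. A defender can compare those two lengths directly.
import struct

def der_total_length(blob: bytes) -> int:
    """Full encoded size (tag + length + content) of the outer DER SEQUENCE."""
    if blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    n = first & 0x7F                               # long form: n following length bytes
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def authenticode_trailing_bytes(pe: bytes) -> int:
    """Bytes in the signature entry beyond the PKCS#7 blob and its 8-byte padding."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_off = opt + (144 if magic == 0x20B else 128)   # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, dir_off)
    if cert_size == 0:
        raise ValueError("file is not signed")
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if cert_type != 0x0002:                        # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type")
    blob = pe[cert_off + 8:cert_off + dw_length]
    padded = (der_total_length(blob) + 7) & ~7     # alignment padding is legitimate
    return max(0, len(blob) - padded)

def build_fake_signed_pe(extra: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton (not a real binary): tiny DER blob, padding, then `extra`."""
    der = b"\x30\x03\x02\x01\x05"                  # SEQUENCE { INTEGER 5 }
    body = der + b"\0" * (-len(der) % 8) + extra
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    headers_len = 64 + 4 + 20 + 240                # DOS + "PE\0\0" + COFF + optional header
    opt = struct.pack("<H", 0x20B).ljust(240, b"\0")
    opt = opt[:144] + struct.pack("<II", headers_len, len(cert)) + opt[152:]
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    return dos + b"PE\0\0" + coff + opt + cert

if __name__ == "__main__":
    print("clean:", authenticode_trailing_bytes(build_fake_signed_pe()))
    print("padded:", authenticode_trailing_bytes(build_fake_signed_pe(b"X" * 16)))
```

On a live system the opt-in mitigation the article refers to is the EnableCertPaddingCheck value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and the matching Wow6432Node path on 64-bit Windows); this script finds padded signatures regardless of whether that value is set.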
Cyberattack disclosed by HTC Global Services following ALPHV/BlackCat leak
After having its data exposed by the ALPHV/BlackCat ransomware attack, IT and business process services provider HTC Global Services has disclosed being impacted by a cyberattack, reports BleepingComputer.
Numerous Web3 smart contracts, including DropERC20, AirDrop20, ERC721, and ERC1155, were discovered by Thirdweb to be exposed to a vulnerability in a widely used open-source nonfungible token library, reports SiliconAngle.