PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 22 By PatchDay Alert

Cisco Secure Workload scores a perfect 10.0: unauth cross-tenant takeover

Also: a use-after-free in Chrome's DOM engine (CVSS 8.8), a no-click heap overflow in Microsoft Defender's scan engine (CVSS 8.1), an Azure privesc via symlink, and a Splunk session cookie leak.

Patch now: 1 · Within 24h: 1 · This week: 3 · Exploited: 0
Cisco Secure Workload · Network Appliance · Google Chrome · Chromium · Windows · macOS · Linux · Microsoft Defender · Microsoft Malware Protection Engine · Microsoft Windows Admin Center · Azure Portal · Cloud

Nothing is exploited in the wild yet, but a CVSS 10.0 in Cisco Secure Workload (CVE-2026-20223) deserves your attention right now. An unauthenticated attacker can hit internal REST APIs and grab full Site Admin privileges across tenant boundaries, with no credentials and no user interaction. It is joined by a Defender engine RCE and code execution inside Chrome's sandbox, so don't let the 'no active exploitation' status lull you into waiting.


Today's CVEs

Sorted by urgency

02 · CVE-2026-9126 · NVD · CVSS 8.8 · HIGH · Patch this week
Google Chrome · Chromium · Windows · macOS · Linux

A use-after-free bug in Chrome's DOM engine lets an attacker run code inside the browser sandbox if a user visits a malicious page. The attack requires user interaction (visiting a crafted page), and code execution is sandboxed, which limits the blast radius. Still, sandbox escapes get chained regularly, so don't sit on this one.

Included because
remote; user interaction required; sandboxed execution; widely deployed browser
Affected estate
Google Chrome and Chromium-based browsers on all desktop platforms, versions prior to 148.0.7778.179.
How to check
Open chrome://version in the browser, or query installed browser versions via your endpoint management tool (Intune, SCCM, Jamf, etc.).
Action
Push Chrome 148.0.7778.179 or newer through your browser update channel or endpoint management platform.
Urgency
Patch this week
Why it matters
A crafted web page can trigger code execution inside the sandbox, which attackers commonly chain with sandbox escapes for full compromise.
Source
Chrome Releases Blog / Chromium bug tracker


03 · CVE-2026-45584 · NVD · CVSS 8.1 · HIGH · Patch within 24h
Microsoft Defender · Microsoft Malware Protection Engine · Windows

A heap-based buffer overflow in the Microsoft Malware Protection Engine lets an attacker run code over the network without any authentication. Because Defender's engine auto-scans incoming files and network content, a specially crafted payload could trigger this just by being received. No user click needed.

Included because
unauthenticated; network-exploitable; no user interaction; ubiquitous product; CVSS 8.1
Affected estate
All systems running the Microsoft Malware Protection Engine, including Windows Defender Antivirus, Defender for Endpoint, and Microsoft Security Essentials.
How to check
Run 'Get-MpComputerStatus | Select AMEngineVersion' in PowerShell and compare against the fixed version in Microsoft's advisory. Alternatively, check via SCCM or Intune compliance reports.
Action
Confirm the engine auto-updated. If your environment blocks automatic definition and engine updates, manually trigger 'Update-MpSignature' or deploy via WSUS/SCCM.
Urgency
Patch within 24 hours
Why it matters
The Malware Protection Engine processes untrusted content automatically, so an attacker can trigger this bug just by sending a crafted file to a protected host.
Source
Microsoft Security Response Center (MSRC)


04 · CVE-2026-42834 · NVD · CVSS 7.8 · HIGH · Patch this week
Microsoft Windows Admin Center · Azure Portal · Windows · Cloud

A symlink-following bug in Azure Portal's Windows Admin Center lets a local attacker who already has some level of access escalate to higher privileges. This requires local access and an authenticated session, so it's not remotely exploitable on its own. It's a privilege escalation play, most dangerous if an attacker already has a foothold.

Included because
local access required; authenticated; privilege escalation; Azure management tool
Affected estate
Windows Admin Center instances deployed as an Azure Portal extension.
How to check
In the Azure Portal, go to the Windows Admin Center extension settings and check the installed version. Compare against Microsoft's advisory for the fixed version.
Action
Update the Windows Admin Center Azure extension to the patched version via the Azure Portal.
Urgency
Patch this week
Why it matters
A local attacker with existing access can escalate to higher privileges by exploiting symlink handling, expanding a partial compromise into a full one.
Source
Microsoft Security Response Center (MSRC)


05 · CVE-2026-20239 · NVD · CVSS 7.5 · HIGH · Patch this week
Splunk Enterprise · Splunk Cloud Platform · Windows · Linux

If a Splunk user has a role with access to the _internal index, they can view session cookies and response bodies containing sensitive data. This is an information disclosure bug that requires an authenticated user with specific index permissions, so it's not open to the internet. That said, stolen session cookies can lead to session hijacking and lateral movement inside Splunk.

Included because
authenticated access required; information disclosure; session hijack risk; common SIEM product
Affected estate
Splunk Enterprise below 10.2.2 and 10.0.5. Splunk Cloud Platform below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13.
How to check
Run 'splunk version' on your Splunk Enterprise instance, or check Settings > Server Settings > General in the Splunk Web UI. For Splunk Cloud, check your instance version in the Splunk Cloud admin console.
Action
Upgrade to the fixed Splunk version. Review and restrict roles that have access to the _internal index.
Urgency
Patch this week
Why it matters
Exposed session cookies let an authenticated user hijack other sessions, potentially escalating to admin-level access within your Splunk deployment.
Source
Splunk Security Advisory
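
Added example (not part of the original digest or any vendor tooling): a triage script that checks an inventory export against the fixed versions listed in the Chrome and Splunk entries above, comparing each Splunk version only against the fix on its own release train. The product labels, host names and CSV layout are hypothetical, and treating a train as "the fixed version minus its last component" is an assumption.

```python
"""Triage an inventory export against the fixed versions listed in this digest."""
import csv
import io

# Fixed versions copied from the digest entries above; the product keys are
# hypothetical inventory labels. Several entries = several release trains.
FIXED = {
    "chrome": ["148.0.7778.179"],
    "splunk-enterprise": ["10.2.2", "10.0.5"],
    "splunk-cloud": ["10.3.2512.8", "10.2.2510.11", "10.1.2507.21", "10.0.2503.13"],
}

def parse(version):
    # Compare numerically: as strings, "148.0.7778.96" sorts after "148.0.7778.179".
    return tuple(int(part) for part in version.strip().split("."))

def verdict(product, version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one installed version."""
    try:
        installed = parse(version)
        fixes = [parse(f) for f in FIXED[product]]
    except (KeyError, ValueError):
        return "unknown"  # product not tracked, or version is not dotted-numeric
    if len(fixes) == 1:
        return "vulnerable" if installed < fixes[0] else "fixed"
    for fix in fixes:
        train = fix[:-1]  # assumption: a train is the fix minus its last component
        if installed[:len(train)] == train:
            return "vulnerable" if installed < fix else "fixed"
    # On a train the digest does not list: do not guess, go to the advisory.
    return "unknown"

def triage(inventory_csv):
    """Return (host, product, version, verdict) per row of a host,product,version CSV."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["product"], r["version"], verdict(r["product"], r["version"]))
            for r in rows]

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE = """host,product,version
wks-01,chrome,148.0.7778.96
wks-02,chrome,148.0.7778.179
idx-01,splunk-enterprise,10.0.4
idx-02,splunk-enterprise,10.2.2
idx-03,splunk-enterprise,9.4.3
stack-a,splunk-cloud,10.2.2510.9
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Rows that come back as "unknown" are on a release train this digest does not list and need to be checked against the vendor advisory directly.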


