Apple on Wednesday announced it plans to introduce an enhanced security setting called Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks."
The "extreme, optional protection" feature, now available for preview in beta versions of its upcoming software, is designed to counter a surge in threats posed by private companies

Apple on Wednesday announced it plans to introduce an enhanced security setting called **Lockdown Mode** in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks."

The "extreme, optional protection" feature, now available for preview in beta versions of its upcoming software, is designed to counter a surge in threats posed by private companies developing state-sponsored surveillanceware such as Pegasus, DevilsTongue, Predator, and Hermit.

Lockdown Mode, when enabled, "hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware," Apple said in a statement.

This includes blocking most message attachment types other than images and disabling link previews in Messages; rendering inoperative just-in-time (JIT) JavaScript compilation; removing support for shared albums in Photos; and preventing incoming FaceTime calls from unknown numbers.

Other restrictions cut off wired connections with a computer or accessory when an iPhone is locked and, most importantly, prohibit configuration profiles — a feature that's been abused to sideload apps bypassing the App Store — from being installed.

The tech giant also noted that it plans to incorporate additional countermeasures to Lockdown Mode over time, while simultaneously inviting feedback from the security research community to identify "qualifying findings" that will be eligible for up to $2 million in bug bounties.

It's worth noting that the feature will not be switched on by default, but can be accessed by heading to Settings > Privacy & Security > Lockdown Mode.

The announcement arrives a month after Apple debuted a new Rapid Security Response feature in iOS 16 and macOS Ventura that aims to deploy security fixes without the need for a full operating system version update.

Google and Meta offer analogous software features known as Advanced Account Protection and Facebook Protect that are meant to secure the accounts of individuals who are at an "elevated risk of targeted online attacks" from takeover attempts. But it won't be surprising if Google follows suit with a similar feature on Android.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware

By Deeba Ahmed
Palo Alto Networks’ Unit 42 security researchers have discovered that Russian state-sponsored hackers are abusing the latest Brute…
This is a post from HackRead.com Read the original post: Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks

Palo Alto Networks’ Unit 42 security researchers have discovered that Russian state-sponsored hackers are abusing the latest Brute Ratel C4 or BRc4 attack simulation/penetration testing tool in their recent and active attacks.

**Hackers Using BRc4 to Evade Detection?**

Unit 42 threat intelligent experts wrote in their report that the malicious payload linked with the BRc4 tool allows it to evade detection by most commonly used security products. Moreover, researchers believe that hackers are targeting entities worldwide, but primarily their targets are located in South and North America.

In a warning issued by the researchers, they have urged the cybersecurity fraternity to look for signs of malware, including the BRc4 tool. Researchers dubbed it a “uniquely dangerous” tool designed to avoid detection by EDR (endpoint detection and response) and AV (antivirus) scanners.

**How was The Abuse Detected?**

According to Palo Alto Networks’ researchers, someone uploaded a document to the VirusTotal website for inspection in May 2022. This document included a BRc4-associated payload. Surprisingly, 56 of VirusTotal scanners couldn’t recognize the malware, after which it was assigned Benign status. 

**Possible Perpetrator?**

Researchers identified that the malicious payload’s packaging hinted at the involvement of the APT29 group (Advanced Persistent Threat group 29) The Dukes or Cozy Bear as the deployed tactics were similar to this group. CozyBear is a Russian state-sponsored hacker group. Previously it was involved in the devastating Solar Winds attacks in 2020.

**What is BRc4 Tool, and What are its Capabilities?**

Dark Vortex sells this penetration testing tool. It is similar to the commercially available, legit Cobalt Strike attack simulation tool, which IT departments mainly use in testing defenses and staff training.

Previously, attackers used illegal versions of Cobalt Strike for scanning victims in their attacks, and now they are abusing BRc4. This tool has been used since 2020, mainly by Indian security engineer Chetan Nayak (aka Paranoid Ninja) who used to work for red teams at mainstream western security vendors.

However, the product was recently commercialized. Nayak explained that this tool was designed for reverse-engineering major security products. But Unit42 researchers claim it is a relatively new tool that boasts similar capabilities as Cobalt Strike. Once installed, BRc4 can capture screenshots, create Windows system services, patch AMSI, and upload/download documents.

**Attack Delivery Mechanism**

The malicious, self-contained, and benign ISO file is included in the primary lure file, which is a Windows shortcut file (LNK) disguised as an MS Word file, complete with the fake Word icon. The file is sent to the target via spear-phishing, or the victim downloads it by a second-stage downloader.

An analysis of the files shows it appears to be a CV for someone named Roshan Bandara, but this is actually the main malicious file. This file appears on the user’s hard drive after double-clicking, and when the lure file is clicked, it installs the BRc4.

Researchers discovered 41 malicious IP addresses, 9 BRc4 samples, and three impacted organizations.

> “While we lack insight into how this particular payload was delivered to a target environment, we observed connection attempts to the C2 server originating from three Sri Lankan IP addresses between May 19-20.”
> 
> Unit 42

**More Russian Hackers Topic**

*   Russian language hacking forums warming up to Chinese hackers
*   Pro-Russia Killnet Group Hit Top Lithuanian websites with DDoS Attacks
*   BlackGuard Password Stealing Malware Sold on Russian Hacking Forums
*   New Russian Android Malware Tracks GPS Location and Spies on Victims
*   Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks

OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.

CVE-2021-4234: Access Server Release Notes | OpenVPN

Starting with iOS 16, people who are at risk of being targeted with spyware will have some much-needed help.

The surveillance-for-hire Industry has emerged in recent years as a very real threat to activists, dissidents, journalists, and human rights defenders around the world, as vendors offer increasingly invasive and effective spyware to governments. The most sophisticated of these tools, like NSO Group's notorious Pegasus spyware, target victims' smartphones using rare and sophisticated exploits to compromise Apple's iOS and Google's Android mobile operating systems. As the situation has deteriorated for victims, activists and security experts have increasingly called for more drastic measures to protect vulnerable individuals. Now Apple has an option.

Today, Apple is announcing a new feature for its upcoming iOS 16 release called Lockdown Mode. Apple emphasizes that the feature was created for a small subset of users who are at high risk of government targeting, and it doesn't expect the feature to be widely adopted. But for those who want to use it, the feature is an alternate mode of iOS that heavily restricts the tools and services that spyware actors target to take control of victims' devices.

“This is an unprecedented step for user security for high-risk users,” Ron Deibert, director of the University of Toronto's Citizen Lab said on a call with reporters ahead of the announcement. “I believe that this will throw a wrench into their modus operandi. I expect \[spyware vendors\] to try to evolve, but hopefully, this feature will prevent some of those harms from happening down the road.”

Lockdown Mode is a separate operating system mode. To turn it on, users enable the feature in the Settings menu and then are prompted to restart their device for all of the protections and digital defenses to fully take effect. The feature imposes limitations on the leakiest parts of the operating system sieve. Lockdown Mode attempts to comprehensively address threats from web browsing, for example, by blocking many speed and efficiency features that Safari (and WebKit) use to render webpages. Users can specifically mark a certain webpage as trusted so it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend anywhere WebKit is working behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same Lockdown Mode protections will apply. 

Lockdown Mode also limits all sorts of incoming invitations and requests, unless the device has previously initiated a request. That means your friend won't be able to call you on FaceTime, for example, if you've never called them. And to take it one step further, even when you initiate an interaction with another device, Lockdown Mode only honors that connection for 30 days. If you don't talk to a particular friend for weeks after that, you'll need to reestablish contact before they can reach out to you again. In Messages—a frequent target of spyware exploitation—Lockdown Mode won't show link previews and will block all attachments with the exception of a few trusted image formats.

Lockdown Mode also strengthens other protections. For example, when a device is locked, it won't receive connections from anything physically plugged into it. And, crucially, a device that isn't already registered with one of Apple's enterprise mobile device management (MDM) programs can't be added to one of these schemes once Lockdown Mode is turned on. This means that if your company gives you a phone enrolled in the corporate MDM, it will remain active if you then enable Lockdown Mode. And the manager of your MDM can't remotely turn off Lockdown Mode on your device. But if your phone is just a regular consumer device and you put it in Lockdown mode, you won't be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way of gaining the ability to install malicious apps on their devices.

Apple says the idea of Lockdown Mode feels foreign because iOS has always been developed to offer all security protections to every user. But the company saw the necessity to take drastic action as more and more spyware victims emerged worldwide. The company says it plans to continue refining Lockdown Mode and expanding it as needed. It also added a new category to its bug bounty program to reward researchers up to $2 million for finding flaws in Lockdown Mode or total bypasses. 

The company also pledged in November to donate $10 million to research and defense related to targeted spyware. On Wednesday, Apple is announcing that this money will become a grant to the Ford Foundation's Dignity and Justice Fund. At launch, advisers for the fund will come from Access Now, Citizen Lab, the Engine Room, Amnesty International, and Apple.

“The mercenary spyware industry is facilitating the spread of authoritarian practices,” Citizen Lab's Deibert emphasizes. “I applaud Apple for developing Lockdown Mode. It will be a major blow to mercenary spyware companies.”

Targeted spyware has proved a complicated threat to counter, and the industry is only growing. But a radical new defense can only help potential targets around the world who are exposed and in dire need of resources.

Apple’s Lockdown Mode Aims to Counter Spyware Threats

The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide.

A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.

The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.

The PII ranged from photos of airline employees and national ID cards — which could present a serious threat if leveraged by terrorist groups or criminal organizations — to information about planes, fuel lines, and GPS map coordinates.

The bucket (now secured) contained information dating back to 2018, the report says, noting Android mobile apps also were contained within buckets, which security personnel tap to help with incident reporting and data handling.

"Airport security protects the lives of travelers and airport staff," the report explains. "As such, this breach is extremely dangerous with potentially devastating consequences should the bucket’s content end up in the wrong hands."  

As travel picks up dramatically following restrictions during the pandemic, Fortune Business Insights found that the global smart airport market size is set to be driven by the rising preference of the masses for air travel. The report also says that the expansion of commercial aviation is set to affect the market positively in the coming years, as airports increasingly turn to cloud service providers to house and process massive amounts of passenger and operational data.

Perhaps it's no wonder that travel-related organizations have been increasingly targeted of late. For instance, airlines have been the target of ransomware this year, including India's low-cost carrier SpiceJet, which weathered an attack in May that caused widespread flight delays. 

At the same time, multiple cybercrime groups have been spotted selling stolen credentials and other sensitive PII pilfered from travel-related websites and cloud databases, according to security firm Intel 471's tracking.

**Cloud Security Still Porous**

Back in 2019, Gartner stated that "90% of organizations that fail to control public cloud use will inappropriately share sensitive data." And that worry continues today: A recent IDC survey of CISOs in the US found that 80% of respondents are not able to identify excessive access to sensitive data in cloud production environments.

"Unfortunately, news headlines like these highlight examples of a data breach due to a simple, but harmful misconfiguration: an unsecured, exposed cloud storage service," according to Skyhigh's analysis. "Complexities around identity management, access permissions, secure configurations, data protection, and so much more, continuously result in poor cloud security hygiene and ultimately, data exposures."

And indeed, there has been no shortage of cloud security incidents recently — with misconfigurations leading the way. Cybercrime goals in subverting open databases can go beyond data pilfering, it should be noted, as shown by the recent discovery of Denonia, a Go-language-based cryptominer malware. It's designed to exploit AWS Lambda, the serverless function execution service.

Also, vulnerabilities in cloud products and services have become a growing concern for organizations, with a Linux container-escape flaw in Microsoft's Azure Service Fabric among the latest vulnerabilities disclosed.

The good news? One potential cloud security resource was recently established by security researchers at Wiz in the form of a community-based database — cloudvulndb.org — which currently lists some 70 cloud security issues and vulnerabilities.

**How to Protect Against Cloud Threats**

A recent survey of 500 security practitioners and 200 executives, conducted by cloud automation firm Lacework, indicated organizations must change the way they're securing cloud infrastructure and services.

Skyhigh’s report notes increasing read/write privileges are often the go-to for further strengthening cloud security. However, "in reality it will take far more than that; thanks to the extensive manners by which cloud storages can be accessed and misused," the report states.

So, other measures that the firm said should be implemented include: 

*   Enable automatic scanning for vulnerable storage across AWS S3 buckets and Azure Blobs.
*   Use continuous configuration audits for IaaS accounts and services to enforce consistent protection.
*   Enforce compliance checks against industry best practices to maintain secure postures.
*   Run data loss prevention and malware scans to detect violations in cloud-storage services and protect sensitive data from being exfiltrated.
*   Put measures in place to detect insider threats as well as threats from compromised accounts and privileged-access misuse.
*   And apply automatic remediation to take appropriate action against misconfigurations, vulnerabilities, and exposures.

Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake'

In audio DSP, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558844; Issue ID: ALPS06558844.

CVE-2022-21787: July 2022

The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. An attacker that opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient().

**Next Possible Facebook Development Focus- Voice-Based Browsing**

Facebook is still the leading social network on the planet. It is not resting on its laurels and be overtaken by the competition. It is actively seeking different ways to develop and improve its main product to continue leading the pack. One possible focus of development may possibly be voice-based browsing. If Facebook’s current actions \[…\]

Continue Reading...

**Yahoo Takes Top Spot Overtakes Google In US Traffic**

Struggling Web media company Yahoo has gone through many ups and downs during the previous years. One of the original brands still surviving since the early days of the World Wide Web, Yahoo has since fallen considerably from its top perch as one of the more popular websites that helped in making the Web what \[…\]

Continue Reading...

**Tablet Shipments Predicted To Outpace PCs by 2015**

Many experts have long predicted the gradual decline of desktop personal computers in terms of demand. The advances in mobile computing have greatly affected the market as an increasing number of people prefer using laptops, smartphones and tablets. As more and more choices for mobile devices become available, things are not boding well for the \[…\]

Continue Reading...

**Gartner Reports 102 Billion App Store Downloads for 2013**

The app market has become a very lucrative market now that smartphones have taken over. People now use their mobile phones for doing many things other than making phone calls. Thanks to apps, the smartphone has become a versatile product that further makes them more appealing. And because of this, app downloads have seen a \[…\]

Continue Reading...

**Toyota Announces Cars On Auto-Pilot In Five Years**

When you take out the new flashy designs and features of cars today, you will notice that nothing revolutionary have been introduced. What may be seen as innovative lately are the use of hybrid engines that combine gas and electric power to run cars and save up on fossil fuel. You can also add GPS \[…\]

Continue Reading...

**Intel Reports Solid 3rd Quarter Earnings But With Cautious 4th Quarter Outlook**

Computer chip maker Intel recently reported a solid third quarter with better than expected earnings. But outlook for the fourth quarter remains cautious as not all business groups within the company enjoyed earnings improvements. The company reported third quarter earnings of $ 3 billion from a revenue of $ 13.5 billion, just similar to the \[…\]

Continue Reading...

**BlackBerrys BBM App Gets 10 Million Downloads In A Day**

Beleaguered BlackBerrysmartphone maker Research In Motion may have found a way to stay afloat. The company has struggled in recent years due to tight competition from iOS and Android smartphones. Its latest BlackBerry Z10 smartphone had a lukewarm reception from consumers. Although the exact sales figures are not yet known, since the company has not \[…\]

Continue Reading...

**Smartphones Now Take Up 70 Percent Of Teen Market 79 Percent For Young Adults**

It seems that feature phones are now going the way of the pager, if it has not already yet. More and more people now think of mobile phones as more than just a device to use for calling or texting. The market is becoming saturated with smartphones that allow users to do more than just \[…\]

Continue Reading...

**Twitter Goes Public Now What**

The Twitter IPO has finally pushed through after months and months of speculation. The way it is going, analysts are saying that it is faring better than when social network Facebook’s IPO of last year. The social network experienced a sudden decline in its share price in the weeks following the IPO. It took about \[…\]

Continue Reading...

**Bitcoin Popularity A Currency Revolution**

Just a couple of years ago, most people in the financial sector may not have heard of Bitcoin, the digital currency that is currently becoming a rage. In a matter of months, this fledgling digital currency has received quite an amount of publicity that has driven its name at the forefront. Suddenly, this little-known digital \[…\]

Continue Reading...

**Recent Posts**

CVE-2022-24141: iTop- Technology News

By Deeba Ahmed
Those still using older versions of the Android operating system are at risk. Microsoft’s 365 Defender team has detected a…
This is a post from HackRead.com Read the original post: Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

****Those still using older versions of the Android operating system are at risk.****

Microsoft’s 365 Defender team has detected a new and evolving Android malware that targets users’ crypto wallets to steal funds without raising suspicion. According to researchers; the malware hunts for devices still using older versions of Android OS.

Toll fraud falls into a billing fraud subcategory that automatically signs the user for a premium service without asking for user content. Since it is continuously evolving, researchers regard it as dangerous Android malware.

**A Novel Fraud**

The malware has a unique attack approach compared to other billing frauds such as call or SMS fraud. Where other types of scams utilize standard attack flow involving making calls or sending messages to premium numbers, toll fraud uses a complicated multi-step attack flow, which the malware developers are continually improving.

Furthermore, Microsoft explained that the malware targets “specific network operators” and performs its routines only if the device is subscribed to one of its approved network operators. And it uses cellular data for its malicious operations by default. In fact, it forces devices to connect to a mobile network even when a Wi-Fi connection is available.

**Attack Scenario**

According to the findings shared by Microsoft’s researchers, the evolving toll fraud scheme exploits the Wireless Application Protocol (WAP) billing mechanism to target Android users. For your information, applications use WAP to charge users for paid content via their mobile phone bills. But, the malware can easily enroll the user in premium services since it utilizes cellular networks to function.

The attack chain commences when the user disconnects from a Wi-Fi network and connects to a mobile network. The Android malware quickly launched the subscription page and automatically subscribed the user to the service.

Once this is done, the malware reads a one-time password (OTP), if any, and fills the required fields to finish the subscription process. The attackers then disguise this activity by disabling SMS notifications.

**Possible Dangers**

According to Microsoft’s blog post, Toll fraud poses numerous risks, including the unwanted increase in your monthly phone bill. Since the malware hides behind legitimate apps requiring a wide range of permissions, it becomes impossible to detect it. It hides behind apps requesting SMS permissions, personalization, editing access, and communication-related privileges. Such as wallpaper or lock screen apps, chat/messaging apps, fake antivirus, and cleaner and camera apps.

It must be noted that the malware targets phones running Android 9 or older versions. This means mobile phones using Android version 10 or higher are safe. Still, it is recommended to install antivirus apps for added protection and avoid installing apps from 3rd-party sources.

**More Android Malware News**

*   Play Store Apps Caught Spreading Android Malware to Millions
*   Watch out as new Android malware spreads through WhatsApp
*   Microsoft warns of new Android ransomware blackmailing victims
*   Web3 Backdoor Wallets Steals Seed Phrases from iOS/Android Phones
*   New Russian Android Malware Tracks GPS Location and Spies on Victims

Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.

A zero-day security vulnerability in Google Chrome for Android is being actively exploited in the wild, the Internet giant says.

The issue is a high-severity heap-buffer overflow bug (tracked as CVE-2022-2294) in WebRTC. WebRTC is an HTML5 specification that allows webpages to play real-time audio and video content inside the browser.

"Google is aware that an exploit for CVE-2022-2294 exists in the wild," the company said in its advisory on the issue.

As usual, Google is keeping the vulnerability's technical details close to the vest until a majority of users have updated their browsers, but heap-buffer overflows in general are memory issues that can lead to a range of bad outcomes if exploited. Possible outcomes include crashing the device, denial of service (DoS), remote code execution (RCE), and security-service bypasses.

Patrick Tiquet, vice president of security and architecture at Keeper Security, did some delving into the issue, and says that bug does indeed allow RCE.

"CVE-2022-2294 is a serious vulnerability that could lead to arbitrary remote code-execution by simply visiting a malicious website," he says. "This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information. Windows and Android Chrome users should ensure that they install the latest updates to protect themselves."  

To address the flaw, Google released Chrome 103 (103.0.5060.71) for Android on Monday – it said that the update would be rolling out on Google Play "over the next few days."

The update fixes two other security bugs as well: One is a high-severity type-confusion bug (CVE-2022-2295) in Google's V8 open source JavaScript engine, which earned a $7,500 bug bounty for reporters avaue and Buff3tts at S.S.L.; and the other is an unspecified fix that was discovered internally. Type-confusion issues can also lead to code execution, crashes, and logical efforts.

Tiquet adds, "Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser."

**Fourth Exploited Chrome Zero-Day Bug in 2022**

The WebRTC flaw is the fourth zero-day in Chrome so far this year. Notably, in April Google disclosed a type-confusion vulnerability that is already being exploited in the wild (CVE-2022-1364), which affects the JavaScript and WebAssembly engine in the browser.

Another type-confusion problem in V8 (CVE-2022-1096) was patched in March; and the third was patched in February (CVE-2022-0609), after it was exploited by a North Korean-backed state advanced persistent threat, according to the Google Threat Analysis Group (TAG).

"With so many business and cloud applications depending on a web interface, browser vulnerabilities can be problematic," Mike Parkin, senior technical engineer at Vulcan Cyber, says. "Especially one as widely used as Chrome. It’s even worse when there are known exploits in the wild that leverage the vulnerability. Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly."

Google Chrome WebRTC Zero-Day Faces Active Exploitation

The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.

The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.

While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.

Chrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.

The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1**,** is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory,” according to the vulnerability’s listing on the Common Weakness Enumeration (CWE) website.

As per usual, Google did not reveal specific details about the bug, as it generally waits until most have updated to the patched version of the affected product. Indeed, updating is strongly recommended, as exploits for the vulnerability already exist in the wild, Google said.

Moreover, with scant details revealed about the flaw—a habit of Google’s that many security researchers find frustrating—at this point an update is really only way to defend against attacks exploiting the flaw. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.

Buffer overflows generally lead to crashes or other attacks that make the affected program unavailable including putting the program into an infinite loop, according to the CWE listing.  Attackers can take advantage of the situation by using the crash to execute arbitrary code typically outside of the scope of the program’s security policy.

“Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” according to the listing. “Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.”

****Other Fixes****

In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-2295 and reported June 16 by researchers “avaue” and “Buff3tts” at S.S.L., according to the post.

This is the third such flaw in the open-source engine used by Chrome and Chromium-based web browsers patched this year alone. In March a separate type-confusion issue in the V8 JavaScript engine tracked as CVE-2022-1096 and under active attack spurred a hasty patch  from Google.

Then in April, the company patched CVE-2022-1364, another type confusion flaw affecting Chrome’s use of V8 on which attackers already had pounced.

Another flaw patched in Monday’s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google. All of the flaws patched in this week’s update received a rating of high. The updates also includes several fixes from internal audits, fuzzing and other initiatives, Google said.

Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that was under active attack.

Tag

#android