By Deeba Ahmed
Bitdefender reports a surge in Stream-Jacking attacks on popular YouTube channels, distributing crypto scams and information stealers such as Redline.
This is a post from HackRead.com Read the original post: Stream-Jacking: Malicious YouTube Livestreams Aid Malware, Crypto Scams

Researchers observed that Tesla was the most targeted brand in the Stream-Jacking campaign, and these scams continue to increase on YouTube.

****_Executive Summary_****

*   **New research from Bitdefender has revealed shocking details of his threat actors hijacking YouTube accounts through stream-jacking.**

*   **The attack targets popular YouTube channels and lures their followers to a fake channel promising exclusive rewards.**

*   **The attackers use different tactics to lure channel followers, such as Livestream popups, infected links, and QR codes.**

*   **Researchers observed that Tesla was the most hijacked brand in this campaign.**

*   **The target accounts mostly had around ten million subscribers and up to 3.6 million views.**

Bitdefender has published new research, revealing a sudden rise in stream-jacking attacks targeted against high-profile, popular streaming services like YouTube and aimed at distributing malicious links or lures. The attacks lead to complete account takeover, but in some cases, the followers are lured towards mimicked channels promising rewards.

The focus of this research was stream-jacking attacks against YouTube. Researchers found that cybercriminals target accounts with large follower counts to spread fraudulent messages to the masses. They embed suspicious YouTube livestream popups in the end-users’ feeds promoting the same content but with malicious intentions. 

YouTube channels with large followership are desirable in this campaign as cybercriminals can easily monetize them after hijacking by demanding ransom from the owner or distributing malware/scams to their viewers/subscribers. These channels are primarily top-rated brands like Tesla, featuring millions of followers and billions of views.

Crypto scams on YouTube are a serious issue. In 2020, Apple co-founder Steve Wozniak sued YouTube over Bitcoin scams using his name. Wozniak accused YouTube and Google of enabling Bitcoin giveaway scams by failing to take action against them.

> _**“Observing such a “large-scale operation” made us wonder about the channels behind these scams, and, upon closer inspection, we noticed that most of the YouTube channels were, in fact, hijacked/stolen.”**_
> 
> Bitdefender

The modus operandi is generally the same involving phishing attacks. Cybercriminals send emails presenting opportunities for the owner, such as brand collaboration or sponsorship deals.

Sometimes, they may send fake copyright notices from YouTube to the owner. This email, designed as a legitimate business proposition, encourages the recipient to download a malicious file presented as a crucial element of the collaboration offer. It is usually a PDF file carrying the Redline Infostealer malware. It is a large file (over 300 MB) and can easily bypass most standard security mechanisms.

When it is opened, within 30 seconds, it starts collecting vital data from the computer, including session tokens and cookies. With this information, the attacker can access the YouTube channel directly, even if the user has enabled 2FA. After gaining control of the account, attackers re-broadcast or re-upload content after embedding a scam.

The commentary sections of these malicious livestreams could be enabled or disabled, but the catch is that subscribers of 10 to 15 years are allowed to comment. Most of the content featured on the hijacked channels are livestream scams, indicating that the original videos and playlists were made private or deleted.

Attackers also edit channel descriptions as per their requirements, but the channels also feature official Tesla playlists to create legitimacy, leaving the original owner with nothing.

> _**“The process is very likely automated, as conducting an operation on such a large scale would be time-consuming and could potentially give the actual owner of the channel enough time to spot suspicious behaviour.”**_
> 
> Bitdefender

****The Second Part****

According to Bitdefender’s report, the second part of the attack is targeting account subscribers/viewers with fraudulent offers. Attackers use several techniques to deceive channel subscribers, such as livestream popups, malicious links, and QR codes.

The mimicked channels try to create a sense of legitimacy by using official names, for instance, Tesla US, Tesla Official, Tesla (INC), and Tesla News, but, in reality, most account names involve homoglyphs where the letter L is substituted for an uppercased i (I) and include noise characters such as ‘\_’ (for instance, @tesla—us\_, @tesla—corp., @tesla\_us\_live24, etc.).

The maximum number of thumbnails in this attack features Elon Musk. The titles are also the same and less diverse. Such as:

*   Rebrands to X!
*   A New Era for Tesla Model 3 – Live Reveal with Elon Musk!
*   A New Era for Tesla Model 3 – Live Reveal with Elon Musk! Twitter
*   Live Stream of Tesla Model 3 2024 Unveiling with Elon Musk!
*   CEO Elon Musk Presents: Live Reveal of Upgraded Tesla Model 3

The videos’ descriptions, tags, thumbnails, and channel banners are also the same. Official Tesla streams mostly inspire stream titles. Sometimes, the channel name stays the same due to YouTube’s policy of two changes in two weeks, and when YouTube detects malicious activity, the account sadly gets deleted. 

Elon Musk and Tesla are the most abused Brands in YouTube scams (Screengrabs: Bitdefender)

In some instances, researchers noted a QR code embedded in the video leading to a phishing website, and if the comments section is enabled, the same link is posted there by the moderator, and sometimes the link is directly featured on the video. The malicious links promise similar rewards, such as sending cryptocurrency (e.g. bitcoin, Ethereum, BNB, USDT, Inu, Dogecoin, or Shiba) to get double the amount. 

Sometimes, the looped audio/video in the livestream are high quality, genuine-looking, deep fakes of Elon Musk. They also suggest a Telegram channel where the attackers promote phishing kits like those featured on the hijacked channel. Over 1300 crypto scams came from the same kits featured on over 150 websites, all with Cloudflare protection.

YouTube channel owners must remain vigilant and use strong, unique passwords, enable multiple layers of security (2FA or MFA), and install software to detect phishing attacks.

****_RELATED ARTICLES_****

1.  Fake YouTube Android Apps Used to Distribute CapraRAT
2.  New YouTube phishing scam using authentic email address
3.  British Military’s YouTube Accounts Hacked to Scam Crypto Users
4.  Hackers using smart home devices to live stream swatting attacks
5.  Google details cookie stealer malware campaign targeting YouTubers

Stream-Jacking: Malicious YouTube Livestreams Aid Malware, Crypto Scams

New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy.
DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41.
On

Mobile Security / Spyware

New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named **LightSpy**.

**DragonEgg**, alongside **WyrmSpy** (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41.

On the other hand, details about LightSpy came to light in March 2020 as part of a campaign dubbed Operation Poisoned News in which Apple iPhone users in Hong Kong were targeted with watering hole attacks to install the spyware.

Now, according to Dutch mobile security firm ThreatFabric, the attack chains involve the use of a trojanized Telegram app that's designed to download a second-stage payload (smallmload.jar), which, in turn, is configured to download a third component codenamed Core.

Further analysis of the artifacts has revealed that the implant has been actively maintained since at least December 11, 2018, with the latest version released on July 13, 2023.

The core module of LightSpy (i.e., DragonEgg) functions as an orchestrator plugin responsible for gathering the device fingerprint, establishing contact with a remote server, awaiting further instructions, and updating itself as well as the plugins.

"LightSpy Core is extremely flexible in terms of configuration: operators can precisely control the spyware using the updatable configuration," ThreatFabric said, noting that WebSocket is used for command delivery and HTTPS is used for data exfiltration.

Some of the notable plugins include a locationmodule that tracks victims' precise locations, soundrecord that can capture ambient audio as well as from WeChat VOIP audio conversations, and a bill module to gather payment history from WeChat Pay.

LightSpy's command-and-control (C2) comprises several servers located in Mainland China, Hong Kong, Taiwan, Singapore, and Russia, with the malware and WyrmSpy sharing the same infrastructure.

ThreatFabric said it also identified a server hosting data from 13 unique phone numbers belonging to Chinese cell phone operators, raising the possibility that the data either represents the testing numbers of LightSpy developers or victims'.

The links between DragonEgg and LightSpy stem from similarities in configuration patterns, runtime structure and plugins, and the C2 communication format.

"The way the threat actor group distributed the initial malicious stage inside popular messenger was a clever trick," the company said.

"There were several benefits of that: the implant inherited all the access permissions that the carrier application had. In the case of messenger, there were a lot of private permissions such as camera and storage access."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware

Location-enabled tech designed to make our lives easier is often exploited by domestic abusers. Refuge, a UK nonprofit, helps women to leave abusive relationships, secure their devices, and stay safe.

Pick up any piece of tech and Emma Pickering knows how it can be used to abuse, harass, and stalk women. Amazon’s Ring home doorbell cameras can monitor when someone leaves the house and who is visiting them. Until recently, Netflix showed the IP addresses where users were logged in, allowing their location to be tracked. Workout apps and websites such as Strava show where and when people are exercising. And abusers often slip small GPS trackers or audio recorders into women’s belongings or attach them to their cars.

“Perpetrators buy them in bulk, and they’ll buy probably 60 very cheaply; they’re very small and discrete,” says Pickering, who works at Refuge, the UK’s largest domestic abuse organization, where she heads a team that helps women secure their devices. Pickering says that in one case “over 200” recording devices were found in a woman’s home.

Refuge launched its Technology-Facilitated Abuse and Economic Empowerment Team in 2017, amid a surge of abusers weaponizing apps, devices, and online services to harm women. The charity helps women and their children leave abusive relationships, providing emergency accommodation, legal help, financial aid, and more. Almost every case now involves technology in some form, Pickering says, and the issue is so serious that every person the organization places into a refuge goes through a tech assessment to secure their accounts. The tech abuse team, which is made up of 11 people, is the only one of its kind in the UK and just one of a handful of similar organizations around the world.

Technology-facilitated abuse can range from harassment via phone call or text message to logging into someone’s social media and email accounts without their permission, which allows abusers to read, delete or send messages. In more extreme cases, they might install “stalkerware” on victims’ phones to monitor every tap and scroll. Nonconsensual image-sharing, commonly known as “revenge porn,” and economic abuse, where money and banking apps may be controlled by an abuser, are also frequent. In August, a report from MPs in the UK concluded that tech abuse is becoming “increasingly common.”

Pickering says her team primarily focuses on helping people in the more severe cases. “Firstly, we need to establish if it’s safe to speak to them on their device,” she says. If it isn’t, Refuge will send women a burner phone and then set them up with a new email address, using the encrypted email service Proton Mail, before sending them extra information. It’s the start of a meticulous process—known as an “attack assessment” by the team—to secure accounts and devices.

“We go through everything,” Pickering says. Refuge will ask the person they are helping to list every device and online account they and any children have. These can easily number into the hundreds. “Within the home, if they’ve fled the relationship, we also need to check anything they’ve left behind to unsync from any devices or accounts that they could still be using back home.” This will include products like Google Home Hubs, and Amazon’s Ring doorbells and Alexa, and it requires checking who set up the devices and is the administrator of the accounts, as well as which names phone contracts are in. From there, a safety plan is created, Pickering says. This can include going through the accounts and checking settings for who has access to them, removing devices connected to accounts, using secure passwords, and setting up measures such as two-factor authentication. On average, Pickering says, it can take three weeks to get through the entire process, although more complex cases take much longer.

“I don’t think people realize how serious it is, the consequences for perpetrators to have access to this information, to see that there’s evidence in someone’s phone that they’re planning to leave a relationship, read emails about financial settlements, child contact orders—it puts someone at really significant risk,” Pickering says. Even for those in nonabusive relationships, the charity has created a digital breakup tool with cybersecurity firm Avast to detail the process of separating everything from delivery apps to gaming accounts from former partners.

While the technology itself isn’t usually the problem—it’s how abusers use it to harass their victims that creates the issues—Pickering says tech companies don’t put enough thought into how their services can be used maliciously. They also don’t put enough effort into preventing such abuses. They’re not “considering having features built in that can mitigate these risks,” she says.

For instance, Apple launched its small AirTag GPS tracker without many safety features, and dozens of people have subsequently reported being tracked by the devices. (The company has made some improvements and is now working with other tracker manufacturers to make it easier to identify trackers someone has placed on your belongings). One of the biggest issues currently, Pickering says, is satellite navigation systems within cars. “My car, for instance, if I drive it somewhere, it’s connected to an app, and I don’t know how many people are on my app, it doesn’t give me notifications,” she says. There are also boundary settings that can alert a vehicle’s owner if it travels beyond a specific set of locations.

Aside from designing products better, tech companies need to make it easier for people to understand the settings on their phone and digital accounts. “Many people come to us and their confidence around tech is very limited,” Pickering says. “We have to do a lot of work with them initially to make them feel comfortable.”

While tech abuse is rising, Pickering aims to increase understanding around the problem and tackle some of the issues at its roots. “We’ve got a really big ambition to train the police,” she says, adding that officers often don’t know what to look for in cases of tech abuse and may not take issues seriously. The Refuge team has already worked with one tech company, which she says she cannot name due to an NDA, to advise on safety. “Amazon and Google could work with us,” Pickering says. “And we could help make sure that their products are developed with safety in mind.”

_This article first appeared in the November/December 2023 issue of WIRED UK._

The Team Helping Women Fight Digital Domestic Abuse

By Waqas
Artificial intelligence has the potential to revolutionize healthcare, and it is already making remarkable strides.
This is a post from HackRead.com Read the original post: AI in Healthcare: ChatGPT Helps Boy Get Diagnosis After Doctors Fail

ChatGPT accurately diagnosed a 10-year-old boy with tethered cord syndrome, while IBM’s AI system, Watson, identified an exceedingly rare form of leukaemia in a Japanese woman. In both instances, medical professionals were unable to make the correct diagnosis.

Remember when the **Apple Watch made headlines** for saving lives? Now, Artificial Intelligence is doing the same. A 10-year-old boy named Alex was finally diagnosed with tethered cord syndrome after seeing more than a dozen doctors who were unable to find the cause of his chronic pain. Alex’s mother, Courtney, said that she was “frustrated and desperate” when she decided to try **ChatGPT**, an artificial intelligence-powered (AI) chatbot developed by OpenAI.

Courtney entered a detailed description of Alex’s symptoms into ChatGPT, and the AI system suggested that Alex might have tethered cord syndrome. According to **Today’s report** from early September of this year, Courtney then took Alex to see a new neurosurgeon, who confirmed that ChatGPT was correct. Alex underwent surgery to fix his tethered cord, and he is now recovering well.

On another remarkable occasion, artificial intelligence showcased its diagnostic expertise, outperforming human doctors. **Back in 2016**, IBM’s artificial intelligence system, Watson, played the hero, rescuing a Japanese woman by accurately pinpointing her illness.

Watson carefully analyzed her genetic data and cross-referenced it against a staggering database of 20 million clinical oncology studies. The result was a revelation: an exceptionally rare form of leukaemia that had eluded human detection.

****Generative AI will Revolutionise Healthcare****

These stories are a reminder of the potential of **AI to revolutionize healthcare**. AI systems can be used to analyze large amounts of medical data and identify patterns that would be difficult or impossible for humans to see. This can help doctors to diagnose diseases more accurately and efficiently.

In addition to helping with diagnosis, artificial intelligence can also be used to improve healthcare in other ways. For example, AI can be used to develop new treatments for diseases, to personalize treatment plans for individual patients, and to improve the efficiency of healthcare systems.

Here are some specific examples of how artificial intelligence is being used to improve healthcare and diagnoses today:

*   **AI-powered diagnostic tools:** AI systems are being developed to help doctors diagnose diseases more accurately and efficiently. For example, AI systems can be used to analyze medical images, **such as MRI scans and X-rays**, to identify abnormalities that may be indicative of a disease.

*   **AI-powered drug discovery:** AI systems are being used to develop new drugs and treatments for diseases. One such example is Google’s two AI systems called **Target and Lead Identification Suite**. AI systems can be used to analyze large datasets of genetic and medical data to identify potential drug targets and to design new drugs that are more likely to be effective and less likely to have side effects.

*   **AI-powered personalized medicine:** AI systems are being used to personalize treatment plans for individual patients. For example, AI systems can be used to analyze a patient’s genetic profile and medical history to **identify the best treatment options** for that patient.

*   **AI-powered healthcare efficiency:** AI systems are being used to **improve the efficiency** of healthcare systems. For example, AI systems can be used to automate tasks such as scheduling appointments and managing patient records.

Artificial intelligence has the potential to revolutionize healthcare and make it more accessible and affordable for everyone. As AI systems continue to develop, we can expect to see even more innovative ways to use AI to improve healthcare and diagnoses.

In the future, AI is likely to play an even greater role in healthcare. AI systems are being developed to provide remote patient monitoring, develop new ways to deliver care and address the growing problem of healthcare disparities.

For example, AI systems could be used to develop wearable devices that can track patients’ vital signs and transmit data to doctors in real-time. This could help doctors to monitor patients who are at risk of developing complications and to intervene early if necessary.

AI systems could also be used to develop new ways to deliver care in remote and underserved communities. For example, AI could be used to develop telemedicine platforms that allow patients to see doctors remotely using video conferencing.

Artificial intelligence has the potential to make healthcare more accessible and affordable for everyone. By improving diagnosis, developing new treatments, and personalizing care, AI can help people to live longer and healthier lives.

****_RELATED ARTICLES_****

1.  China’s Baidu Introduces ChatGPT Rival Ernie Bot
2.  Using GenAI in Your Business? Here Is What You Need To Know
3.  Apple Watch saves life by notifying user about unusual heart rate
4.  ChatGPT Update Enables Chatbot to “See, Hear, Speak” with You
5.  How Collaboration Across Platforms Could Supercharge AI Performance

AI in Healthcare: ChatGPT Helps Boy Get Diagnosis After Doctors Fail

New research has found that some streaming devices and dozens of Android and iOS apps are secretly being used for fraud and other cybercrime.

When you buy a TV streaming box, there are certain things you wouldn’t expect it to do. It shouldn’t secretly be laced with malware or start communicating with servers in China when it’s powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that’s been the reality for thousands of unknowing people who own cheap Android TV devices.

In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg. Today, cybersecurity firm Human Security is revealing new details about the scope of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes.

Human Security researchers found seven Android TV boxes and one tablet with the backdoors installed, and they’ve seen signs of 200 different models of Android devices that may be impacted, according to a report shared exclusively with WIRED. The devices are in homes, businesses, and schools across the US. Meanwhile, Human Security says it has also taken down advertising fraud linked to the scheme, which likely helped pay for the operation.

“They’re like a Swiss Army knife of doing bad things on the internet,” says Gavin Reid, the CISO at Human Security who leads the company’s Satori Threat Intelligence and Research team. “This is a truly distributed way of doing fraud.” Reid says the company has shared details of facilities where the devices may have been manufactured with law enforcement agencies.

Human Security’s research is divided into two areas: Badbox, which involves the compromised Android devices and the ways they are involved in fraud and cybercrime. And the second, dubbed Peachpit, is a related ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed the apps following Human Security’s research, while Apple says it has found issues in several of the apps reported to it.

First, Badbox. Cheap Android streaming boxes, usually costing less than $50, are sold online and in brick-and-mortar shops. These set-top boxes often are unbranded or sold under different names, partly obscuring their source. In the second half of 2022, Human Security says in its report, its researchers spotted an Android app that appeared to be linked to inauthentic traffic and connected to the domain flyermobi.com. When Milisic posted his initial findings about the T95 Android box in January, the research also pointed to the flyermobi domain. The team at Human purchased the box and multiple others, and started diving in.

In total the researchers confirmed eight devices with backdoors installed—seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W. (Some of these have also been identified by other security researchers looking into the issue in recent months). The company’s report, which has data scientist Marion Habiby as its lead author, says Human Security spotted at least 74,000 Android devices showing signs of a Badbox infection around the world—including some in schools across the US.

The TV devices are built in China. Somewhere before they reach the hands of resellers—researchers don’t exactly know where—a firmware backdoor is added to them. This backdoor, which is based on the Triada malware first spotted by security firm Kaspersky in 2016, modifies one element of the Android operating system, allowing itself to access apps installed on the devices. Then it phones home. “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff,” Reid says.

Human Security tracked multiple types of fraud linked to the compromised devices. This includes advertising fraud; residential proxy services, where the group behind the scheme sell access to your home network; the creation of fake Gmail and WhatsApp accounts using the connections; and remote code installation. Those behind the scheme were selling access to residential networks commercially, the company’s report says, claiming to have access to more than 10 million home IP addresses and 7 million mobile IP addresses.

The findings tally with those of other researchers and ongoing investigations. Fyodor Yarochkin, a senior threat researcher at security firm Trend Micro, says the company has seen two Chinese threat groups that have used backdoored Android devices—one it has researched deeply, the other is the one Human Security looked at. “The infection of devices is quite similar,” Yarochkin says.

Trend Micro has found a “front end company” for the group it investigated in China, Yarochkin says. “They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time,” he says. Based on Trend Micro’s network data, Yarochkin believes these figures to be credible. “There was a tablet in one of the museums somewhere in Europe,” Yarochkin says, adding he believes it is possible that swaths of Android systems may have been impacted, including in cars. “It’s easy for them to infiltrate the supply chain,” he says. “And for manufacturers, it's really difficult to detect.”

Then there’s what Human Security calls Peachpit. This is an app-based fraud element, which has been present on both the TV boxes as well as Android phones and iPhones, Reid says. The company identified 39 Android, iOS, and TV box apps that were involved. “These are template-based applications—not very high quality,” says Joao Santos, a security researcher at the company. Apps about developing six-pack abs and logging the amount of water a person drinks were included.

The apps performed a range of fraudulent behavior, including hidden advertisements, spoofed web traffic, and malvertising. The research says that while those behind Peachpit appear different from those behind Badbox, it is likely they are working together in some way. “They have this SDK that did the ad fraud part, and we found a version of this SDK that matches the name of the module that was being dropped on the Badbox,” Santos says, referring to a software development kit. “That was another level of connection that we found.”

Human Security’s research says the ads involved were making 4 billion ad requests per day, with 121,000 Android devices impacted and 159,000 iOS devices impacted. There had been 15 million downloads in total for the Android apps, the researchers calculate. (The Badbox backdoor was found only on Android, not on any iOS devices.) Reid says that based on the data the company has, which isn’t a complete picture due to the complexity of the ad industry, those behind the scheme could have easily earned $2 million in one month alone.

Google spokesperson Ed Fernandez confirms the 20 Android apps reported by Human Security have been removed from the Play Store. “The off-brand devices discovered to be Badbox-infected were not Play Protect–certified Android devices,” Fernandez says, referring to Google’s security testing system for Android devices. “If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.” The company has a list of certified Android TV partners. Apple spokesperson Archelle Thelemaque says that it found five of the apps Human reported breaching its guidelines, and the developers were given 14 days to make them follow the rules. Four of them have done so, as of publication.

Toward the end of 2022 and in the first part of this year, Reid says, Human Security took action against the advertising fraud elements of Badbox and Peachpit. According to data shared by the company, the amount of fraudulent ad requests from the schemes taking place now has completely dropped off. But the attackers adapted to the disruption in real time. Santos says when the countermeasures were first deployed, those behind the schemes started by sending out an update to obfuscate what they were doing. Then, he says, those behind Badbox took down the C2 servers powering the firmware backdoor.

While the attackers have been slowed, the boxes are still in people’s homes and on their networks. And unless someone has technical skills, the malware is very hard to remove. “You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid says. Ultimately, for people buying TV streaming boxes, the advice is to buy branded devices, where the manufacturer is clear and trusted. As Reid says, “Friends don't let friends plug in weird IoT devices into their home networks.”

Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor

Apple Security Advisory 09-26-2023-9 - tvOS 17 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-9 tvOS 17

tvOS 17 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213936.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Airport  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved redaction  
of sensitive information.  
CVE-2023-40384: Adam M.

App Store  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

GPU Drivers  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Photos Storage  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Pro Res  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Simulator  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group, 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

Spotlight  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal, and Dawid Pałuska for their  
assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance. 

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Wi-Fi  
We would like to acknowledge Wang Yu of Cyberserval for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJoACgkQX+5d1TXa  
IvpJvw/+OKqntqggqPkx4TXqH+nCchp4wj3KCjmdtULgoYL2BStw+jXAl9Z/Wnyi  
uhg7YgboJb+jFc2UbYNG/w6Ks4qnh1P/4xwd8KfiGH+u0pblR24DDyNOPA6X+F4c  
CJ2jfagKi7xOM/Djm0mkrkZ1PeiXkx5k4bBLL+I8ckadCZinecn0tZur0gwAzN/y  
e113vKgGJDvVn257inJ063d7d+R4gdDNznMq4Mg5+gtbWoz9OZ6gHiTj+u8jwrlh  
+10ZOBtTHGQ612OptUB2FcyLn439CQhftHlc91L5Am2HsduesB6MBmtiZlfFMaca  
P8Vur6sh/k34roqaWVW2ljvMkqZMJSocTgjzMsVN87itikXT9ua5HbcInnkCMx+A  
8gtOnogY/lsm446Qu0mH0MYAZLSbQ9OYzJor9fax9PV+ysmOGn2SfM2o6DKPXjCE  
74+yFAiv+lo3yrr68SQea/PiDxhMt7+i/Ia7vO5gg1HkqANFc0//KC2pObdGSNu6  
cWJQUcGqOvU/jqnIO9WLXRnSDdXsRGLJ8xXSAYL8M2FdW5Md/tvQ3/p+/6kwXfnq  
cXwM/92G0mx1GFeapToP0NCjUwx4ARCw9d1Y+5keZ4gRaVOJzy/96WKzbc5blVGH  
C5RT/4ty1vpgbCcI8kmDt0WD2nvTnwoNgBaEti/iC3Lzu+M52wA=  
=Zq9i  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-9

Apple Security Advisory 09-26-2023-8 - watchOS 10 addresses bypass, code execution, out of bounds read, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-8 watchOS 10

watchOS 10 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213937.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

App Store  
Available for: Apple Watch Series 4 and later  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple Watch Series 4 and later  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple Watch Series 4 and later  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Passcode  
Available for: Apple Watch Ultra (all models)  
Impact: An Apple Watch Ultra may not lock when using the Depth app  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-40418: serkan Gurbuz

Photos Storage  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Safari  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to identify what other apps a user has  
installed  
Description: The issue was addressed with improved checks.  
CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to UI  
spoofing  
Description: A window management issue was addressed with improved state  
management.  
CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd.

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Share Sheet  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive data logged when a user  
shares a link  
Description: A logic issue was addressed with improved checks.  
CVE-2023-41070: Kirin (@Pwnrin)

Simulator  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins

TCC  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett  
(@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 249451  
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee  
(@l33d0hyun) of PK Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Books  
We would like to acknowledge Aapo Oksman of Nixu Cybersecurity for their  
assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Data Detectors UI  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal for their assistance.

Find My  
We would like to acknowledge Cher Scarlett for their assistance.

Home  
We would like to acknowledge Jake Derouin (jakederouin.com) for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School, Maddie Stone of Google's Threat  
Analysis Group, and 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJkACgkQX+5d1TXa  
Ivo3WhAA1an2sh+qEnBj7zKhCx64vpUB3B6ET0lh+vMjHwu3Z7ThtdEnjwUgs1SA  
5zzj3Jsf8Zb/ivyQ+jfI5IyUZxCT+sWn3t3CHN4jb1LTsxL/h9mrP42U01GTooju  
erIvHarH2gk/Qew99cPPok7MpyNVPmRfJ3juEIZOe4CjsKLsWz6HRsiIQE/nvMta  
NUIiF6/VTzdynDEFlK7iUWS31N2nN3pLhUFwOdKz1t1lCKpWBYsSPPms6nmFLeWJ  
3rfyDPzupAQxfhldfgdBpQvYzYiDpqRNUBrFJCKG8BaKpv87AZI7NKgNv4WYNWP9  
0P3IIIAvGVpCmNcjGl18K9hiigXfs+U0QPA6DD2O2hnsUmiUbLnEc4BpkK5KO+y1  
uteIDhV8IsN4n86h9IGY2nImJtbUSADhsIRkwdbI8Z80q4zLYteKuj83FztVgSx2  
/C382yyFqMZA8DnSy+CNbCp5AsHOPAgeC+sTvnLlPfPAyJMMSyoQk8S1ARx6fqog  
TEu8GPqOWjyol8gKTTnEqufLF+lmJbNxxAKLXt7rhpiy8Bl4GUYIooKta32MshVU  
fsoujI+xVfsGwev0QZIPa+ElCMj8r2GhHqBZ+ceifRhMPBJ/UcnP6Y+ekg26pVnI  
CbJ+Aj4WU3KKRdpKWP6TT8eIOq6tvYYMJKCylCVKFeEGkpB7sEE=  
=TnBb  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-8

Apple Security Advisory 09-26-2023-7 - iOS 17 and iPadOS 17 addresses bypass, code execution, out of bounds read, resource exhaustion, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 09-26-2023-7

Apple Security Advisory 09-26-2023-6 - Xcode 15 addresses memory disclosure, privilege escalation, and credential access vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-6 Xcode 15

Xcode 15 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213939.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Dev Tools  
Available for: macOS Ventura 13.5 and later  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

GPU Drivers  
Available for: macOS Ventura 13.5 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

iTMSTransporter  
Available for: macOS Ventura 13.5 and later  
Impact: An app may be able to access App Store credentials  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-40435: James Duffy (mangoSecure)

Xcode 15 may be obtained from:  
https://developer.apple.com/xcode/downloads/  To check that the Xcode  
has been updated:  * Select Xcode in the menu bar * Select About  
Xcode * The version after applying this update will be "Xcode 15".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJgACgkQX+5d1TXa  
IvrnUhAAnpI05QaADKuxrzNT8qK0AnI99sCvI1G+nRpN7FhvwAnBmMSiKPBNmpLb  
o79j75mhDYSJiojeiBR+YJBFWZUoeKWcaa4TnXWfM8CndzqAnzf7wdAoXjOsv7Li  
+e701hE3f2tsMIMhcHszvC//gVzCZotrLKCGn4bxGP4E7x4lkjj5IB9a4XxAVsgr  
OoDignacVkUmrys1nuqyWIsLDk1rAYvikqA03SmG2mRhTp86O6BhyJNHRfftEfmH  
ppD3kFlihLPUGwvqOULoNnxCkL1vlk9qt0VPQxDHZsEq6hW4/RqrHGBErDeAImhI  
0m8jOQ9raP8vAxT8tp4r86HQZBs6RDBsX8J8EwerUfW6eCoO0QRsWt9/JTbPHpxW  
MPIndWwwucJ/bC4nchOUKs3LzkRXZrmtuevvt4Z4A1pbhOYqPCojT+X/JD/7qtEm  
A/vJAO+75p8uJWn/BCF1sTzX68qMRoJUnHtOYjwgGzYZ7fg4oQVv8oIIzfxqZxiE  
pM6FdVbxbpvnpleTRvaqpjRLRb5LI8rqlMhiyRboItSmbGuAvaKgeT/9LJlA2wxA  
VWiw4lSgYJ5JvxfrsidvWtJYen7RJYyo/HiIAT1OETBIdFFSmxr5ZQvHKojmi4En  
R5z/7L6G5Xry7VE47tKbEGC3IeeojM9mjvDkpQoOfHfvoNbj1pw=  
=OVwh  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-6

Apple Security Advisory 09-26-2023-5 - macOS Monterey 12.7 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-5 Additional information for APPLE-SA-2023-09-21-7 macOS Monterey 12.7

macOS Monterey 12.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213932.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added September 26, 2023

Biometric Authentication  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-41232: Liang Wei of PixiePoint Security  
Entry added September 26, 2023

ColorSync  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-40406: JeongOhKyea of Theori  
Entry added September 26, 2023

CoreAnimation  
Available for: macOS Monterey  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic  
Entry added September 26, 2023

Disk Management  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins  
Entry added September 26, 2023

Game Center  
Available for: macOS Monterey  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security  
Entry added September 26, 2023

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
Entry added September 26, 2023

Kernel  
Available for: macOS Monterey  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxslt  
Available for: macOS Monterey  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security  
Entry added September 26, 2023

Maps  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)  
Entry added September 26, 2023

Sandbox  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)  
Entry added September 26, 2023

Additional recognition

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.  
Entry added September 26, 2023

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.  
Entry added September 26, 2023

WebKit  
We would like to acknowledge Khiem Tran, and Narendra Bhati From Suma  
Soft Pvt. Ltd, Pune (India) for their assistance.  
Entry added September 26, 2023

WebRTC  
We would like to acknowledge anonymous researcher for their assistance.  
Entry added September 26, 2023

macOS Monterey 12.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJgACgkQX+5d1TXa  
IvqcNQ/9GQlneQRhlET+3tkaIg7g0XJE+HkDOKOR/F5oi9yAkvpg5O+jAiwKq61E  
PXvBWN6b0dhrANcRswmEDF2SWVIbPLLnkne5F6XoA18SDVxOorUYXxdsXaOIVO3J  
Zssoxhc5cFLR41m8WqnJ2MqJHhPvjKAtFjqyUXiF/ZbBqrKtnYeiho+ueG/joDbb  
lMGf2AXUQQ5Zoc7J4EPgtlrBBXIeJobcRsFrYWnvimEADfyX87w7Idf5pfbrgmbu  
xy0B4742tPztEu7SvKpZzD9CqQU7Lpm+uK4JfiZjllkibe4sYyypyVptDGQRB08S  
WJ6zPXNA5Wm2F7Fjplx9m1qPqGen2kek5dBCT09QfqFwdnjp/tiAODmdHD+PYtdI  
ANoMRQ7J2i99mm8AtKpM279sNmF5byvpAYCJypJylmy0TRspvDfWv5ekfNutZ/iG  
JnTFck0V6j+a3VAKOvyDkP0kIpbEw4Efx7r9TBqcYJq+EkxZyRNlbqZyz21d7rpN  
aQKI5Q1hCZosOZt6ndeqsymJJatMsvFFV7QUKOyFYq9+WDaj1soOgeXQKcyX2LFN  
Iq7js+tS2t+r5A8t8tZEsEKfSObgOhX3gJhA81vbkVOM0NtqFHJj/YNBI16A16rz  
GNB6OtcLdc+omv5tu9g6WGGN7GVCspY4RmmnXnAJS2YKf1lZYAA=  
=bYk1  
-----END PGP SIGNATURE-----

Tag

#apple