Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.
Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch

Patch Tuesday / Windows Security

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.

Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -

*   **CVE-2023-35628** (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
*   **CVE-2023-35630** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35636** (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
*   **CVE-2023-35639** (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
*   **CVE-2023-35641** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35642** (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
*   **CVE-2023-36019** (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.

Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -

*   **CVE-2023-35638** (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
*   **CVE-2023-35643** (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
*   **CVE-2023-36012** (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability

The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks don't require any credentials, and work with the default configuration of Microsoft DHCP server."

The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said the "problems are either by design, or not severe enough to receive a fix," necessitating that users Disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.

**Software Patches from Other Vendors**

Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Android
*   Apache Projects (including Apache Struts)
*   Apple
*   Arm
*   Atlassian
*   Atos
*   Cisco
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Google Chromecast
*   Google Cloud
*   Google Wear OS
*   Hikvision
*   Hitachi Energy
*   HP
*   IBM
*   Jenkins
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek (including 5Ghoul)
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Qualcomm (including 5Ghoul)
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Sophos (backports a fix for CVE-2022-3236 to unsupported versions of the Sophos Firewall)
*   Spring Framework
*   Veritas
*   VMware
*   WordPress
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical

Apple has issued emergency updates that include patches for older iOS devices concerning two actively used zero-days that were patched for iOS 17 last week

Apple has issued emergency updates that include patches for older iOS devices concerning the two actively used zero-day vulnerabilities that were patched last week in newer devices.

Updates are available for:

Safari 17.2

macOS Monterey and macOS Ventura

iOS 17.2 and iPadOS 17.2

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.3 and iPadOS 16.7.3

iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

macOS Sonoma 14.2

macOS Sonoma

macOS Ventura 13.6.3

macOS Ventura

macOS Monterey 12.7.2

macOS Monterey

tvOS 17.2

Apple TV HD and Apple TV 4K (all models)

watchOS 10.2

Apple Watch Series 4 and later

The updates may already have reached you if you automatically update, but it doesn’t hurt to check if your device is at the latest update level.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Owners of devices running iOS 16.7 and iPad iOS 16.7 are especially encouraged to update as soon as possible, since the fixed issues may have been exploited against versions of iOS before iOS 16.7.1.

Apple doesn’t disclose, discuss, or confirm details about security issues until an investigation has occurred and patches or releases are available. But both vulnerabilities were credited to Clément Lecigne of Google’s Threat Analysis Group (TAG). 

Recently we saw an update for the Chrome browser which included a patch for an actively exploited zero-day vulnerability. That vulnerability was reported by TAG’s Benoît Sevens and the formerly mentioned Clément Lecigne. These Google TAG researchers are renowned for finding and disclosing zero-day vulnerabilities used in state-sponsored spyware attacks.

**We don’t just report on Android and iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today. And keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Update now! Apple issues patches for older iPhones and other devices 

By Waqas
Gaming influencers are advising CS2 players to refrain from playing the game at the moment.
This is a post from HackRead.com Read the original post: Gamers Warned of Potential CS2 Exploit That Can Reveal IP Addresses

Valve, the developer of Counter Strike 2, is expected to address the rumours surrounding the new CS2 exploit. Meanwhile, be cautious and watch out for suspicious links from unknown senders.

A recently uncovered CS2 exploit (apparently an XSS vulnerability) has raised concerns within the gaming community, posing a potential threat to player security. This exploit reportedly utilizes HTML code blocks in-game to display GIFs, placing gamers at risk.

A related screenshot has been circulating on Reddit and X (Twitter) – Credit: Ozzny on X

The implications extend to a broad spectrum of players, even those less inclined to frequent online play. Initially discovered by players experimenting with their Steam ID, the exploit allowed them to showcase NSFW GIFs to other players through the in-game kick menu.

Notable figures in the gaming community, including Ozzny, a CS2 creator with over 23,000 YouTube subscribers, have confirmed that those exploiting the glitch can access player IP addresses.

With concerns escalating about the exploit’s potential for executing code on gamers’ PCs, Ozzny and other experts strongly advise refraining from CS2 gameplay until the exploit is rectified.

> HUGE SECURITY EXPLOIT IN CS2 RIGHT NOW⚠️
> 
> This image has been going around reddit for the last few hours (very explicit, blurred for obvious reasons). People were saying it's fake, but it isn't.
> 
> Apparently, there is a security exploit with Steam names inside CS2, which allows… pic.twitter.com/lcQqsAB5Ba
> 
> — Ozzny (@Ozzny\_CS2) December 11, 2023

“Apparently, there is a security exploit with Steam names inside CS2, which allows people to change visual stuff inside the game with a simple HTML code linking an image. But this is not it you can also get the IPs of EVERYONE in the server using this method with the assistance of an IP Logger. (Not going to show much or explain how for obvious reasons, but it is very easy),” tweeted Ozzny.

In a Twitch video, Jason Thor Hall, an American cybersecurity researcher and game developer, highlighted the XSS vulnerability, urging gamers to refrain from CS2 until Valve, the developer, addresses the issue.

> — Ozzny (@Ozzny\_CS2) December 11, 2023

While the feasibility of code execution remains uncertain, the perceived risk is substantial, prompting a cautious approach. Gamers are strongly encouraged to suspend CS2 play until the exploit is patched, or clearance from Vavle is issued. The is expected to swiftly address the situation, with a fix expected shortly.

As a precautionary measure, users encountering a player with an in-game username resembling an HTML block are advised to exercise caution and avoid interaction. The safety of Steam accounts hinges on this vigilance. Updates will be provided as the situation develops.

If playing becomes unavoidable, it is crucial to remain vigilant against potential dangers, such as refraining from clicking on suspicious links or opening attachments from unknown senders.

****What exactly is an XXS vulnerability****

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. It allows a malicious user to inject client-side scripts into a web page viewed by other users.

The malicious code can then be used to steal user data, hijack user sessions, or redirect users to malicious websites. Here is a simplified explanation of how XSS works:

*   A user visits a web page that contains an XSS vulnerability.
*   The vulnerable web page accepts input from the user, such as a comment or a forum post.
*   The user’s input is not properly sanitized or validated before being displayed on the web page.
*   The malicious code is injected into the web page and executed in the user’s browser.

There is a discussion about this ongoing issue on Steam Community. Stay tuned for further updates as this story unfolds.

****_RELATED ARTICLES_****

1.  **Minecraft declared the most malware-infected game**
2.  **Hackers remotely interrupting GTA Online PC Gameplay**
3.  **Counter-Strike 1.6 game client 0-day exploited for Belonard trojan**
4.  **Gamers Beware: Crooks Relying on SeroXen RAT to Target Gamers**
5.  **Fake ROBLOX, Nintendo game cracks drop ChromeLoader malware**

Gamers Warned of Potential CS2 Exploit That Can Reveal IP Addresses

Debian Linux Security Advisory 5573-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5573-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonDecember 09, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-6508 CVE-2023-6509 CVE-2023-6510 CVE-2023-6511                  CVE-2023-6512Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), the updates are pending andwill be released shortly. When completed, fixes will be made availableas 120.0.6099.71-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 120.0.6099.71-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVz/oUACgkQZF0CR8NudjeHiQ//b6jyIAPFtBShCoAqRE22aN0RvzWR2BNs0Dl7CaZxMf+/+W/c0dXH3P9UtfEDv4Wcf6l6N3SSwAkCSwQx/Fr1T3Fpm2Qgv4C1fBibU/HMK/McE47Ua22MD0ZZhuuVx6kiG3rmvlH0tfi7N9oBa+6MdlUbps2PAsa7sII7BGReYvj90z80HlPPFbSc94aw/5ywL1+14CqWEdnyRxRJj5Jk0HWolyuSAItdNF3fxExweSeYHha0UKJXwK8449833YdWXl3htjrrM0nqjOfkponeq8GbPUXXaV0hIHU0Vu3nRJ26rRiFsV9UV1gzc3JRihndHizFD+gnas2KI4EiMwFDns6u2yJv7r2YLcTGfamnPuBnwsiCFfphXA1h/1GUrhCPxxRZCXdRUS5DakiaXGNS9HhC6ELcwhMKY8YcQ3CFBubi+5Jj+nUXL+n98F1m6UwJ08KBPXMKAlNhqVlsoJ4vyPD0UlKxjsPXynnnGe0c+YJlnK4+Czo/rzTwhqPy0kStMea3I9jpsgu9iQuNODKiC1xrxt0G8iaaRePwaX/IbJyjw/8lumhMkTvQ8Os5HlZAZSiHRQUgYVonOup+QywJqidkDRqsp7dsz7yrR9n/k7H5j6/XjXkZRnb4BcB3AMJkyBy7wqL8r9UCTwBD5zdfYk3VrDqJ/Klg+tEFeRbNvik==t7or-----END PGP SIGNATURE-----

Debian Security Advisory 5573-1

Malwarebytes is offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture

Every day, nearly 70 brand-new vulnerabilities are discovered in software products around the world. That’s almost 25,550 new problems each year, of which roughly 4,250 (or every one-in-six) will be classified as “critical.”

But with little guidance beyond “critical” classifications—and with the potential for non-critical vulnerabilities to still be exploited for devastating malware attacks—resource-constrained IT organizations need help. How can IT teams prioritize amongst potentially thousands of vulnerabilities if they don’t know which to fix first?

Malwarebytes analyzed the vulnerabilities identified by its ThreatDown Vulnerability Assessment module, now included at no additional cost in all ThreaDown bundles, to reveal the most common “critical” and “important” unpatched vulnerabilities on known endpoints.

The vulnerabilities compiled show up across four major software products:

*   Adobe Flash Player
*   Adobe Acrobat Reader
*   VideoLan VLC Media Player
*   Zoom

****The most prevalent vulnerabilities:****

In the 100 most prevalent unpatched vulnerabilities, the majority **(93 out of the 100) are found in software by Adobe, Zoom, and Mozilla.** \[MOU3\] 

No vulnerability listed as critical made it into the top 100 most prevalent vulnerabilities. But one critical vulnerability was close: CVE-2020-9633 in Adobe Flash Player. The vulnerable version of Flash is still in use because Adobe silently introduced a time bomb in later Flash Player versions that would prevent Flash Player from working and playing any Flash content after January 12, 2021. So organizations that have certain Flash content they need to play often to go back to that vulnerable version.

Relatedly, the most prevalent vulnerabilities labeled “Critical” come from a more diverse group of software vendors, with four distinct top contributors:

*   30 % UltraVNC (Server and Viewer)
*   20 % Python (versions 3.6 to 3.10)
*   18% Microsoft (Edge and Visual Studio)
*   14 % Adobe (Flash Player, Acrobat, and Reader)

Read on to see details of the top 5 unpatched critical vulnerabilities and the top 5 unpatched important vulnerabilities, as uncovered by ThreatDown, powered by Malwarebytes.

****The top 5 unpatched CRITICAL vulnerabilities:****

**Adobe Flash Player**

CVE-2020-9633: Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.

**Zoom:**

CVE-2022-22785: The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

CVE-2022-22786: The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

**Adobe Acrobat Reader**

CVE-2016-1038: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

CVE-2016-1044: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

****The top 5 unpatched IMPORTANT vulnerabilities:****

**Zoom:**

CVE-2023-39211: Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows may allow an authenticated user to enable an information disclosure via local access. Upgrading to 5.15.5 or later eliminates this vulnerability.

CVE-2023-34116: Improper input validation in the Zoom Desktop Client for Windows may allow an unauthorized user to enable an escalation of privilege via network access. Upgrading to version 5.15.0 or later eliminates this vulnerability.

CVE-2023-39213: Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to enable an escalation of privilege via network access. Upgrading to version 5.15.2 or later eliminates this vulnerability.

**Adobe:**

CVE-2023-29320: Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code execution in the context of the current user by bypassing the API blacklisting feature. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Updating to the latest version eliminates the vulnerability.

**VLC media player**

CVE-2020-26664: A vulnerability in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a specially crafted file. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. A buffer overflow may result in arbitrary code execution. Installing the 3.0.20 release of VLC eliminates the vulnerability.

**You Can’t Fix What You Can’t See**

While only on very rare occasions do vulnerabilities make mainstream news headlines, but when they do, the impact can be enormous. The exploitation of the MOVEit vulnerability by Cl0p ransomware operators impacted over 60 million individual victims (between May and September of 2023. And remember that not every “critical” vulnerability is synonymous with an exploited vulnerability. With an additional 1,000 entries added to CISA’s known, exploited vulnerabilities catalog in just the past two years, few organizations have the IT staff to keep track of everything.

Many organizations only have limited visibility into which vulnerabilities might impact them, and nearly every organization relies on the Common Vulnerabilities and Exposures (CVE) database, which lists publicly disclosed computer security flaws. But this isn’t a perfect resource.

In 2023, CVE-2023-4863 was discovered, originally described as a heap buffer overflow in WebP  within Google Chrome. The average person, upon learning about this vulnerability, may have thought that the problem was limited to Chrome, or maybe even realize that other Chromium based browsers could be affected. Yet the reality was quite different. It turned out that the bug was deeply rooted in the libwebp library, which is not only used by Chrome but by virtually every application that handles WebP images. So anyone that patched their Chrome browser might think they thwarted that vulnerability, when in reality they might still be vulnerable, just in different software.

This type of library oversight happens quite often. Most people, including thoroughly trained and experienced IT staff, have no idea about all the building blocks that were used to create the environment and software that they use.

This is where dedicated software to alert staff about existing vulnerabilities in their environment integrated with patch management capabilities can help save the day.

**Free Vulnerability Assessment**

Today Malwarebytes announced its offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture. The full featured comprehensive vulnerability scanning is now included in every ThreatDown Bundle at no additional cost via its integrated console.

Learn more about how ThreatDown bundles can help you to improve your security by quickly finding and fixing vulnerabilities here.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Insights into your unpatched vulnerabilities 

An oversight in BCB handling of reboot reason that allows for persistent code execution

_Published December 5, 2023_

The Chromecast Security Bulletin contains details of security vulnerabilities affecting supported Chromecast with Google TV devices (Chromecast devices). For Chromecast devices, security patch levels of 2023-10-01 or later address all applicable issues in the October 2023 Android Security Bulletin and all issues in this bulletin. To learn how to check a device's security patch level, see Chromecast firmware versions & release notes.

All supported Chromecast devices will receive an update to the 2023-10-01 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the October 2023 Android Security Bulletin, Chromecast devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**AMLogic**

    

CVE

References

Severity

Subcomponent

CVE-2023-48425  

A-291138519

High

U-Boot

CVE-2023-48424  

A-286458481

High

U-Boot

CVE-2023-6181  

A-291138116

Moderate

U-Boot

**System**

    

CVE

References

Severity

Subcomponent

CVE-2023-48417  

A-288311233

Moderate

KeyChain

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Chromecast firmware versions & release notes.

**Acknowledgements**

Researchers

CVEs

Nolen Johnson, DirectDefense and Jan Altensen, Ray Volpe

CVE-2023-6181, CVE-2023-48425,

Lennert Wouters, rqu, Thomas Roth aka stacksmashing

CVE-2023-48424

Rocco Calvi (TecR0c), SickCodes

CVE-2023-48417

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2023-10-01 or later address all issues associated with the 2023-10-01 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Chromecast firmware versions & release notes.

**2\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column.

**Versions**

  

Version

Date

Notes

1.0

December 5, 2023

CVE-2023-6181: Chromecast Security Bulletin—December 2023

SyncTrayzor 1.1.29 enables CEF (Chromium Embedded Framework) remote debugging, allowing a local attacker to control the application.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-46899: Remove RemoteDebuggingPort for release builds · Issue #666 · canton7/SyncTrayzor

By Waqas
Another day, another Bluetooth vulnerability impacting billions of devices worldwide!
This is a post from HackRead.com Read the original post: Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

Keystroke injection is a method wherein malicious commands or keystrokes are remotely injected into a system to compromise or manipulate its functionality, often exploited for unauthorized access or control.

A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. This vulnerability is tracked as **CVE-2023-45866** and disclosed by security researcher Marc Newlin. 

It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, potentially allowing them to install malicious apps, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). The software vendors were notified about the flaw in August 2023.

This vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. Back then, it was assumed that Bluetooth was secure and promoted as a better alternative to vulnerable custom protocols.

In 2023, a challenge forced Newlin to focus on Apple’s Magic Keyboard due to its **reliance on Bluetooth** and Apple’s security reputation. Initial research revealed limited information about Bluetooth, macOS, and iOS, necessitating extensive learning. 

Later, unauthenticated Bluetooth keystroke injection vulnerabilities in macOS and iOS were discovered, which were exploitable even when **Lockdown Mode** was enabled. Similar flaws were identified in Linux and Android, suggesting a broader issue beyond individual implementations. The Bluetooth HID specification analysis revealed a combination of protocol design and implementation bugs.

Newlin explained in his **post on GitHub** that multiple Bluetooth stacks had authentication bypass vulnerabilities. The attack exploits an “unauthenticated pairing mechanism” defined within the Bluetooth specification, tricking the target device into accepting a fake keyboard.

This deception allows an attacker in close proximity to connect and inject keystrokes, potentially enabling them to install apps and execute arbitrary commands. It is worth noting that unpatched devices are vulnerable under specific conditions, such as:

*   Android: Bluetooth must be enabled.
*   Linux/BlueZ: Bluetooth must be discoverable/connectable.
*   iOS/macOS: Bluetooth must be enabled, and a Magic Keyboard must be paired with the device.

These vulnerabilities can be exploited with a standard Bluetooth adapter on a Linux computer. Notably, some vulnerabilities predate “**MouseJack**“, affecting Android devices as far back as version 4.2.2 (released in 2012). 

In a comment to Hackread.com, Ken Dunham, Director of Cyber Threat at Qualys said “The two new Bluetooth vulnerabilities that exist for Android, Linux, MacOS, and iOS enable unauthorized attackers to perform an “unauthenticated pairing”, then possibly enable execution of code and to run arbitrary commands.”

“Bluetooth attacks are limited to close physical proximity. As a workaround, users of vulnerable systems can limit their attack surface and risk until patched by disabling Bluetooth,” Dunham advised.

While a fix for the Linux vulnerability existed since 2020 (**CVE-2020-0556**), it was surprisingly left disabled by default. Despite announcements by major Linux distributions, only ChromeOS is known to have implemented the fix. The latest BlueZ patch for CVE-2023-45866 finally enables this crucial fix by default.

It is a serious vulnerability impacting a vast array of devices, exposing potential security risks inherent to Bluetooth technology. However, according to Google, “fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.”

1.  **BlueRepli attack bypasses Bluetooth authentication on Android**
2.  **BleedingTooth Bluetooth vulnerability allows RCE in Linux devices**
3.  **Update your devices: New Bluetooth flaw lets attackers monitor traffic**
4.  **BlueBorne Bluetooth Flaw Affects Millions of Smartphones, IoT and PCs**
5.  **Hackers can crash Google’s Nest Dropcams by exploiting Bluetooth flaws**

Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems.
"The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an

Cyber Espionage / Cryptocurrency

The North Korean threat actor known as **Kimsuky** has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems.

"The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an analysis posted last week.

The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document.

The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor.

The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server.

It's also capable of running commands, executing additional payloads, and terminating itself, turning it into a backdoor for remote access to the infected host.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

Kimsuky, active since at least 2012, started off targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, before expanding its victimology footprint to encompass Europe, Russia, and the U.S.

Earlier this month, the U.S. Treasury Department sanctioned Kimsuky for gathering intelligence to support North Korea's strategic objectives, including geopolitical events, foreign policy, and diplomatic efforts.

"Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions," cybersecurity firm ThreatMon noted in a recent report.

The state-sponsored group has also been observed leveraging booby-trapped URLs that, when clicked, download a bogus ZIP archive masquerading as an update for the Chrome browser to deploy a malicious VBScript from Google Drive that employs the cloud storage as a conduit for data exfiltration and command-and-control (C2).

**Lazarus Group Goes Phishing on Telegram**

The development comes as blockchain security company SlowMist implicated the notorious North Korea-backed outfit called the Lazarus Group in a widespread phishing campaign on Telegram targeting the cryptocurrency sector.

"More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams," the Singapore-based firm said.

After establishing rapport, the targets are deceived into downloading a malicious script under the guise of sharing an online meeting link that facilitates crypto theft.

It also follows a report from the Seoul Metropolitan Police Agency (SMPA) that accused the Lazarus sub-cluster codenamed Andariel of stealing technical information about anti-aircraft weapon systems from domestic defense companies and laundering ransomware proceeds back to North Korea.

It is estimated that more than 250 files amounting to 1.2 terabytes have been stolen in the attacks. To cover up the tracks, the adversary is said to have used servers from a local company that "rents servers to subscribers with unclear identities" as an entry point.

In addition, the group extorted 470 million won ($356,000) worth of bitcoin from three South Korean firms in ransomware attacks and laundered them through virtual asset exchanges such as Bithumb and Binance. It's worth noting that Andariel has been linked to the deployment of Maui ransomware in the past.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Tag

#chrome