### Impact
@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

### Patches
The issue has been resolved in 4.3.2.

### Workarounds
None

### References
N/A


**@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity**

Moderate severity GitHub Reviewed Published Nov 30, 2023 in adobe/css-tools • Updated Nov 30, 2023

GHSA-prr3-c3m5-p7q2: @adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity

Fake Facebook ads seem to be the flavor of the month for scammers.

Thursday, November 30, 2023 14:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

*   Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
*   Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
*   Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
*   Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it. 
*   Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
*   Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
*   Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords. 
*   Manually type in URLs to sites you want to visit rather than clicking on links. 
*   Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. 

**Why do I care? **

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

**So now what? **

Since this seems to be an offshoot of GhostRAT, we certainly can’t rule out any other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

**Top security headlines of the week **

**Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately.** The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project.  The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider) 

**Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans,** even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and reported on by the New York Times in 2013 but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired) 

**Security researchers have found a way to bypass the Microsoft Hello login authentication system** used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or carry out what's called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge) 

**Can’t get enough Talos? **

*   Tech giant Cisco built special device to help Kyiv ward off cyberattacks on power grid 
*   Cisco whips up modded switch to secure Ukraine grid against Russian cyberattacks 
*   Talos Takes Ep. #163: Why has the Phobos ransomware been working for so long? 
*   The Need to Know: What is threat hunting? 
*   Vulnerability Roundup: Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution 

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

> _Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** Hacktool:PUP.26ld.in14.Talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

By Waqas
Thus far, the FjordPhantom malware has defrauded victims of around $280,000 (£225,000).
This is a post from HackRead.com Read the original post: Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Currently, the FjordPhantom malware appears to be active in Southeast Asia, covering countries including Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

Cybersecurity firm Promon has identified a novel Android malware named FjordPhantom that employs virtualization to target applications. This technique has not been observed in any malware previously. FjordPhantom propagates through messaging services and combines app-based malware with social engineering to deceive banking customers.

Promon indicated in its report published on November 30, 2023, that only one sample of FjordPhantom has been obtained. However, researchers suspect that the malware is operational in Southeast Asia, encompassing countries such as Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

“In discussions with banks in the region, Promon has learned that one customer was defrauded out of 10 million Thai Baht (approximately $280,000 – £225,000) at the time of writing,” noted the report author Benjamin Adolphi and shared with Hackread.com ahead of publication on Thursday.

Further probing revealed that the malware is distributed through emails, SMS messages, and messaging apps. Users are tricked into downloading a bogus banking app, which contains FjordPhantom.

When this app gets installed, the attackers, posing as customer service representatives, guide the users about the steps to run the app. The malware uses virtualization to create a virtual container to run this app and attackers can monitor the user’s actions and steal their credentials.

The malware integrates various open-source/free projects from GitHub, incorporating a virtualization solution and a hooking framework. FjordPhantom utilizes virtualization solutions to circumvent the Android sandbox, enabling different apps to operate within the same sandbox.

This facilitates attackers in gaining access to files and memory, conducting debugging, and injecting code into other apps. The approach involves virtualization solutions loading their own code into a new process before loading the hosted app’s code. Consequently, the malware can evade traditional code injection detection methods, as it doesn’t modify the original application.

The malware leverages the hooking framework to evade SafetyNet rooting detection, screenreader detection, and dismiss dialog boxes warning the user of ongoing malicious activity on the system. Additionally, the malware logs various actions performed by the targeted applications, signifying active development and suggesting potential targeting of other apps in the future.

Screenshot credit: Promon

Researchers believe that FjordPhantom is a sophisticated Android malware used to commit real-world fraud. Here are 5 tips for Android users to protect themselves from malware, especially banking trojan:

1.  **Download apps only from trusted sources:** The safest way to get apps for your Android device is to download them from the official Google Play Store. Apps in the Play Store have been reviewed by Google and are less likely to be malicious. If you need to download an app from a third-party source, make sure to do your research and only download apps from reputable websites.
2.  **Be careful about the permissions you give apps:** When you install an app, it will ask you for permission to access certain data or features on your device. Only give apps the permissions they need to function. For example, if you’re installing a banking app, it will need permission to access your contacts and call history. However, there’s no reason for it to need permission to access your photos or location.
3.  **Keep your device up to date:** Google regularly releases updates for Android that fix security vulnerabilities. Make sure to install these updates as soon as they become available. You can enable automatic updates in your device’s settings.
4.  **Install a mobile security app:** A mobile security app can help to protect your device from malware by scanning apps and files for threats. It can also block malicious websites and phishing attempts. There are many different mobile security apps available, so do some research to find one that’s right for you.
5.  **Be cautious about what you click on:** Be careful about clicking on links in emails or text messages, even if they appear to be from someone you know. These links could take you to malicious websites that could install malware on your device.

****_RELATED ARTICLES_****

1.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users**
4.  **Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots**
5.  **Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw**

Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Tyler Technologies Court Case Management Plus allows a remote attacker to authenticate as any user by manipulating at least the 'CmWebSearchPfp/Login.aspx?xyzldk=' and 
'payforprint_CM/Redirector.ashx?userid=' parameters. The vulnerable "pay for print" feature was removed on or around 2023-11-01.

**Integrated Software for Courts & Justice Agencies**

Regardless of size or location, courts and justice agencies have one thing in common — the need to improve access to justice for citizens, to empower legal professionals, and to enable collaboration across justice agencies.

Tyler's courts and justice software solutions help agencies share data among all of the offices in the justice system — Connecting courts, prosecutors, and public defenders, as well as jails, auditors, inspectors general, police departments, and supervision offices. This integration saves time and creates operational efficiencies, eliminating redundancies, minimizing errors, and helping you to be more responsive to your citizens.

**Civil Process**

Meet your jurisdiction's unique civil process office, field and financial requirements. Tyler's flexible configuration make operations more efficient from business processes to state reporting requirements.

Explore Civil Process

**Court Case Management - County & State**

Tyler's cutting-edge court case management systems streamline processes and eliminate mountains of paper handling. We have a track record of success across thousands of courts, from the smallest municipal court to the largest statewide systems.

Explore Enterprise Justice

**Court Case Management - Municipal**

Managing court calendars, processing defendant notices, and responding to crowded courtrooms, Tyler understands the challenges high-volume municipal, mayor, traffic and justice courts face. Municipal courts have a unique pace and rhythm, and a set of requirements that are different from those of counties, districts and states. Our Municipal Justice solution meets that pace and exceeds our clients’ expectations.

Explore Municipal Justice

**Dispute Resolution**

Expanding access to justice and allowing citizens to resolve their own disputes online, anywhere, anytime – with proven technology using Online Dispute Resolution.

Explore Online Dispute Resolution

**Electronic Filing**

More than 850,000 users file over 28 million documents annually on our platforms with 99.999% uptime. In addition to an outstanding platform with outstanding support we also provide online tools to guide self-represented litigants through the process of filing online.

Explore eFile & Serve

**Investigations & Audits**

Successful investigations and audits rely on the quality and completeness of the data collected and examined. Our solutions allow investigators to track, share, use, and analyze data in order to resolve cases efficiently.

Explore Investigations & Audits

**Jury Management**

Jury duty may be the only interaction most of your constituents have with the court. Our jury solutions provide an easy experience for citizens to navigate and answer any questions they have.

Explore Jury Management

**Justice Insights**

Tyler’s Justice Insights can provide a broader view of performance while also measuring efficiencies and outcomes across multiple departments or jurisdictions. When strategically implemented, these solutions can give you an instant view of your entire justice system so you can make more informed decisions about resources, policies, and more.

Explore Justice Insights

**Prosecution & Attorneys**

For Prosecutors, Public Defenders, or Trial Lawyers more than anyone else in the justice system, data is key, and we make it easy to track and manage the critical information you need, leveraging electronic case files, effectively managing caseloads, and easily tracking data. Additionally, re:Search® changes the way legal professionals, the courts and court staff, as well as the media and the public, search for court case data.

Explore Enterprise Attorney Manager

**Supervision**

Simplify and streamline adult and juvenile probation functions and pretrial services with Tyler’s Enterprise Supervision solution. Ease your workload with a comprehensive tool to handle multiple supervisory management functions while integrating seamlessly with the full array of Enterprise Justice solutions.

Explore Enterprise Supervision

**Virtual Court**

More than just a secure video stream, Virtual Court directly integrates with the case management system to create a seamless workflow during remote court hearings. It was developed through collaboration with courts of varying sizes from across the country to ensure it provides reliability and security required by the justice system.

Explore Virtual Court

Explore Other Courts & Public Safety Offerings

Courts and public safety agencies of all sizes and locations have one thing in common: the need to improve collaboration, to share information among agencies and all offices in the justice system, and to provide powerful tools to legal professionals for day-to-day operations.

Tyler’s courts and public safety solutions help to break down barriers and share information more easily and more securely across all public safety and justice agencies.

Explore Courts & Public Safety

**Painting the vision of **fully connected communities**.**

At Tyler, we imagine a world where all city, county, and regional government services are connected within a healthy digital infrastructure. Connecting data, processes, and people makes communities safer, smarter, and more responsive to the needs of residents.

More About Connected Communities

CVE-2023-6342: Courts & Justice | Courts & Public Safety

The prolific threat actor has laundered hundreds of millions of dollars in stolen virtual currency through the service.

Source: Yogesh More via Alamy Stock Photo

In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its cybercriminal activity.

The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Sinbad.io, or just Sinbad, a crypto-mixing service that the feds said has processed millions of dollars worth of virtual currency from crypto heists by the Lazarus Group, according to a press release from OFAC.

As a result of the action, all Sinbad property and interests in property in the US or controlled by anyone in the US must be blocked and reported to OFAC, and people in the US are prohibited from having any involvement with the service. Further, anyone who engages in transactions with the service also may be exposed to sanctions.  

Crypto mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is a popular service tapped by cybercriminals to obscure their illegal transactions. In the case of Lazarus, the group used Sinbad to launder crypto from various malicious incidents, including the Horizon Bridge and Axie Infinity heist, the government said.

The prolific threat actor is well known for conducting cyberattacks on behalf of the regime of North Korea's leader, Kim Jong Un, engaging in widespread crypto theft through various cyberattacks — including targeting crypto engineers or using compromised systems to mine crypto — to fund government activities, among other endeavors. The US government officially sanctioned Lazarus in 2019, effectively making it a crime to do any kind of business with the group or its associates.

**Crackdown on Crypto Mixing**

Other cybercriminal groups also use Sinbad to keep various illegal financial activities such as drug trafficking, buying child pornography, and other Dark Web transactions away from the prying eyes of law enforcement. However, global authorities have caught on to the use of crypto mixers and are now starting to monitor and block the activity.

In March, an international law enforcement effort led by the US Department of Justice (DoJ) led to the shuttering another known crypto-mixing service, ChipMixer. Then in May and earlier this month, respectively, the feds also seized one crypto mixer, Blender.io (Blender), and redesignated another, Tornado Cash — both known to be used by Lazarus, they said.

OFAC in April also sanctioned two over-the-counter virtual currency traders who facilitated the conversion of stolen virtual currency to fiat currency for North Korean actors associated with Lazarus.

“While we encourage responsible innovation in the digital asset ecosystem, we will not hesitate to take action against illicit actors," said Deputy Secretary of the Treasury Wally Adeyemo, in a statement. "Mixing services that enable criminal actors, such as the Lazarus Group, to launder stolen assets will face serious consequences.”

**Crypto Mixer of Choice**

All told, Lazarus, which has been active for more than 10 years, is believed to have stolen more than $2 billion worth of digital assets across multiple cryptocurrency heists, according to the US government.

Sinbad, which operates on the Bitcoin blockchain, has been one of the primary facilitators of the trafficking of these funds as the group's preferred mixing service. The service, which some security experts believe is the successor to Blender, aids cybercriminal transactions by obfuscating their origin, destination, and counterparties, so they are difficult to track.

Some of the larger sums that Lazarus has laundered through the crypto mixer include "a significant portion" of the following crypto heists: $100 million stolen in June from customers of Atomic Wallet; $620 million stolen from Axie Infinity in March 2022; and $100 million nabbed from Horizon Bridge in June 2022. 

Despite being sanctioned and constantly monitored by security researchers and global authorities alike, Lazarus remains undaunted and shows little sign of slowing down. Some of the group's most recent activity includes posing as Meta to deploy a complex backdoor at an aerospace organization, and aiming to lure crypto pros with fake job postings — the latter a common tactic of the group.

There are signs that the mounting pressure on the group has affected them, though. Lazarus recently aligned with other North Korean state-sponsored threat actors to make them collectively harder to track. However, this collaboration also sets the stage for more aggressive and complex cyberattacks that will demand strategic defense and response on the part of targets.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

The holiday season is here, but software firms are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.

Here’s everything you need to know about the patches released in November.

Google Chrome

Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.

Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, indicating the exploit could be spyware-related.

The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.

Mozilla Firefox

Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.

Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”

CVE-2023-6212 and CVE-2023-6212 are Memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

Google Android

Google's November Android Security Bulletin details fixes patched in this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.

Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.

Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday every month, but November's is worth notice. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libWep flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.

Cisco

Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.

However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.

A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.

Atlassian

Atlassian has released a patch to fix a serious flaw already being used in real-life attacks. Tracked as CVE-2023-22518, the improper-authorization vulnerability issue in Confluence Data Center and Server is being used in ransomware attacks. “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it said.

Security outfit Trend Micro reported the Cerber ransomware group is using the flaw in attacks. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers,” Trend Micro said.

All versions of Confluence Data Center and Server are affected by the flaw, which allows an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian said.

SAP

Enterprise software giant SAP has released its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS score of 9.6, the most serious issue is an improper access control vulnerability flaw in SAP Business One. As a result of exploiting the issue, a malicious user could read and write to the SMB shared folder, the software giant said.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

A Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input.

**PHPMemcachedAdmin Path Traversal vulnerability**

Critical severity GitHub Reviewed Published Nov 30, 2023 to the GitHub Advisory Database • Updated Dec 6, 2023

GHSA-8qfm-h8rh-h3r7: PHPMemcachedAdmin Path Traversal vulnerability

A critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability. This vulnerability allows malicious actors to insert a carefully crafted JavaScript payload. The issue arises from improper encoding of user-controlled entries in the "/pmcadmin/configure.php" parameter.

**PHPMemcachedAdmin vulnerable to cross-site scripting (XSS) via improper encoding**

Moderate severity GitHub Reviewed Published Nov 30, 2023 to the GitHub Advisory Database • Updated Dec 6, 2023

GHSA-pr4w-m4rp-gp87: PHPMemcachedAdmin vulnerable to cross-site scripting (XSS) via improper encoding

AI tools can deliver quick and easy results and offer huge business benefits — but they also bring hidden risks.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

Advances in artificial intelligence (AI) and machine learning (ML) technologies continue to receive significant news coverage for the potential benefits and troubling dangers they could unleash. Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. Other experts warn that AI usage could have several negative consequences, including generating inaccurate results, data leaks, and theft. So, how can companies employ these powerful AI/ML tools without compromising their security? Below, we'll touch on the risks AI tools can present and offer eight tips that will help your company leverage these tools as securely as possible.

**The Risks of AI Tools**

In general, AI/ML is simply statistics at scale. All AI models rely on data to statistically generate results for their focus area. Therefore, most risks revolve around said data, especially confidential or sensitive data. Companies using external AI/ML tools risk that the product vendor might use your data to train their algorithms and accidentally leak or steal your intellectual property. Additionally, an AI tool that uses bad data will generate inaccurate results. Fortunately, many AI tools are quite powerful and can be used securely, with a few precautions.

**Tip 1: Remember, if it's free, you are the product.**

If you use a free AI tool or service, you should suspect it may leverage the data you provide. Many early AI services and tools, including ChatGPT, employ a usage model that's similar to social media services like Facebook and TikTok. While you don't pay money to use those sites, you are sharing your private data, which those companies use to target ads and monetize. Similarly, a free AI service can gather data from your devices and keep your prompts, which it uses to train its model. While not seemingly malicious, you never know how an AI service will monetize your data. If that company gets breached, threat actors may obtain access to your data.

**Tip 2: Have legal review agreements.**

To learn how an AI tool or service will handle your data, read the vendor's end-user license agreement, master service agreement, terms and conditions, and privacy policies. These lengthy, complex documents often use tricky language to obscure how the vendor might use your data, so company lawyers should review them. Your legal department knows the regulatory requirements for safeguarding your sensitive data, including personally identifiable information. They can interpret these documents capably and alert you if any terms put your data at risk. A data privacy officer who specializes in the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or any other privacy compliance can also help review these agreements.

**Tip 3: Guard internal data.**

A simple risk of using external AI tools is that an employee — intentionally or not — could share sensitive or confidential data with the tool, exposing the data to misuse. To mitigate this threat, companies must ensure they apply least privilege principles to who can access confidential or sensitive data. Unfortunately, some organizations don't adequately block employees from accessing corporate data that their role doesn't require. If you limit employees to access only the precise data they need, you minimize the amount of data they might divulge to an external AI tool.

**Tip 4: Review settings and consider paying for privacy.**

Whether AI tools or services are free or paid, they often have settings for added privacy. Some tools can be set to not store your prompt data. Review your AI tool's privacy settings and configure them to your preferences. Also, while free tools likely reserve the right to use your data, you can pay licensing fees to get enterprise versions of AI tools that offer more protection. These tools often include features of not using your data and keeping it segmented. 

**Tip 5: Validate the security of AI tool vendors.**

Vendor and supply chain security validation should be a default practice for any new external tool or service partner you adopt. Digital supply chain breaches prove that vendors can become the weakest link in maintaining security. Therefore, third-party risk management (TPRM) products and processes are crucial to information security. A formal TPRM process is vital when using AI tools and service partners.

**Tip 6: Leverage local open source AI frameworks and tools.**

The accessibility of online, external AI tools that are free and user-friendly brings risk. To assure data privacy, consider avoiding external tools. Alternatively, there are free AI frameworks and tools you can deploy and create yourself. These frameworks require more work as well as AI and data science expertise, so they bring their own cost to use.

**Tip 7: Track your company's AI usage.**

It’s difficult to track every asset, software-as-a-service (SaaS) tool, or data store that your employees use, as the cloud and Web services have empowered everyone to use Web-based tools. The same goes for AI-based SaaS offerings. To monitor which external AI tools your employees utilize, how, and with what data, audit and document AI usage as part of the buying process. In identifying all the internal and external AI tools used, you better understand the risks you face. 

**Tip 8: Create an AI policy and raise risk awareness.**

In security, everything starts with policy. The risks your company faces depend on your specific organization's missions and needs, and the data you use. Companies that traffic in public data may face a low data-sharing risk and allow a permissive AI policy, while those that deal in confidential matters will have stringent rules around data use in external AI tools. Ultimately, you must craft an AI policy that's tailored to your company's needs. Once you have that policy, communicate it and the risks associated with AI tools with your employees regularly.

AI tools can deliver quick and easy results and offer huge business benefits while also bringing hidden risks. Fortunately, you can leverage AI tools securely by adopting a few precautions and be on your way to realizing the benefits these tools promise.

**About the Author(s)**

Chief Security Officer, WatchGuard Technologies

Corey Nachreiner is the chief security officer (CSO) of WatchGuard Technologies. Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology and security vision and direction. He has operated at the frontline of cybersecurity for 25 years, evaluating and making accurate predictions about information security trends. As an authority on network security and an internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec, and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, Forbes, Help Net Security, and more. Find him on www.secplicity.org.

8 Tips on Leveraging AI Tools Without Compromising Security

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/archives/delete.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#git