Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS.

Title: Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS)  
Advisory ID: ZSL-2023-5770  
Type: Local  
Impact: DoS  
Risk: (3/5)  
Release Date: 11.04.2023

**Summary**

Google Chrome browser is a free web browser used for accessing the internet and running web-based applications. The Google Chrome browser is based on the open source Chromium web browser project. Google released Chrome in 2008 and issues several updates a year.

**Description**

Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS.

**Vendor**

Google LLC - https://www.google.com

**Affected Version**

111.0.5563.64 (Official Build) (x86\_64)  
110.0.5481.100 (Official Build) (x86\_64)  
108.0.5359.124 (Official Build) (x86\_64)  
108.0.5359.98 (Official Build) (x86\_64)

**Tested On**

macOS 12.6.1 (Monterey)  
macOS 13.3.1 (Ventura)

**Vendor Status**

\[08.12.2022\] Vulnerability discovered.  
\[13.12.2022\] Contact with the vendor, ticket 1400682 created.  
\[13.12.2022\] Vendor begins investigation.  
\[10.04.2023\] Vendor releases version 112.0.5615.49 to address this issue.  
\[11.04.2023\] Public security advisory released.

**PoC**

google\_chrome\_oom.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://bugs.chromium.org/p/chromium/issues/detail?id=1400682  
\[2\] https://chromium-review.googlesource.com/c/chromium/src/+/3861171

**Changelog**

\[11.04.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS)

The campaign shrouds the commodity infostealer in OpenAI files in a play that aims to take advantage of the growing public interest in AI-based chatbots.

Cybercriminals are posting what appear to be legitimate sponsored ads on hijacked Facebook business and community pages, which promise free downloads of AI chatbots such as ChatGPT and Google Bard. Instead, users download the well-known, info-stealing malware called RedLine Stealer, the researchers have found.

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment-card details, as well as taking a system inventory to assess the attack surface for performing further attacks. It also can perform other malicious functions besides just info stealing, such as uploading and downloading files, and executing commands. This gives attackers, even with limited sophistication, various options for performing a range of cyberattacks, researchers at Veriti said.

They spotted the recent campaign in January, which aims to take advantage of the growing popularity of emerging AI platforms, according to a report published April 11. The researchers then followed the campaign through its peak in March.

"These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files," Veriti researchers wrote in the report. "However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user's device."

The commodity malware is an inspired choice for the campaign considering it costs only $100 to $150 to buy it on the Dark Web, which gives attackers a significant return on investment (ROI) for their cybercriminal activity, the researchers said.

"In addition, by exploiting Facebook business accounts and their exposed passwords, the attackers were able to target a vast number of users and potentially gain access to sensitive information at a relatively low cost," the Veriti research team tells Dark Reading.

**Dangers of Trojanized AI Apps **

Soon after the AI-based chatbot ChatGPT came on the scene in November, the chatter began about the various ways attackers can exploit it for malicious purposes. While some believe that this threat is being overhyped, the RedLine campaign could be a sign of more related attacks on the horizon.

Rather than taking advantage of AI-based capabilities of the chatbots themselves, the attackers here take advantage of recent developments in the ability to package the AI in various forms, opening the door for creating trojanized downloads. 

"One of the most concerning risks associated with generative AI platforms is the ability to package the AI in a file (e.g., as mobile applications or as open source), which creates the perfect excuse for malicious actors to trick naïve downloaders," the researchers explained. 

The attackers in this case package RedLine Stealer into an OpenAI or Google Bard downloadable file, leading unsuspecting users to download the malware instead of the promised AI app that lured them to click on the post, the researchers said.

"The potential impact of such attacks is significant, as hackers could steal confidential data, compromise financial accounts, or even disrupt critical infrastructure," they wrote in the report. "Moreover, these attacks are becoming more sophisticated, making detecting and preventing them harder."

Dozens of Facebook business accounts in at least 10 countries already have been hijacked for the purpose of distributing RedLine Stealer through the malicious posts, the researchers said. Greece is the country where attackers reach the highest number of Facebook users, followed by India, the US, Mexico, and Bangladesh, according to the report.

However, the bulk of the campaign's "top attacks" took place in the US, where 77% of them occurred, according to the report. The country with the next-highest percentage of top attacks was Canada, with 9%, followed by Mexico (6%), India (4%), and Portugal (2%).

**Protecting the Enterprise From Malicious Downloads**

Veriti recommends a "comprehensive approach to cybersecurity" that includes educating employees on the risk of downloading and opening files from unknown sources, alongside "robust security configurations" to help avoid compromising enterprise systems if users inadvertently install an infostealer, such as Redline, on a corporate desktop.

One of the first steps organizations can take is to limit the download of executables and enforce strict policies that require sandboxing every executable before it is downloaded, the researchers said. "This can significantly reduce the risk of malicious files infecting a system," they tell Dark Reading.

Additionally, disabling data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can cause any damage, the researchers said.

However, researchers note that any measures to educate employees or set policies around files downloaded from the Internet "should complement an organization's existing cybersecurity protections, such as firewalls, intrusion detection and prevention systems, and regular security updates."

The team adds, "Organizations can significantly reduce the likelihood of a successful attack by implementing these best practices and educating employees on the risks."

Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads

Apple Security Advisory 2023-04-10-3 - macOS Big Sur 11.7.6 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-3 macOS Big Sur 11.7.6macOS Big Sur 11.7.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213725.IOSurfaceAcceleratorAvailable for: macOS Big SurImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Big Sur 11.7.6 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkW2Q//bj0ZmcXsCzpQmhCc5hZ+P4cnesy9Kc4DRLofsYBtPVlR450wIjxiGqlUkpbLBWpBXaXn4EeBoqxxXB9FKXANvZVkdS+xpTLdHpdPnRMntJf3S4WiYyDr/G3coHVtHbNMbj/K/MbsRGBefVtGAueLpwwHFN5GsyvuMrp5xEl9wgQ3aMfi+x8hHXuFzxHIHyNf6OU5cBSf6R80FQcV55eOjPe9gX1B59n4ffZtaao3QqT+z++wA64eyVCVk9hSWXYsMKBNgcoyh108DHb6aYfr0G6SvcvzX2zR2zJtL0JFDNckHx/nvAws/Sd5O39oHzvS46gNcYZIHujHbemh/DsFJjgKbOd4O9oLyJeAcVjv0c5i61Qa+odERpvX2bJR8xWLlDGYIV5XmGYzxL8lksDim9hD2IOGf6P7ReARUcpahe9jaAIoj+BoFkKUMvr8iORx0752+3h+dMej1nu/1RhjmeWYawbUsH+yECu0L2GkQc0I9gFg0Dq21OFlHEfB46D+XRTWYWkM6l9KPMNcH1PX74d86ZkuqqMzlKmsRdJz0ESepIj6RzQ3Zy5SvZ63C78RJvWGPeg/8rQFIBQE9WktUoPz5+6bU/E1nq8ExbrTXxJKvt/VseIwBTi08UfQ2oYnyyAirIkTRi9PH5pviXBu9r/AiBYSj9J88QBzrV8QXHw==Lq+b-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-3

Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5iOS 15.7.5 and iPadOS 15.7.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213723.IOSurfaceAcceleratorAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.5 and iPadOS 15.7.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJEACgkQ4RjMIDkeNxnSrA/9GfJGP3rEWjtK1bSWO5XgjPZIN8xZcYAT2zQCHNM/CREylHDWSoamyMsxsUFkc25u0ok7Ucoj5k+44WXT7bhRqK52H5PDP6b0n3KsUnhJo+up6+AlKgqgomWntzQyjYTe36nArMvHkMAy9car/kj0l6OBAFF2pVXSTU24ubQfYOtAppQp3JNU9UnqhJ/VrQCANwvjHIsdy+EximByL3+tdCTzRi1v5SC4ZntHP0vB66YwFgrkaxmWLa/EXrA9tgJr8YX6k7LUc0MMUJSkcMg7ydojFBeVgHCVdH2rJpL8w6eVrpW7MQ5wcp6XrDm23T1lckVT8WL+LL4414gBjkfOyjjntdllGiH5For84t76bUGYDs6pb69Ztv2uAMRRP8nJAgNpsP++EnEaI0U3jMoEbq0xCv64y/EenkZm3kuTwOeo7l5Q5WzTDJTsdqZMnP+tR7nhCu41UIKN8eOelp/BqRT/4wcT8fvTNLgg/oY6TUPHYydQO48+ZjiBaryn7oXcv+EaDdggkySniijiLI4Dol20J0SHUr6LHOM6AiiMWhz5ZeIawaLcLfw/oP5+U1tio3dPeeTCwjr9hY8BB/a2rPq6UkAuReAS3ZU+b1N5swaVRYaZb41bfW5rfI571XS42mjoCCGJP8TdXk8mWeZgdvAKdLCYbIW2taTPVRhtGwE==DG1t-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-1

Apple Security Advisory 2023-04-10-2 - macOS Monterey 12.6.5 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-2 macOS Monterey 12.6.5macOS Monterey 12.6.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213724.IOSurfaceAcceleratorAvailable for: macOS MontereyImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Monterey 12.6.5 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkpjhAAwMSbbqdMyODDeaYJhALWUoFTVp90hcduPLHYeYEZISeQg6taWYCrbFs6XVmtw65pEjCUOUfw7yIqkWGXy4XVwo4DhBBqxUwUNZyIv16uNEgCl9bqfQKKXyii4269rCBWhlhXyen1zv/1OSMEF5dlVVf4C55cmdx2ta+th/0jCXsd9Oe4aVgDOucDg2cItZ0Aht+2AStmeBi7wKoP0XgqLVtJcHofls7O/G0DW9YVkroxyfTizf1Fd4J+O4AjYYvA0P6Jrkm7jAI+64IlHrMukxkSiD43KNCG/PhVdHO6YLXhIm9a1ziEjSaA7EGw/bYQGI2HCmbu/gSMuXlHe4Uc8OnGdRMGceV4JHD9qjQUS9/Sh/58+oa609mLvWW+VBMJXQlWOYH4hrTlGiNSfCkQa2yqkCtpk4nfTkd51y8V1x3XvlFE8092Z2XnaEz0KzebfS5dgZiLKK0Tc0Kg8tJJi7KDRnjslCnu6Ove6aYW8Jm/Mh5NPWh6b9ZAkaynZ5kyEoLzutCa10riKH1uEQCLXLWMkiswz8vbEq8uyLKRBEuZOXxstoPEQBwgwh7nahcbCBjKH89CAj+Q541x00OHIYJNL1xmfT2bhb33Bm/U5aNhLuJqkYC9LrI6Xz+lPe9T8crHtIL//NsevkOIkWEyqMk0fbJJ6KHDkq4Aj5c7jWM==Iilf-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-2

Apple Security Advisory 2023-04-07-3 - Safari 16.4.1 addresses code execution and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-3 Safari 16.4.1Safari 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213722.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDkeNxmEoQ/+OXkd6XLV13F3cbrkCvFEvHndBySG93Q5o5ys0ClKqEc94Nvt5YPWalwJugUlFAXBevTCHAND7pNNbrmYPFZY+8qrMyIU/fnhsVaCfH/o/raULxZwiE9ndskrkjToHzEdMPrdtuC08gDHmYtr2thCb3M0Fv1rRqgIZ2ES9UBrrQJgFisTgZMgkylP02gN+1Ifa9JEBe7QMyRDhoC2uUvrBZI+jZJItVdysi3O1zYkMd+5D1icpwIotP0PlCLsFUAaccNXNDtcMr/XdHAuF5dcdDj0Kylmg79zC1mz79VUch3TerWb6HunBUTONFVlzbQwqNx+Csf6bDSSx0nHuqGz6pEfR65bTbzSh01+Yqjd+uht0aZVbNlptus7LKyrusRBN7QxlvoBY5JR+/CbGy3Tunj0YJk8SLG/QFCEDugjucT9O9myohlKWf7Af+1j/M2f/YKmQCyvhfREFBee8jzWj8FLLV/a6tIfVWe/IcrLGZDP13Q3nl7Ky55YndfXpNvN4ElAbSOyop3KkrfN1TgCGjeWhP+M5dK4RS9KsC+LF3AsejnUzLcQt2qW0e3dRCiyrhAAB9nKTFYtaJGoD6+jaQiCq4qGlC9fL8QNC6NvvvBrko+jE7Ws38vzdog2MVasAb+2vENqBo7ZKrgS0W/bRHV2x/NRo0lrQfKYma1koc0==JOpa-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-3

Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1

macOS Ventura 13.3.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213721.

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 254797  
CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

macOS Ventura 13.3.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDke  
Nxlhmw/9GYfPKf/wprkK1e3/sflihNqz+/qJioE7p9oNHSvPx1b5VT2ovKMOGtsD  
8AG9qzF9DsWbFFybg7gIPAjQdb8tAiipm1xJYvyqLUpD1bJFlMIB+mRqs2OFUSgF  
0p9huSBVOGasGjcHRq9g2016OJQBr/oAA3w86Re/6Q5ST2AQCc7Y3lPcebJ+2JTp  
jSU2zfnNWg3+mRL0VMleh/ZnY2+yGce7r+uaoYzDz7MULGN8/j9nYoFUbDEbgf/y  
CnCAlJdMFuW98z3Iv7U+oUP5iF2PCzIR5nfaHcoXVaZUd0H52RLyrVKvm0iV4viq  
16SNGc7hl+Si9HDsRFN+XVvQoT4r+k5yzT78Ss3iLXYyR5XOf3Xi8sZdK0eXkDmk  
Ynrv5Y+st1M550EPlAOhsO8GAAWTsHWHOxmw76DX6kbUBaEOyYMRrKhG/AYP5Djg  
ZJlIIHsdNw99wEMUVBHCXtnWEY0aO7zaHpEl5tIr6r5xJep/idO8DjD6KpxmLDT8  
ftqB/fUloaVhTht6WMYaupXn4sG/U0228v8inculiFAKWeJ9vxyWF1doEGQNErFj  
xEUSsV10u1BjXf52Wle777lbS0ro31nv2pRWVfaT8j3dpTCZvDvUVclK5AAUPlKR  
tffpSuN9DHiPEynRftyBmi431MfXLI1CgYAC0w/rRYQ/pzc9NeI=  
=nsPp  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-2

Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1iOS 16.4.1 and iPadOS 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213720.IOSurfaceAcceleratorAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.4.1 and iPadOS 16.4.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYroACgkQ4RjMIDkeNxk/Iw/9GD1PXcIq1OFLv/N8t8bEqTUhuDqbFdQ3NLcbzmSO+XnoueqvlYvXtJr/w0wv0yAo6lxkLODuI+kVX9hjbqHZzUezCkugzvz4TXWgmQI6V7+TKXC9KA7jGxH6ZUMf1a+u+0jkFRUEUsaUHxOvScSVAmw2hlJvIlnYyK/E6O5ZJrua1cBQ2pQX2hlDIYUJaNZy3E9MlSKzZclDIszckvO1yVkfEzOkdh8laZoHQ3zN+QfKXvb9IoMmO715gaNYHoO141d0RqL5nyegu4e5lYb951o0DGph2usCrCrpFD0sSquAKNriwV5tJ/DPlrStMnktYX8iogCBT/T2/AevAmrdPOil7A/2rX5pSNRifnYdAnku8FdF2zxqKdMRt10fwI4YOl2IADKz/khPtig5fcYIwcpkXgavQ0N738hg4ugF9K18S5IdY2RSTN1SQtfRjWKus6I7MgGtdIp7MW1koB/j0bF6b5Xw9GefweUzSNvn+EZT2jVLHfiD/ILkKph/QXeiQfe3VGHOs89mHY750QmuAiAT9v24IkCfni5uvrRmApJiBB8w8Hnhq1aJa+09fxiVfPwVTrKqauI5cL2p0D9iWcjlWC8W1rJR5gO2Ge8twfgbMVCXfXmD9WhEb5Z6vSNlpJLy7xXSJTn4fnJNNgJ46lmKeU+G5I2/8xP8VWrsPks==83T6-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-1

Password managers aren't foolproof, but they do help mitigate risks from weak credentials and password reuse. Following best practices can contribute to a company's defenses.

Over the past few months, several leading password managers have been victims of hacking and data breaches. For instance, LastPass, which experienced a massive breach last year, recently announced again that the company's password vault has been stolen. And thanks to the bad practice of reusing passwords too often, Norton LifeLock also reported compromises to its password manager.

Why are password managers so attractive to cybercriminals? It's simple. Password managers hold the "keys to the castle." If a password manager gets compromised, attackers gain access to all stored passwords at once, which means they can walk into any secured environment or impersonate any user, circumventing all cybersecurity defenses. The market for password managers is growing rapidly, and attackers will target anything that can get more bang for their buck.

**Attractive Targets**

Some of the most common ways password managers are being hacked include:

**1\. Malware-Targeting Password Managers**

Malware programs have been targeting password managers for the last several years. In 2014, malware called Citadel, designed to target password managers, became notorious for having compromised one in 500 PCs worldwide. However, back then, only a small number of users used a password manager. Today, the average person needs to remember upward of 100 passwords, which is why the market for password managers and the malware market for targeting them are both growing.

For example, the attack on the Solana blockchain last year that resulted in a $7 million heist was caused by malware that targeted crypto wallets and password managers called Luca Stealer; another Trojan, dubbed StealC, specifically targets browser extensions and authenticators by password managers; password stealers targeting Web browsers have also been around for decades.

**2\. Phishing Attacks Against Password Managers**

Phishing attacks targeting password managers are on the rise. For example, in January 2023, researchers came across Google Ads that were redirecting victims to fake Bitwarden and 1Password pages, trying to steal their master credentials. What's more, customers of password managers such as LastPass, who have already had their credentials exposed in an earlier data leak, are at an increased risk of scams and phishing attacks. Attackers know their email addresses, phone numbers, and the online services they use, and therefore they can be easily targeted using a variety of phishing techniques.

**3\. Software Vulnerabilities in Password Managers**

Just like all other forms of software, password managers are prone to vulnerabilities. Recently, researchers reported a vulnerability in KeePass that could allow attackers to export all usernames and passwords in clear text. Earlier this year, Google discovered that popular password managers such as Dashlane, Bitwarden, and Apple's Safari browser password manager can all be manipulated into auto-filling passwords on untrusted pages.

**4\. Credential-Stuffing Attacks Using Leaked Credentials**

Credential-stuffing attacks are becoming increasingly common. This is a type of attack where threat actors leverage previously leaked credentials (nearly 25 billion of these are for sale on underground marketplaces) to gain unauthorized access into websites, applications, and networks. Most password managers have a "master password" to access all credentials, and since 65% of users reuse their passwords across different websites, it's possible that attackers use brute-force techniques or make educated guesses on the possible password combinations. Late last year, LastPass confirmed a credential-stuffing attack against some of its users.

**Do Password Managers Make Sense in 2023?**

The benefits of having a password manager far outweigh the risks. Password managers help mitigate two of the biggest risks for users and businesses — weak credentials and password reuse. Yes, attacks on password managers are on the rise, but the probability of a business being attacked due to poor credentials or password reuse is much higher than the likelihood of a password manager getting hacked.

There are a number of things organizations can do to mitigate the risks of password managers:

*   **Security-train employees:** Most password-stealing malware gets installed when users get phished or social engineered — users download, click, or open something they shouldn't have. This is why it is extremely important for organizations to instill secure behavior in employees (alertness, strong passwords, safe browsing, responsible use of social media, not trusting anything at face value, etc.) so they don't fall victim to a phishing attack.
*   **Patch regularly:** Make sure you patch all your software and systems regularly. Unpatched software is the second-biggest reason password-stealing Trojans get installed on computers. Ensure you check and install all critical patches, especially the ones that are featured on CISA's Known Exploited Vulnerability Catalog.
*   **Use phishing-resistant multifactor authentication:** Use phishing-resistant MFA or passwordless options wherever you can. Not just to protect the master password on your password manager, but also on all of your critical websites, applications, and services.
*   **Check password-dump websites for leaked credentials:** Check online leaked-password websites (such as haveibeenpwned.com) or take breach password tests to ascertain if any of your credentials are floating around in online databases.
*   **Use a good password manager:** Use password managers that deploy strong encryption; that follow secure development life cycle (SDLC) programming; are responsive, transparent, and responsible to their customers; and that promote security features such as MFA, passwordless options, contextual features (user gets locked out if it's an unknown device or location), and phishing-detection capabilities.

Are password managers foolproof? Nope. But nothing is these days. The operating systems we use, the devices and applications we use — everything is hackable. Password managers come with some great benefits — they can tell you if your password is strong or not, they prevent you from reusing your password, some can stop you from entering credentials into bogus URLs, and some will even alert you when a website gets compromised.

As long as organizations follow the above tips and best practices, password managers can prove to be a vital tool in the defense arsenal of any organization.

How Password Managers Can Get Hacked

Your iPhone, iPad, and Mac now have a built-in password feature, complete with two-factor authentication.

Most people don't use a password manager or two-factor authentication—even people who know it's a good idea—because installing and managing _yet another app_ just sounds exhausting. Well, if you're an Apple user, you don't need another app anymore: Your device can manage your passwords and generate two-factor authentication codes for you, and you can even sync them with a Windows computer.

Password managers are important. Why? To quickly summarize, using the same password for every website and app is an open invitation for hackers to access all of your accounts. That's because passwords regularly leak, and a leaked password on one site can give hackers access to all your other accounts if you use the same password everywhere. It's best, then, to use a totally different password on every site, but no human being can remember that many passwords.

Password managers are the best solution we have at the moment, because they can generate, and then store, secure passwords for all of your services. Most people don't use one, though, because such apps can be complicated to learn, and the best ones aren't free.

So it's great that Apple offers such functionality. But there's a downside: It's a little buried, if not outright hidden. Still, if you're a Safari user with multiple Apple devices, this feature means you can quickly generate and save secure passwords for all of your accounts. Here's how. Note that you'll need a (free) iCloud account for this service to sync passwords between devices, though if you're an Apple user you almost certainly already have one.

Create Passwords

To get started, you may need to enable the feature, which you can find in System Settings on your device under **Passwords**. Make sure **iCloud Keychain** is turned on. Windows users should also install iCloud for Windows, which can sync your passwords with Chrome or Microsoft Edge.

The simplest way to add passwords to Apple's hidden password manager is to just start using your devices and saving passwords as you go. When you sign into any online account in Safari, or in any app on your iPhone or iPad, there's generally a pop-up asking if you want to save the password in your **iCloud Keychain for AutoFill.** This is the simplest way to add accounts: Just hit the **Save Password** button and your username and password will be saved.

Alternatively, if you're signing up for a new account, you will generally be offered an automatically generated strong password—if not, you can tap the key icon at the top of the keyboard on mobile or in the right side of the password field on desktop. Either way you should see the **Add New Password** option, which can automatically create a strong password for you.

From now on, when you log in to the site, your device will offer to fill out the username and password for you. It will generally use TouchID, FaceID, or your system password to confirm you identity, after which the username and password field will be filled in. This saves you from having to remember the passwords, and even the usernames, you use to log in to websites.

Browse and Edit Your Passwords

You might be wondering _where_, exactly, all of these passwords are saved. Let's head back to **Passwords** in System Settings. Here you will find a list of all the passwords you've saved.

Apple via Justin Pot

At the top of the list is a **Security Recommendations** function, which will cross-reference your saved passwords with known lists of leaked accounts. This is a useful way to know if any of your passwords absolutely need to be changed.

Below that is a search bar, which you can use to quickly find any account. Open an account to see the username, password, and URLs associated with the account. You can also add a note to any account, if you want.

Two-Factor Authentication

We've talked about how two-factor authentication keeps you more secure, but basically it means that a hacker who gets your password won't be able to log in unless they _also_ have physical access to your device. Generally two-factor authentication requires installing _yet another_ app, for generating codes, but Apple devices have this feature built in, and they can even fill in the field for you.

Head back to your list of passwords in the System Settings app. Open any account and you'll see a **Set Up Verification Code** field.

Apple via Justin Pot

Tap this and you can set up two-factor authentication for the application. How to do this depends on the specific service you're setting it up for, but it's generally in the settings of the specific app or website. You'll have a QR code to sign or, alternatively, a long code to copy.

Apple via Justin Pot

After setting this up, your Apple device will automatically offer verification codes for you every time you log in to the service on any of your devices. It's really slick, and it's a lot faster than applications like Authy or Google Authenticator.

Importing and Exporting Passwords

Note that if you have an existing password manager, you can import your passwords to Apple's system. Head back to **Passwords** in the settings app and hit the three-dot button on the right above your list of passwords. Here you will see the option to **Import passwords**.

Apple via Justin Pot

You will need to export your passwords to a CSV file before you can use this functionality. Here are instructions for the leading password managers:

*   1Password
*   LastPass
*   Bitwarden
*   Dashlane
*   Google Chrome

You can also **Export** your Apple passwords to a CSV file from here, allowing you to import them into one of these password managers. We've outlined  the best password managers for you; my personal recommendations are Bitwarden, which is free and open source, and 1Password, which is powerful and free to use.

There's not a lot of reason for the Apple faithful to do this, though. As we've outlined, Apple's password system does most of what these applications can do. The main problem is that they're hidden. 

Recently the blogger Cabel Sasser argued that Apple Passwords needs an app, which is part of why I wrote this guide. I'm not sure if I agree with his premise—I suspect most people would simply ignore any “Passwords” app, the way they ignore most applications that come bundled with their devices. Still, it is true that all of this functionality is pretty buried. I hope this article helps you find it.

Tag

#google