A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.

CVE-2023-22974: OpenEMR Patches - OpenEMR Project Wiki

Integer overflow in PDF in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium)

CVE-2023-0933

Use after free in WebRTC in Google Chrome on Windows prior to 110.0.5481.177 allowed a remote attacker who convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-0932: Stable Channel Desktop Update

Use after free in Prompts in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

CVE-2023-0941

Google's Android and Chrome Vulnerability Reward Programs (VRPs) in particular saw hundreds of valid reports and payouts for security vulnerabilities discovered by ethical hackers.

Google addressed more than 2,900 security vulnerabilities in its products and platforms last year, awarding more than $12 million in bug bounty rewards to researchers in a record-breaking cash storm.

The total well outpaces last year's total of $8.5 million in rewards paid.

According to the tech behemoth's annual "Vulnerability Reward Program" (VRP) report, several VRP segments saw record highs in 2022, including the Android ecosystem, which doled out a cool $4.8 million to bug hunters. That total included the highest paid bounty in Google VRP history ($605,000), for a critical-rated exploit chain submitted by a white-hat known as "gzobqq."

    

Total 2022 stats. Source: Google

Meanwhile, the invite-only Android Chipset Security Reward Program (ACSRP) — which is run in tandem with manufacturers of Android chipsets — awarded $486,000 in collective bounties in 2022, across 700 valid security reports.

Over at the Chrome VRP, $4 million was paid across approximately 470 valid security bug reports. Of that, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser, and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.

And finally, the company's relatively new open source software (OSS) VRP — launched last August to cover supply chain issues in Google packages — released more than $110,000 in rewards to its roughly 100 participating bug hunters.

**Changes Afoot for Google Bug Bounty Hunters in 2023**

Sarah Jacobus, technical program manager at the Vulnerability Rewards Team, noted in a blog post today that more opportunities are coming for Google's bug hunters, including an expansion of the Android and Google Devices VRPs to include the latest versions of Google Nest and Fitbit as in scope.

Also, "2023 will be the year of experimentation in the Chrome VRP," she wrote. "Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs."

She also noted that the relatively new Google Play Security Reward Program (GPSRP) will look to expand its stable of bug hunters throughout this year and plans to sponsor various bounty events focused on Android and Google Play apps in order to attract new talent.

Google Delivers Record-Breaking $12M in Bug Bounties

Technology tuck-in enhances industry's broadest XDR security platform.

**DALLAS****,** **Feb. 22, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has announced the signing of a definitive agreement to acquire Anlyz, a leading provider of security operations center (SOC) technology. The acquisition will extend Trend's orchestration, automation and integration capabilities and will enable enterprises and Managed Security Service Providers (MSSPs) to improve operational efficiencies, cost effectiveness and security outcomes.

The deal encompasses intellectual property, industry expertise and more than 40 technical employees all focused on bolstering Trend's security platform strategy. With this acquisition, the company will expand its engineering team of over 3000, adding a new research & development center in Bangalore, India.

Managed Security Service Providers (MSSPs) will be empowered to grow their strategic SOC services while minimizing the complexity of the underlying security stack by reducing the number of technology vendors needed. Trend's enterprise customers will benefit from a comprehensive extended detection and response (XDR) and incident response orchestration platform that can maximize analyst productivity and help relieve resource constraints.

Gartner research stated, "As buyers, both end customers and service providers, continue to consolidate vendors/providers, buyers will seek best-of-suite and integrated solutions over best-of- breed point solutions. Preferred technology vendors will be those that ease integration with other IT and security technology and tools within the environment, supporting efforts toward use-case-based outcomes."\[1\]

"We are happy to welcome the Anlyz team into the Trend family – together we are increasing SOC effectiveness and reducing both the technology and resources burdens," said Kevin Simzer, Chief Operating Officer at Trend Micro. "Due to market pressure, we see organizations moving past security point-solution experiments in preference for platform breadth that allows for vendor consolidation, maximized return on investments and efficiencies."

Trend Micro and Anlyz have been technology alliance partners since 2021 and share more than 30 joint customers that are positioned to move forward quickly to capitalize on the opportunities ahead.

\[1\] Gartner®, Emerging Trends: Future of Security Services, Shawn Eftink, John Collins, November 2021 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Eventus TechSol is one of the many MSSPs powering joint customers delivering measurable "XDR Powered SOC" improvements for clients. "We have reduced the mean-time-to-detect and mean-time-to-respond ratio, down from weeks to hours for incidents," said Jay Thakker, Practice Head at the company. "We use playbooks for log enrichment and automated response as well as threat intelligence and threat hunting capabilities provided by the platform to proactively hunt for known and behavioral attacks."

Anlyz has primarily focused on security orchestration and case management delivering powerful SOAR capabilities for MSSPs to manage the incident response process across multiple clients. It also offers intelligent log aggregation enabling data ingestion and enrichment across a range of data sources and security solutions, using a high performance, scalable architecture. Trend will leverage Anlyz's SOAR solution and rich set of product connectors to broaden its platform and enable additional integration and automation options across customers' IT ecosystems.

Trend's MSSP channel customers will benefit from:

*   An anchor technology platform to manage the SOC function for their clients
*   A reduced requirement to architect individual custom solutions for their customers, thanks to an integrated core stack and multi-tenant view out of the box
*   Visibility, analysis, and automation across Trend, third-party products, and customer instances, making it easier to manage XDR across multiple customers
*   A scalable, flexible, and feature-rich platform to appeal to all types of customers no matter the size and complexity of their IT environment

**Notice Regarding Forward-Looking Statements**

Certain statements included in this press release that are not historical facts are forward-looking statements. Forward-looking statements are sometimes accompanied by words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "should," "would," "plan," "predict," "potential," "seem," "seek," "future," "outlook" and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. These forward-looking statements include, but are not limited to, statements concerning the future plans or prospects for the acquisition. These statements are based on our current expectations and beliefs and are subject to a number of factors and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. Although we believe that the expectations reflected in our forward-looking statements are reasonable, we do not know whether our expectations will prove correct. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof, even if subsequently made available by us on our website or otherwise. We do not undertake any obligation to update, amend or clarify these forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required under applicable securities laws.

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

The Gartner Report(s) described herein, (the "Gartner Report(s)") represent(s) data, research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and are not representations of fact. Each Gartner Report speaks as of its original publication date (and not as of the date of this Prospectus) and the opinions expressed in the Gartner Report(s) are subject to change without notice.

SOURCE Trend Micro Incorporated

Trend Micro Acquires SOC Technology Expert Anlyz

Patch released for bug that poses a critical risk to vulnerable technologies

John Leyden 22 February 2023 at 14:23 UTC

Patch released for bug that poses a critical risk to vulnerable technologies

A security flaw in a bundle anti-malware scanner product has created a serious security risk for some products from networking giant Cisco.

More particularly, a vulnerability in the ClamAV scanning library (tracked as CVE-2023-20032) created a critical security risk for Cisco’s Secure Web Appliance as well as various versions of Cisco Secure Endpoint (including Windows, MacOS, Linux, and cloud).

Cisco released an advisory on the vulnerability – alongside patches for affected products – last week. Although the vulnerability is not under active attack, patching is nonetheless recommended.

The partition scanning buffer overflow vulnerability poses a critical risk to vulnerable technologies.

Catch up with the latest network security news and analysis

As explained in Cisco’s security advisory, a vulnerability in the HFS+ partition file parser of ClamAV creates a mechanism to push malicious code onto either endpoint devices or vulnerable instances of Cisco’s Secure Web Appliance.

The vulnerability, which stems from an absent buffer size check, creates a heap buffer overflow risk in scanning HFS+ partition file. An attacker might be able to create a malicious partition file before offering it up for scanning by ClamAV.

“A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” Cisco’s advisory explains.

**Use case**

ClamAV (Clam AntiVirus) is a free software, anti-malware toolkit originally developed for Unix. The technology - acquired by Cisco through an acquisition 10 years ago, has been ported to run on various operating systems including Linux, macOS, and Windows.

One of the main use cases for the technology is on mail servers as a server-side malware-in-email scanner.

However, Cisco has confirmed that neither its Secure Email Gateway nor its Secure Email and Web Manager appliances are vulnerable to this particular security bug.

**Who guards the guards?**

Any vulnerability in a security utility that allows potential miscreants to hack into affected devices show how tools designed to increase security can increase the attack surface exposed to potential attackers.

The security flaw in ClamAV’s HFS+ partition file parser, along with lesser a remote information leak vulnerability (tracked as CVE-2023-20052) in the DMG file parser of the same technology, were both discovered by Google engineer Simon Scannell. Google notified Cisco about security bugs in ClamAV last August.

An advisory by Google, posted on GitHub, offers a full technical run-down of the more serious CVE-2023-20032 vulnerability and its potential exploitation.

“We rate the vulnerability as high severity as the buffer overflow can be triggered when a scan is run with CL\_SCAN\_ARCHIVE enabled, which is enabled by default in most configurations.

“This feature is typically used to scan incoming emails on the backend of mail servers. As such, a remote, external, unauthenticated attacker can trigger this vulnerability,” Cisco’s advisory explains.

A technical blog post by German cybersecurity vendor ONEKEY concludes that the two flaws in ClamAV illustrate that “file format parsing is a difficult and complex endeavor”.

LIKED THIS ARTICLE? Sign up to our new newsletter – Daily Swig Deserialized

Cisco ClamAV anti-malware scanner vulnerable to serious security flaw

By Habiba Rashid
The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan.
This is a post from HackRead.com Read the original post: Android voice chat app with 5m installs leaked user chats

OyeTalk was leaking unencrypted data through unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services.

A popular Android voice chat app, OyeTalk, has leaked private user data, including their unencrypted chats, usernames, and cellphone International Mobile Equipment Identity (IMEI) numbers.

With over five million downloads on **Google Play**, the app has compromised the privacy of all its users while simultaneously exposing them to malicious threats.

OyeTalk on Android

OyeTalk was leaking data through unprotected access to **Firebase**, Google’s mobile application development platform that provides cloud-hosted database services.

The researchers warned that malicious actors could have deleted the dataset, resulting in a permanent loss of users’ private messages, if the leaked data had not been backed up. 

According to the Cyber News **blog post**, Despite being informed of the data spill, the app developers failed to close off public access to the database. Google’s security measures had to step in, since the spill got too big, to close off the database.

This isn’t all. The developers also carelessly left sensitive information hardcoded in the application’s client-side, including a Google API (application programming interface) key and links to Google storage buckets. The exploitation of this security practice in the past has resulted in data loss or a complete takeover of user data stored on open Firebase or other storage systems.

It turns out, this was not the first occurrence of a data leak affecting OyeTalk. The researchers found that the database had been discovered and marked as vulnerable by unknown actors, likely with no malicious intent. The database contained specific fingerprints used to mark open Firebases, known as “**Proof of Compromise**” (PoC) and Evidence of Compromise (EoC) or Indicator of Compromise (IOC).

**Repercussions**

The repercussions of a data leak like the one that occurred with the OyeTalk voice chat app can be severe and far-reaching. First and foremost, the personal information of users can be compromised, leaving them vulnerable to scams.

Furthermore, the leak of personal data can also have a negative impact on the reputation of the app and the company behind it. Users may lose trust in the app and its ability to protect their data, leading to a decline in its user base and revenue. This can also result in legal consequences for the company, as they may face lawsuits and fines for violating data privacy laws.

Overall, the OyeTalk data leak can have significant and lasting consequences for users, the app and its company, and society at large. It underscores the importance of robust data protection measures and responsible handling of personal information and highlights the need for ongoing vigilance in the face of ever-evolving **cybersecurity threats**.

1.  **23 Android apps leaked sensitive data of 100m users**
2.  **GoKeyboard App Spying on Millions of Android Users**
3.  **Dune! game app leaked personal data of Android users**
4.  **Login Details of Tech Giants Leaked in Data Center Hacks**
5.  **Iranian hackers drop RatMilad Android spyware in VPN app**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Android voice chat app with 5m installs leaked user chats

If you Google "third-party data breaches" you will find many recent reports of data breaches that were either caused by an attack at a third party or sensitive information stored at a third-party location was exposed. Third-party data breaches don't discriminate by industry because almost every company is operating with some sort of vendor relationship – whether it be a business partner,

If you Google "third-party data breaches" you will find many recent reports of data breaches that were either caused by an attack at a third party or sensitive information stored at a third-party location was exposed. Third-party data breaches don't discriminate by industry because almost every company is operating with some sort of vendor relationship – whether it be a business partner, contractor or reseller, or the use of IT software or platform, or another service provider. Organizations are now sharing data with an average of 730 third-party vendors, according to a report by Osano, and with the acceleration of digital transformation, that number will only grow.

****The Importance of Third-Party Risk Management****

With more organizations sharing data with more third-party vendors, it shouldn't be surprising that more than 50% of security incidents in the past two years have stemmed from a third-party with access privileges, according to a CyberRisk Alliance report.

Unfortunately, while most security teams agree that supply chain visibility is a priority, the same report notes that only 41% of organizations have visibility into their most critical vendors and only 23% have visibility into their entire third-party ecosystem.

The reasons for the lack of investment into Third Party Risk Management (TPRM) are the same that we consistently hear – lack of time, lack of money and resources, and it's a business need to work with the vendor. So, how can we make it easier to overcome the barriers to managing third-party cyber risk? Automation.

****The Benefits of Automation****

Automation empowers organizations to do more with less. From a security perspective, here are just some of the benefits automation provides, as highlighted by Graphus:

*   76 % of IT executives in a cybersecurity survey said that automation maximizes the efficiency of security staff.
*   Security automation can save more than 80% over the cost of manual security.
*   42% of companies cited security automation as a major factor in their success at improving their cybersecurity posture.

With regards to TPRM, automation can transform your program by:

****Step 1 - Assess your vendors with Continuous Threat Exposure Management (CTEM)****

Continuous threat exposure assessments include comprehensive assessments that incorporate the following:

*   Automated asset discovery
*   External infrastructure/Network Assessments
*   Web application security assessment
*   Threat intelligence informed analysis
*   Dark web findings
*   More accurate security rating

This is a more comprehensive analysis of third parties compared to just sending questionnaires. A manual questionnaire process can take between 8-40 hours per vendor, provided that the vendor responds quickly and accurately. But this approach doesn't allow the ability to see vulnerabilities or validate the effectiveness of the required controls in a questionnaire.

Incorporating an automated threat exposure assessment capability and integrating it with questionnaires can reduce the time to review vendors, and we've found that the combination can reduce the time to assess and onboard new vendors by 33%.

****Step 2 – Use a Questionnaire Exchange****

Organizations that manage many questionnaires, or vendors that respond to many questionnaires, should consider using a questionnaire exchange. Simply stated, it's a hosted repository of completed standard or custom questionnaires that can be shared with other interested parties upon approval.

If you select a platform that performs the automation described above, both parties get a verified and automated approach to the most recent questionnaires that are auto-validated by continuous assessments. Again, this can save your team time by requesting access to existing questionnaires or scaling their time in the response of a new questionnaire that can be reused upon request.

****Step 3 - Continuously combine threat exposure findings with the questionnaire exchange****

Security ratings alone don't work. Using questionnaires alone to assess third parties doesn't work. Threat exposure management, which incorporates accurate security ratings from the direct assessments, combined with validated questionnaires - where the questionnaire is querying the assessment and updating the security rating - provides you with a powerful solution for continuous Third-Party Risk Management. Platforms that use active and passive assessments, and don't solely rely on historical OSINT data, provide the most accurate attack surface visibility – since it's of a third-party at that time.

This information can be leveraged to auto-validate the applicable controls in the questionnaire for security and compliance framework requirements and flag any discrepancy between the client answer and the technology assessment finding. This gives organizations a real "trust but verify" approach toward third-party reviews. Since this can be done quickly, you can be notified when third parties become non-compliant with specific technical controls.

Organizations looking to maximize the efficiency of their third-party cyber risk management program should look to add automation to their processes. In more difficult macro-economic environments companies can turn to automation to reduce the toil that their team performs, while still achieving progress and results, in exchange for team members being able to focus on other initiatives.

**Note:** Victor Gamra, CISSP, a former CISO, has authored and provided this article. He is also the Founder and CEO of FortifyData, an industry-leading Continuous Threat Exposure Management (CTEM) firm. FortifyData empowers businesses to manage cyber risk at the organizational level by incorporating automated attack surface assessments, asset classification, risk-based vulnerability management, security ratings, and third-party risk management into an all-in-one cyber risk management platform. To learn more, please visit www.fortifydata.com.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3 Steps to Automate Your Third-Party Risk Management Program

By Deeba Ahmed
The bugs allowed cybercriminals to bypass the iOS system's security protections and execute unauthorized code. 
This is a post from HackRead.com Read the original post: Apple Bug Could Allow Attackers Access to Photos and Messages

The findings are based on previous research from Google and Citizen Lab conducted in 2021 which discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to the Israeli NSO Group.

Apple devices and products are known for their advanced security mechanisms, particularly the iPhone and Macbook. However, the latest research reveals that even Apple products aren’t safe from the prying eyes of threat actors.

Researchers at the cybersecurity firm Trellix Advanced Research Center have disclosed details of a newly discovered privilege escalation bug class that, if exploited, could allow an attacker to sweep up call history, messages, and photos from the device.

According to researchers, the bugs allowed cybercriminals to bypass the iOS system’s security protections and execute unauthorized code. The security flaws were ranked as medium to high in terms of security.

Trellix’s vulnerability research director, Doug McKee, stated that although Apple has addressed the issue, the concern is that these vulnerabilities allow bypassing of Apple’s security model at a “fundamental level.”

Apple said the bugs weren’t exploited in the wild before being fixed.

**How Was the Bug Discovered?**

The findings are based on previous research from Google and Citizen Lab conducted in 2021. The organizations discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to NSO Group.

This was a highly sophisticated exploit found on a Saudi activist’s iPhone and was used for installing Pegasus malware developed by the NSO Group. The same spyware was also found on the iPhones of nine State Department officials in the United States.

This exploit had two key features: first, it tricked the iPhone into opening a malicious PDF disguised as a GIF file. Secondly, it enabled attackers to evade the sandbox that Apple introduced to prevent apps from accessing data from other apps or other parts of the device.

This second feature of ForcedEntry was the basis of Trellix’s research from senior vulnerability researcher Austin Emmitt. A proof-of-concept was released to demonstrate how the bugs could be exploited.

**Vulnerabilities**

Emmitt discovered a new class of vulnerabilities revolving around the NSPredicate tool that filters code within Apple’s systems. This tool was first exploited in ForcedEntry, as the 2021 research revealed, and Apple introduced new measures to prevent this abuse.

However, the mitigation methods were insufficient, as Trellix researchers found that these methods could also be bypassed since bugs in the NSPredicate class were found in multiple places in macOS and iOS systems.

This includes the Springboard app, which manages the home screen on an iPhone and can access photos, location data, and the camera. After exploiting the bugs, the attacker could access places they could not otherwise invade. Attackers trying to exploit it need to gain an initial foothold into the device.

Vulnerabilities in NSPredicate were discovered in macOS 13.2 and iOS 16.3, and Apple patched them with software updates in January. The company also issued CVEs for these flaws—CVE-2023-23530 and CVE-2023-23531—and released new versions of macOS and iOS.

1.  Apple AirTags used as trojan for credential hacking
2.  iOS Devices Receive Vital Security Updates from Apple
3.  Charging cable remotely steals data from Apple devices
4.  55 Apple bugs risked iCloud account takeover, data theft
5.  Study: Android sends more data to Google than iOS to Apple

Tag

#google