On-chip solutions aim to prevent breaches by separating the computing element and keeping data in the secure vault at all times.

Top chip makers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Chip makers are adding protective vaults and encryption layers to secure data when it is stored, in transit, or being processed. The goal is to prevent hackers from launching hardware attacks to steal data.

The chip offerings are trickling down to cloud providers, with Microsoft (Azure) and Google (Cloud) offering security-focused virtual machines in which data in secure vaults can be unlocked by only authorized parties. Attestation verifies the source and integrity of the program entering the secure vault to access the data. Once authorized, the processing happens inside the vault, and the code doesn't leave the secure vault.

Confidential computing is not a part of everyday computing yet, but it may become necessary to protect sensitive applications and data from sophisticated attacks, says Jim McGregor, principal analyst at Tirias Research.

The chip makers are focusing on hardware protections because "software is easy to hack," McGregor says.

**Nvidia's Morpheus Uses AI to Analyze Behavior**

There are multiple dimensions to confidential computing. On-chip confidential computing aims to prevent breaches like the 2018 Meltdown and Spectre vulnerabilities by separating the computing element and keeping data in the secure vault at all times.

"Everybody wants to continue to reduce the attack surface of data," says Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations. "Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level."

Nvidia is taking a divergent approach to confidential computing with Morpheus, which uses artificial intelligence (AI) to keep computer systems secure. For example, Morpheus identifies suspicious user behavior by using AI techniques to inspect network packets for sensitive data.

"Security analysts can go and fix the security policies before it becomes a problem," Boitano says. "From there, we also realize the big challenges — you have to kind of assume that people are already in your network, so you have also got to look at the behavior of users and machines on the network."

Nvidia is also using Morpheus to establish security priorities for analysts tracking system threats. The AI system breaks down login information to identify abnormal user behavior on a network and machines that may have been compromised by phishing, social engineering, or other techniques. That analysis helps the company's security team prioritize their actions.

"You're trying to look at everything and then use AI to determine what you need to keep and act on versus what might just be noise that you can drop," Boitano says.

**Intel Rolls Out Project Amber**

Confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models, says Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer.

Companies are eager to bring diverse data sets into proprietary data to make internal AI systems more accurate, Rao says. Confidential computing makes sure only authorized data is fed into AI and learning models, and that the data is not pilfered or stolen.

"If you have data coming in from credit card companies, you have data coming in from insurance companies, and you have data coming in from other locations, what you can do is say, 'I'm going to process all of these pieces of data inside of a \[secure\] enclave,'" Rao says.

Intel already had a secure enclave called SGX (Secure Guard Extension), but it recently added Project Amber, a cloud-based service that uses hardware and software techniques to attest and certify the trustworthiness of data.

On its upcoming 4th Generation Xeon Scalable processor, Intel's Project Amber uses instructions called Trust Domain Execution (TDX) to unlock secure enclaves. An Amber engine on one chip generates a numerical code for the secure enclave. If the code provided by the data or program seeking access matches, it is allowed to enter the secure enclave; if not, entry is denied.

**ARM Teams Up With AWS**

At the recent online ARM DevSummit, ARM — whose chip designs are being used by AWS on its Graviton cloud chip — announced it was focusing confidential computing on dynamic "realms" that will order programs and data in separate computational environments.

ARM's latest confidential computing architecture will deepen secure "wells" and make it harder for hackers to pull out data. The company is releasing confidential computing software stacks and guides for implementation in processors coming out over the next two years.

"We're already investing to ensure that you have the tools and software to see the ecosystem for early development," said Gary Campbell, executive vice president for central engineering at ARM, during a keynote at the event.

**AMD and Microsoft Go Open Source**

During a presentation at the AI Hardware Summit in August, Mark Russinovich, Microsoft Azure's chief technology officer, gave an example of how Royal Bank of Canada was using AMD's SEV-SNP confidential computing technology in Azure. The bank's AI model mixed proprietary data sets with information from merchants, consumers, and banks in real time, which helped provide more targeted advertising offerings to its customers.

Confidential computing features such as attestation ensured only the authorized data was mingling with its proprietary data set and not compromising it, Russinovich said.

Nvidia, Microsoft, Google, and AMD are collaborating on Caliptra, an open source specification for chip makers to build confidential computing security blocks into chips and systems.

How Chip Makers Are Implementing Confidential Computing

At this year’s KubeCon/CloudNativeCon, both development and operations practitioners were tackling different security needs.

As a self-identified movie buff, some movie lines somehow stick with me over the years. One of them is from Ridley Scott's _Gladiator_ (2000), when a Roman senator says, "The beating heart of Rome is not the marble of the Senate, it is the sand of the Colosseum."

That line popped up in my head as I walked around the halls at KubeCon/CloudNativeCon ("KubeCon"), the marquee event for the Cloud Native Computing Foundation (CNCF). To me, the beating heart of cloud-native security is most definitely KubeCon.

This year's North American edition of the event took place last week in Detroit, bringing together thousands of participants on-site plus many others remotely. In addition to the main three-day event, the growing interest in specific projects has led the Cloud Native Computing Foundation to set up various "co-located events" ahead of the main conference.

For the 2022 event, there was not only a specific CloudNativeSecurityCon two-day event but also plenty of security content across other events, including Application Networking Day, EnvoyCon, Policy Day with OPA, ServiceMeshCon, and more, reflecting the wide interest in cloud-native security topics. Interestingly, the CloudNativeSecurityCon event has itself now "graduated" to an independent event to be hosted separately in February.

**Cloud-Native security: Development vs. Operations**

So, where is the current state of cloud-native security conversations? To Omdia, there is a strong bifurcation: development-centric concerns and operations-centric concerns. It is not as helpful to call these "Dev" and "Ops" because team structure is in flux in many organizations: some may have site reliability engineering (SRE) teams, some may call them operations, platform teams, and more.

On the development side of the ledger, three topics of interest are provenance, noise, and exposure.

Provenance asks the fundamental question: Can we trust the integrity of the external component we're incorporating into our software pipeline? While many examples exist, the 2020 SolarWinds attack was a turning point for interest in the integrity of the software supply chain. At KubeCon, there was palpable momentum behind the idea of signing software images: The sigstore project was announced as general availability and is being used by Kubernetes and other key projects.

Noise refers to reducing the number of vulnerabilities that exist in the environment, starting with slimming down the container base images that are being used. This may include using image bases such as Alpine or Debian Slim or considering "distroless" alternatives that are even smaller. The benefit is that these smaller images have minimal footprint and therefore reduced chance of vulnerabilities popping up.

Exposure: For any given vulnerability, how exposed are we as an organization? There is no better example of this in recent industry history than Log4j, of course. This is the realm of discussions on software bills of materials (SBOMs) as it relates to knowing where components may be used either as images sitting in a registry somewhere or running in production. Interestingly, as this essay is being written, there's advance notice that information about critical vulnerabilities in OpenSSL 3.x will be disclosed imminently, which will likely be another good use case for SBOMs — just where is OpenSSL 3.x used in our organization? Given that SBOM coverage is still not widespread, Omdia expects minimal SBOM usage this time around, unfortunately.

Operations teams are naturally focused on providing and operating an increasingly complex underlying platform and doing so securely. The word “platform” is particularly relevant here: There was notable interest in organizing Kubernetes and many of the growing list of CNCF projects (140 as of this writing, between the various stages of project incubation: sandbox, incubation, graduated) into easier-to-consume platforms. Of specific interest to security audiences, projects such as Cilium (using the underlying eBPF functionality) for networking and observability, SPIFFE/SPIRE (for establishing identities), Falco (for runtime security), Open Policy Agent (for policy-as-code), Cloud Custodian (for governance), and others are worth looking into. The expectation is that these projects will increasingly collaborate with "observability" aspects of cloud-native and will also be deployed using practices such as GitOps.

**Reasons for Optimism on Cloud-Native Security**

Where do we go from here? It was abundantly clear that the cloud-native community cares deeply about security and is moving forward full-speed with tackling the many topics around it. The guidance to security teams is to quickly come up to speed on how these different projects and initiatives are being implemented. It's important to note that for many organizations, this will come not in the form of explicitly using the community project (though some will), but rather as part of a packaged platform from vendors such as Red Hat, SUSE, Canonical, and others, or directly from the cloud providers such as AWS, Google Cloud, Azure, Oracle, and others.

Be aware that, in the context of open source usage, there's no such thing as really "free" — even if one chooses to use the vanilla upstream version of projects, there are inherent costs in maintaining those packages and participating in the community development.

Cloud-Native Security Was in the Air at KubeCon/CloudNativeCon 2022

Dormant 32 bit-era coding flaw causes problems for 64-bit systems

Dormant 32 bit-era coding flaw causes problems for 64-bit systems

The maintainers of the SQLite database engine have patched a high severity vulnerability that attackers could exploit to crash or control programs that rely on the software.

Developers of the software have offered The Daily Swig a convincing argument that the flaw would be difficult to exploit in practice. Even so, they have revised the software with a patch to defend against the flaw – rather than dismissing the issue as something that can be safely ignored.

SQLite is a popular open source C-language library that underpins many enterprise apps and services. Notable users of SQLite include Apple, Adobe, Google, Facebook, and Microsoft. There are billions of copies of SQLite deployed worldwide.

The SQLite team is quick to fix emerging vulnerabilities in the software due to their potentially wide-reaching impact. However, a vulnerability disclosed this month by Trail of Bits was introduced 22 years ago and highlighted how initially secure functionality could have unintended consequences much further down the line.

Catch up with the latest database-related security news and analysis

In a blog post dated October 25, Trail of Bits researcher Andreas Kellas said the vulnerability was introduced in SQLite version 1.0.12, a 2000 release that landed when the software was primarily based on 32-bit architectures. According to Kellas, the bug “may not have seemed like an error” at the time.

The high severity vulnerability is tracked as CVE-2022-35737, scoring a CVSS severity score of 7.5.

Trail of Bits said the bug impacts any app that relies on the SQLite library API.

The vulnerability is exploitable on 64-bit systems when large string inputs contain %Q, %q, or %w format substitution types that – in this scenario – might cause programs to crash or worse.

In the most severe cases – when the ! special character exists in the format string – it may be “possible to achieve arbitrary code execution, in the worst case, or to cause the program to hang and loop (nearly) indefinitely,” according to the researchers.

**Root cause analysis**

Speaking to The Daily Swig, the creator of SQLite, D. Richard Hipp, said the root cause of the problem was the use of signed 32-bit integers as a byte index into the input string and to compute the size of the output string. When an input string was large enough, the integer would overflow, and “all kinds of problems” ensued.

However, the potential impact of the flaw appears to be limited.

Hipp told us that it is not possible to reach the vulnerability for malicious purposes via SQL inputs or by passing SQLite a malformed database file. Instead, an attacker would have to abuse the use the sqlite3\_mprintf() function – or “similar C-level interfaces with a format string that includes one of the non-standard \[;...\] conversion symbols, and then pass in a string that is over 2GB in size”.

The software developer added:

“Lots of applications use SQLite, but only a small percentage of those use the sqlite3\_mprintf() API, and an even smaller percentage make use of %Q, %q, or %w. Of those that do, most do not provide a way for an attacker to arrange for a 2GB+ string to be passed into the argument to %Q, %q, or %w.”

**Unearthing Fossil**

In addition, while the project uses the Fossil control system and this software uses printf, the team couldn’t find a way to inject a 2GB string.

CVE-2022-35737 was reported to the Computer Emergency Response Team (CERT) Coordination Center by Trail of Bits on July 14. CERT confirmed the issue, reached out to SQLite maintainers, and the team fixed the bug in the software’s source code only three days later – a task accomplished by converting to the use of 64-bit integers.

The patched SQLite version, v3.39.2, was released on July 21.

“We are grateful for the responsible disclosure from the researchers who found it,” Hipp said. “It doesn’t hurt to upgrade to a newer release of SQLite. But very few if any real-world applications should be affected by this.”

The Daily Swig has reached out to Trail of Bits with additional queries and we will update this story as and when we hear back.

RELATED HyperSQL DataBase flaw leaves library vulnerable to RCE

SQLite patches 22-year-old code execution, denial of service vulnerability

Accelerates the safe recovery from ransomware attacks.

**SANTA CLARA, Calif., and PUNE, India, Oct. 31, 2022 /PRNewswire/** — Persistent Systems (BSE: PERSISTENT) (NSE: PERSISTENT), a global Digital Engineering provider, today announced the launch of a trailblazing solution that enables organizations to recover more quickly from cyberattacks. Together with Google Cloud, the Persistent Intelligent Cyber Recovery (PiCR) solution provides a comprehensive and scalable cyber-recovery approach, allowing organizations to reduce data loss and minimize the negative impact to brand reputation from prolonged downtime. Persistent Intelligent Cyber Recovery is now available on the Google Cloud Marketplace.

Hackers are increasing the frequency and scale of ransomware attacks. They are using continually evolving and sophisticated techniques, which makes recovery from attacks more challenging. These attacks may lead to sensitive data leakage, loss of business, and damage to brand reputation. It is crucial for organizations to not only focus on protection against cyber-attacks but also strengthen their recovery process.

Traditional backup and Disaster Recovery (DR) solutions are not designed for recovery from cyber-attacks. Persistent Intelligent Cyber Recovery includes tailored recovery plans, Persistent IP for finding and remediating malware, and the optional managed services to administer the recovery process. Persistent's solution integrates with Google Cloud to provide a secure recovery environment and Google Cloud Backup and DR for protecting the server images.

Persistent Intelligent Cyber Recovery offers the following benefits:

\-- Reduction in data loss  
\-- Decreased risk of recurrent attacks through the removal of malware  
\-- Faster recovery from ransomware and zero-day attacks (from weeks/months  
to hours/days)  
\-- Potential cyber insurance cost reduction  
\-- Scalable solution depending on enterprise size challenges  
Nitha Puthran, Senior Vice President - Cloud, Infrastructure and Security,  
Persistent:

"The digital environment today is constantly evolving and so are the risks associated with it. We are leveraging our strong relationship with Google Cloud and our product engineering expertise to create an industry-leading solution that allows enterprises to recover faster from cyber-attacks, thereby reducing the impact on their business.

"Persistent Intelligent Cyber Recovery combines strategic planning and the creation of playbooks, integration with Google Cloud services and our own IP to find anomalies that indicate malware, remove the malware, and use automation to set up test and production environments to scale. It takes a services and product mindset to create a solution like Persistent Intelligent Cyber Recovery and Persistent is uniquely positioned in the market to deliver both."

Dai Vu, Managing Director, Marketplace and ISV GTM Programs, Google: "As cyber threats become more prevalent, customers need solutions that can help them quickly address and recover from cyber-attacks. With the Persistent's Intelligent Cyber Recovery (PiCR) solution available on Google Cloud Marketplace, customers can quickly deploy PiCR to their Google Cloud environment and utilize it alongside Google Cloud technologies and capabilities to address cyber-attacks quickly and securely."  
**SOURCE:** Persistent Systems

Persistent Launches Cyber-Recovery Solution With Google Cloud

Apple Security Advisory 2022-10-27-15 - Safari 16.1 addresses code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-15 Additional information for APPLE-SA-2022-10-24-7 Safari 16.1

Safari 16.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213495.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a malicious website may lead to user interface  
spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser  
Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University,  
Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
internal states of the app  
Description: A correctness issue in the JIT was addressed with  
improved checks.  
WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab  
Entry added October 27, 2022

WebKit PDF  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 242781  
CVE-2022-32922: Yonghwi Jin (@jinmo123) at Theori working with Trend  
Micro Zero Day Initiative

Additional recognition

WebKit  
We would like to acknowledge Maddie Stone of Google Project Zero,  
Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd., an  
anonymous researcher for their assistance.

Safari 16.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke  
NxlhOg/+I94LgMI7No4xw6dub1rdzNTbMV6A0R14HXwA7PoMzXgXJotYFyAfGUY4  
zd2fE9ixEuXqt+OsVrQ0/ZU4HcLEJLQk2ZkULoDfNeGiuJpi6k9VhPp6995XtLNb  
zGZgMu5dOPBkYsSaM5XaVwLQPtsIbac3u/Uoo6l2TyyN1B2clsI1dS2IXS8DEHkr  
2fCImTAcFfqIW7TZ6xqAdYOL5QLoJ8qXTcjSMaWtPpPzkfpZCTTwV8ifauK5rTQd  
JsFf49RFWMNdZ3qHNRaENsFMh1Y+bMRIW6Xt41WKXhSPdNXonv93N472YGhMtt7Z  
k+IuibGRVlwzc5Ri4AnQspBjhint6vo4vbJ39h1FoSzqTm3PruH+HGrhlfMTGR8/  
0s/QDBLQbA+UlM5r6uinQ5pI771rRyHTCWOxLUVVopDOV9ImV36Y+INakc3pTXL1  
420Wg31lCMO3cwwXyVYq/zDbCpJ2gDptSWTqlubli+omxMG7LRs0Vn9P4NTosVzk  
jN49FHJE2moD8O0D+sia6+lhyVhcP8UIA3WtcXegVngrwL6sAoFa5SCp49wmbb/O  
Ye1eysxuMR2xu7piVbUpGh0wRY50MbwwSWX0vRt0CwxcoiQK90lQFbqy2RFX4eN8  
k/jjh3nPUl20WxgOfQfLfiY/9aPcQSzvcOzba2bSovdgyk8xH+o=  
=3IzG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-15

Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-13 watchOS 9

watchOS 9 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213486.

Accelerate Framework  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
CVE-2022-42795: ryuzaki

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32907: Natalie Silvanovich of Google Project Zero, Antonio  
Zekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Research  
s.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee__)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32858: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32898: Mohamed Ghannam (@_simo36)  
CVE-2022-32899: Mohamed Ghannam (@_simo36)  
CVE-2022-32889: Mohamed Ghannam (@_simo36)

Contacts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

Exchange  
Available for: Apple Watch Series 4 and later  
Impact: A user in a privileged network position may be able to  
intercept mail credentials  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32928: an anonymous researcher

GPU Drivers  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32903: an anonymous researcher

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: A denial-of-service issue was addressed with improved  
validation.  
CVE-2022-1622

Image Processing  
Available for: Apple Watch Series 4 and later  
Impact: A sandboxed app may be able to determine which app is  
currently using the camera  
Description: The issue was addressed with additional restrictions on  
the observability of app states.  
CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)  
CVE-2022-32911: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32914: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32894: an anonymous researcher

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32883: Ron Masas of breakpointhq.com

MediaLibrary  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: A memory corruption issue was addressed with improved  
input validation.  
CVE-2022-32908: an anonymous researcher

Notifications  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to access  
contacts from the lock screen  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32879: Ubeydullah Sümer

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to use  
Siri to obtain some call history information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32870: Andrew Goldberg of The McCombs School of Business,  
The University of Texas at Austin (linkedin.com/in/andrew-goldberg-/)

SQLite  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause a denial-of-service  
Description: This issue was addressed with improved checks.  
CVE-2021-36690

Watch app  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read a persistent device identifier  
Description: This issue was addressed with improved entitlements.  
CVE-2022-32835: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32875: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer(@p1umer), afang(@afang5472),  
xmzyshypnc(@xmzyshypnc1)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 242047  
CVE-2022-32888: P1umer (@p1umer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617, an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Wi-Fi  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32925: Wang Yu of Cyberserval

Additional recognition

AppleCredentialManager  
We would like to acknowledge @jonathandata1 for their assistance.

FaceTime  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge an anonymous researcher for their  
assistance.

Mail  
We would like to acknowledge an anonymous researcher for their  
assistance.

Sandbox  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security for their assistance.

UIKit  
We would like to acknowledge Aleczander Ewing for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpMACgkQ4RjMIDke  
Nxmucg/+L8XHGSij8F6IoUuvCuJ3u1IUfHXE5LK0BafEddVzKS87fct6KP7L3kvE  
SfdJVCOrmfVImKn3etfpDgwgZoYqF8cxeb9PO7ObVT/15GBBfuAGc+rNZ3oAeWDJ  
iYFiiWZrDnj9gz6bo0jn4dN9q8/X9iIjUCujPdkrFzXqa+KkVub9wv6/jtJGQA3O  
YgDIaV0UvcJss0uhJR9GX+A3+4zeJgUiNq2a/1qf1nOFh/O59pbHNWYnHzB91/FE  
8V+EJgfxaK/M3zDfonPI9SMa26lO+VJejOnco98of7Kk+yNoOy6xTIkBLLBURMqN  
Jxz0I3WNxjM5TQ61WzINvd198gqjyac2nVg1S4Gqkekk6VXwmQR5zaqQmzePQqp3  
qw+qhICNqFSUJPyIDQwnuCaf1MlfEj57ustS5d8g5M1fNXBlnrtJVpI/CcPIAYvo  
7pQZy/6QptmrPp6Lgv6k/Vtxi/H5s8/tHCnhtvczbdpH6lsPmCJlDSdzsK1L8krP  
82WcjBulywZWfZ4IBNi52lD+EWlmzHomcYVGQcbd0/1FLE8h5meKCvYxM5ovfk1F  
PloJY8FQgJ3b+NcTQuTD4dZ7rc+Le5WqqD4EAgYbOKgAD6Fqy47eY8yNcYJw0qXP  
5jll4mfHUJe7NHc9frZKrdpH0Cl8o9lRdRPpM+kLqteQlpNOjao=  
=Ty+V  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-13

Apple Security Advisory 2022-10-27-12 - watchOS 9.1 addresses code execution, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-12 Additional information for APPLE-SA-2022-10-24-5 watchOS 9.1

watchOS 9.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213491.

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed by removing additional  
entitlements.  
CVE-2022-42825: Mickey Jin (@patch1t)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges   
Description: The issue was addressed with improved memory handling.   
CVE-2022-32932: Mohamed Ghannam (@_simo36)  
Entry added October 27, 2022

Audio  
Available for: Apple Watch Series 4 and later  
Impact: Parsing a maliciously crafted audio file may lead to  
disclosure of user information   
Description: The issue was addressed with improved memory handling.   
CVE-2022-42798: Anonymous working with Trend Micro Zero Day  
Initiative  
Entry added October 27, 2022

AVEVideoEncoder  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32940: ABC Research s.r.o.

CFNetwork  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted certificate may lead to  
arbitrary code execution  
Description: A certificate validation issue existed in the handling  
of WKWebView. This issue was addressed with improved validation.  
CVE-2022-42813: Jonathan Zhang of Open Computing Facility  
(ocf.berkeley.edu)

GPU Drivers  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32947: Asahi Lina (@LinaAsahi)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32924: Ian Beer of Google Project Zero

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause kernel code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-42808: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
state management.   
CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added October 27, 2022

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges   
Description: A race condition was addressed with improved locking.   
CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)  
Entry added October 27, 2022

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges   
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32926: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added October 27, 2022

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges   
Description: A logic issue was addressed with improved checks.   
CVE-2022-42801: Ian Beer of Google Project Zero  
Entry added October 27, 2022

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a maliciously crafted website may leak sensitive  
data   
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42817: Mir Masood Ali, PhD student, University of Illinois  
at Chicago; Binoy Chitale, MS student, Stony Brook University;  
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at  
Chicago; Chris Kanich, Associate Professor, University of Illinois at  
Chicago  
Entry added October 27, 2022

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2022-42811: Justin Bui (@slyd0g) of Snowflake

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a malicious website may lead to user interface  
spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser  
Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University,  
Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may disclose  
internal states of the app   
Description: A correctness issue in the JIT was addressed with  
improved checks.  
WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab  
Entry added October 27, 2022

zlib  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution   
Description: This issue was addressed with improved checks.  
CVE-2022-37434: Evgeny Legerov  
CVE-2022-42800: Evgeny Legerov  
Entry added October 27, 2022

Additional recognition

iCloud  
We would like to acknowledge Tim Michaud (@TimGMichaud) of  
Moveworks.ai for their assistance.

Kernel  
We would like to acknowledge Peter Nguyen of STAR Labs, Tim Michaud  
(@TimGMichaud) of Moveworks.ai, Tommy Muir (@Muirey03) for their  
assistance.

WebKit  
We would like to acknowledge Maddie Stone of Google Project Zero,  
Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd., an  
anonymous researcher for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpQACgkQ4RjMIDke  
NxndmQ/9FlBich1M+naXLmjo/AyBTdlmBdFUH6cU92PspO7vrzTZl3Gl3dSjvGg0  
TU7AGeAAvr278Zra0Hrm+D+w2BMAd3SSIjBXyum02lx0AGyyAFaPEDVq4CpxnqUG  
AEqBRrgoU9yZpTrIQXZlsnqphdv3KLVDzqqKlZjkPzIboYJ0I0c0HMP54618kx1n  
oBtoEEjPrIhH9LJyt37FbtgRntCzuuyistaxKGugZo4UDUt8hkHLKpYHf/5BNfWl  
/SaX1sy1ZJBoOezMC7/egaHPBbJRDnU3dXSQ7ON7h6w1Tc9NeUjXP0wf8BByeIko  
zJF5StfqfBKa3fR8wl0uM4CWDuHVtVjHAv5lWSqEQoEFoAjud+Ajjr5j3DJegVW7  
Xp5Xu7W2XRR03dCM/SCQXMttr/Eu7z4EPJZD1W5y/UYH+ZwF4tq+4fxdrLOzPh4j  
uDLW+CWvF0d/+lVINDXzvzfQwEk77fbFJtUwL6Z5Sq95rtIL0/1OgtK/F/ODeyAX  
8xYDCVdbn84K0/5K58NsvLS01XKXGISVY5yWrf3R7f69AVq7aiaaREY71pkuIwKf  
+aGpuOJibybGZqIOedMES/FCYuUqZF/0N7TJH8LpmlYt/T+fXjeJkupdeT+2vpcX  
iq3rTxsee+WgHhuR/3utIdIFZwVvgZBOadtHO6vIOQ1ce1QyLqI=  
=ZTUZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-12

Apple Security Advisory 2022-10-27-11 - tvOS 16 addresses buffer overflow, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-10-27-11 tvOS 16tvOS 16 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213487.Accelerate FrameworkAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted image may lead to arbitrarycode executionDescription: A memory consumption issue was addressed with improvedmemory handling.CVE-2022-42795: ryuzakiAppleAVDAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: This issue was addressed with improved checks.CVE-2022-32907: Natalie Silvanovich of Google Project Zero, AntonioZekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Researchs.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee__)GPU DriversAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-32903: an anonymous researcherImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing an image may lead to a denial-of-serviceDescription: A denial-of-service issue was addressed with improvedvalidation.CVE-2022-1622Image ProcessingAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A sandboxed app may be able to determine which app iscurrently using the cameraDescription: The issue was addressed with additional restrictions onthe observability of app states.CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)Image ProcessingAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HD Impact: An app may be able to execute arbitrary code with kernelprivileges Description: This issue was addressed with improved checks. CVE-2022-32949: Tingting Yin of Tsinghua UniversityEntry added October 27, 2022KernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)KernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)CVE-2022-32911: Zweig of Kunlun LabKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-32914: Zweig of Kunlun LabMediaLibraryAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A user may be able to elevate privilegesDescription: A memory corruption issue was addressed with improvedinput validation.CVE-2022-32908: an anonymous researcherNotificationsAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A user with physical access to a device may be able to accesscontacts from the lock screenDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32879: Ubeydullah SümerSandboxAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to modify protected parts of the filesystemDescription: A logic issue was addressed with improved restrictions.CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive SecuritySQLiteAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may be able to cause a denial-of-serviceDescription: This issue was addressed with improved checks.CVE-2021-36690WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A buffer overflow issue was addressed with improvedmemory handling.WebKit Bugzilla: 241969CVE-2022-32886: P1umer(@p1umer), afang(@afang5472),xmzyshypnc(@xmzyshypnc1)WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 242047CVE-2022-32888: P1umer (@p1umer)WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds read was addressed with improved boundschecking.WebKit Bugzilla: 242762CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working withTrend Micro Zero Day InitiativeWebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 242762CVE-2022-32891: @real_as3617, an anonymous researcherWi-FiAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32925: Wang Yu of CyberservalAdditional recognitionAppleCredentialManagerWe would like to acknowledge @jonathandata1 for their assistance.Identity ServicesWe would like to acknowledge Joshua Jones for their assistance.KernelWe would like to acknowledge an anonymous researcher for theirassistance.SandboxWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity for their assistance.UIKitWe would like to acknowledge Aleczander Ewing for their assistance.WebKitWe would like to acknowledge an anonymous researcher for theirassistance.Apple TV will periodically check for software updates. Alternatively,you may manually check for software updates by selecting "Settings ->System -> Software Update -> Update Software."  To check the currentversion of software, select "Settings -> General -> About."All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpUACgkQ4RjMIDkeNxmVqQ//euIvh3eN5tjkLRIDWFgteGsdR3O6GXKVcZvCiOI7EdmCksA7/3uIo3m2wAXO/XJB5GDbxwHpyIlaN6eSlQnAhUTeYuDZGTyyUKwRmyj0oYu0IQw9C1xrGefALDEqYiTwx7sQnuC6ijirFdHSO0uM+YEHCm0OZ4v2dGBJKAdIFN/5b0jq6/Y9NnWLEHSL5BLhOOEBxWoi4K2tbbE+ty8+Zqk0GrUJxaWQ7vCKPD8Ts2sNb7JAAVu5WQDYbmOyWpusZ1evUE/N0nZdqWFTwAXCTfH+4xZ4IXHTUFuHPIXuJ/2ySeqzYjldY75QvGVCy1b4wtd+C9XD7QGbpd3MHrkECZMI8pWbHkCB53Io1+zdaKiv+xmtSl0ZlFyL8f/FsR34FMzQPAhlZec60hIKHh83Lr7pOK5KrPNgAECTlxtBYD7Teau+qqTYFQgNpW5/4WtXhVpje5ILu3xzUmqBWk7QPNa7b0PdPLu6OjxE9iMVJF+p8Suk739Ex2H781uJp89tTE3UYXvhxaMYP2L0tbrEydlz+wGGI35+jrt4S82FsmvJvV9lqT8NubIG/IakSGMMlYoyb4JcCN3MJCXs2C48iydCPE4g7yaEhg4qNpcXfANdEzRh/KAenSwqbWic5nC6dxWqD4OXjyfjmpkvrq5B2lg87WesDkqMh9oJ9uWBTh8==Aea8-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-11

By Deeba Ahmed
In total, 5 dropper apps with over 130,000 downloads through Play Store distributed banking trojans like Vultur and SharkBot.
This is a post from HackRead.com Read the original post: New Dropper Apps on Play Store Targeting Banking and Crypto Wallets

Threat Fabric mobile security firm reported discovering a new wave of dropper apps has hit the official Google platform Play Store. The apps use bogus updates to get banking trojans installed on users’ devices.

**Findings Details**

In total, Threat Fabric researchers identified five dropper Android apps. These apps collectively boasted 130,000 installations. All were discovered on Google Play Store and the apps distributed banking trojans like Vultur and SharkBot.

For your information, these trojans can steal financial data and carry out on-device fraud. Here is the list of the five dropper apps, four of which were still hanging around in cyberspace.

1.  File Manager Small, Lite – No Downloads  
    
2.  My Finances Tracker – Downloaded 1,000+ times  
    
3.  Codice Fiscale 2022 – Downloaded 10,000+ times  
    
4.  Zetter Authenticator – Downloaded 10,000+ times  
    
5.  Recover Audio, Images & Videos – Downloaded 100,000+ times

**Potential Targets**

Reportedly, the dropper apps’ target includes around 231 banking apps and cryptocurrency wallet apps of financial organizations based in Germany, the UK, Spain, the USA, France, Australia, Poland, the Netherlands, and Austria.

The most recent attack wave involve the distribution of **SharkBot malware** and the targets were bank users in Italy. The attacks were discovered in early October 2022 and the dropper was disguised as the country’s tax code.

**How the Apps Install Malware?**

Google’s Developer Program Policy has restricted the use of REQUEST\_INSTALL\_PACKAGES permission to prevent its abuse through the installation of arbitrary app packages. However, the dropper bypasses this barrier by opening a fake Play Store page imitating the app listing, which results in the downloading of malware disguised as an update.

In another instance, Threat Fabric researchers detected that the dropper acted as a file manager app, a category which as per Google’s new policy can have the REQUEST\_INSTALL\_PACKAGES permission.

Additionally, Three droppers offering advertised features were also discovered, which were equipped with a secret function of prompting users to install an update after opening the app and granting permission to install apps from unverified sources.

This led to the distribution of **Vultur**. Its new variant comes with enhanced capabilities, such as it can log user interaction and interface elements more extensively, including gestures and clicks.

**Dropper Apps- An Emerging New Threat**

In their **blog post**, researchers at Threat Fabric claim to have observed a sudden increase in threat actors’ reliance on dropper apps. In fact, it has become quite a popular and effective method of distributing banking trojans to unsuspecting users. Threat actors are continuously improving their attack tactics to evade Google’s limitations and increase the attack’s effectiveness.

> “This evolution includes following newly introduced policies and masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser.”

This uptick in dropper apps in official stores like **Google Play Store** is due to the reason that these don’t contain malware. The malicious code is fetched after the app is installed on a vulnerable device. The suspicious activities run in the background, without raising red flags.

1.  **Fake Crypto Apps on Play Store Stealing User Data**
2.  **Fake Bitcoin Wallet Apps Found on Google Play Store**
3.  **Malware infected Minecraft modpacks hit Google Play Store**
4.  **38% of Android VPN Apps on Play Store Plagued with Malware**
5.  **DawDropper Malware Targeting Android Devices via Play Store**

New Dropper Apps on Play Store Targeting Banking and Crypto Wallets

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

**Description**

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

**Proof of Concept**

1.  Go to your web phpmyfaq and visit http://<ip>/phpmyfaq/index.php?search=
2.  inject payload to param search: 1af"+onclick='alert(1)'
3.  Click on field search, you will see the popup XSS (xss executed)

Image Poc Execute: https://drive.google.com/file/d/1VSAqG3MY7uyuXzl1OwrNa-c1g1A0iv2l/view?usp=sharing

**Impact**

Attacker can execute javascript, steal the cookie.

Tag

#google