In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/113c274067bc9c4c653a6dd09fb2e456  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :

\==================================================================  
BUG: KASAN: use-after-free in ntfs\_trim\_fs+0x84e/0x960  
Read of size 2 at addr ffff888104fea640 by task syz-executor.0/8081

CPU: 1 PID: 8081 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_trim\_fs+0x84e/0x960  
ntfs\_ioctl\_fitrim+0x23e/0x340  
ntfs\_ioctl+0x9c/0xd0  
\_\_x64\_sys\_ioctl+0x193/0x200  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7fac7f88eacd  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fac805f9bf8 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 00007fac7f9bbf80 RCX: 00007fac7f88eacd  
RDX: 0000000020000040 RSI: 00000000c0185879 RDI: 0000000000000003  
RBP: 00007fac7f8fcb05 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  
R13: 00007ffcb363e05f R14: 00007ffcb363e200 R15: 00007fac805f9d80  
</TASK>

Allocated by task 8074:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_kmalloc+0xa6/0xd0  
\_\_kmalloc+0x349/0xd40  
tomoyo\_encode2.part.0+0xec/0x3b0  
tomoyo\_encode+0x28/0x50  
tomoyo\_realpath\_from\_path+0x186/0x620  
tomoyo\_path\_perm+0x219/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 8074:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kfree+0x15e/0x540  
tomoyo\_path\_perm+0x240/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888104fea640  
which belongs to the cache kmalloc-32 of size 32  
The buggy address is located 0 bytes inside of  
32-byte region \[ffff888104fea640, ffff888104fea660)

The buggy address belongs to the physical page:  
page:ffffea000413fa80 refcount:1 mapcount:0 mapping:0000000000000000  
index:0xffff888104feafc1 pfn:0x104fea  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00043f1b88 ffffea000414bec8 ffff888011840100  
raw: ffff888104feafc1 ffff888104fea000 000000010000003d 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 6509, tgid 6509 (syz-executor.3), ts 50269499850, free\_ts  
50269456139  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_node\_trace+0xbe2/0xd40  
\_\_kmalloc\_node+0x38/0x60  
\_\_vmalloc\_node\_range+0x3d3/0x1320  
vzalloc+0x67/0x80  
alloc\_counters.isra.0+0x5d/0x6f0  
do\_ipt\_get\_ctl+0x5de/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
\_\_vunmap+0x6ff/0xaa0  
\_\_vfree+0x3c/0xd0  
vfree+0x5a/0x90  
do\_ipt\_get\_ctl+0x7b2/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff888104fea500: fa fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc  
ffff888104fea580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\>ffff888104fea600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
^  
ffff888104fea680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
ffff888104fea700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\==================================================================

CVE-2023-26606: LKML: Palash Oswal: KASAN: use-after-free Read in ntfs_trim_fs

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/cb298c137f3dbfb95a609671a61103fb  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

I found a related discussion in the past about a similar bug here :  
https://groups.google.com/g/syzkaller-bugs/c/BFLa1ZwXyG0/m/UIh6Pl2GBAAJ

Console log :

loop3: detected capacity change from 0 to 4096  
\==================================================================  
BUG: KASAN: slab-out-of-bounds in ntfs\_attr\_find+0xb87/0xce0  
Read of size 2 at addr ffff888106fc30ab by task syz-executor.3/11599

CPU: 0 PID: 11599 Comm: syz-executor.3 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_attr\_find+0xb87/0xce0  
ntfs\_attr\_lookup+0x1051/0x2040  
ntfs\_read\_locked\_inode+0xb0c/0x5ab0  
ntfs\_iget+0x12d/0x180  
ntfs\_fill\_super+0x1ed0/0x8590  
mount\_bdev+0x34d/0x410  
legacy\_get\_tree+0x105/0x220  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f0e85e9146e  
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f  
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007f0e849fda08 EFLAGS: 00000206 ORIG\_RAX: 00000000000000a5  
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f0e85e9146e  
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f0e849fda60  
RBP: 00007f0e849fdaa0 R08: 00007f0e849fdaa0 R09: 0000000020000000  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000  
R13: 0000000020000100 R14: 00007f0e849fda60 R15: 0000000020000040  
</TASK>

Allocated by task 1:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_slab\_alloc+0x85/0xb0  
kmem\_cache\_alloc+0x204/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
\_\_kernfs\_create\_file+0x51/0x350  
sysfs\_add\_file\_mode\_ns+0x20f/0x3f0  
internal\_create\_group+0x314/0xba0  
internal\_create\_groups.part.0+0x90/0x140  
sysfs\_create\_groups+0x25/0x50  
kobject\_add\_internal+0x318/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
netdev\_queue\_update\_kobjects+0x1fe/0x4e0  
netdev\_register\_kobject+0x333/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
do\_one\_initcall+0xfe/0x650  
kernel\_init\_freeable+0x6c3/0x74c  
kernel\_init+0x1a/0x1d0  
ret\_from\_fork+0x1f/0x30

The buggy address belongs to the object at ffff888106fc3000  
which belongs to the cache kernfs\_node\_cache of size 168  
The buggy address is located 3 bytes to the right of  
168-byte region \[ffff888106fc3000, ffff888106fc30a8)

The buggy address belongs to the physical page:  
page:ffffea00041bf0c0 refcount:1 mapcount:0 mapping:0000000000000000  
index:0x0 pfn:0x106fc3  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00041bc848 ffffea00041a9fc8 ffff88810006f200  
raw: 0000000000000000 ffff888106fc3000 0000000100000011 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 1, tgid 1 (swapper/0), ts 8385653965, free\_ts 0  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc+0xb69/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
kernfs\_create\_dir\_ns+0x48/0x150  
sysfs\_create\_dir\_ns+0x127/0x290  
kobject\_add\_internal+0x2c9/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
net\_rx\_queue\_update\_kobjects+0x264/0x510  
netdev\_register\_kobject+0x278/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
page\_owner free stack trace missing

Memory state around the buggy address:  
ffff888106fc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\>ffff888106fc3080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00  
^  
ffff888106fc3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00  
\==================================================================

CVE-2023-26607: LKML: Palash Oswal: KASAN: slab-out-of-bounds Read in ntfs_attr_find

In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/bed0eba75def3cdd34a285428e9bcdc4  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :

\==================================================================  
BUG: KASAN: use-after-free in \_\_list\_del\_entry\_valid+0xf2/0x110  
Read of size 8 at addr ffff8880273c4358 by task syz-executor.1/6475

CPU: 0 PID: 6475 Comm: syz-executor.1 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
\_\_list\_del\_entry\_valid+0xf2/0x110  
inode\_cgwb\_move\_to\_attached+0x2ee/0x4e0  
writeback\_single\_inode+0x3fa/0x510  
write\_inode\_now+0x16a/0x1e0  
blkdev\_flush\_mapping+0x168/0x220  
blkdev\_put\_whole+0xd1/0xf0  
blkdev\_put+0x29b/0x700  
deactivate\_locked\_super+0x8c/0xf0  
deactivate\_super+0xad/0xd0  
cleanup\_mnt+0x347/0x4b0  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f22bd29143b  
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 90 f3 0f 1e fa 31 f6  
e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007ffe505103b8 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6  
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f22bd29143b  
RDX: 00007f22bd228a90 RSI: 000000000000000a RDI: 00007ffe50510480  
RBP: 00007ffe50510480 R08: 00007f22bd2fba1f R09: 00007ffe50510240  
R10: 00000000fffffffb R11: 0000000000000246 R12: 00007f22bd2fb9f8  
R13: 00007ffe50511520 R14: 0000555556f4bd90 R15: 0000000000000032  
</TASK>

Allocated by task 7810:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_slab\_alloc+0x85/0xb0  
kmem\_cache\_alloc\_lru+0x25b/0xfb0  
fat\_alloc\_inode+0x23/0x1e0  
alloc\_inode+0x61/0x1e0  
new\_inode\_pseudo+0x13/0x80  
new\_inode+0x1b/0x40  
fat\_build\_inode+0x146/0x2d0  
vfat\_create+0x249/0x390  
lookup\_open+0x10bc/0x1640  
path\_openat+0xa42/0x2840  
do\_filp\_open+0x1ca/0x2a0  
do\_sys\_openat2+0x61b/0x990  
do\_sys\_open+0xc3/0x140  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 16:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kmem\_cache\_free.part.0+0xfc/0x4a0  
i\_callback+0x3f/0x70  
rcu\_core+0x785/0x1720  
\_\_do\_softirq+0x1d0/0x908

Last potentially related work creation:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_record\_aux\_stack+0x7e/0x90  
call\_rcu+0x99/0x740  
destroy\_inode+0x129/0x1b0  
iput.part.0+0x5cd/0x800  
iput+0x58/0x70  
dentry\_unlink\_inode+0x2e2/0x4a0  
\_\_dentry\_kill+0x374/0x5e0  
dput+0x656/0xbe0  
\_\_fput+0x3cc/0xa90  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880273c4080  
which belongs to the cache fat\_inode\_cache of size 1488  
The buggy address is located 728 bytes inside of  
1488-byte region \[ffff8880273c4080, ffff8880273c4650)

The buggy address belongs to the physical page:  
page:ffffea00009cf100 refcount:1 mapcount:0 mapping:0000000000000000  
index:0xffff8880273c4ffe pfn:0x273c4  
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)  
raw: 00fff00000000200 ffffea00009cf0c8 ffff88801820e450 ffff888103e00e00  
raw: ffff8880273c4ffe ffff8880273c4080 0000000100000002 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Reclaimable, gfp\_mask  
0x242050(\_\_GFP\_IO|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE|\_\_GFP\_RECLAIMABLE),  
pid 7810, tgid 7808 (syz-executor.1), ts 50543388569, free\_ts  
21285403579  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_lru+0xe72/0xfb0  
fat\_alloc\_inode+0x23/0x1e0  
alloc\_inode+0x61/0x1e0  
new\_inode\_pseudo+0x13/0x80  
new\_inode+0x1b/0x40  
fat\_fill\_super+0x1c37/0x3710  
mount\_bdev+0x34d/0x410  
legacy\_get\_tree+0x105/0x220  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
slab\_destroy+0x14/0x50  
slabs\_destroy+0x6a/0x90  
\_\_\_cache\_free+0x1e3/0x3b0  
qlist\_free\_all+0x51/0x1c0  
kasan\_quarantine\_reduce+0x13d/0x180  
\_\_kasan\_slab\_alloc+0x97/0xb0  
kmem\_cache\_alloc+0x204/0xcc0  
getname\_flags+0xd2/0x5b0  
vfs\_fstatat+0x73/0xb0  
\_\_do\_sys\_newlstat+0x8b/0x110  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff8880273c4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff8880273c4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\>ffff8880273c4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
^  
ffff8880273c4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff8880273c4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\==================================================================

CVE-2023-26605: LKML: Palash Oswal: KASAN: use-after-free Read in inode_cgwb_move_to_attached

Plus: Iran’s secret torture black sites, hacking a bank account with AI-generated voice, and Lance Bass’ unhinged encounter in Russia.

Late last week, Twitter announced that it would no longer allow users to secure their accounts using SMS-based two-factor authentication (2FA) unless users paid for its Twitter Blue subscription—a move that’s baffled security experts. It’s especially confusing because SMS 2FA is widely considered to be one of the less secure multi-factor authentication options. Fortunately, Twitter will still allow anyone to use other 2FA options, including authentication apps and physical security keys. Here’s how to switch away from SMS 2FA.

Physical security keys are one of the most secure methods of multi-factor authentication. But they’re not just for logging in to Twitter. You can also unlock your iPhone using a physical key in just a few steps. Unlocking a device isn’t the only security issue iPhone users need to worry about. Research published this week details a new class of bugs that affected Apple’s iOS and macOS that could have potentially allowed an attacker to access a target’s message, photos, and call histories. So if you haven’t updated to the latest version of those operating systems, now is the time.

If anyone knows what it’s like to be targeted by hackers, it’s Ukraine. Over the past year, the country’s systems have faced an unprecedented Russian bombardment of data-destroying “wiper” malware, according to multiple cybersecurity firms. Researchers say Russia unleashed more wipers on Ukraine than at any point in its long-running cyberwar against its neighbor. The only upside—if you can call it that—is that the newly discovered wipers are less destructive than earlier Russian wipers, especially compared to NotPetya, which Russia unleashed on Ukraine in 2017. The malware spread around the world, causing a still-unmatched $10 billion in damage.

In addition to cyberattacks, Russia’s war has also severely impacted Ukraine’s electric grid, which has caused blackouts and internet outages. To keep themselves online and connected to each other and the world, Ukrainians have increasingly turned toward high-capacity lithium-ion batteries to keep cell phone towers online when Russia attacks Ukraine’s electric grid. 

Elsewhere in the world, China hawks in the US Congress continue to gather support for a nationwide ban on TikTok, which is owned by China-based ByteDance. The intense focus on a single app, which TikTok critics claim is a national security threat, has some wondering why lawmakers care so much about Americans’ privacy when it comes to TikTok but not US-based tech firms. The answer? Silicon Valley is our friend, China isn’t.

That notion doesn’t always ring true, however. Mozilla researchers this week say they found rampant inaccuracies in the privacy claims app developers make on Google Play’s Data Safety labels. Facebook received a “poor” grade from Mozilla, while Google’s YouTube, Gmail, and Google Maps apps ranked as “needs improvement.” 

But that’s not all. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

On Tuesday, TechCrunch reported that the US Department of Defense had secured an unprotected server that had been leaking internal US military emails to anyone who knew where to look. The server was hosted on Microsoft’s Azure and was part of an internal government mailbox system that stored terabytes of internal military emails. According to TechCrunch, a simple misconfiguration allowed anyone who knew the server’s IP address access the sensitive data using only a web browser—no password needed.

The exposed server was discovered by security researcher Anurag Sen, who provided the details to TechCrunch. The data had been exposed for two weeks, but it’s unclear if anyone other than Sen accessed it while it was available.

US Special Operations Command’s spokesperson Ken McGraw told TechCrunch that an investigation is underway. “We can confirm at this point \[that\] no one hacked US Special Operations Command’s information systems,” said McGraw.

In an investigation published Tuesday, CNN pinpointed the locations of more than three dozen black sites across Iran where protesters were brutally tortured. According to the report, many are undeclared prisons inside government facilities or makeshift jails in warehouses. Some are even in the basements of mosques. Survivors of torture at these sites told CNN that the brutality they faced was unprecedented: electrocutions, removal of nails, lashings, beatings, and sexual violence.

Iran was rocked by protests last year during the Mahsa Amini uprising, which prompted a spread of black sites around Iran’s capital city, Tehran. According to the investigation, these unofficial detention centers were instrumental in making torture systematic and laid the groundwork for scores of death sentences against protesters. More than 100 protesters have been charged with crimes that carry the death sentence.

CNN reached out to the Iranian government for comment on the allegations of torture in their secret prisons but has not received a response.

On Thursday, Vice reporter Joseph Cox detailed how he was able to break into his bank account using an AI-generated voice. Banks across the US and Europe have implemented so-called “voice verification” technology that lets customers log in to their bank accounts over the phone. While advertised as a safe and convenient form of authentication, Cox’s experiment demonstrates a very real, albeit rare, attack that fraudsters could exploit to access bank accounts.  

Using a free voice creation service to spoof his own voice, Cox gained entry into his account at Lloyds Bank. To do this, all he had to do was record about five minutes of speech and upload it to the service. Within minutes, the service spit out a synthetic voice capable of fooling his bank’s voice verification software. Lloyds Bank told Vice that it is aware of the threat of synthetic voices and is deploying countermeasures. 

In an interview with Ars Technica, Lance Bass, a former member of NSYNC, recalled how he was held at gunpoint by Russian officials after failing to secure funding for a trip to space. In 2002, the singer was scheduled to spend 10 days aboard the International Space Station alongside two cosmonauts. When the singer and his production team couldn’t come up with $20 million to finance the trip, he says that Russian officials threatened him at gunpoint. 

“There were a lot of problems with Russia and Hollywood in trying to make this happen,” Bass told Ars. “There were even a couple of weekends that I would get kicked off the base in Russia. They would put a gun to my head and be like, ‘Where’s the money? Where’s the money?’”

Bass never ended up going to space.

Security News This Week: Sensitive US Military Emails Exposed

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

CVE-2023-26545

In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b048cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/76ca8fcd92332c75a0a7efaa26269c42  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :  
loop0: detected capacity change from 0 to 4096  
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)  
\==================================================================  
BUG: KASAN: use-after-free in run\_unpack+0x89a/0x940  
Read of size 1 at addr ffff888024b21900 by task syz-executor.0/16961

CPU: 0 PID: 16961 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
run\_unpack+0x89a/0x940  
run\_unpack\_ex+0xb8/0x620  
ntfs\_iget5+0xc18/0x3270  
ntfs\_fill\_super+0x27de/0x3d30  
get\_tree\_bdev+0x440/0x760  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7fcf8309146e  
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f  
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fcf83dc4a08 EFLAGS: 00000206 ORIG\_RAX: 00000000000000a5  
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007fcf8309146e  
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fcf83dc4a60  
RBP: 00007fcf83dc4aa0 R08: 00007fcf83dc4aa0 R09: 0000000020000000  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000  
R13: 0000000020000100 R14: 00007fcf83dc4a60 R15: 0000000020002a00  
</TASK>

Allocated by task 6460:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_kmalloc+0xa6/0xd0  
kmalloc\_reserve+0x32/0xd0  
\_\_alloc\_skb+0x11a/0x320  
tcp\_stream\_alloc\_skb+0x38/0x550  
tcp\_sendmsg\_locked+0xc44/0x2fd0  
tcp\_sendmsg+0x2b/0x40  
inet\_sendmsg+0x99/0xe0  
sock\_sendmsg+0xc3/0x120  
sock\_write\_iter+0x291/0x3d0  
vfs\_write+0x9ca/0xd90  
ksys\_write+0x1e8/0x250  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 6460:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kfree+0x15e/0x540  
skb\_free\_head+0xac/0x110  
skb\_release\_data+0x56f/0x850  
skb\_release\_all+0x46/0x60  
\_\_kfree\_skb+0x11/0x20  
tcp\_ack+0x1e54/0x5af0  
tcp\_rcv\_established+0x14b5/0x2130  
tcp\_v4\_do\_rcv+0x701/0xd00  
\_\_release\_sock+0x12f/0x3a0  
release\_sock+0x54/0x1b0  
tcp\_sendmsg+0x36/0x40  
inet\_sendmsg+0x99/0xe0  
sock\_sendmsg+0xc3/0x120  
sock\_write\_iter+0x291/0x3d0  
vfs\_write+0x9ca/0xd90  
ksys\_write+0x1e8/0x250  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Last potentially related work creation:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_record\_aux\_stack+0x7e/0x90  
call\_rcu+0x99/0x740  
xfrm\_policy\_kill+0x120/0x250  
xfrm\_policy\_delete+0x65/0x90  
sk\_common\_release+0x24e/0x330  
inet\_release+0x12e/0x270  
\_\_sock\_release+0xcd/0x280  
sock\_close+0x18/0x20  
\_\_fput+0x27c/0xa90  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888024b21800  
which belongs to the cache kmalloc-1k of size 1024  
The buggy address is located 256 bytes inside of  
1024-byte region \[ffff888024b21800, ffff888024b21c00)

The buggy address belongs to the physical page:  
page:ffffea000092c840 refcount:1 mapcount:0 mapping:0000000000000000  
index:0x0 pfn:0x24b21  
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)  
raw: 00fff00000000200 ffffea0000a00188 ffffea000077b9c8 ffff888011840700  
raw: 0000000000000000 ffff888024b21000 0000000100000002 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2c2220(\_\_GFP\_HIGH|\_\_GFP\_ATOMIC|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_NOMEMALLOC|\_\_GFP\_THISNODE),  
pid 16, tgid 16 (ksoftirqd/0), ts 86734280820, free\_ts 86664849571  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_node\_trace+0xbe2/0xd40  
\_\_kmalloc\_node\_track\_caller+0x38/0x60  
kmalloc\_reserve+0x32/0xd0  
\_\_alloc\_skb+0x11a/0x320  
tcp\_stream\_alloc\_skb+0x38/0x550  
tcp\_write\_xmit+0x1c72/0x6170  
\_\_tcp\_push\_pending\_frames+0xaa/0x380  
tcp\_rcv\_established+0x9d5/0x2130  
tcp\_v4\_do\_rcv+0x701/0xd00  
tcp\_v4\_rcv+0x3cf0/0x3f70  
ip\_protocol\_deliver\_rcu+0x9b/0x7c0  
ip\_local\_deliver\_finish+0x2fb/0x4e0  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
slab\_destroy+0x14/0x50  
drain\_freelist+0x9c/0xe0  
cache\_reap+0x1b9/0x2f0  
process\_one\_work+0x9c7/0x1650  
worker\_thread+0x623/0x1070  
kthread+0x2e9/0x3a0  
ret\_from\_fork+0x1f/0x30

Memory state around the buggy address:  
ffff888024b21800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff888024b21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\>ffff888024b21900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
^  
ffff888024b21980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff888024b21a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\==================================================================

CVE-2023-26544: LKML: Palash Oswal: KASAN: use-after-free Read in run_unpack

By Owais Sultan
The AI software market has rapidly grown over the past few years. And, based on expert forecasts, it’s…
This is a post from HackRead.com Read the original post: 3 Ways Artificial Intelligence Is Transforming the Stock Market Landscape (and Making It More Secure)

The AI software market has rapidly grown over the past few years. And, based on expert forecasts, it’s not slowing down. According to Statista, the size of the AI software market is predicted to reach a whopping $126 billion by 2025, which is more than 12x what it was in 2018.

And while (at least right now) the majority of the world’s population sees AI as a fun way to generate images they can show off on social media, for investors, artificial intelligence comes with much more impactful benefits.

If you’ve ever wondered whether AI could genuinely transform the stock market landscape or make it more secure, the following are the changes that are already happening.

**Building More Profitable Stock Portfolios**

One of the most prominent advantages of using AI for trading is speed. An artificial intelligence piece of software can scrape the internet in search of information in a matter of minutes. But even more impressively, it can process all that information in the blink of an eye — something that would take humans hours to do equally thoroughly.

For this reason, AI has the potential to aid traders in making quicker investing decisions. And, considering how time-sensitive successful trading can be, this is a huge benefit.

But is AI, in itself, enough to aid traders in building more profitable stock portfolios? Well, as of right now, it’s not. 

These days, making sound investing choices still requires extensive insights, experience, and a bit of human touch. That’s why the best way of utilizing AI is to combine it with other trustworthy stock market investing tools. Nonetheless, the future is guaranteed to see an advancement in artificial intelligence software. In a few years, AI solutions _might_ be enough to inform solid, risk-proof investment decisions.

**Fraud Detection**

Another highly-impactful effect of employing AI solutions in finance is that this tech could allow organizations to protect themselves from an ever-growing rate of cyber threats. In fact, AI can be so competent at detecting and flagging irregular and malicious trading activity that Nasdaq started applying it to the U.S. stock market in 2019.

Of course, considering that the development of effective security-oriented AI solutions _is_ still expensive, it’s safe to expect the trend to be slow on the uptake. But it is safe to say that, in the future, more and more financial organizations will be starting to implement AI solutions in their fraud detection and security systems to minimize risk and maximize their security.

**Improved Customer Service**

One unexpected way AI is transforming the stock market landscape is by making communication between financial service providers and their customers vastly less complicated and more straightforward.

In the past, clients who had any account queries or required technical data had to get in touch with a customer service representative, who would then have to collect and send that data. But now, these requests can be dealt with almost momentarily, mainly thanks to the speed with which AI can conduct similar tasks.

With artificial intelligence software, a simple request can be met in minutes without relying on excessive employee involvement. And best of all, the results are immediately felt, as operational costs are vastly reduced. The speed with which matters are taken care of also results in a significant improvement in customer satisfaction rates. 

Considering that both of these factors play parts in securing the future of any financial institution, it’s safe to say that the role of AI in improving customer service is tremendous.

**Final Thoughts**

Artificial intelligence solutions that have the potential of transforming (and securing) the stock market landscape are not yet at their peak level. Realistically speaking, we still have a decade or so to go before we can say that we’ve successfully changed the world of finance.

However, we can say with absolute certainty that the change _is_ coming. And we can rest assured that it’s going to be positive.

What remains to be seen is how small and mid-size organizations will cope with developing and implementing AI in their workflows — whether they’ll go the custom route or pull the trigger and share solutions for the sake of mutual prosperity. 

1.  How to use AI in cybersecurity?
2.  Incorporating machine learning in data mapping
3.  Using Machine Learning for content moderation?
4.  Cybersecurity trends affecting cybersecurity stocks
5.  Google Vertex AI Vision: Revolutionizing E-Commerce?

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

3 Ways Artificial Intelligence Is Transforming the Stock Market Landscape (and Making It More Secure)

The cloud-native application protection platform market is expanding as security teams look to protect their applications and the software supply chain.

As more organizations shift to cloud-native application development to support new business features and digital transformation initiatives, software supply chain issues have become more visible. Because cloud-native development relies so heavily on open source software, organizations have to start thinking about the components that go into these applications.

To build these cloud-native applications, developers have adopted agile application development practices and rapid release cycles, and they rely heavily on open source code and microservices from a widely distributed and often vast community to compose their containers and serverless functions. While the source code may primarily come from an established ecosystem, it is common for some to originate from unknown sources or obsolete projects.

Traditional security approaches aren't designed to handle this new approach to application development, especially for modern cloud compute and serverless architectures. This is the area cloud-native application protection platforms evolved to address. Gartner describes CNAPP as "an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production."

According to a recent Frost & Sullivan report, sales of CNAPP topped $1.7 billion in 2021, nearly 49% higher than 2020. Frost & Sullivan projects that CNAPP revenues will grow at a compound annual growth rate of almost 26% from 2021 to 2026. The report's author, industry principal for global cybersecurity Anh Tien Vu, forecasts that by 2026, revenues will exceed $5.4 billion "because of the increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle."

**Prevent Problems During Development**

Attackers are increasingly homing in on cloud-native targets to exploit vulnerabilities that enter the software supply chain. Last year, the Log4Shell vulnerability in the widely deployed Log4j Java runtime library illustrated the broad impact such a vulnerability can have on the application ecosystem. Given the widespread distributed deployment of Java applications, organizations had to scramble to find and patch them after Apache Foundation's public disclosure.

"With Log4j, people didn't know whether those libraries were in use or not," says Enterprise Strategy Group senior analyst Melinda Marks. Experts frequently cite Log4j as a wake-up call to CISOs and CIOs that software development lifecycles need to collaborate more closely and shift left.

Marks says CNAPP enables organizations to establish DevSecOps processes in which software developers take the lead in discovering potential flaws in code before deploying application runtimes into production, but it also goes further. "This is important for preventing security issues before you deploy your applications to the cloud, because once you deploy them, they're available for the hackers," Marks says.

**Monitor Runtime to Identify Priorities**

CNAPPs consolidate siloed capabilities, including the scanning of development artifacts such as containers and infrastructure as code (IaC), cloud security posture management (CSPM), cloud infrastructure management (CIEM), and runtime cloud workload protection platforms. Besides providing a more unified approach and better visibility of the risk of cloud-native computing environments, CNAPP provides common controls to mitigate vulnerabilities.

Notably, CNAPP also facilitates collaboration among application development, cybersecurity, and IT infrastructure teams, paving the way for detecting and mitigating vulnerabilities before applications are deployed into production. Security vendors such as Check Point and Palo Alto Networks are adding CNAPP capabilities to their security platforms.

Marks warns that there's a misconception about shifting security left: that it's all about moving security up front in the software development and build cycles. "There's also the need to tie in the runtime monitoring and have that context for developer workflows, so they're not wasting time on fixing things that have no impact on how the application is actually going to run in the cloud," she says.

Tackling Software Supply Chain Issues With CNAPP

Debian Linux Security Advisory 5359-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5359-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 23, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0927 CVE-2023-0928 CVE-2023-0929 CVE-2023-0930                  CVE-2023-0931 CVE-2023-0932 CVE-2023-0933 CVE-2023-0941Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 110.0.5481.177-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP34kwACgkQEMKTtsN8TjZFwhAAk2JqYKeasa9sMSwiBcpaz+HBtIimsS/ue/TIddRuwcUwpif2qSF+QyL6ac1Wc/jIwW4F7OY9d5Ww8AkvGnxcdzt9dI+g3lPUDByqYJutWahICxm6ZBxrY2ms0NbTYK4hzFBVyobfnQF/EzOGLpyarauFTjBW1sbtCSFnXYeMHd5+rpw5bYTx5JZPoG2fGHuAcXE2CoKGm41tqzegYdKrv33eID3EB91ne/oMqTp4/q1QEVeZiQ0JdRPHq8fJG+FOdPdU3K/eROkkxvakd+QCTcGetKONQ0HFkr43BLP8EAMBAbg4Ds+zaJ+xgenHusSrN+Q7MQraYgqZ6DInzrJXBeeXSu9zm+iwEpJXuerQv3iYDn0o75gzL+qtoh31mePFB6jihIgHo0adqu6upNedFGe+YY1RuJuYWlw2cvjagdaSgotuGbNirXXDYUlQMA82eu+d3yv1hexkbCNQGykGOmuF7J2O+Vwb34Hf6MlDAxrdOuaEcxw8siOsa/MhXKYT1nmxASizffo2mmk/HJatqoTQXtxOWaVIv2Q/ySCc9WsESCRzh1J1gjf8+RH3T/O6T1EfM5oKi4bEZMhcxPhM+ue2DpBxVIB1qPDlOOsqQeLfaBwdcqmeXIl+pZhQBsB9A6okzNfoktEKUysQkKRlTPSl9QCQpd/cdVCwFMfXWA0==4fPc-----END PGP SIGNATURE-----

Debian Security Advisory 5359-1

With the right kind of exploit, there's hardly any function, app, or bit of data an attacker couldn't access on your Mac, iPad, or iPhone.

A new class of bugs in Apple's iOS, iPadOS, and macOS has been uncovered, researchers say, that could allow an attacker to escalate privileges and make off with everything on a targeted device.

This new class could "allow bypassing code signing to execute arbitrary code in the context of several platform applications," Trellix researcher Austin Emmitt wrote in a blog post on Feb. 21, "leading to escalation of privileges and sandbox escape on both macOS and iOS."

Were an attacker to exploit these vulnerabilities, they could potentially gain access to a victim's photos, messages, call history, location data, and all kinds of other sensitive data, even the device's microphone and camera. They could also use their access to wipe a device altogether.

The vulnerabilities in this class range from medium to high severity, with CVSS ratings between 5.1 and 7.1. Apple grouped them into two CVEs: CVE-2023-23530 and CVE-2023-23531. There's no indication that they've been exploited in the wild.

**NSPredicate: A Fresh Cyberattack Vector**

The cyber failure in this case arises from NSPredicate, a class that enables app developers to filter lists of objects on a device. This "innocent-looking class," as Emmitt put it, is much deeper than it may appear at first glance. "In reality, the syntax of NSPredicate is a full scripting language."

In other words, through NSPredicate, "the ability to dynamically generate and run code on iOS had been an official feature this whole time," he explained.

In one proof-of-concept, Trellix found that an attacker could use NSPredicate to execute code in "coreduetd" or "contextstored," root-level processes that allows entryway into parts of the machine such as the calendar, address book, and photos.

In another case, the researchers found an NSPredicate vulnerability in the UIKitCore framework on the iPad. Here, a malicious app would be able to execute code inside SpringBoard, the app that manages the device's home screen. Getting into SpringBoard could cause any number of compromises to just about any kind of data a user stores on the phone, or allow an attacker to simply erase the device altogether.

The silver lining for this new class of vulnerabilities is that they require an attacker already to have access to a target device. Gaining access is typically the easy part, with methods like phishing and other social engineering being so widely effective, but it also means there are steps anybody can take to harden their defenses.

"Individuals should continue to stay vigilant against social engineering and phishing attacks," McKee says, "while also ensuring they only install applications from a known trusted source. Businesses are encouraged to ensure they are doing the proper product security testing on any third-party applications they use in their infrastructure and are monitoring device logs for any suspicious or unusual activity."

**Patching Might Not Be the End of the Story**

If they haven't already, Apple users should update their system software, as the newest versions include fixes for the vulnerabilities so described. That doesn't mean, however, that vulnerabilities of this kind won't pop up again.

Emmitt highlighted in the blog post how NSPredicate had already been exposed by a security researcher back in 2019, then exploited by NSO Group in 2021, in an espionage attack targeting a Saudi activist. Apple attempted to close the hole but evidently didn't finish the job, paving the way for the new discoveries.

"Elimination of a bug class is often extremely difficult to accomplish as it often requires not only code changes but education of developers," explains Doug McKee, director of vulnerability research for Trellix. "Like all bug classes, unless a mitigation is put into place which would eliminate the entire class, it would be expected that more similar vulnerabilities would be found in the future."

**The Myth of Apple’s Superior Security?**

The findings are another puncture wound in the perception that Apple devices are somehow inherently more secure than PCs or Android devices.

"Since the first version of iOS on the original iPhone," Emmitt explained, "Apple has enforced careful restrictions on the software that can run on their mobile devices."

The devices do this with code signing. Functioning somewhat like a bouncer at a club, iPhone only allows an application to run if it has been cryptographically signed by a trusted developer. If any entity — a developer, hacker, etc. — wishes to run code on the machine, but they're not "on the list," they'll be shut out. And "as macOS has continually adopted more features of iOS," Emmitt noted, "it has also come to enforce code signing more strictly."

As a result of its strict policies, Apple has earned a reputation in some corners for being particularly cyber secure. Yet that extra stringency can only extend so far.

"I think that there is a misconception when it comes to Apple devices," says Mike Burch, director of application security for Security Journey. "The assumption by the public is that they are more secure than other systems. It is true that Apple has many security features and is more stringent about what applications it allows on its devices. Still, they are just as susceptible to vulnerabilities being introduced to their devices as any other provider."

Tag

#ios