A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program.

*   **Projects beta**
*   Projects, the flexible tool for planning and tracking work on GitHub Enterprise Server, is now available as a beta. A project is an adaptable spreadsheet that integrates issues and pull requests to help users plan and track work effectively. Users can create and customize multiple views, and each view can filter, sort, and group issues and pull requests. Users can also define custom fields to track the unique metadata for a team or project, allowing customization for any needs or processes. This feature is subject to change. For more information, see "About Projects (beta)."
    
*   **Instance administration**
*   Site administrators can improve the security of an instance by creating dedicated user accounts for the Management Console. Only the root site administrator can create user accounts. To control access for the user accounts, assign either the editor or operator role. Operators can manage administrative SSH access for the instance. For more information, see "Managing access to the Management Console."
    
*   To establish or comply with internal policies, site administrators can use the Management Console to configure an instance's policy for retention of data related to checks, including checks data generated by GitHub Actions and the Statuses API. Administrators can enable or disable retention, set a custom retention threshold, or set a custom hard-delete threshold.
    
*   When generating support bundles using the ghe-support-bundle command-line utility, site administrators can specify the exact duration to use for collection of data in the bundle. For more information, see "Command-line utilities."
    
*   **Identity and access management**
*   Users can review and revoke both browser and GitHub Mobile sessions for a GitHub Enterprise Server instance. For more information, see "Viewing and managing your sessions."
    
*   **Policies**
*   Enterprise owners can configure whether repository administrators can enable or disable Dependabot alerts. On instances with a GitHub Advanced Security license, enterprise owners can also set policies to control whether repository administrators can enable GitHub Advanced Security features or secret scanning. For more information, see "Enforcing policies for code security and analysis for your enterprise."
    
*   **Audit logs**
*   Enterprise and organization owners can support adherance to the principle of least privilege by granting access to audit log endpoints without providing full administrative privileges. To provide this access, personal access tokens and OAuth apps now support the read:audit_log scope. For more information, see "Using the audit log API for your enterprise."
    
*   Enterprise owners can more easily detect and trace activity associated with authentication tokens by viewing token data in audit log events. For more information, see "Identifying audit log events performed by an access token."
    
*   Enterprise owners can configure audit log streaming to a Datadog endpoint. For more information, see "Streaming the audit log for your enterprise."
    
*   **GitHub Advanced Security**
*   Enterprise owners on an instance with a GitHub Advanced Security license can view changes to GitHub Advanced Security, secret scanning, and push protection enablement in the audit log. Organization owners can view changes to custom messages for push protection in the audit log. For more information, see the following documentation.
    
    *   "business_secret_scanning category actions," "business_secret_scanning_push_protection category actions," and "business_secret_scanning_push_protection_custom_message category actions" in "Audit log events for your enterprise"
    *   "Reviewing the audit log for your organization"
*   Enterprise owners on an instance with a GitHub Advanced Security license can ensure compliance and simplify the rollout of secret scanning and push protection to all organizations on the instance using the REST API. This endpoint supplements the existing web UI, as well as the endpoints for repositories and organizations. For more information, see "Code security and analysis" in the REST API documentation.
    
*   Enterprise and organization owners who use secret scanning on an instance with a GitHub Advanced Security license can use the REST API to specify a custom link to display when push protection blocks a push containing a secret. For more information, see "Code security and analysis" or "Organizations" in the REST API documentation.
    
*   Users on an instance with a GitHub Advanced Security license who dismiss a secret scanning alert can help other users understand the reason for dismissal by providing an optional comment using the web UI or REST API. For more information, see the following documentation.
    
    *   "Managing alerts from secret scanning"
    *   "Secret scanning" in the REST API documentation
*   Users on an instance with a GitHub Advanced Security license can filter results from the Code Scanning API based on alert severity at either the repository or organization levels. Use the severity parameter to return only code scanning alerts with a specific severity. For more information, see "Code Scanning" in the REST API documentation.
    
*   Users on an instance with a GitHub Advanced Security license can analyze two additional languages for vulnerabilities and errors using CodeQL code scanning. Support for Ruby is generally available, and support for Kotlin is in beta and subject to change.
    
    *   Ruby analysis can detect more than twice the number of common weaknesses (CWEs) it could detect during beta. A total of 30 rules can identify a range of vulnerabilities, including cross-site scripting (XSS), regular expression denial-of-service (ReDoS), SQL injection, and more. Additional library and framework coverage for Ruby-on-Rails ensures that web service developers get even more precise results. GitHub Enterprise Server supports all common Ruby versions, up to and including 3.1.
    *   Kotlin support is an extension of existing Java support, and benefits from the existing CodeQL queries for Java, which apply to both mobile and server-side applications. GitHub has also improved and added a range of mobile-specific queries, covering issues such as handling of Intents, Webview validation problems, fragment injection, and more.
    
    For more information about code scanning, see "About code scanning with CodeQL."
    
*   Users on an instance with a GitHub Advanced Security license who use CodeQL code scanning can customize the build configuration for Go analysis within the GitHub Actions workflow file. Existing CodeQL workflows for Go analysis require no changes, and will continue to be supported. For more information, see "Configuring the CodeQL workflow for compiled languages."
    
*   **Dependabot**
*   To improve code security and simplify the process of updating vulnerable dependencies, more users can receive automatic pull requests with dependency updates.
    
    *   GitHub Actions authors can automatically update dependencies within workflow files.
    *   Dart or Flutter developers who use Pub can automatically update dependencies within their projects.
    
    For more information, see "About Dependabot security updates."
    
*   Dart and JavaScript developers on an instance with the dependency graph enabled can receive Dependabot alerts for known vulnerabilities within a project's dependencies.
    
    *   For Dart, the dependency graph detects pubspec.lock and pubspec.yaml files.
    *   JavaScript developers who use Node.js and npm can receive alerts for known vulnerabilities within Yarn v2 and v3 manifests. This supplements the existing support for v1 manifests. The dependency graph detects package.json, and yarn.lock files.
    
    For more information, see the following articles.
    
    *   "About the dependency graph"
    *   "Browsing security advisories in the GitHub Advisory Database"
    *   "About Dependabot alerts"
*   Python developers who use supported package managers on an instance with the dependency graph enabled can receive Dependabot alerts for dependencies within pyproject.toml files that follow the PEP 621 standard. For more information, see "About Dependabot version updates."
    
*   Python developers who receive Dependabot alerts can reduce the number of version updates when a current dependency requirement is already satisfied by a new version. To configure this behavior, use the increase-if-necessary versioning strategy. For more information, see "Configuration options for the dependabot.yml file."
    
*   Enterprise owners can retrieve Dependabot alerts for the instance using the REST API. This endpoint is in beta and subject to change. For more information, see "Dependabot alerts" in the REST API documentation.
    
*   Organization owners can retrieve Dependabot alerts for the organization using the REST API. This endpoint is in beta and subject to change. For more information, see "Dependabot alerts."
    
*   Users can programmatically view and act on Dependabot alerts using the REST API. New endpoints to view, list, and update Dependabot alerts are available in beta. These endpoints are subject to change. For more information, see "Dependabot alerts" in the REST API documentation.
    
*   **Code security**
*   To increase visibility into security posture and improve risk analysis, users can access coverage and risk views within the security overview. The coverage view shows enablement across repositories, while the risk view surfaces alerts across repositories. Organization owners, security managers, and repository administrators on an instance with a GitHub Advanced Security license can enable security features from the security overview's coverage view. The views replace the "Overview" page, and are in public beta and subject to change. For more information, see "About the security overview."
    
*   Contributors can define a repository's security policy by creating a SECURITY.md file. To increase the policy's visibility, GitHub Enterprise Server will link to the policy from the repository's **Code** tab. For more information, see "Adding a security policy to your repository."
    
*   The Dependency review API is generally available, and the associated GitHub Action now allows users to reference a local or external configuration file. For more information, see the following documentation.
    
    *   "Dependency review" in the REST API documentation
    *   "Configuring dependency review"
*   The GraphQL API provides access to a repository's dependency graph. This feature is in preview and subject to change. For more information, see "Objects" in the GraphQL API documentation.
    
*   **GitHub Actions**
*   During configuration of storage for GitHub Actions, site administrators can avoid risks associated with the input of sensitive secrets and access keys by using OIDC to connect to object storage providers. GitHub Actions on GitHub Enterprise Server supports OIDC for connections to AWS, Azure, and Google Cloud Platform. This feature is in beta and subject to change. For more information, see "Enabling GitHub Actions for GitHub Enterprise Server."
    
*   To prevent untrusted logging of data from the set-state and set-output workflow commands, action authors can use environment files for the management of state and output.
    
    *   To use this feature, the runner application must be version 2.297.0 or later. Versions 2.298.2 and later will warn users who use the save-state or set-output commands. These commands will be fully disabled in a future release.
    *   To use the updated saveState and setOutput functions, workflows using the GitHub Actions Toolkit must call @actions/core v1.10.0 or later.
    
    For more information, see "Workflow commands for GitHub Actions."
    
*   The ability to share actions and reusable workflows from private repositories is generally available. Users can share workflows in a private repository with other private repositories owned by the same organization or user account, or with all private repositories on the instance. For more information, see the following documentation.
    
    *   "Managing GitHub Actions settings for a repository"
    *   "GitHub Actions Permissions" in the REST API documentation
*   Users can improve workflow readability and avoid the need to store non-sensitive configuration data as encrypted secrets by defining configuration variables, which allow reuse across workflows in a repository or organization. This feature is in beta and subject to change. For more information, see "Variables."
    
*   Users can dynamically name workflow runs. run-name accepts expressions, and the dynamic name appears in the list of workflow runs. For more information, see "Workflow syntax for GitHub Actions."
    
*   Users can prevent a job from running on a runner outside the intended group by defining the names of the intended runner groups for a workflow within the runs-on key.
    
        runs-on:
          group: my-group
          labels: [ self-hosted, label-1 ]
        
    
    Additionally, GitHub Enterprise Server will no longer allow the creation of runner groups with identical names at the organization and enterprise level. A warning banner will appear for any runner groups within an organization that share a name with a runner group for the enterprise.
    
*   Users can enforce standard CI/CD practices across all of an organization's repositories by defining required workflows. These workflows are triggered as required status checks for all pull requests that target repositories' default branch, which blocks merging until the check passes. This feature is in beta and subject to change. For more information, see "Required workflows."
    
*   To enable standardization of OIDC configurations across cloud deployment workflows, organization owners and repository administrators can configure the subject claim format within OIDC tokens by defining a custom template. For more information, see "About security hardening with OpenID Connect."
    
*   To enable more transparency and control over cache usage within repositories, users who cache dependencies and other reused files with actions/cache can manage caches from the instance's web UI. For more information, see "Caching dependencies to speed up workflows."
    

*   Users can set expectations surrounding availability by displaying a local timezone within their profiles. People who view the user's profile or hovercard will see the timezone, as well as how many hours behind or ahead they are of the user's local time. For more information, see "Personalizing your profile."
    
*   **GitHub Discussions**
*   To improve discoverability, GitHub Discussions features the following improvements.
    
    *   Repository owners can pin discussions to a specific category.
    *   Category titles and descriptions are displayed on the category's page.
*   **Organizations**
*   To manage how organization members fork repositories, organization owners can set a dedicated forking policy for any organization. This policy must be stricter than an a forking policy set for the enterprise. For more information, see "Managing the forking policy for your organization."
    
*   Organization owners can improve organization security by preventing outside collaborators from requesting the installation of GitHub and OAuth apps. For more information, see "Limiting OAuth App and GitHub App access requests."
    
*   **Repositories**
*   To avoid providing full administrative access to a repository when unnecessary, repository administrators can create a custom role that allows users to bypass branch protections. To enforce branch protections for all users with administrative access or bypass permissions, administrators can enable **Do not allow bypassing the above settings**. For more information, see "Managing custom repository roles for an organization" and "About protected branches."
    
*   Repository administrators can ensure the security and stability of branches by requiring pull request approval by someone other than the last pusher, or by locking the branch. For more information, see "About protected branches."
    
*   In scenarios where someone should review code within a GitHub Actions workflow before the workflow runs, repository administrators can require approval from a user with write access to the repository before a workflow run can be triggered from a private fork. For more information, see "Managing GitHub Actions settings for a repository."
    
*   **Issues**
*   The GraphQL API supports creation and removal of the link between a branch and an issue. For more information, see the following documentation.
    
    *   "Creating a branch to work on an issue"
    *   "createLinkedBranch" and "deleteLinkedBranch" in the "Mutations" GraphQL API documentation
    *   "Objects" in the GraphQL API documentation
*   **Pull requests**
*   Users with multiple email addresses associated with their accounts can better ensure that Git commits created by squash-merging are associated with the correct email address. When merging the pull request, a drop-down menu will appear, allowing the user to select the email address to use as the commit's author.
    
*   **Releases**
*   Users can mark a specific release within a repository as the latest release using the web UI, REST API, or GraphQL API. For more information, see the following documentation.
    
    *   "Managing releases in a repository"
    *   "Releases" in the REST API documentation
    *   "Objects" in the GraphQL API documentation
*   **Integrations**
*   Users can save time and switch context less often by receiving and acting on real-time updates about GitHub Enterprise Server activity directly within Slack or Microsoft Teams. GitHub's integrations for these services are now generally available. For more information, see "GitHub extensions and integrations."

CVE-2023-22381: Release notes - GitHub Enterprise Server 3.8 Docs

Overcoming the obstacles of this security principle can mitigate the damages of an attack.

When I was forming the idea for the company that would become Veza, my co-founders and I interviewed dozens of chief information security officers (CISOs) and chief information officers (CIOs). No matter the size and maturity of their modern tech-savvy companies, we heard one theme over and over: They could not see who had access to their company's most sensitive data. Every one of them subscribed to the principle of least privilege, but none of them could say how close their company came to achieving it.

"Least privilege" is defined by NIST's Computer Security Resource Center as "the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function." That sounds simple, but things have changed. Data is now spread across multiple clouds, hundreds of SaaS apps, and systems old and new. As a result, all modern companies accumulate "access debt" — unnecessary permissions that were either too broad in the first place or no longer necessary after a job change or termination.

A KPMG study found that 62% of US respondents experienced a breach or cyber incident in 2021 alone. If any employee falls prey to phishing, but they only have access to non-sensitive information, there may be no economic impact at all. Least privilege mitigates the damage of an attack.

There are three obstacles to achieving least privilege: visibility, scale, and metrics.

**Visibility Is the Foundation**

It's hard to manage something you can't see, and access permissions are spread across countless systems in the enterprise. Many are managed locally within the unique access controls of a system (e.g., Salesforce admin permissions). Even when companies implement an identity provider, such as Okta, Ping, or ForgeRock, this only shows the tip of the iceberg. It cannot show all the permissions that sit below the waterline, including local accounts and service accounts.

    

Source: Veza

This is especially relevant today, with so many companies conducting layoffs. When terminating employees, employers revoke access to the network and SSO (single sign-on), but this does not propagate all the way to the myriad systems in which the employee had entitlements. This becomes unseen access debt.

For companies where legal compliance mandates periodic access reviews, visibility is manual, tedious, and vulnerable to omissions. Employees are dispatched to investigate individual systems by hand. Making sense of these reports (often, screenshots) might be possible for a small company, but not for one with a modern data environment.

**Scale**

Any company might have thousands of identities for employees, plus thousands more for non-humans, like service accounts and bots. There can be hundreds of "systems," including cloud services, SaaS apps, custom apps, and data systems such as SQL Server and Snowflake. Each offers tens or hundreds of possible permissions on any number of granular data resources. Since there is an access decision to make for every possible combination of these, it's easy to imagine the challenge of checking a million decisions.

To make the best of a bad situation, companies take a shortcut and assign identities to roles and groups. This addresses the scale problem but worsens the visibility problem. The security team might be able to see who belongs to a group, and they know the label on that group, but labels don't tell the whole story. The team can't see access at the level of tables or columns. When identity access management (IAM) teams are receiving a never-ending stream of access requests, it's tempting to rubber stamp approvals for the closest-fit group, even if that group confers broader access than necessary.

Companies can't overcome the scale challenge without automation. One solution is time-limited access. For example, if an employee was given access to a group but doesn't use 90% of the permissions for 60 days, it's probably a good idea to trim that access.

**Metrics**

If you can't measure it, you can't manage it, and nobody today has the tools to quantify how much "privilege" has been granted.

CISOs and their security teams need a dashboard to manage least privilege. Just as Salesforce gave sales teams the object model and dashboards to manage revenue, new companies are creating the same foundation for managing access.

How will teams quantify their access? Will it be called "privilege points"? Total permission score? A 2017 paper coined a metric for database exposure called "breach risk magnitude." Whatever we call it, the rise of this metric will be a watershed moment in identity-first security. Even if the metric is an imperfect one, it will shift a company's mindset toward managing least privilege like a business process.

**Going Forward**

The landscape has changed, and it has become practically impossible to achieve least privilege using manual methods. Fixing this will require new technologies, processes, and mindsets. The CISOs and CIOs I work with believe least privilege is possible, and they're making prudent investments to move beyond the bare minimum of quarterly access reviews. It won't be long before manual reviews are a thing of the past, and automation tames the complexity of modern access control.

Everybody Wants Least Privilege, So Why Isn't Anyone Achieving It?

Categories: Business
Protect your organization from mobile phishing and malware attacks.



(Read more...)




The post Crushing the two biggest threats to mobile endpoint security in 2023 appeared first on Malwarebytes Labs.

Don’t let their small size fool you: mobile devices can have a big impact on your security posture. It’s easy to see why, considering that almost **half of organizations** said they suffered a mobile-related compromise in 2022.

Malware and phishing are two particular mobile threats that you need to defend against in 2023. Just check out the following stats from last year:

*   **18 percent of clicked phishing emails** in 2022 came from a mobile device. (Verizon Mobile Security Index 2022)
*   **46 percent organizations** that had suffered a mobile-related security breach in 2022 said that **app threats were a contributing factor**. (Verizon Mobile Security Index 2022)
*   9 percent of organizations suffered a **mobile malware attack** in 2022. (Check Point 2023 Cyber Security Report)

In addition, according to Malwarebytes research, 45 percent of schools reported that at least one cybersecurity incident last year started with Chromebooks or other mobile devices.

In this post, we’ll talk about the threat that phishing and malware pose to mobile endpoint security and how to crush them.

**Mobile devices have a huge target on their backs**

Mobile devices are a key part of today’s modern business: 56 percent of employees rely on at least four to eight enterprise applications on their mobile device.

But wherever sensitive data exists, threat actors are out there trying to get their hands on it.

The explosion of bring-your-devices (BYOD) policies during and after the pandemic created a large, new attack surface. **Employees love mobile devices for their convenient access to corporate data systems; attackers love them for the same reason**.

**Malware on Android**

First things first, malware is a much bigger threat to Android devices than it is to iOS devices, as iOS malware is extremely rare.

Malware on mobile Android devices comes in many forms, including adware, ransomware, trojan-banker (aka ‘bankers’), and trojan-dropper (aka ‘droppers’). Droppers, considered the “most Trojan of Trojans,” disguise themselves as innocent apps to steal personal and financial data. Droppers can install copies of themselves, and because they can drop software that downloads other malware, they can be used to establish a permanent gateway into a smartphone, and then into a business

In our 2022 State of Malware Report, Malwarebytes found that droppers accounted for 14 percent of detections on Android. Other malware is more widespread, but **droppers pose the greatest danger to organizations**.

_Examples of recent Android malware_

**Phishing on iOS and Android**

Phishing has always worked wonders for attackers, and if it ain’t broke, don’t fix it—including on mobile devices. In fact, Zimperium found the number of phishing sites that target mobile devices specifically has seen 50 percent growth from 2019-2021.

Phishing attacks on Android and iOS range from email to banking, SMS (smishing), and even attempting to trick users into handing over legitimate two-factor authentication codes.

Targeted phishing campaigns on enterprise mobile devices are common, with threat attackers often impersonating companies such as Apple, PayPal, and Amazon.

**Mobile Device Management (MDM) ain’t the solution**

A common misconception that we hear when we talk about mobile endpoint security is that MDM is the solution to all of our mobile malware and phishing woes.

It’s not.

Mobile device management services only secure use of corporate data, but are not designed to counter threats such as malware and phishing on iOS and Android devices.

Organizations should look beyond MDM platforms and toward mobile security products that use a variety of techniques, including behavioral analysis, to crush mobile threats. Some features of a robust mobile threat defense product include:

*   24/7 real-time protection against emerging threats
*   Advanced antivirus, anti-malware, anti-spyware capabilities
*   Malicious app protection
*   App privacy audit
*   Safe web browsing
*   Block ads and ad trackers
*   Filters suspicious fraudulent texts
*   Spam call blocking

**Malwarebytes makes mobile device security easy**

With Malwarebytes Mobile Security for Business, you can put a damper on mobile attacks on your organization in just a few clicks.

In Nebula, our cloud-hosted security platform made for small to large businesses (OneView for MSPs), all you have to do to get started is activate the endpoint agent for your mobile devices.

From there, you set how your mobile endpoints behave by adding a new policy and selecting **Web protection and Ad block** for iOS and **Behavior protection** for ChromeOS and Android.

Once you save this policy, you’re set**!**

Admins gain immediate visibility into mobile device activity, enabling IT teams to easily identify and report malicious threats, PUPs, and PUMs.

The Malwarebytes Mobile Security app on IOS (left) and Android (right)

The statistics don't lie—phishing and malware pose a big threat to mobile endpoint security in 2023. But with a mobile threat defense solution like Malwarebytes Mobile Security, you can crush threats like these and more. Get a free trial and/or quote below!

**Get a quote or free trial of Malwarebytes Mobile Security**

Crushing the two biggest threats to mobile endpoint security in 2023

Cross-Site Request Forgery (CSRF) vulnerability in Conversios All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce plugin <= 5.2.3 leads to plugin settings change.

**Solution**

Update the WordPress Conversios.io plugin to the latest available version (at least 5.2.4).

Muhammad Daffa discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Conversios.io Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 5.2.4.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46797: WordPress Actionable Google Analytics and Google Shopping plugin for WooCommerce plugin <= 5.2.3 - Cross Site Request Forgery (CSRF) - Patchstack

By Owais Sultan
Video editing SDKs are great tools for creating and launching your products much more quickly. However, picking the…
This is a post from HackRead.com Read the original post: 5 Best Video Editing SDKs for iOS

Video editing SDKs are great tools for creating and launching your products much more quickly. However, picking the one that is perfect for you can be a burdensome mission.

To find your ideal video editor SDK for iOS, you should take numerous parameters into account, such as the video editing features you want to integrate, camera characteristics, the variety of effects and filters, and of course, technical aspects.

Surely, much research is necessary to find the optimal solution. The best way out may be to integrate an SDK into a sample app to fully evaluate its performance and compatibility with other components.

In this article, let’s explore the top 5 video editing SDKs for iOS that will definitely level up your development process and make it as easy as taking candy from a baby.

**1 Banuba Video Editing SDK**

This SDK will let you transform your app into an indispensable video editing tool that your users will adore. Its collection of visual effects and filters is impressively rich, while its integration takes up to one week only.

It offers a plethora of recording and editing features, the possibility of creating slideshows from photos, changing backgrounds, beautification, immersive face AR masks, and so on. By rotating videos, changing their speed, and adding the most trendy tracks, your users will get fully absorbed into the professional video editing world.

Additionally, applying voice effects is possible. With this tool, your users can create high-quality videos directly on their devices and export them in HD, Full HD, or QHD. By the way, it is compatible not only with iOS but also with Android. Plus, the SDK includes periodic updates and new features, making it one of the most powerful SDKs in the niche.

**2 Pixel SDK**

Pixel SDK is written in Swift, a powerful and intuitive multi-paradigm programming language developed by Apple. Logically, the SDK is a perfect choice for iOS developers. It aims at facilitating developers’ lives, including over 40 ready-made real-time filters and giving them a chance to create their own filters too. 

With Pixel SDK, they will not have to worry about creating and maintaining video editing software, as everything is done for them: cropping, rotation, trimming, perspective correction, dark mode support, scaling, etc.

It even allows you to import video content from DSLR cameras. Pixel SDK will let you fully focus on your business instead of constantly thinking about all the hardware problems and software updates.     

**3 IMG.LY**

With IMG.LY Video Editor SDK, you have the flexibility to customize every aspect of your app’s capabilities. It has an intuitive UI, a great filter collection, and captivating effects for your users to create professional-grade videos easily. Due to its variety of frames, stickers, and visual effects, turning your video into a top-notch social media post will not be a problem at all. 

Plus, your users will be able to undo and redo editing operations, fill their content with more depth and focus, and create video collages. All this provides them with greater control and flexibility during the editing process.

**4 Very SDK**

Smart shooting, audio and video editing featured templates and video export… The Very SDK offers all this and even more. And its beautifying and real-time filters will make your users look flawless on their device screens. It is even possible to create multi-frame videos to share as much content as you can at once. 

Sound effects and voice changes are also a reality with the Very SDK. It comprises 16 voice effects like the voices of monsters, kids, echo, and much more. Plus, adding subtitles or split-screen effects to your videos is not a problem either.  Finally, this SDK offers tet-a-tet online support 24/7 and regular updates.

**5 Movieous Short Video SDK**

This Chinese video editing SDK is packed with a vast array of features to take your video editing game to the next level. With this very SDK, you’ll gain access to advanced capabilities, such as video recording and editing, segment recording, and the ability to delete video clips with ease.

This SDK even provides options for both auto and manual focus, as well as the ability to mute your microphone during recording. Additionally, Movieous Short Video SDK also allows you to operate your flash with ease, switch dynamically between cameras, and even add a watermark to your videos for that professional touch.

Finally, you’ll also be able to stitch together your videos with seamless transitions for a polished and seamless final product. With all these features and more, this SDK is the ultimate tool for your creative endeavours.

**✋ Wrapping Up**

In short, choosing the right video editing SDK for your iOS app development can be a challenging task, but with the top 5 video editing SDKs we’ve explored, you’re one step closer to finding the perfect solution.

Each of these SDKs offers unique features that will enhance your app’s functionality and help you stand out from the competition. From the impressive visual effects and filters of Banuba Video Editing SDK to the easy-to-use and intuitive UI of IMG.LY, each SDK has something to offer. By integrating these SDKs into your app, you’ll empower your users to create engaging and professional-looking videos in no time. 

1.  Tools for Testing Your Proxy Servers
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  Top 7 PDF Tools to Edit, Merge/Split and Protect PDF
4.  AI-Powered tools spark creativity and help create designs
5.  Brief guide to building audio, video live streaming platform

5 Best Video Editing SDKs for iOS

As more businesses shift away from running workloads on dedicated virtual machines to running them inside containers using workload orchestrators like Kubernetes, adversaries have become more interested in them as targets. Moreover, the benefits Kubernetes provides for managing workloads are also extended to adversaries. As adversaries leverage Kubernetes to run their workloads, their understanding of how these platforms work and can be exploited increases.

Azure Kubernetes Service (AKS) Threat Hunting

New web targets for the discerning hacker

New web targets for the discerning hacker

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when they come to report computer security vulnerabilities in any system located in the European country – providing they follow a strict set of conditions and rules of conduct.

The guidelines, announced by the Centre for Cyber Security Belgium, apply to both private and public sector organizations. Belgium is further ahead on the curve, but it’s hoped that the scheme will inspire other countries to follow suit and companies to roll out vulnerability disclosure programs of their own.

In less congenial bug bounty-related news, independent researcher Peter Geissler publicly released the details of a set of vulnerabilities affecting Lexmark printers rather than accepting what he considered a derisory reward. The security bugs – which could be chained together to create a remote code execution attack – have since been fixed.

Another example of researchers baulking at bug bounty conditions came in the disclosure of a web security flaw in a marketing widget from analysts Gartner.

Security researcher Justin Steven wanted to write-up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that that it violated the rules of the private bug bounty program.

Steven publicly disclosed technical details of the vulnerability anyway, even though this meant he went without payment for the find.

There was drama aplenty when a new host of popular hacking tool XSS Hunter disclosed telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers upset that it was seemingly “peering over their shoulder” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option to security researchers using its version of XSS Hunter.

**The latest bug bounty programs for March 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ATG (Enhanced)**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**ATG has raised rewards for medium, high, and critical bugs, and broadened its scope to encompass .atg.se and its subdomains. ATG is a Swedish gaming company that specializes in horse racing.

Check out the ATG bug bounty page for more details

**Bybit**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$20,000

**Outline:  
**The cryptocurrency exchange is paying out between $5,000 and $20,000 for the highest tier of criticality. The sole target in scope is bybit.com.

Check out the Bybit bug bounty page for more details

**Grindr**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries on production databases, and significant authentication bypass flaws as potentially critical bugs.

Check out the Grindr bug bounty page for more details

**Linktree**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$7,500

**Outline:  
**Australian social media tool Linktree, which has 30 million users globally, has put “most” of its assets within the scope of the bug bounty program.

Check out the Linktree bug bounty page for more details

**Malwarebytes**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The anti-malware firm is offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing an RCE risk to Malwarebytes’ web properties or customers running its endpoint protection software, or leading to the takeover of AWS cloud infrastructure, will attract the greatest rewards.

Check out the Malwarebytes bug bounty page for more details

**Miro**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**The collaborative whiteboarding platform is offering rewards of up to $3,000. Out of scope assets include Jira Cards by Miro, Miro for Confluence, and Miro for Jira Cloud.

Check out the Miro bug bounty page for more details

**Ninja Kiwi Games**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**$3,750

**Outline:  
**The New Zealand-based video game developer has launched a second bug bounty program after a successful 2021 forerunner. Ninja Kiwi Games has created the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Check out the Ninja Kiwi Games bug bounty page for more details

**QNAP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**QNAP, the Taiwanese manufacturer of network-attached storage appliances, has invited hackers to probe its operating systems, applications, and cloud services for vulnerabilities.

Check out the QNAP bug bounty page for more details

**Skinport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Skinport, a marketplace for digital in-game items, has launched a program with rewards for critical flaws that open the door to trading or purchase manipulations. Vulnerabilities that result in unauthorized access to project servers or the disclosure of confidential data are also within scope.

Check out the Skinport bug bounty page for more details

**Spin by OXXO**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**In scope are an API plus iOS and Android mobile applications of Spin, a fintech app and payment card from Mexican convenience store chain Oxxo.

Check out the Spin by OXXO bug bounty page for more details

**Xdefi Technologies**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included in the in-scope assets Xdefi Extension (Chromium web extension) and app, with rewards based on severity as per the CVSS (the Common Vulnerability Scoring Standard).

Check out the Xdefi bug bounty page for more details

**Zabbix**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Zabbix, a vendor which provides open source infrastructure monitoring technologies, is offering up to $1,000 for high severity bugs and $3,000 for critical flaws.

Check out the Zabbix bug bounty page for more information

**Other bug bounty and VDP news this month**

*   Google has expanded its OSS Fuzz code testing service by upgrading its reward program and increasing the number of computing languages covered by the project
*   The search engine giant has also paid out its largest-ever bug bounty – worth a potentially life-changing £500,000 ($605,000) – for an Android\-related vulnerability. Google is staying tight-lipped about the details of the flaw but ITPro has narrowed down the list of possibilities
*   Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said that it triaged 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “engaged 151 researchers last year, more than double compared to the previous three years”, Security Week reports.
*   An in-depth article on the YesWeHack blog by security researchers BitK and SakiiR offers a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on earlier work by Portswigger’s Gareth Heyes on detecting server-side prototype pollution-type security flaws.
*   Security researcher Mike Takahashi has put together a Twitter thread on the so-hot topic of how AI-powered chatbots such as ChatGPT might be able to assist bug bounty hunters. The social media “brainstorm” by Takahashi is the second part in what might become an ongoing series.

Additional reporting by Adam Bannister

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for February 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

VMware Workspace ONE Content contains a passcode bypass vulnerability. A malicious actor, with access to a users rooted device, may be able to bypass the VMware Workspace ONE Content passcode.

Advisory ID: VMSA-2023-0006

CVSSv3 Range: 6.3

Issue Date: 2023-02-28

Updated On: 2023-02-28 (Initial Advisory)

CVE(s): CVE-2023-20857

Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857)

****1\. Impacted Products****

*   VMware Workspace ONE Content

****2\. Introduction****

A passcode bypass vulnerability affecting VMware Workspace ONE Content was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

****3\. Passcode bypass vulnerability (CVE-2023-20857)****

VMware Workspace ONE Content contains a passcode bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.

A malicious actor, with access to a users rooted device, may be able to bypass the VMware Workspace ONE Content passcode.

To remediate CVE-2023-20857 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank Jasper Westerman, Jan van der Put, Yanick de Pater and Harm Blankers of REQON B.V. for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Workspace ONE Content

Any

Android

CVE-2023-20857

6.3

moderate

23.02

None

None

Workspace ONE Content

Any

iOS

CVE-2023-20857

N/A

N/A

Unaffected

N/A

N/A

****4\. References****

****5\. Change Log****

**2023-02-28: VMSA-2023-0006  
**Initial security advisory.

****6\. Contact****

CVE-2023-20857: VMSA-2023-0006

Red Hat Security Advisory 2023-0977-01 - Red Hat OpenShift Data Science 1.22.1 security update. Issues addressed include an improper authorization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Data Science 1.22.1 security update  
Advisory ID:       RHSA-2023:0977-01  
Product:           RHODS  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0977  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-4415 CVE-2022-23521 CVE-2022-40303   
                   CVE-2022-40304 CVE-2022-41903 CVE-2022-47629   
                   CVE-2023-0923   
=====================================================================

1. Summary:

An update for kubeflow, dashboard, deployer is now available for Red Hat  
OpenShift Data Science 1.22.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Science 1.22.1 (kubeflow, dashboard, deployer)  
security update

Security Fix(es):

* odh-notebook-controller-container: Missing authorization allows for file  
contents disclosure (CVE-2023-0923)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2171870 - CVE-2023-0923 odh-notebook-controller-container: Missing authorization allows for file contents disclosure

5. JIRA issues fixed (https://issues.jboss.org/):

RHODS-6123 - Update dsp repo to match upstream kfp-tekton repo  
RHODS-6136 - Verify status of manifests  
RHODS-6330 - Remove Openvino and Etcd images from quay for self-managed deployments  
RHODS-6779 - [Model Serving] fallback image for ovms is not published, leading to image pull errors in upgrade scenarios

6. References:

https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-23521  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41903  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-0923  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zstzjgjWX9erEAQjCMQ/8Ce6TeflSnK0MOAMQlzjGPk7KarX0KSM3  
n21ANpVAhbwkN/85y3SEyLdC+0Yx7nP3N9Qtogjb7f86JMjilTN/L+wDkgju5V8J  
HZmGxS/pVF67eonoj3xJQ9SaeLUfsaiLXI0q5xwr3ZgnKTVAXN3S10Wr6zeC6Y+R  
+xZ5z5I1ffK1Ufkls3X7mwta87CAMzbDunmq37jNubVeid8iRrETsQAc9+h5cZ08  
o1j55joyE/B4lBKbP58xVWA4vM2znP9lCntBvAa0oOE+l8vGzkOuJhlS6xGtOyO8  
W/60Sd57pNK9QZ+T1n+PRCsOcxZHcmECYC+SQpOJjduCZeS2stjigqm8s91WIg8S  
gKLBBMo5nCU0UjgtS1fZqxbqvpFDUp8TvLaPGclmoV3vZTycYi0mL7LqRghXXPJ0  
1sNi/GXAnUrKwNzX9WALaYk7CWT28E223xjLQwqMyT5HGfypB7eFDVjNOnQR8AI6  
+GVafTiBIHYcTfY/2heFQtzYJmzF0OLQvv1H+zaeevcTxdfIPtxlKZmQwefDlXHW  
m6pOMsRUg0iX+8VzN4kPQUUaDo9H3X98nG2yvws8unAKs8v/VlfNJr1kLztwEzto  
9k0x/k5d9IZzuX/iBX7cGcAxD6scFc/IMlZ87GIvBZIZNkCXqaBaY1uAWeBiekqc  
NyJ+NGzOeX0=  
=VmLa  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0977-01

Red Hat Security Advisory 2023-0959-01 - The GNU tar program can save multiple files in an archive and restore files from an archive. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: tar security update  
Advisory ID:       RHSA-2023:0959-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0959  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-48303   
=====================================================================

1. Summary:

An update for tar is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The GNU tar program can save multiple files in an archive and restore files  
from an archive.

Security Fix(es):

* tar: heap buffer overflow at from_header() in list.c via specially  
crafted checksum (CVE-2022-48303)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2149722 - CVE-2022-48303 tar: heap buffer overflow at from_header() in list.c via specially crafted checksum

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
tar-1.34-6.el9_1.src.rpm

aarch64:  
tar-1.34-6.el9_1.aarch64.rpm  
tar-debuginfo-1.34-6.el9_1.aarch64.rpm  
tar-debugsource-1.34-6.el9_1.aarch64.rpm

ppc64le:  
tar-1.34-6.el9_1.ppc64le.rpm  
tar-debuginfo-1.34-6.el9_1.ppc64le.rpm  
tar-debugsource-1.34-6.el9_1.ppc64le.rpm

s390x:  
tar-1.34-6.el9_1.s390x.rpm  
tar-debuginfo-1.34-6.el9_1.s390x.rpm  
tar-debugsource-1.34-6.el9_1.s390x.rpm

x86_64:  
tar-1.34-6.el9_1.x86_64.rpm  
tar-debuginfo-1.34-6.el9_1.x86_64.rpm  
tar-debugsource-1.34-6.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-48303  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zr9zjgjWX9erEAQgFCQ//alfcFGj94ZyrA/2mgvlCz9Cx3lJtojvl  
P1Stw3/AW7q7wMoQ94RDVBKfknI1rU0hwQtrsJ0c8z9hBhoMld1AoaQkaQvlg30E  
ifinlww6QW27/27MZ61+9OIqTvpI8S4II/QN3VNlEgghm3REM0Kkg2m0hdOVE0NM  
+wnjffllagS03wMl25+iOsFU6wXGfXOvPdQb/PtoMuXjdP+Nm54cCUe1vlBI0Sjw  
QribodKXmeymcn9aCgV/uUEZfcS7zy+Iv1UIIBsgvC10TrkXWYnZK+ttqljIiMhs  
IRMpKtY8MpcFNw5RXOk5CnAjY79D3sp85068IudDiq3dl3VHQKG1cJGJodXqz60p  
oT91felsjMoOFa9ey1CE8wEqAjWLVSQWZpZs3QZ+WRZ8GERv8OWA8TCY14L9iwuh  
3Jd7BxdBNQhhS5IJpDIDO1qPP8jeC5AD91CVRofG5RYLT7nsjrHhNnPBtgtl+1Vn  
kGsBKwPAoQMW5Lg8YWB+Ucfc8OEeCrHGFgUTrmHdRHxvvbVw+11Mctg3lDYmwAgr  
KGgCmxt5UVt30iOQioTUDUdoKLKZBvqiiOeeFdh7z/juz6ErecHGT40LKDkcFJmY  
V7QgOQw90htZfuKn53QTb/eatT2biH5THvwxs4SEXtjqkNrUySaMzOO8XE0qaMG7  
t6zN1bJxMiU=  
=ISNA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#ios