Foxit PDF Reader and PDF Editor before 11.2.2 have a Type Confusion issue that causes a crash because of Unsigned32 mishandling during JavaScript execution.

CVE-2022-30557: Security Bulletins | Foxit Software

The technique, called store-now, decrypt later (SNDL), means organizations need to prepare now for post-quantum cryptography.

Although quantum computing is years away from commercial availability, business leaders, CIOs, and CISOs need to act now to prepare for the technology's inevitable ability to crack RSA-encrypted data. Failure to start adopting a post-quantum cryptography (PQC) strategy will put all existing encrypted data assets at risk of exposure, according to a stark warning from key technical cryptography experts issued on Wednesday.

A peer-reviewed paper chronicling that threat with a technical road map for transitioning to PQC appeared Wednesday in _Nature_, a leading journal for the science and technology communities.

The cybersecurity experts who wrote the paper, titled "Transitioning organizations to post-quantum cryptography," underscored the fact that when large and fault-tolerant (LFT) quantum computers become available, attackers will be able to use them to crack most existing public key crypto systems, including RSA and elliptic curve cryptography (ECC).

**SNDL Threat**

The paper points to three critical issues that the authors contend organizations must address. First is the existence of an active and critical threat called store-now, decrypt later (SNDL), a practice wherein attackers steal sensitive data and hold onto it with the intent of decrypting it once quantum computing becomes available.

Second, the authors warn that quantum computers will be able to break the most commonly relied on RSA and ECC to forge signatures. That would put at risk all SSL-based websites, zero-trust architectures, and cryptocurrencies, among other things, according to the authors.

And third, they highlight how the National Institute of Standards and Technology (NIST) is poised to select a set of PQC candidates that it will recommend as standards. Although the paper was written months ago before Wednesday's publication, NIST is poised to reveal the candidates within a few weeks and potentially sooner.

Dustin Moody, a NIST mathematician, confirmed the imminent announcement of the PQC algorithm candidates. Among cybersecurity standards, it is one of NIST's largest undertakings since developing Advanced Encryption Standard (AES) and Secure Hash Algorithm-3 (SHA-3). The new PQC standard will likely include more than one algorithm, Moody told Dark Reading.

"Security-wise, we want to make sure we're not putting all our eggs in one basket," Moody says. NIST is considering public key digital signatures as well as encryption or equivalently key establishment, Moody adds: "There will be at least one for each of these."

NIST's pending announcement was presaged by two directives last week from the Biden administration aimed at recognizing and addressing PQC.

**Impact on Existing Data Assets**

While the paper provides a detailed technical breakdown of PQC issues, it also aims to bring awareness of the implications of quantum computing for existing information assets and emphasize the need to develop a plan.

"For those organizations that have not started integrating PQC in their systems or even planning for it, we highly recommend starting their efforts now," the paper warns. "Those organizations and enterprises with sensitive data with time value exceeding five years should consider PQC immediately."

One of the co-authors of the paper is Jack Hidary, founder and CEO of Sandbox AQ, a software-as-a-service (SaaS) provider focused on bringing together quantum computing and artificial intelligence technology to address complex processing issues. The primary processing issue it is dedicated to is helping organizations understand the risk of quantum computing by identifying critical data assets that are encrypted and developing a strategy to protect them with the forthcoming PQC algorithms.

The first thing companies must do is undergo a discovery process to determine the value of all their data, particularly information that is encrypted. For example, a large pharmaceutical company could have IP for patented drugs that are worth billions of dollars per year in revenues and royalties. If that data were to end up in the wrong hands, it could render that IP worthless, Hidary warns.

"We realized that a white paper was necessary to give context to CISOs and to engineering teams and other leaders in the C-suite as to how this migration would occur," Hidary told Dark Reading. "And that's the motivation for this paper."

Hidary emphasizes that with SNDL, state-sponsored and independent attackers have already begun exfiltrating RSA encrypted data. "It's happening right now — they're storing that information, then they will decrypt in the future in a few years when they have additional computing power," he said. "That's the concern."

**PQC Attracts Powerful Friends**

Sandbox AQ may not be a well-known company today, having just come out of stealth mode. But it is a well-capitalized startup incubated by Google parent Alphabet, which spun out Sandbox AQ in March as a standalone company.

The company has a prominent advisory board consisting of former Google chairman and CEO Eric Schmidt, former U.S. Secretary of Defense Ashton Carter, former principal deputy director of National Intelligence Susan Gordon, and retired Admiral Mike Rogers, former Commander of the U.S. Cyber Command and a onetime director of the National Security Agency.

Before meeting with Hidary in January, Ernst & Young Americas cybersecurity lead David Burg said he knew PQC was an issue that his company would eventually have to address with its clients. But Burg acknowledges he was taken off guard over the need for EY to work on it with companies immediately.

"We left that meeting realizing that this is actually a problem set that our clients in the United States and around the world will need to deal with sooner than we thought," Burg says. The two companies formed a partnership to address the issue together.

**Protecting Health Information at Mount Sinai**

One of the clients EY is working with is the Mount Sinai Health System, which has 43,000 employees throughout its eight hospital campuses in the New York City area. Kristin Myers, who is Mount Sinai's CIO and dean of technology for its medical school, says cybersecurity is her No. 1 priority.

"In regard to quantum computing, the reality is that because of this innovation, it's going to be possible to decrypt data that is currently encrypted in the future," Myers says. "And as you can imagine for healthcare, an unauthorized disclosure of sensitive PHI \[personal health information\] would really impact patients, whether it happened now, five years from now, or beyond."

Myers says she signed up Mount Sinai with Sandbox AQ and will start conducting a review and inventory of all the encryption methods now in use. Sandbox AQ will then provide recommendations on how to move forward.

"We'll do a feasibility study of some of the products that we'll need to implement with them," she says. "This is going to be a multiyear journey with them, but just to be able to get started is going to be important for us."

Threat Actors Are Stealing Data Now to Decrypt When Quantum Computing Comes

With its latest mobile OS update, Google aims to simplify the adoption of Android’s protective features for users and developers alike.

For years, Android’s security and privacy teams have been wrestling the world’s most popular mobile operating system to make it more controllable and updatable while still being open source and easy to deploy. And while scams, malware, and rogue apps are still real threats, the debut of Android 13 at Google’s I/O developer’s conference on Wednesday feels less like triage mode and more like a logical iteration. As Charmaine D'Silva, Android’s director of product management puts it, “This is the release where we bring it all together.”

If anything, the big problem for Android security and privacy now is trying to get users, device makers, and developers to understand and be motivated to use a slew of new and recently released protective features. And after setting so many privacy and security initiatives in motion over the past few years, there's a huge amount for the Android team to maintain and try to get right at any given time.

“We will continue to go deeper, and that’s going to be a continued investment, but the challenge as you go deep is you end up fragmenting experiences, you end up actually confusing users unintentionally,” says Krish Vitaldevara, Android senior director of product management. “That’s a very hard problem to solve, and that’s what we’re going to solve with Android 13.”

Google Play Protect now scans about 125 billion apps per day on user devices to assess their behavior and attempt to identify security issues. And Google says that its Messages app now blocks 1.5 billion spam messages per month in an attempt to cut down on phishing and other scams that actually reach users. And after finally introducing end-to-end encryption in Messages last year for one-on-one texting with the long-awaited RCS messaging standard, Google says that later this year it will add end-to-end encryption in beta for group chats as well.

“We feel both excited and hopeful,” Jan Jedrzejowicz,  a Messages product manager tells WIRED. “Excited because providing out-of-box and encrypted-by-default group text messaging on Android is a huge upgrade for a large number of people all over the world. Hopeful because cross-platform messaging still uses SMS/MMS, and we really hope we can upgrade that to a more modern and encrypted protocol.”

Android 13 imposes more limitations and user controls for the permissions apps are granted and what data they can access when. For example, the operating system gives developers the option to easily incorporate Google’s “Photo picker” that lets users choose specific photos and videos to share with an app through the conduit of the picker, rather than granting the app access to their full photo library. Google has increasingly leaned on the system access that Android already has to provide specific data to apps, making it more like the bartender who’s mixing drinks than the cashier at the liquor store. Similarly, Android 13 now requires apps to request permission to access audio files, image files, and video files separately as part of an effort to limit access to different storage buckets.

Android already limited how much access apps had to the clipboard and notified users when an app grabbed something from it. But Android 13 adds another layer by automatically deleting whatever is in your clipboard after a short interval. This way, apps can’t find out old things that you copied, and—bonus—you’re less likely to inadvertently share your coworker’s list of reasons they hate your company with your boss. Android 13 also continues a process of reducing apps’ ability to require location sharing for things like enabling Wi-Fi. 

Android 13 requires new apps to ask permission before they can send you notifications. And the new release expands on a feature from Android 11 that automatically resets an app’s permissions once you haven’t used it for a long time. Since its debut, Google has extended the feature all the way back to devices running Android 6, and the operating system has now automatically reset more than 5 billion permissions, according to the company. This way, a game you don’t play anymore that had permission to access your microphone three years ago can’t still listen in. And Android 13 makes it easier for app developers to remove permissions proactively if they don’t want to retain access for longer than they absolutely need.

Making sure that Android devices around the world can get security updates has been a core hurdle for Google, since Android’s open source ethos allows any manufacturer to deploy its own version of the operating system. To improve the situation, the company has spent years investing in a framework called Google System Updates that breaks down the operating system into components and allows phone makers to directly send updates for the different modules through Google Play. There are now more than 30 of these components, and Android 13 adds ones for Bluetooth and ultra-wideband, the radio tech used at short range for things like radar.

Google is working to reduce common vulnerabilities that can show up in software by rewriting some crucial parts of the Android code base in more secure programming languages like Rust and creating defaults that nudge developers in a more secure direction with their own apps. The company has also worked to make its application programming interfaces more secure and has started offering a new service called Google Play SDK Index that provides some transparency into widely used software development kits, so developers can be more informed before they incorporate these third-party modules into their apps.

Similar to Apple’s iOS Privacy Labels, Android recently added a “Data Safety” field in Google Play to give users a sort of nutrition-fact label explaining how apps say they will handle your data. In practice, though, these types of disclosures aren’t always reliable, so Google is offering developers the option to have a third party independently validate their claims against an established mobile security standard. The process is still voluntary, though.

“We provide all these tools to developers to make their apps safer, but it’s important that they can actually prove that out and validate it through an independent third party, a set of labs testing against an established standard,” says Eugene Liderman, director of Android Security Strategy.

Android and Apple’s iOS have both been moving toward offering the ability to store government-issued identification. In Android 13, Google Wallet can now store such digital IDs and driver’s licenses, and Google says it’s working with both individual states in the United States and governments globally to add support this year.

With so much to focus on and refine, Android 13 attempts to take a sprawling situation and rein it in rather than letting it spin out of control. And Android's D'Silva says there's one release coming later this year that she's particularly looking forward to: a sort of safety center within Settings that will centralize privacy and security options in one location for users. An acknowledgment, perhaps, that it's all become too much for the average user to keep track of on their own.

Android 13 Tries to Make Privacy and Security a No-Brainer

Red Hat Security Advisory 2022-1759-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include buffer overflow, integer overflow, null pointer, out of bounds access, out of bounds read, and use-after-free vulnerabilities.

Red Hat Security Advisory 2022-1759-01

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.0.3 and below, 6.4.8 and below, 6.2.10 and below, 6.0.14 to 6.0.0. and in FortiProxy version 7.0.1 and below, 2.0.7 to 2.0.0 web filter override form may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

** PSIRT Advisories**

**FortiProxy & FortiOS - XSS vulnerability in Web Filter Block Override Form**

**Summary**

An improper neutralization of input during web page generation vulnerability \[CWE-79\] in FortiProxy and FortiOS web filter override form may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

**Affected Products**

FortiOS version 7.0.3 and below,  
FortiOS version 6.4.8 and below,  
FortiOS version 6.2.10 and below,  
FortiOS version 6.0.14 to 6.0.0.

FortiProxy version 7.0.1 and below,  
FortiProxy version 2.0.7 to 2.0.0.

**Solutions**

Please upgrade to FortiProxy version 7.0.2 or above.  
Please upgrade to FortiProxy version 2.0.8 or above.  
Please upgrade to FortiOS version 7.0.4 or above.  
Please upgrade to FortiOS version 6.4.9 or above.

**Acknowledgement**

Fortinet is pleased to thank Tom Tervoort for bringing this issue to our attention under responsible disclosure.

CVE-2021-43081: Fortiguard

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (File Transfer) allows an unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

****CVE-2022-29932 - Primeur Spazio MFT - Information Disclosure (Memory Leak)******Description**

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (Managed File Transfer) allows a remote unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

Vendor has acknowledged the vulnerability and promptly notified all impacted customers and provided a patch.

**Affected Product Code Base**

Primeur Spazio - 2.5.1.954.

Other versions may also be affected.

**Attack Vectors**

In order to exploit the vulnerability, an unauthenticated attacker should send crafted HTTP Request

**Discovered by**

Andrea Mattiazzo, Alessandro Cudini, Antonio Montesano, Emanuele Chiossi, Giovanni Battista Colonna

**Reference**

https://www.primeur.com/managed-file-transfer

****Proof-of-Concept (POC)****

Navigating the website without any kind of credentials and executing fuzzing on the root directory, it has been observed that some web resources were built at real-time.

After an in-depth analysis it was observed those resources (i.e. folders) are strictly related to already existent data directories (i.e. subfolders of root web folder) on the web server.

Creating a crafted HTTP request pointing to these data directories cutting the trailing "/" character, the web server answers with an unmanaged memory leak in HTTP response. As an example we created two folders on the webserver called "assets" and "pippo" in order to reproduce the unsecure behaviour obtaining the memory leak.

By downloading or navigating the resource containing the memory leak, it has been possible to gain access to the exfiltrated buffer of memory which contained the content of files exchanged by authorized users who are using the File Transfer solution, hence leading to an information disclosure.

Since folders name is usually easy-enumerable by any fuzzer, and some folders have standard naming (errors, templates, images), the bug can be easily exploited.

CVE-2022-29932: CVE-2022-29932/Proof-of-Concept.md at main · Off3nS3c/CVE-2022-29932

In an effort to combat phishing, Google will allow Android phones and iPhones to be used as security keys.

Security is a continuous game of cat and mouse, with defenders improving their defenses against new attack methods and techniques. At Google I/O this week, the company announced anti-phishing efforts that will make it possible to use Android and iOS devices in the same way as physical security keys.

Security keys such as Google’s Titan Security Key work well to block phishing attempts and are easy to use. Users are prompted to plug the security key into the USB port (although some are NFC-capable) and tap it to authorize a login attempt. Google is bundling this capability into mobile devices, where Android and iOS devices use Bluetooth to verify they are in physical proximity to the device the user is trying to log into.

“Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on _their_ browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt,” wrote Google engineer Daniel Margolis in a blog post.

Google is also expanding the types of Google Prompt challenges that users may experience if their login attempts look potentially fraudulent. “If we think an account is at a higher risk, or if we see abnormal behavior, we're more likely to use these additional security measures,” Margolis said. 

A new Google Prompt challenge will require users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into. Similar to the security key functionality, this allows the user to prove that both mobile and computing devices are in the same location.

Google made several other security announcements at Google I/O, including plans to continue auto-enrolling Google account users into two-step verification, scaling phishing protections for Google Docs, Sheets, and Slides, as well as new security and privacy features in Android. These announcements are in addition to the recent pledge with the FIDO Alliance, Apple, and Microsoft to expand support for the FIDO Sign-in standards for passwordless authentication.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Will Use Mobile Devices to Thwart Phishing Attacks

A surprising number of the top 100,000 websites effectively include keyloggers that covertly snag everything you type into a form.

When you sign up for a newsletter, make a hotel reservation, or check out online, you probably take for granted that if you mistype your email address three times or change your mind and X out of the page, it doesn't matter. Nothing actually happens until you hit the Submit button, right? Well, maybe not. As with so many assumptions about the web, this isn't always the case, according to new research: A surprising number of websites are collecting some or all of your data as you type it into a digital form.

Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a user is visiting a site while in the European Union and visiting a site from the United States. They found that 1,844 websites gathered an EU user's email address without their consent, and a staggering 2,950 logged a US user's email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.

After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites in which third parties, including the Russian tech giant Yandex, were incidentally collecting password data before submission. The group disclosed their findings to these sites, and all 52 instances have since been resolved.

“If there’s a Submit button on a form, the reasonable expectation is that it does something—that it will submit your data when you click it,” says Güneş Acar, a professor and researcher in Radboud University's digital security group and one of the leaders of the study. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”

The researchers, who will present their findings at the Usenix security conference in August,  say they were inspired to investigate what they call “leaky forms” by media reports, particularly from Gizmodo_,_ about third parties collecting form data regardless of submission status. They point out that, at its core, the behavior is similar to so-called key loggers, which are typically malicious programs that log everything a target types. But on a mainstream top-1,000 site, users probably won't expect to have their information keylogged. And in practice, the researchers saw a few variations of the behavior. Some sites logged data keystroke by keystroke, but many grabbed complete submissions from one field when users clicked to the next.

“In some cases, when you click the next field, they collect the previous one, like you click the password field and they collect the email, or you just click anywhere and they collect all the information immediately," says Asuman Senol, a privacy and identity researcher at KU Leuven and one of the study coauthors. "We didn’t expect to find thousands of websites; and in the US, the numbers are really high, which is interesting,” 

The researchers say that the regional differences may be related to companies being more cautious about user tracking, and even potentially integrating with fewer third parties, because of the EU's General Data Protection Regulation. But they emphasize that this is just one possibility, and the study didn't examine explanations for the disparity.

Through a substantial effort to notify websites and third parties collecting data in this way, the researchers found that one explanation for some of the unexpected data collection may have to do with the challenge of differentiating a “submit” action from other user actions on certain web pages. But the researchers emphasize that from a privacy perspective, this is not an adequate justification.

Since completing their paper, the group also had a discovery about Meta Pixel and TikTok Pixel, invisible marketing trackers that services embed on their websites to track users across the web and show them ads. Both claimed in their documentation that a customers could turn on “automatic advanced matching,” which would trigger data collection when a user submitted a form. In practice, though, the researchers found that these tracking pixels were grabbing hashed email addresses, an obscured version of email addresses used to identify web users across platforms, before submission. For US users, 8,438 sites may have been leaking data to Meta, Facebook’s parent company, through pixels, and 7,379 sites may be impacted for EU users. For TikTok Pixel, the group found 154 sites for US users and 147 for EU users.

The researchers filed a bug report with Meta on March 25, and the company quickly assigned an engineer to the case, but the group has not heard an update since. The researchers notified TikTok on April 21—they discovered the TikTok behavior more recently—and have not heard back. Meta and TikTok did not immediately return WIRED's request for comment about the findings.

“The privacy risks for users are that they will be tracked even more efficiently; they can be tracked across different websites, across different sessions, across mobile and desktop,” Acar says. “An email address is such a useful identifier for tracking, because it’s global, it’s unique, it’s constant. You can’t clear it like you clear your cookies. It's a very powerful identifier.”

Acar also points out that, as tech companies look to phase out cookie-based tracking in a nod to privacy concerns, marketers and other analysts will rely more and more heavily on static IDs like phone numbers and email addresses.

Since the findings indicate that deleting data in a form before submitting it may not be enough to protect yourself from all collection, the researchers created a Firefox extension called LeakInspector to detect rogue form collection. And they say they hope their findings will raise awareness about the issue, not only for regular web users but for website developers and administrators who can proactively check whether their own systems or any of the third parties they're using are collecting data from forms without consent. 

Leaky forms are just one more type of data collection to be wary of in an already extremely crowded online field.

Tag

#ios