Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

**Zoom Mobile App for Android, Zoom Mobile App for iOS and Zoom SDKs - Cryptographic Issues**

*   Bulletin: ZSB-23056
*   CVEID: CVE-2023-43583
*   CVSS Severity: Medium
*   CVSS Score: 4.9
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description:

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Mobile App for Android before version 5.16.0
*   Zoom Mobile App for iOS before version 5.16.0
*   Zoom Video SDK for Android before version 5.16.0
*   Zoom Video SDK for iOS before version 5.16.0
*   Zoom Meeting SDK for Android before version 5.16.0
*   Zoom Meeting SDK for iOS before version 5.16.0

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-43583: ZSB 23056

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

**Zoom Clients - Improper Authentication**

*   Bulletin: ZSB-23062
*   CVEID: CVE-2023-49646
*   CVSS Severity: Medium
*   CVSS Score: 5.4
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description:

 Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Desktop Client for Windows before version 5.16.5
*   Zoom Desktop Client for macOS before version 5.16.5
*   Zoom Mobile App for iOS before version 5.16.5
*   Zoom Mobile App for Android before version 5.16.5
*   Zoom Desktop Client for Linux before version 5.16.5
*   Zoom VDI Client before version 5.16.5 (excluding 5.14.14 and 5.15.12)
*   Zoom SDKs before version 5.16.5

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-49646: ZSB 23062

By Deeba Ahmed
Hidden Code, Hidden Profits - Tracked Before You Click - SDBN Takes Adobe to Court Over Alleged Illegal Tracking of Dutch Cizitens.
This is a post from HackRead.com Read the original post: Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Dutch privacy watchdog SDBN alleges that Adobe is spying on and collecting data from ‘virtually every Dutch internet user’ through the illegal placement of tracking cookies.

Dutch privacy watchdog Stichting Data Bescherming Nederland (**SDBN**) is suing Adobe for illegally tracking and sharing the personal data of millions of Dutch citizens.

For your information, SDBN is a Netherlands-based non-profit foundation striving to safeguard users’ privacy and data protection. Apart from Adobe, the organization is also actively pursuing lawsuits against Amazon and X (formerly Twitter).

Adobe, a United States-based design software company known for its creativity and multimedia software products, is accused of secretly collecting vast amounts of data from users visiting prominent websites and apps, including Dutch telecommunications company KPN, Stichting Pensioenfonds ABP (National Civil Pension Fund), and the Dutch Tax Authority.

According to SDBN, the collected data is then shared with multiple third parties without obtaining user consent. Moreover, the company allegedly used tactics like hidden tracking cookies and app SDKs to collect data.

In a press release that the organization shared with Hackread.com, users are kept in the dark about their digital footprints, and sometimes Adobe plants cookies before they can say no. These profiles are shared with other companies for targeted advertising.

This practice violates the General Data Protection Regulation (**GDPR**), putting users at risk of data exposure, identity fraud, and other privacy concerns. SDBN claims that Adobe is snooping on nearly every Dutch citizen, even those who have never used Adobe products.

> _“Via websites and apps, Adobe itself illegally collects an enormous amount of data on virtually every Dutch internet user, irrespective of whether they have ever used an Adobe product”._
> 
> SDBN

It warns that this data trade is not risk-free and could expose sensitive information and identity. They are taking Adobe to court, demanding an end to the covert tracking and compensation for millions of affected Dutch citizens.

Adobe profited financially from this unlawful data collection. Hence, SDBN filed a class action lawsuit demanding Adobe to cease illegal data collection, destroy all the illegally collected data, and disclose all parties with whom data has been shared. The lawsuit aims to stop tracking cookies on popular websites and hidden code in apps like Marktplaats and Buienradar. 

SDBN also demands justice for an estimated seven million Dutch citizens whose data was shared, demanding Adobe to remove every illegally collected data and give impacted users compensation for the privacy invasion. 

Dutch internet users can join the fight by signing up for a free mass claim on SDBN’s website. If a Dutch internet user has visited the aforementioned websites or used the listed apps, they may be eligible to join the lawsuit and claim compensation.

SDBN’s chairperson Anouk Ruhaak, stated that the design software vendor’s involvement in mass data collection and trading is surprising.

“While Adobe is primarily recognized as a design software supplier, what’s surprising is its simultaneous involvement in the digital personal data market – tracking your online activities. Have you made online Christmas purchases? Well, Adobe likely has a detailed record of what you browsed and where you bought your Christmas stockings or perfume.”

SDBN also shared a list of websites and apps which it claims are used by Adobe to track users. These included the following sites:

*   Abp.nl
*   Albelli.nl
*   Bruna.nl
*   Douglas.nl
*   Expedia.nl
*   Gamma.nl
*   Karwei.nl
*   ketnet.be
*   Kijk.nl
*   Kpn.com
*   Kwf.nl
*   Tui.nl
*   Unibet.nl
*   Unive.nl
*   Wsj.com
*   Footlocker.nl
*   Hallmark.com
*   Beterhoren.nl
*   Belastingdienst.nl

****Examples of mobile apps (iOS and Android) that allegedly contain Adobe tracking software include:****

*   Asos
*   RTL XL
*   MijnKPN
*   Ziggo GO
*   Buienradar
*   Marktplaats
*   PlayStation
*   TomTom Go Navigation
*   Essent Verbruiksmanager

****_RELATED ARTICLES_****

1.  **Canada Bans WeChat and Kaspersky Due to Spying Concerns**
2.  **Google Facing Lawsuit Over Tracking Users in Incognito Mode**
3.  **$4 billion lawsuit claims Google tracked iPhone users’ activities**
4.  **Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews**
5.  **Authors Sue OpenAI: ChatGPT’s Training Methods Challenged in Lawsuit**

Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.

The AMD vulnerability sounds like something from back in the eighties:

> “A division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.”

And AMD’s mitigation advice basically boils down to “so don’t divide by zero,” which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.

The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and in severity listed as “Critical.”

MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target’s machine.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address multiple vulnerabilities in Adobe software.

*   Adobe Prelude
*   Adobe Illustrator
*   Adobe InDesign
*   Adobe Dimension
*   Adobe Experience Manager
*   Adobe Substance3D Stager
*   Adobe Substance3D Sampler
*   Adobe Substance3D After Effects
*   Adobe Substance3D Designer

**Android**: Google released the Android December 2023 security updates with a fix for a critical zero-day.

**Apache** released security updates to address a vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.

**Apple** issued emergency updates including patches for older iOS devices concerning two actively used zero-day vulnerabilities.

**SAP** released its December 2023 Patch Day updates.

**WordPress** released version 6.4.2 that addresses a remote code execution (RCE) vulnerability.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft patches 34 vulnerabilities, including one zero-day 

Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-8 watchOS 10.2

watchOS 10.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214041.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

ExtensionKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3quQACgkQX+5d1TXa  
IvoPPhAAgReQjt/dYzFqQbyMQQPLK1iDWh9s0M+PbHz5x+eS6vSX/OpkLNFy6MC1  
kHQI1EaV37/3sRqko8eX+f/deKqPi59tSV3BALedLV2v8F+4ioXIzsyGWsSYzor4  
U1l4h7fNA64060MR35dlvYnB2FsNnyVI6hlhEyfEEZXVMX4cX0KX5l5a7m/wKmQK  
tpDOak7WVEIj5aLk/e0IQBjpOJW8c2Moa8PTtERr1jJsp+PVrXNu9zZfHWhsCn02  
KPa26RRDtiru7KpXlRy2vzOQeCgJmRZH1CKVWKSiLEjTZnKWM1IF1LTYBJalDGbS  
nOvV6BcVD4rdbbi4cYlPic+Z65YKw+ctW0bNAgnim8RyOF28VNQX8DOcYKZnyqPS  
jYLG5rAq0oKtJztwDkIKc2nc0FrxZzV3f4QwTaFWbVzN0koYJJpVKDs5GgGQ/2MG  
4MtuxRuK2j5eibLInW33K58XCVpAidhiU5YaeIG5dbzf0YKXsUmKImmXap5SKnSe  
fwf6kEFR7keGiu8tlEOnBonDIOhFyWeiK785WhxdwrWMJNHQUegTTYItNrtrzaZr  
Q/lDfMQ9/1L38Jj/OuR1WSdBpDKmT9jepE2mLZb4fQasALJlGh9g1uFTaTl883QG  
uADzZx+TIGO2RIlMGPxwwr4+I2kpi1x/amwRjzCzvwr9+nQDyyk=  
=MttV  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-8

Apple Security Advisory 12-11-2023-7 - tvOS 17.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-7 tvOS 17.2

tvOS 17.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214040.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AVEVideoEncoder  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qngACgkQX+5d1TXa  
Ivrv3RAAuQY01CVjPIhf1IVMNryEZAW+NEm29U419ldBlHWNENHiXD7dF5cPNcDd  
fVlyxJ4zXCjIMflrS5oOGjqtsJvMfL99QaF9of5elxBjF8wA3d3bslESVveUw4/n  
OflBE44Ghbg2nNd/wQiiLCDWCbKyVk9R5Vm1c2L5+afg4dyppaNME4oxq7itnyjr  
UmNv7Sb2pxjjew0L9YAV15DaZmH30By6jRIKynS0+P1Eys/Vx3JVwC6QOOba6ixF  
OxO/Ki4vFAuwxnC9hGbYon6QTpMAuI0nzQAD/RYtpQMtkPkZ3dPPeA7DBs8TIxIo  
8QKfABYt5QY+VKFaTbNclzMu0/l/l3AcaZsbKTsyM1rEH8hACZKlkVQxQ3GhVXbe  
Hmc6JqOA+fpVJya7RUNCyo3Kq4jKf8Rgj+rDJyHSqZ8vEHr/qrLmgvEsHfhAPq46  
tUZMuVrHtcREKzxLh2Os4hCs68kcEG3w9Q2n5a5UHskLBYimhFTsp5ajClNC1l1w  
KiVW8SmDL7zt5ApNWRNa1Pc3ZxvAUousVbuMWt6VP40mz9AHKs8VsoscMwQkzscs  
OMkrHUJdQfki+GLsd4Zk54/VjQR1CFtr1xBPZkKPW4WCinjAiw73fuOCzTz4f+rZ  
Dwvd0BGIGPWaRewZhcxPXrSHDj91bbBLRkOPn5JVDkbP3eXRbAU=  
=IKXm  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-7

One Identity Password Manager versions prior to 5.13.1 suffer from a kiosk escape privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20231206-0 >  
=======================================================================  
               title: Kiosk Escape Privilege Escalation  
             product: One Identity Password Manager Secure Password Extension  
  vulnerable version: <5.13.1  
       fixed version: 5.13.1  
          CVE number: CVE-2023-48654  
              impact: critical  
            homepage: https://www.oneidentity.com/products/password-manager/  
               found: 2023-10-09  
                  by: Stefan Schweighofer (Office Vienna)  
                      Constantin Schieber-Knöbl (Office Vienna)  
                      Armin Weihbold (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"One Identity delivers solutions that help customers strengthen operational  
efficiency, reduce risk surface, control costs and enhance their  
cybersecurity. Our Unified Identity Platform brings together best-in-class  
software to enable organizations to shift from a fragmented identity strategy  
to a holistic approach."

Source: https://www.oneidentity.com/company/

Business recommendation:  
------------------------  
The vendor provides a patch version 5.13.1 which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
The Password Manager Application by One Identity enables users to reset  
their Active Directory passwords on the login screen of a Windows client, with  
the Secure Password Extension. The Secure Password Manager Extension launches a  
Chromium based browser in Kiosk mode to provide the reset functionality.

Due to application-specific functionalities the Password Manager Extension  
suffers from two exploitable Kiosk Escape vulnerabilities which allow a local,  
pre-authenticated attacker to escalate the privileges to SYSTEM.

1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
The Password Manager Extension uses Google ReCAPTCHA, which enables an  
attacker to escape the Kiosk Mode of the browser and gain  
"nt authority\system" permissions on the login screen of the targeted machine.  
This is possible due to the fact that Google ReCAPTCHA links to external  
websites, which open in a new browser window and enable an attacker to  
navigate to other external websites.

2) Password Manager Kiosk Escape after Session Timeout  
The Password Manager application provides a link to a help page of  
One Identity. This link references an external site and is therefore hidden  
in the Kiosk Mode browser of the Password Manager Extension. If the Password  
Manager Extension website is loaded after an active session expires the  
link to the external One Identity websites gets shown. This enables an  
attacker to escape the Kiosk Mode of the browser and gain  
"nt authority\system" permissions on the login screen of the targeted machine.

Proof of concept:  
-----------------  
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
An attacker requires access to a locked machine, where the Password Manger  
Extension is installed, either via physical (pre-auth) or remote (RDP) access.  
 From the login screen the Password Manger Extension Kiosk mode browser can  
be launched.

Since Google ReCAPTCHA is used on the Password Manger website the Google  
ReCAPTCHA icon is also shown on the website and provides a link to an  
external website via the "Privacy" button of the Google ReCAPTCHA field.

2) Password Manager Kiosk Escape after Session Timeout  
An attacker requires access to a username to login to either the Password Manager  
website or a logged in user, which leaves the session open until the session  
expires. Since the Password Manager uses Active Directory credentials, the  
username from the Windows login screen can be used to log into the website.  
For this attack the session of a logged-in user has to expire.

After the session expiration the Password Manager website gets reloaded and displays  
a help icon that is usually hidden. The help icon links to the external  
One Identity website., from witch it is possible to navigate to the Google Search  
website using the Sign In option of the One Identity website. The Sign In page  
has the option to login with a Facebook account and information about cookies  
is displayed on this page, which links to a Google Chrome website.

For both vulnerability 1 and 2, an attacker can use the Google Search website and  
trigger the "search by image" feature. This "search by image" feature can be used  
to trigger an upload, which then opens a file explorer window for file selection.

The file explorer window makes it possible to input "cmd" in the path field  
of the file explorer to open a command prompt. The created command prompt  
is executed with highest "nt authority\system" permissions.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 5.13

It is assumed that all previous versions are affected as well.

Vendor contact timeline:  
------------------------  
2023-11-06: Contacting vendor through vendor security contact form  
             https://support.oneidentity.com/de-de/essentials/reporting-security-vulnerability  
2023-11-07: Vendor is able to reproduce both escapes, internal discussion with  
             product team needed.  
2023-11-14: Vendor notifies us that the product team fixed the vulnerabilities  
             and will release an update soon. Asking for CVE numbers.  
2023-11-15: Vendor will not assign CVE numbers, we are going to request them.  
             Patch release scheduled for 17th or the week after.  
2023-11-17: Receiving one CVE number from MITRE, asking about the second one;  
             No response.  
2023-11-20: Asking for status update as no patch was released on 17th.  
2023-11-21: Patch was postponed to 1st December, setting our release date to  
             6th December.  
2023-12-01: Vendor releases fixed version v5.13.1.  
2023-12-06: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch which can be downloaded from  
https://support.oneidentity.com/password-manager/5.13.1

The release notes of the vendor can be found here:  
https://support.oneidentity.com/technical-documents/password-manager/5.13.1/release-notes/

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Schweighofer, C. Schieber-Knöbl, A. Weihbold / @2023

One Identity Password Manager Kiosk Escape Privilege Escalation

Apple Security Advisory 12-11-2023-3 - iOS 16.7.3 and iPadOS 16.7.3 addresses code execution and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-12-11-2023-3 iOS 16.7.3 and iPadOS 16.7.3iOS 16.7.3 and iPadOS 16.7.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214034.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccountsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42919: Kirin (@Pwnrin)AVEVideoEncoderAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to disclose kernel memoryDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42884: an anonymous researcherFind MyAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to read sensitive location informationDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing an image may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung LeeKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv(@Synacktiv)WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing an image may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 263349CVE-2023-42883: Zoom Offensive Security TeamWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary code execution.Apple is aware of a report that this issue may have been exploitedagainst versions of iOS before iOS 16.7.1.Description: A memory corruption vulnerability was addressed withimproved locking.WebKit Bugzilla: 265067CVE-2023-42917: Clément Lecigne of Google's Threat Analysis GroupWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may disclose sensitive information. Appleis aware of a report that this issue may have been exploited againstversions of iOS before iOS 16.7.1.Description: An out-of-bounds read was addressed with improved inputvalidation.WebKit Bugzilla: 265041CVE-2023-42916: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.3 and iPadOS 16.7.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qXoACgkQX+5d1TXaIvoPShAAjPSR538Ul0j+LcQE0x90MRfNyylza/kJygxDUojXji7lvnUB0s7Ft3CfPAIOPSqfyR1wAVhBPjeAPut+xp5553BBg0lUqSFldKWbP0y68zFAhc7DRIxLhqEs2N3/Dy5UYu834IQ1CaIlkAgwR4lh7Eni1he5thOyXjPzCoGo6ucGXHCoZO7JrsR5zkUFXVfdbE+k8fZVxlROFX7nBw/j9k8bDvrLPqcx4wupvTWsJI8FctUHeYQebK+77G0gJwBfwkdrYbOOCnI4RcRNranAhrr3h+oVgxVgZu+lJOLeooMfwlN/fujjEvKVPfNO/7UAP3m6Qtv8ZogHedN3pKKgvN0xn/FG9gKf2Y+EwgUOnjvWr15IIAku5M4jESTagyfYz8y+Q4qbrSgV1lC3DSgDoJQPp2civp6bqcsNXajGF00F95iQysx0wHaaKMIJazVnoN0bjZ4yk1xiTjPkft3Jn+kfPd1cjWprGlGKn92XPYLDbwXcxvnCkagVa4eJ6GY7DQ8HJJLClawx4OQE1K+VULTPLDOoJnwI5BA2RdU9LRm1h+YOM31jc47zupr+YHdebroeLerLX/KNNT5GUtfs0p794FwVyoQzwsKOiQXHMxzug3lCGdkGdg5ErMHcIGwZXq+Ko2sUn59Gub+7MGetPjU7OlAwU2h3nFOf3JEt8ww==khhF-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-3

Apple Security Advisory 12-11-2023-2 - iOS 17.2 and iPadOS 17.2 addresses code execution and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-12-11-2023-2 iOS 17.2 and iPadOS 17.2iOS 17.2 and iPadOS 17.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214035.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccountsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42919: Kirin (@Pwnrin)AVEVideoEncoderAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to disclose kernel memoryDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42884: an anonymous researcherBluetoothAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker in a privileged network position may be able toinject keystrokes by spoofing a keyboardDescription: The issue was addressed with improved checks.CVE-2023-45866: Marc Newlin of SkySafeEntry added December 11, 2023ExtensionKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Find MyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)ImageIOAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.CVE-2023-42898: Junsung LeeCVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung LeeKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv(@Synacktiv)Safari Private BrowsingAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Private Browsing tabs may be accessed without authenticationDescription: This issue was addressed through improved state management.CVE-2023-42923: ARJUN S DSiriAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker with physical access may be able to use Siri toaccess sensitive user dataDescription: The issue was addressed with improved checks.CVE-2023-42897: Andrew Goldberg of The McCombs School of Business, TheUniversity of Texas at Austin (linkedin.com/andrew-goldberg-/)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 259830CVE-2023-42890: Pwn2carWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 263349CVE-2023-42883: Zoom Offensive Security TeamAdditional recognitionSafari Private BrowsingWe would like to acknowledge Joshua Lund of Signal Technology Foundationfor their assistance.Setup AssistantWe would like to acknowledge Aaron Gregory of Acoustic.com and EasternIllinois University – Graduate School of Technology for theirassistance.WebKitWe would like to acknowledge 椰椰 for their assistance.Wi-FiWe would like to acknowledge Noah Roskin-Frazee and Prof. J.(ZeroClicks.ai Lab) for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.2 and iPadOS 17.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qS0ACgkQX+5d1TXaIvpuvRAAsTLfKiqLQl5qptq6yCPw8oPdttsnGkfZG//ISfcC46tZQI0BGjdFTEww2QUYOde00FMqk99ubD0/lE7gs/BdVP+1cSiG90FfZsHt/q0Jm+eIbhIsQdCs8eLcBOVAdPRLCJ1kdD13zbpnHH+IoZUPVTlY4gVo5ps1DP1iOHBWMN2ks3RNW7+NQ3ygCxyCs9qLce+zC7p69rCbCSvqmdEfC7OZ2tEFwELJcWgDDzVpa9nxBMSXp67qvFamSHsdZu+mBOyDpgRaQ77s/LL6Aj/EUzGoqu9j0K+fYht/prPtswa7mBvqi3qXyJUUW1TqQzquo3jRoestFuyuLol9PsufcJB2HbsswT/9qaYx9fO6g6M3uj3fu9NkojPtO45gxHkaIcO/h0ixpGrjg8ZlfKTkGN7DoQ97pv+DxUrhIFskUKRZLF5Xb6B5mztLBu5UePYRPVHi9qe48qN8/g7X8z9VvzmR++ns45ODRns7/PH8DHlJXa8+xoJkn+9nL2Q9x7zkcD/YNbgMstROhtbqczk1tSbqF+J9tnKC+PzW+vhBwDMat8h+jC7QKPh0d9oTBNiqhECRlb+6OewTf5f1UBbrgjGOvk/xgz+RS96aAOUNkcoJ6WDXcSlga3ERMO1jBqle3G3LlSvTqtwJ53PHnzBMogk1m5Bo0OSOJYjIOczKm3g==71FW-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-2

Apple Security Advisory 11-30-2023-3 - macOS Sonoma 14.1.2 addresses code execution and out of bounds read vulnerabilities.

  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-11-30-2023-3 macOS Sonoma 14.1.2

macOS Sonoma 14.1.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214032.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

macOS Sonoma 14.1.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmVpE+0ACgkQX+5d1TXa  
IvoY4Q//bNy4CuK4jcpHmFirjOgmyd8Sp+9aYQ5XkQ/GEZdUETxdK9rnjGBPfVO4  
N6cfPpoiw030zlxJyYBhA+1UjQHC6ynENqII2WPoWWDH2TXdq+Iym4NQdPoaK5oL  
aTWpWz3ZmSmZ2MKGHX+3oUo5M7bl6prTePPGu9Z17f/SPfSKdYeo2/N170kCZP21  
0x0Hzr62jcYwbNjBlu1mD9PsC382VsSrCnb4awKOqYQ6BA/Ij8gEnobjWgtSyzi5  
iSc12Jgq77OLBUtxVDj/tmmDByOL13RJd2dfFZO4B+TIZ9mTuFwoUBVwDDcLvRhl  
4KKGDwge7egeUirYV+rF1DVxE0vFUqq37Lw0H2hAp/pYH/DzxrFecaVeO4VLol8M  
tyY1clSf306D/p/FoXoetCFR1I35SY2L2AEYN9PwUQq2JRDbBZeWHSzv5zXWbnFH  
eG2frM/faoR79ThU+jzaiJZvg+LXSf3QH/CTSmRhMKxuYwP7eUEv6zrX0wdoDw5C  
ik0Q6D/iN0ZMz/NrydBBR7skfJDRzwYTmmdnFUHMq++NhRCuQnIR5gUVbGGFURMS  
71rNTnRDp4Q23ecDoUvksBGr+mwXv0AH+5TOn/aFJ426FfTTuMIQ2gee04HqiYWY  
35Q4hRgFoso7zDNt/gqGo1lrSYXDfNTF9Ka4Hv9YtS2qbBUJ4X4=  
=Iax0  
-----END PGP SIGNATURE-----

Tag

#ios