Apple Security Advisory 06-10-2024-1 - visionOS 1.2 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-06-10-2024-1 visionOS 1.2

visionOS 1.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214108.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27817: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

CoreMedia  
Available for: Apple Vision Pro  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27831: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

Disk Images  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27832: an anonymous researcher

Foundation  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27801: CertiK SkyFall Team

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27836: Junsung Lee working with Trend Micro Zero Day Initiative

IOSurface  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27828: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory protections  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27840: an anonymous researcher

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27815: an anonymous researcher, and Joseph Ravichandran  
(@0xjprx) of MIT CSAIL

libiconv  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27811: Nick Wellnhofer

Messages  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27800: Daniel Zajork and Joshua Zajork

Metal  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-27802: Meysam Firouzi (@R00tkitsmm) working with Trend Micro  
Zero Day Initiative

Metal  
Available for: Apple Vision Pro  
Impact: A remote attacker may be able to cause unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-27857: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Safari  
Available for: Apple Vision Pro  
Impact: A website's permission dialog may persist after navigation away  
from the site  
Description: The issue was addressed with improved checks.  
CVE-2024-27844: Narendra Bhati of Suma Soft Pvt. Ltd in Pune (India),  
Shaheen Fazim

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: The issue was addressed by adding additional logic.  
WebKit Bugzilla: 262337  
CVE-2024-27838: Emilio Cobos of Mozilla

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 268221  
CVE-2024-27808: Lukas Bernhard of CISPA Helmholtz Center for Information  
Security

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improvements to the file  
handling protocol.  
CVE-2024-27812: Ryan Pickren (ryanpickren.com)

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed with improvements to the noise  
injection algorithm.  
WebKit Bugzilla: 270767  
CVE-2024-27850: an anonymous researcher

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: An integer overflow was addressed with improved input  
validation.  
WebKit Bugzilla: 271491  
CVE-2024-27833: Manfred Paul (@_manfp) working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: The issue was addressed with improved bounds checks.  
WebKit Bugzilla: 272106  
CVE-2024-27851: Nan Wang (@eternalsakura13) of 360 Vulnerability  
Research Institute

WebKit Canvas  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed through improved state management.  
WebKit Bugzilla: 271159  
CVE-2024-27830: Joe Rutkowski (@Joe12387) of Crawless and @abrahamjuliot

WebKit Web Inspector  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 270139  
CVE-2024-27820: Jeff Johnson of underpassapp.com

Additional recognition

ImageIO  
We would like to acknowledge an anonymous researcher for their  
assistance.

Transparency  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZnfN8ACgkQX+5d1TXa  
IvoomBAA23557a2KB9vrRnWu5nGWe5qidODwqadX9qUbErqlx6Hm0IMcKEGlaNjc  
i1BKib0QXYgh9IVzwn0/Q6GZX9mncM1EKJfjPVHJjdMPAXue9Dec7PeuSr4mQHUD  
bVUh9TS+ejQo9w06AQRdVDOGRl3uXX1E90h4uMVUPOXLkiobYJMlEdU4OAAaJ2MV  
qJvfQsTyzRNy4ciaFpc+5opWmaFse1AueE+Sjz30ed9tEjbyHML+yoy39HqAMheT  
lECfaKGLp28XyxsKCKW8+F5j83R4Rwi7U0nLROiRSukrwzq+Gbi52n/BTBvlxTc3  
Ng/4drldksgm9Uu6M9rRQFSRFBFKulK9Zxrj3qUK4Q6HvCTB+N4/gE7Yf11TyxPl  
+HkwG/ScIw9S4bB88FhA8rYMKIGIlZfDfh8NHCx3Wc11LE+p6LzX2RxQNKaSjgnf  
c1+VHJ3SwX/2mbtBdfPJdu5Qr6ofhanpsCiczJP2FkuSVGCPVIoq8Vam75rrueLn  
SLCHqgVker14Z12Q3XYRjyQrsI8nftu0pGZdYruAfw93Od0tTuX6i7G9VopHPRor  
1Y6JevWkhAC54KGWDmB2SRc6e3AZRaiAE25QE6I3nwAwRUCo2JZEjoQWfxYry1l2  
G5lga3qFvcbyriNoJPUfcKU7EzPYurVbY5rqpnUFi+xTtz1iyEw=  
=9AfP  
-----END PGP SIGNATURE-----

Apple Security Advisory 06-10-2024-1

Red Hat Security Advisory 2024-3859-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3859.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:3859-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3859Issue date:         2024-06-12Revision:           03CVE Names:          CVE-2023-4155====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: KVM: SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability (CVE-2023-4155)* kernel: bluetooth: bt_sock_ioctl race condition leads to use-after-free in bt_sock_recvmsg (CVE-2023-51779)* kernel: wifi: mac80211: fix potential key use-after-free (CVE-2023-52530)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4155References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2213802https://bugzilla.redhat.com/show_bug.cgi?id=2256822https://bugzilla.redhat.com/show_bug.cgi?id=2267787

Red Hat Security Advisory 2024-3859-03

Cybersecurity firm Recorded Future counted 44 health-care-related incidents in the month after Change Healthcare’s payment came to light—the most it’s ever seen in a single month.

In fact, ransomware attacks on health care targets were on the rise even before the Change Healthcare attack, which crippled the United Healthcare subsidiary's ability to process insurance payments on behalf of its health care provider clients starting in February of this year. Recorded Future's Liska points out that every month of 2024 has seen more health care ransomware attacks than the same month in any previous year that he's tracked. (While this May's 32 health care attacks is lower than May 2023's 33, Liska says he expects the more recent number to rise as other incidents continue to come to light.)

Yet Liska still points to the April spike visible in Recorded Future's data in particular as a likely follow-on effect of Change's debacle—not only the outsize ransom that Change paid to AlphV, but also the highly visible disruption that the attack caused. “Because these attacks are so impactful, other ransomware groups see an opportunity,” Liska says. He also notes that health care ransomware attacks have continued to grow even compared to overall ransomware incidents, which stayed relatively flat or fell overall: The first four months of this year, for instance, saw 1,153 incidents compared to 1,179 in the same period of 2023.

When WIRED reached out to United Healthcare for comment, a spokesperson for the company pointed to the overall rise in health care ransomware attacks beginning in 2022, suggesting that the overall trend predated Change's incident. The spokesperson also quoted from testimony United Healthcare CEO Andrew Witty gave in a congressional hearing about the Change Healthcare ransomware attack last month. “As we have addressed the many challenges in responding to this attack, including dealing with the demand for ransom, I have been guided by the overriding priority to do everything possible to protect peoples’ personal health information,” Witty told the hearing. "As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Change Healthcare's deeply messy ransomware situation was complicated further—and made even more attention-grabbing for the ransomware hacker underworld—by the fact that AlphV appears to have taken Change's $22 million extortion fee and jilted its hacker partners, disappearing without giving those affiliates their cut of the profits. That led to a highly unusual situation where the affiliates then offered the data to a different group, RansomHub, which demanded a second ransom from Change while threatening to leak the data on its dark web site.

That second extortion threat later inexplicably disappeared from RansomHub's site. United Healthcare has declined to answer WIRED's questions about that second incident or to answer whether it paid a second ransom.

Many ransomware hackers nonetheless widely believe that Change Healthcare actually paid two ransoms, says Jon DiMaggio, a security researcher with cybersecurity firm Analyst1 who frequently talks to members of ransomware gangs to gather intelligence. “Everyone was talking about the double ransom,” DiMaggio says. “If the people I’m talking to are excited about this, it’s not a leap to think that other hackers are as well.”

The noise that situation created, as well as the scale of disruption to health care providers from Change Healthcare's downtime and its hefty ransom, served as the perfect advertisement for the lucrative potential of hacking fragile, high-stakes health care victims, DiMaggio says. “Health care has always had so much to lose, it’s just something the adversary has realized now because of Change,” he says. “They just had so much leverage.”

As those attacks snowball—and some health care victims have likely forked over their own ransoms to control the damage to their life-saving systems—the attacks aren't likely to stop. “It’s always looked like an easy target,” DiMaggio notes. “Now it looks like an easy target that’s willing to pay.”

_Updated 6/12/24 9:35am ET: This story has been updated to reflect that ransomware incident totals comprise the fist four months of the year, not just April._

Medical-Targeted Ransomware Is Breaking Records After Change Healthcare’s $22M Payout

Red Hat Security Advisory 2024-3763-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3763.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nghttp2 security updateAdvisory ID:        RHSA-2024:3763-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3763Issue date:         2024-06-10Revision:           03CVE Names:          CVE-2024-28182====================================================================Summary: An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C.Security Fix(es):* nghttp2: CONTINUATION frames DoS (CVE-2024-28182,VU#421644.5)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28182References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268639

Red Hat Security Advisory 2024-3763-03

Red Hat Security Advisory 2024-3756-03 - An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3756.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: idm:DL1 security updateAdvisory ID:        RHSA-2024:3756-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3756Issue date:         2024-06-10Revision:           03CVE Names:          CVE-2024-3183====================================================================Summary: An update for the idm:DL1 module is now available for Red Hat Enterprise Linux8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 TelecommunicationsUpdate Service, and Red Hat Enterprise Linux 8.4 Update Services for SAPSolutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es):* ipa: freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force (CVE-2024-3183)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3183References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2270685

Red Hat Security Advisory 2024-3756-03

Google Chrome's transition to Manifest V3 has started and will make the life of ad blockers a lot harder.

Despite protests, Google is rolling out changes in the Chrome browser that make it harder for ad blockers to do their job.

Starting last Monday, June 3, 2024, Chrome Beta, Dev, and Canary channels will see the effects of the implementation of the new extension platform Manifest V3. The gradual disabling of V2 extensions will later follow for all Chrome users.

For those not familiar with the terms, Manifest V2 and V3 are the “rules” that browser extension developers are required to follow if they want their extensions to get accepted into the Google Play Store.

Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Google explained that the goal of the new extension platform:

> “Is to protect existing functionality while improving the security, privacy, performance and trustworthiness of the extension ecosystem as a whole.”

That’s commendable, because it stops criminals from hiding the malicious intentions of their extensions when they submit them for the Google Play Store.

However, the part of the transition that hinders ad blockers lies in the fact that extensions will now have limitations on how many rules they include. Google has made some compromises after initial objections, but the limitations are still present and have a large effect on ad blockers since they historically rely on a large number of rules. That’s because, generally speaking, each blocked domain or subdomain is one rule, and cybercriminals set up new domains by the dozen.

Google has tried to address developers’ concerns by adding support for user scripts and increasing the number of rulesets for the API used by ad blocking extensions. But this might not be enough.

Users can temporarily re-enable their Manifest V2 extensions, but this option will eventually disappear.

One of the affected ad blockers is the one incorporated in our own Malwarebytes Browser Guard.

We talked to one of the developers about the plans for Browser Guard and how it will deal with the Manifest V3 rules. They told us that the new Browser Guard, which is already available in beta, will use a mix of static and dynamic rules to protect our users.

**Static rules** are rules that are contained in the ruleset files which can be seen as block lists. These files are declared in the manifest file.

**Dynamic rules** are rules that can be added and removed at runtime. Chrome allows up to 30k dynamic rules. Browser Guard uses dynamic rules for two purposes:

*   **Session rules** are dynamic rules that can be added and removed at runtime, but they are session-scoped and are cleared when the browser shuts down and when a new version of the browser is installed.
*   And dynamic rules can be used to store allow lists, user blocked content, and **general rules** that block more than one domain. Take, for example, the IP address of a server that is known to host nothing but phishing sites.

And, to deal with urgent situations, we can use ruleset overrides, which are a mechanism by which we can override the static rules shipped with Browser Guard without requiring our users to add exclusions.

If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Google&#8217;s Chrome changes make life harder for ad blockers 

**According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability?**

An unauthorized attacker must wait for a user to initiate a connection.

CVE-2024-30097: Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability

Windows Recall takes a screenshot every five seconds. Cybersecurity researchers say the system is simple to abuse—and one ethical hacker has already built a tool to show how easy it really is.

When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the “magical” things about it was that the data doesn’t leave your laptop; the Windows Recall system takes screenshots of your activity every five seconds and saves them on the device. But security experts say that data may not stay there for long.

Two weeks ahead of Recall’s launch on new Copilot+ PCs on June 18, security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker. And now, in a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity strategist and ethical hacker, has released a demo tool that can automatically extract and display everything Recall records on a laptop.

Dubbed TotalRecall—yes, after the 1990 sci-fi film—the tool can pull all the information that Recall saves into its main database on a Windows laptop. “The database is unencrypted. It’s all plain text,” Hagenah says.⁩ Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. “It’s a Trojan 2.0 really, built in,” Hagenah says, adding that he built TotalRecall—which he’s releasing on GitHub—in order to show what is possible and to encourage Microsoft to make changes before Recall fully launches.

The company unveiled Recall as part of a Surface laptop event last month. The tool continuously takes screenshots of whatever’s happening on your PC. Recall is intended to allow people to “retrieve” things you’ve done on your machine—whether it’s web pages you’ve visited or messages you’ve been sent—using natural language search queries. Microsoft’s description of the tool says Recall could be used to search for recipes you’ve looked at online but whose websites you’ve forgotten.

TotalRecall, Hagenah says, can automatically work out where the Recall database is on a laptop and then make a copy of the file, parsing all the data as it does so. While Microsoft’s new Copilot+ PCs aren’t out yet, it’s possible to use Recall by emulating a version of the devices. “It does everything automatically,” he says. The system can set a date range for extracting the data—for instance, pulling information from only one specific week or day. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, Hagenah⁩ says.

Included in what the database captures are screenshots of whatever is on your desktop—a potential gold mine for criminal hackers or domestic abusers who may physically access their victim’s device. Images include captures of messages sent on encrypted messaging apps Signal and WhatsApp, and remain in the captures regardless of whether disappearing messages are turned on in the apps. There are records of websites visited and every bit of text displayed on the PC. Once TotalRecall has been deployed, it will generate a summary about the data; it is also possible to search for specific terms in the database.

Hagenah⁩ says an attacker could get a huge amount of information about their target, including insights into their emails, personal conversations, and any sensitive information that’s captured by Recall.

Hagenah’s work builds on findings from cybersecurity researcher Kevin Beaumont, who has detailed how much information Recall captures and how easy it can be to extract it. Beaumont also says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system. “InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall,” Beaumont writes.

The criticisms come as hacks of Microsoft systems have led to various US government data breaches; Nadella has said security should be Microsoft’s “top priority.” Microsoft did not respond to WIRED’s request for comment about the security features of Recall by the time of publication.

Recall’s privacy pages say it is possible to disable saving screenshots (effectively turning Recall off), pause the system temporarily, filter applications where screenshots are taken, and delete what is gathered at any time. Recall runs on the laptop itself, storing data it captures on the device and not sending this information to Microsoft’s servers. Hagenah⁩ says this claim appears to be true, with no signs that data is sent to Microsoft.

Microsoft is, at least, aware of some of the possible privacy and security-related issues with Recall: Its help pages say the system does not perform any content moderation on what is contained in the images it saves. This means, Microsoft says in the guide, that it won’t “hide information such as passwords or financial account numbers.” Security researchers have already been able to extract passwords from Recall.

Recall’s main database is stored on the laptop’s system directory, and while it needs administrator rights to access, privilege escalation attacks have been around for years, making it theoretically possible for an attacker to gain initial access to a device remotely.

Hagenah⁩ says that in cases of employers with “bring your own devices” policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops. That’s a particular risk if they’re disgruntled or leave on bad terms, he says. The UK’s data protection regulator, the Information Commissioner’s Office, has asked Microsoft to provide more details about Recall and its privacy.

While Recall remains as a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” He adds: “They also need to review the internal decisionmaking that led to this situation, as this kind of thing should not happen.”

This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI

When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

Inside the Biggest FBI Sting Operation in History

A scammer tried to seduce us by offering the credentials to an account that held roughly half a million dollars.

This weekend a scammer tried his luck by reaching out to me on WhatsApp. It’s not that I don’t appreciate it, but trust me, it’s bad for your business.

I received one message from a number hailing from the Togolese Republic.

WhatsApp message from an unknow sender

> “Jay, your financial account has been added. Account Csy926. Password \[\*\*\*\*\*\*\*\*\] USDT Balance 1,660,086.50 EUR: 592,030.92 \[domain\] Keep it in a safe place.”

I asked them to send the message in English, pretending not to understand Dutch, but received no reply.

But since it was a rainy day and I’d never seen this type of WhatApp scam before, I decided to investigate.

Sometimes it takes some effort, especially when the domain is blocked for fraud by your favorite security software, but nothing was going to stop me now from looking for my new-found wealth.

Malwarebytes blocked the domain for fraud

To fully understand the message, it’s good to know that USTD stands for Tether, a cryptocurrency referred to as a stablecoin because its value is pegged to a flat currency. In the case of USTD the flat currency is the US dollar. The link makes a stablecoin’s value less volatile than that of other cryptocurrencies, which is attractive for traders that like to switch quickly between cryptocurrencies and flat currencies.

So, I visited the domain which, no surprise there, turned out to be a fake trading platform. I tried the login credentials which were so kindly provided to me.

Welcome to login

Once logged in I checked my wallet and lo and behold, I’m rich! (Or “Jay” is.)

Nice wallet

The wallet belongs to Csy926 who has VIP5 access and contains 1658670.31 USDT or $602,494.07.

I can either recharge, withdraw, or transfer my USDT tokens or transfer the cold hard cash in dollars. Knowing that in this type of scam the victim always has to invest a—relatively–small amount to get the bait, I knew what to expect.

The easiest way would have been if I could transfer the dollars to a bank account, so I tried that first.

Transfer form

Sadly, there were obstacles:

*   Transfers can only be done to other accounts on the platform and the recipient needs to be at least a VIP1 level.
*   Only VIP members can transfer without a key. Assuming Jay is the one with the key, it’s a good thing that the account has a VIP5 status.

So, to be a recipient of a US$ amount, I’ll need a VIP1 level account on the same platform.

Sadly, that’s not me. So I decided to see what I can do with the USDT tokens.

Withdraw form

The form shows a security tip warning users to fill in their withdrawal account accurately, as assets can’t be returned after transferring them out. That sucks for Jay.

But all in all, that looks promising, but again there are some problems.

*   I’ll need a TRC20 wallet. A TRC20 wallet app is an application, accessible on mobile/web or desktop devices, designed specifically for storing, managing, and engaging with TRC20 tokens.
*   Once I filled out the form and clicked on Withdraw, it turned out I needed a key.

Please enter KEY

Looks like it’s time to read the FAQs. Fortunately, this has the answers to all the “right” questions.

What should I do if I forget my KEY?

Long story short. You set the key when you open the account, and it cannot be retrieved. But…..if you have two VIP accounts you can transfer funds from the old account to your new account. And there is no need for a KEY if you have a VIP account. Considering Jay has a VIP5 account there lies an opportunity.

How to activate VIP?

And here comes the catch all of our regular readers saw coming by now, VIP accounts that are able to receive funds cost money. The cheapest—VIP1—requires a deposit of 50 USDT (roughly $50) which is not refundable and can’t be canceled. But with a VIP1 account I can only receive $30 per month and it’s only valid for 2 months. So, that’s not a big help when you are as rich as I am, sorry, Jay is.

VIP1 account is the lowest level and the cheapest

It would take me until the next ice age—4600 years—to transfer the entire amount at that rate, with the off chance that the rightful owner would drain the account or change the password as soon as they noticed the leak.

Any unsuspecting victim that has come this far and is willing to steal from the treasure dropped in their lap, now realizes that before they can enjoy all that money, they first:

1.  Need to open a new account.
2.  Make a deposit to turn it into a VIP account. The amount depends on their greed and impatience because the higher the VIP level, the larger the amount you can transfer in one day and per month.
3.  Transfer the funds from Jay’s account to their own account.
4.  Set up a TRC20 account.
5.  Withdraw the money from the new account to their TRC20 wallet.

We decided not to sponsor the scammers, so this is as far as we were willing to go, but we have a distinct feeling that along the steps we outlined there might be other fees and deposits needed.

**Don’t fall for scammers**

*   Any unsolicited WhatsApp message from an unknown person is suspect. No matter how harmless or friendly it may seem. Most pig butchering scams start with what seems a misdirected message.
*   Don’t follow links that reach you in any unexpected way, and certainly not from an untrusted source.
*   If it’s too good to be true, then it’s very likely not true.
*   Scammers bank on the fact that the more time and money you have invested, the more determined you will become to get to the desired end result.
*   Use a web filtering app to shield you from known malicious websites. Preferably Malwarebytes Premium or Malwarebytes Browser Guard.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#sap