GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gf_mpd_parse_string media_tools/mpd.c:75.

1.Version  
./MP4Box -version  
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master  
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/

Please cite our work in your research:  
GPAC Filters: https://doi.org/10.1145/3339825.3394929  
GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:  
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_LINUX\_DVB GPAC\_DISABLE\_3D

2.ASAN  
\[DASH\] Updated manifest:  
P#1: start 0 - duration 0 - xlink none  
\[DASH\] Manifest after update:  
P#1: start 0 - duration 0 - xlink none  
\[DASH\] Setting up period start 0 duration 0 xlink none ID DID1  
\[DASH\] AS#1 changed quality to bitrate 10 kbps - Width 1280 Height 720 FPS 30/1 (playback speed 1)  
\[DASH\] AS#2 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] Segment duration unknown - cannot estimate current startNumber  
\[DASH\] Cannot try to download (null)... out of memory ?  
\[DASH\] AS#3 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#4 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#5 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] Adaptation 16: non-video in a video group - disabling it  
\[DASH\] AS#6 changed quality to bitrate 31 kbps (playback speed 1)  
\[DASH\] AS#6 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#7 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#8 changed quality to bitrate 120 kbps - Width 384 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] AS#9 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] AS#10 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] Segment duration unknown - cannot estimate current startNumber  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)  
\[DASHDmx\] group 0 error locating plugin for segment - mime type video/mp4 name crashes/live\_dash\_track1\_init.mp4: Requested URL is not valid or cannot be found  
Filters not connected:  
fout (dst=id\_000070,sig\_06,src\_000600,time\_26661155,execs\_144902,op\_havoc,rep\_1\_dash.mpd:gpac:segdur=10000/1000:profile=full:!sap:buf=1500:!check\_dur:pssh=v:subs\_sidx=0) (idx=1)

Arg segdur set but not used  
Arg profile set but not used  
Arg !sap set but not used  
Arg buf set but not used  
Arg !check\_dur set but not used  
Arg pssh set but not used  
Arg subs\_sidx set but not used

\=================================================================  
\==2943152==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 20 byte(s) in 2 object(s) allocated from:  
#0 0x7fb5f41339a7 in \_\_interceptor\_strdup ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:454  
#1 0x7fb5f2fd4bbc in gf\_mpd\_parse\_string media\_tools/mpd.c:75  
#2 0x7fb5f2fd4bbc in gf\_mpd\_parse\_common\_representation\_attr media\_tools/mpd.c:665

SUMMARY: AddressSanitizer: 20 byte(s) leaked in 2 allocation(s).

3.Reproduction  
./MP4Box -dash 10000 $poc

4.POC file  
crash.zip

5.Impact  
Malicious files that are opened may cause a crash

6.Credit  
LOVERJIE

CVE-2023-48039: memory leaks in gf_mpd_parse_string media_tools/mpd.c:75 · Issue #2679 · gpac/gpac

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in extract_attributes media_tools/m3u8.c:329.

1.Version  
./MP4Box -version  
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master  
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/

Please cite our work in your research:  
GPAC Filters: https://doi.org/10.1145/3339825.3394929  
GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:  
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_LINUX\_DVB GPAC\_DISABLE\_3D

2.ASAN  
\[M3U8\] Unsupported directive #EXT-X-VERSION:  
\[M3U8\] Attribute SEQUENCE:1 not supported  
\[M3U8\] Invalid #EXT-X-MEDIA: TYPE is missing. Ignoring the line.  
\[M3U8\] Invalid URI (URI=") in EXT-X-MAP  
\[M3U8\] Failed to parse root playlist './crashes/crash4', error = BitStream Not Compliant  
\[DASH\] Error - cannot connect service: MPD creation problem BitStream Not Compliant  
\[DASHDmx\] Error - cannot initialize DASH Client for ./crashes/crash4: BitStream Not Compliant  
Failed to connect filter fin PID crash4 to filter dashin: BitStream Not Compliant  
Blacklisting dashin as output from fin and retrying connections  
Failed to find any filter for URL ./crashes/crash4, disabling destination filter fout  
Filter fin failed to setup: Filter not found for the desired type  
Filters not connected:  
fout (dst=crash4\_dash.mpd:gpac:segdur=500000/1000:profile=full:!sap:buf=1500:!check\_dur:pssh=v:subs\_sidx=0) (idx=1)  
Arg segdur set but not used  
Arg profile set but not used  
Arg !sap set but not used  
Arg buf set but not used  
Arg !check\_dur set but not used  
Arg pssh set but not used  
Arg subs\_sidx set but not used  
Error DASHing file: Filter not found for the desired type

\=================================================================  
\==150880==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 120 byte(s) in 1 object(s) allocated from:  
#0 0x7f7fcaf3ca57 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x7f7fc9d73286 in extract\_attributes media\_tools/m3u8.c:329

Indirect leak of 11 byte(s) in 1 object(s) allocated from:  
#0 0x7f7fcaf3ca57 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154  
#1 0x7f7fc9d7385b in extract\_attributes media\_tools/m3u8.c:345

SUMMARY: AddressSanitizer: 131 byte(s) leaked in 2 allocation(s)..

3.Reproduction  
./MP4Box -dash 500000 $poc

4.POC file  
crash.00.zip

5.Impact  
Memory leaks can cause program performance degradation, system crashes, or unpredictable behavior

6.  Credit  
    jarront

CVE-2023-48090: memory leaks in extract_attributes media_tools/m3u8.c:329 · Issue #2680 · gpac/gpac

Signal’s president reveals the cost of running the privacy-preserving platform—not just to drum up donations, but to call out the for-profit surveillance business models it competes against.

The encrypted messaging and calling app Signal has become a one-of-a-kind phenomenon in the tech world: It has grown from the preferred encrypted messenger for the paranoid privacy elite into a legitimately mainstream service with hundreds of millions of installs worldwide. And it has done this entirely as a nonprofit effort, with no venture capital or monetization model, all while holding its own against the best-funded Silicon Valley competitors in the world, like WhatsApp, Facebook Messenger, Gmail, and iMessage.

Today, Signal is revealing something about what it takes to pull that off—and it’s not cheap. For the first time, the Signal Foundation that runs the app has published a full breakdown of Signal’s operating costs: around $40 million this year, projected to hit $50 million by 2025.

Signal’s president, Meredith Whittaker, says her decision to publish the detailed cost numbers in a blog post for the first time—going well beyond the IRS disclosures legally required of nonprofits—was more than just as a frank appeal for year-end donations. By revealing the price of operating a modern communications service, she says, she wanted to call attention to how competitors pay these same expenses: either by profiting directly from monetizing users’ data or, she argues, by locking users into networks that very often operate with that same corporate surveillance business model.

“By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Whittaker tells WIRED. Running a service like Signal—or WhatsApp or Gmail or Telegram—is, she says, “surprisingly expensive. You may not know that, and there’s a good reason you don’t know that, and it’s because it’s not something that companies who pay those expenses via surveillance _want_ you to know.”

Signal pays $14 million a year in infrastructure costs, for instance, including the price of servers, bandwidth, and storage. It uses about 20 petabytes per year of bandwidth, or 20 million gigabytes, to enable voice and video calling alone, which comes to $1.7 million a year. The biggest chunk of those infrastructure costs, fully $6 million annually, goes to telecom firms to pay for the SMS text messages Signal uses to send registration codes to verify new Signal accounts’ phone numbers. That cost has gone up, Signal says, as telecom firms charge more for those text messages in an effort to offset the shrinking use of SMS in favor of cheaper services like Signal and WhatsApp worldwide.

Another $19 million a year or so out of Signal’s budget pays for its staff. Signal now employs about 50 people, a far larger team than a few years ago. In 2016, Signal had just three full-time employees working in a single room in a coworking space in San Francisco. “People didn’t take vacations,” Whittaker says. “People didn’t get on planes because they didn’t want to be offline if there was an outage or something.” While that skeleton-crew era is over—Whittaker says it wasn’t sustainable for those few overworked staffers—she argues that a team of 50 people is still a tiny number compared to services with similar-sized user bases, which often have thousands of employees.

While Whittaker argues that Signal runs as lean an operation as possible, she also notes that many of its features cost more than they do for other communications platforms, due to the extra cost of enabling those features in privacy-preserving ways. Signal implements encryption, for instance, not just for the content of calls and texts, but for users’ contacts, and even for their user profile names and photos, as well as more obscure features, like users’ searches for animated GIFs. That means simple-looking elements of the app often require far more time-consuming and expensive engineering than would be necessary if they were offered without encryption.

Signal was originally founded with funding from the US State Department’s Open Technology Fund, but the service has since turned to donations to keep afloat. When the Signal Foundation was created in 2018 and WhatsApp cofounder Brian Acton left Facebook to become its president, he donated $50 million. But with Signal’s growing user base and staff, that donation wouldn't cover much more than a year’s current budget for the company. Other major donors continue to cover the foundation’s costs, Whittaker says—Twitter cofounder Jack Dorsey, for instance, has pledged $1 million a year, and others Whittaker declines to name have given similarly large contributions.

But Signal hopes to increasingly rely on donations of as little as $3 that can be made through the app itself. Monthly donations of $5 or more are rewarded with a badge for the user’s account. Those small donations, Signal says, now account for 25 percent of its operating costs, up from 18 percent last year, the first full year after Signal enabled in-app contributions. But for Signal to continue to exist and grow without depending on a few wealthy individuals, Whittaker says small user donations will need to ramp up significantly.

With a nearly $50 million annual budget, can Signal actually survive on those donations? “We have to,” says Whittaker. “Signal needs to find a way to survive in perpetuity because it is _the_ tool that we have to ensure meaningfully private communications.”

Whittaker says that charging users has never been an option—Signal would never have grown its network to a degree that could compete with iMessage or WhatsApp if it hadn’t been free all along. Nor can Signal adopt a venture capital-funded business model that would leave the service vulnerable to investors or shareholders demanding a profitable exit. Exhibit one: Elon Musk’s acquisition of Twitter and his decisions that triggered an exodus of its users. “We’re not going to get leaned on,” says Whittaker. “We’re going to stay myopically focused on our mission, without the kind of pressure to compromise that for-profit tech companies feel. And that pressure is heavy when you recognize the cost to do what we do.”

Given that privacy-focused mission, Whittaker argues that revealing Signal’s costs isn't just about helping to raise money to keep protecting users’ communications, it also serves to call out the rest of the tech industry’s anti-privacy practices.

“The default for all this is surveillance. That’s the water we swim in. So how do we swim upstream? How do we move against this and build something that can perturb that default?” she asks. “I hope being honest about these costs leads people to ask better questions of other tech organizations, to better understand what’s actually happening and how we got into a situation where a handful of companies have such an outsize power globally based on their perfecting this surveillance business model.”

Running Signal Will Soon Cost $50 Million a Year

Red Hat Security Advisory 2023-7262-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7262.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7262-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7262Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7262-01

Red Hat Security Advisory 2023-7261-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7261.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7261-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7261Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7261-01

Red Hat Security Advisory 2023-7260-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7260.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7260-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7260Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7260-01

Microsoft has patched a total of 63 vulnerabilities this Patch Tuesday. Make sure you update as soon as you can.

Another important update round for this month’s Patch Tuesday. Microsoft has patched a total of 63 vulnerabilities in its operating systems. Five of these vulnerabilities qualify as zero-days, with three listed as being actively exploited. Microsoft considers a vulnerability to be a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in these updates are listed as:

CVE-2023-36025: a Windows SmartScreen security feature bypass vulnerability that would allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. SmartScreen is a built-in Windows component designed to detect and block known malicious websites and files.

It requires user interaction since the user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker. Microsoft listed this vulnerability with the remark “Exploitation Detected.”

CVE-2023-36033: a Windows Desktop Window Manager (DWM) Core Library elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

CVE-2023-36036: a Windows Cloud Files Mini Filter Driver EoP vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

EoP type of vulnerabilities are typically used in attack chains. Once the attacker has gained entrance, the vulnerabilities allow them to increase their permission level.

CVE-2023-36413: a Microsoft Office security feature bypass vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. Full exploitation requires that the attacker sends the target a malicious file and convince them to open it. This is a publicly disclosed vulnerability but there are no known cases of exploitation.

CVE-2023-36038: a vulnerability in ASP.NET that could lead to core denial of service. This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible. A successful exploitation might result in a total loss of availability. So, basically an attacker would send requests and then cancel them until the program runs out of memory and crashes. Microsoft notes that this vulnerability was publicly disclosed, however no in-the-wild exploitation has been observed, which is not likely to happen either if the denial of service is the best achievable goal for an attacker.

An extra warning for organizations running Microsoft Exchange Server: Prioritize several new Exchange patches, including CVE-2023-36439, which is a vulnerability that enables attackers to install malicious software on an Exchange server.

**Other vendors**

Other organizations have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities affecting multiple Adobe products:

*   APSB23-52: Adobe ColdFusion
*   APSB23-53: Adobe RoboHelp Server
*   APSB23-54: Adobe Acrobat and Reader
*   APSB23-55: Adobe InDesign
*   APSB23-56: Adobe Photoshop
*   APSB23-57: Adobe Bridge
*   APSB23-58: Adobe FrameMaker Publishing Server
*   APSB23-60: Adobe InCopy
*   APSB23-61: Adobe Animate
*   APSB23-62: Adobe Dimension
*   APSB23-63: Adobe Media Encoder
*   APSB23-64: Adobe Audition
*   APSB23-65: Adobe Premiere Pro
*   APSB23-66: Adobe After Effects

**Android**’s November updates were released by Google.

**SAP** released its November 2023 Patch Day updates.

**SysAid** released security updates for a zero-day vulnerability that is actively being exploited by a ransomware affiliate.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

 Update now! Microsoft patches 3 actively exploited zero-days 

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a double free via the gf_filterpacket_del function at /gpac/src/filter_core/filter.c.

    $ ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
    

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

    /home/user/vul/MP4Box_crash/id000037sig06src002502time27968081execs258947ophavocrep16
    [32m[iso file] Unknown box type 00000000 in parent moov
    [0m[32m[iso file] Unknown top-level box type 00000100
    [0m[32m[Dasher] No template assigned, using $File$_dash$FS$$Number$
    [0m[32m[Dasher] No bitrate property assigned to PID V1, computing from bitstream
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[32m[iso file] Unknown box type 00000000 in parent moov
    [0m[33m[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 18446744073709551615/12288
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[31m[MuxIsom] Packet with no CTS assigned, cannot store to track, ignoring
    [0m[31m[IsoMedia] File truncated, aborting read for track 1
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[37mDashing P1 AS#1.1(V) done (1 segs)
    [0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
    [0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
    [0m[32m[MPD] Generating MPD at time 2023-10-08T12:38:38.043Z
    [0m[32m[Dasher] End of Period 
    [0m[32m[Dasher] End of MPD (no more active streams)
    [0m=================================================================
    ==827317==ERROR: AddressSanitizer: attempting double-free on 0x619000015980 in thread T0:
        #0 0x55e7797a5972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525cd97945 in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17
        #2 0x7f525cd6a022 in gf_fq_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_queue.c:105:33
        #3 0x7f525cda14e5 in gf_filter_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:664:3
        #4 0x7f525cd6ede9 in gf_fs_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:782:4
        #5 0x7f525c6283f6 in gf_dasher_clean_inputs /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:164:3
        #6 0x7f525c6283f6 in gf_dasher_del /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:173:2
        #7 0x55e779809d2d in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4894:2
        #8 0x55e7797fab6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
        #9 0x7f525b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #10 0x7f525b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #11 0x55e779722dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    
    0x619000015980 is located 0 bytes inside of 1084-byte region [0x619000015980,0x619000015dbc)
    freed by thread T0 here:
        #0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525c4f7ab6 in Media_GetSample /home/user/fuzzing_gpac/gpac/src/isomedia/media.c:619:30
        #2 0x7f525c45d7b3 in gf_isom_get_sample_ex /home/user/fuzzing_gpac/gpac/src/isomedia/isom_read.c:1975:6
        #3 0x7f525d05a156 in isor_reader_get_sample /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read_ch.c:398:19
        #4 0x7f525d04d2d5 in isoffin_process /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:1486:5
        #5 0x7f525cdafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    
    previously allocated by thread T0 here:
    LLVMSymbolizer: error reading file: No such file or directory
        #0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525cd00add in gf_filter_pck_expand /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pck.c:1846:15
        #2 0x7ffd05c3a8df  ([stack]+0x328df)
    
    SUMMARY: AddressSanitizer: double-free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9) in free
    ==827317==ABORTING

CVE-2023-48013: double-free in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17 · Issue #2612 · gpac/gpac

Poverty, fentanyl, and lack of public funding mean morgues are overloaded with unidentified bodies. TikTok and Facebook pages are filling the gap—with AI proving a powerful and controversial new tool.

In 2021, an unidentified Black woman died by suicide after jumping off the Brooklyn Bridge. She was wearing hot pink nail polish, had a pink left eyebrow piercing and several tattoos—all distinguishing features that should have made it easier to identify her. Two years later, her identity is still unknown.

The tragedy of unidentified cadavers is something that Rionna Lee had been thinking about for years. Her mother used to transport human remains for New York’s Office of the Chief Medical Examiner, and would bring home morbid stories. One, Lee remembers, was of a man who had been hit by an MTA train. “One of the things that stuck out to me was the condition of his remains, which were scattered across the train tracks,” says Lee, 24, who now lives in Kingston, Pennsylvania. It distressed her to think of the families who would have to identify their loved ones; even more so, later, when she learned that some human remains would never be identified.

There are an average of 4,400 unidentified new cadavers per year in the US, and a total of 600,000 missing people across the country. Some of these cases are collected on databases, such as the National Missing and Unidentified Persons System (NamUs), which helps medical examiners, coroners, law enforcement officers, and members of the public solve missing, unidentified, and unclaimed cases across the country. The true scale of the problem is unknown, as the data available for the average number of unidentified cadavers comes from a 2004 census. Just 10 states have laws requiring that cases be entered into NamUs, meaning that many reports are voluntary.

As she looked into cases—including the woman with the pink nail polish—Lee noticed a pattern in which were solved and which weren’t. The decisive factor was often money. Funding from private donors, sponsorship, and public support meant that law enforcement agencies were able to access cutting-edge technology, such as Othram, a forensic genetics company, which has been pivotal in cracking several high-profile cases. Those that weren’t solved didn’t have resources behind them. Often, they were from marginalized groups. Lee, who identifies as Black and LGBTQ+, felt the need to raise awareness among overlooked members of society, those whose deaths often go unnoticed: transient individuals, racial minorities, substance users, and members of the LGBTQ+ community.

Lee set up a TikTok to try to raise awareness. After a few false starts, she went viral, attracting a following of 128,000. She set up a Facebook group—Thee Unidentified & Unsolved—which now has 39,000 members, many of whom work together to solve unidentified and unsolved cases. Thee Unidentified & Unsolved is one of several volunteer social media communities that are filling a gap left by the US state, which is getting worse due to the overlapping crises of poverty, fentanyl, and shortfalls in public funding. Now, with AI image recognition more readily available, volunteers have new tools to help them identify the deceased. This brings with it new issues around privacy and consent, but those in the communities say their work brings closure to families. “I believe everyone starts off with a name,” says Lee. “I believe everyone should be able to leave this Earth peacefully with their name.”

Lee started her TikTok campaign in October 2021. There were already several popular accounts that focused on locating missing people, but few, if any, were working to identify the deceased. She created her own page, but TikTok doesn’t allow graphic content such as morgue photos, and she struggled for traction.

She focused on cases where the decedent had been found with items that might help their friends and relatives identify them. “One of the videos I posted that gained exposure was a man with an undetermined race. He was found with a Salvatore Ferragamo gold buckle belt,” says Lee. Her audience was curious how a person with such an expensive piece of clothing could go unidentified. Her engagement grew, and finally, on November 9, 2022, one of her TikTok videos—the case of a 2022 Union County Jane Doe, a Black woman who died after being struck by multiple vehicles on US Route 22 in Hillside, New Jersey—went viral, racking up 652,000 views. A couple of days later, another video hit a million views. She created the Facebook group later that month, because the platform allows graphic content, like morgue pictures, which TikTok doesn’t. The Facebook group now has more than 39,000 members.

There are around a dozen posts each day in the group, often unsolved cases from NamUs with pictures. Members scour the internet, looking for other images, comparing images with missing person sketches or social media profiles.

Some of the identification groups work globally, others are region or country specific or dedicated to unique circumstances, such as missing and murdered Indigenous women and girls. Online detective groups often tread a delicate line between altruistic investigation and mob obsession.

Thee Unidentified has had to tread that line carefully. Earlier this year, the group helped identify Adonis Beck, a TikTok star also known as Pope the Barber. Beck was found dead on August 10. The news spread quickly, causing an influx of new members to the Facebook group. Kenyetta Burks, one of the group’s admins who had first posted Beck’s image on the group, removed the morgue photos as they were posted, but was inundated with requests from people trying to see them, many from fake accounts pretending to be relatives. Sometimes, the admins will notice comments from members who seem more intrigued by the circumstances of death than those who are empathetic to the topic of unidentified cases. In situations that appear voyeuristic, the person is suspended, and if the behavior is repeated, they are banned, Lee says.

These social media groups have helped some families find closure. In 2022, a teenage boy stumbled upon Lee’s TikTok page and identified his mother, a 2017 Jane Doe case, via her tattoos. She was hit by a vehicle while crossing a street in Pasadena, California and succumbed to her injuries in hospital. In May 2023, Burks posted a sketch, images, and information from NamUs in the Facebook group, which led to the identification of Dytavious Sanders, an MMA fighter from South Carolina, whose body was discovered earlier that month on May 9. Sander’s aunt identified him in the group and his mother asked for assistance in claiming his body.

One member of Thee Unidentified has recently began using a new tool, PimEyes, a controversial facial recognition search engine, as a means to identify the deceased via morgue photos. A quick upload produces search results in a matter of seconds. Photos from across the internet are organized in a single view, mugshots frequently among them. While this technology can accelerate the process of identifying the dead, it brings with it serious privacy concerns. In many cases, informed consent is neither obtained for the image uploaded nor the results that the technology returns, which can include the biometric data of private individuals. Thus far, a few members of the group have utilized this tool.

“While some individuals might be well-meaning, online sleuths are using dangerous surveillance tools,” says Madeleine Stone, senior advocacy officer at Big Brother Watch, a privacy campaign group. “By selling this technology, facial recognition companies risk violating the dignity of deceased individuals, but moreover are violating the privacy rights of the billions of people whose photos they have taken, processed and exploited without consent.”

PimEyes has been criticized by privacy advocates for scraping the internet for images, and giving users access to highly personal information about private individuals. PimEyes CEO Giorgi Gobronidze says that these threats are exaggerated, and that PimEyes doesn’t hold images, but just directs users to the URLs where images are hosted. “The tool is designed to help people to find the sources that publish photos, and if they shouldn't be there, apply to the website and initiate takedown.” Gobronidze says that PimEyes has many use cases, such as searching for missing people, including women and children in conflict areas, and actively cooperates with human rights organizations.

Lee says that the Thee Unidentified & Unsolved Facebook group “is not focused on the use of PimEyes…But I respect those who do use the tool and actually have successful outcomes.”

In other social media groups, PimEyes is slowly being introduced as an investigative tool for cases related to missing persons, cold cases, and human trafficking.

Experts also worry that this technology is not necessarily accurate, meaning that amateur sleuths could make mistakes with heartbreaking consequences. “This a noble goal, but a terrible approach,” says Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, an organization that litigates and advocates for privacy, fighting excessive local and state-level surveillance. “This technology is biased and error prone, and I worry that a lot of worried families will be wrongly told their missing loved one is dead.”

For all of the challenges presented by volunteer online communities, the reality is that they exist in a vacuum left by the authorities.

In 2021, 106,699 Americans died of an overdose. In Seattle, the fentanyl crisis is so bad that the number of overdose deaths has doubled in the last three years, causing the morgues to overflow. The “fourth wave” of the crisis recently descended upon the US, an ongoing mass-overdose event that has consumed law enforcement agencies, stretching the resources necessary for identifying the dead. For medical examiners, the “tsunami” of bodies has resulted in staff burnout, exhausted resources, and jeopardized many offices’ accreditation due to the necessity to conduct more autopsies than industry guidelines permit .

“Unfortunately, the opioid crisis has meant more individuals are coming into the Medical Examiner’s Office for examination,” says Dr. Constance DiAngelo, Philadelphia’s Chief Medical Examiner. “Many of these folks are not initially identified.”

The authorities just don’t have the resources to investigate every case thoroughly. “Our challenges are related to funding,” DiAngelo says. “Exhumations, reinterment, DNA extraction and processing, and genealogy comparisons are expensive. A case could cost between $2,500 to $10,000, and that doesn’t include the need for staff who can be dedicated to this type of work.”

In King County, where Seattle is located, there are currently 57 unidentified people that the Medical Examiner’s Office is working to identify. This dire situation is a reality across major American metropolitan areas. In situations where people are found without identification, it can take weeks, if not months, to locate next of kin.

That waiting, and not knowing, can be agony for people whose loved ones have disappeared—like the family of Kallie Catron. Catron’s mother, Crystal Newman, last spoke with her on October 14, 2022. Catron said she missed her two children and wanted to come home. “When Halloween, Thanksgiving, Christmas, and New Year’s passed, my sister knew something was wrong and called to report a missing person,” says Sarah Forister, Catron’s aunt. “I guess you can say a mother knows when something is wrong with her baby.”

On January 22, 2023, Newman was sent a link to a post on Thee Unidentified’s TikTok page. Morgue photos, and images of her tattoos, confirmed it was Catron. “At first, we were so mad that’s how we found out,” says Forister. “But Kallie’s mom, me, and her cousins watched the video showing her morgue photo and all her identifying tattoos multiple times a day.”

Eventually, Lee asked the family if she could take down the video, as Catron had been identified. “I said yes, but please send me the video so I can watch it whenever I want to,” says Forister. Lee obliged. The community shared the family’s GoFundMe campaign to raise funds for Catron's funeral and to support her children. “We realized that if it wasn’t for Thee Unidentified community and Rionna, we could still be looking for Kallie,” Forister says.

Social Media Sleuths, Armed With AI, Are Identifying Dead Bodies

Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild.
Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release.
The updates are in

Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild.

Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release.

The updates are in addition to more than 35 security shortcomings addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for October 2023.

The five zero-days that are of note are as follows -

*   **CVE-2023-36025** (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
*   **CVE-2023-36033** (CVSS score: 7.8) - Windows DWM Core Library Elevation of Privilege Vulnerability
*   **CVE-2023-36036** (CVSS score: 7.8) - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
*   **CVE-2023-36038** (CVSS score: 8.2) - ASP.NET Core Denial of Service Vulnerability
*   **CVE-2023-36413** (CVSS score: 6.5) - Microsoft Office Security Feature Bypass Vulnerability

Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could make it possible to bypass Windows Defender SmartScreen checks and their associated prompts.

"The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker," Microsoft said about CVE-2023-36025.

The Windows maker, however, has not provided any further guidance on the attack mechanisms employed and the threat actors that may be weaponizing them. But the active exploitation of the privilege escalation flaws suggests that they are likely used in conjunction with a remote code execution bug.

"There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the last two years, though this is the first to have been exploited in the wild as a zero-day," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the three issues to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by December 5, 2023.

Also patched by Microsoft are two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor could leverage to trigger the execution of malicious code.

The November update further includes a patch for CVE-2023-38545 (CVSS score: 9.8), a critical heap-based buffer overflow flaw in the curl library that came to light last month, as well as an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6).

"An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions," Microsoft said.

Palo Alto Networks researcher Aviad Hahami, who reported the issue, said the vulnerability could enable access to credentials stored in the pipeline's log and permit an adversary to potentially escalate their privileges for follow-on attacks.

In response, Microsoft said it has made changes to several Azure CLI commands to harden Azure CLI (version 2.54) against inadvertent usage that could lead to secrets exposure.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD (including CacheWarp)
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Arm
*   ASUS
*   Atlassian
*   Cisco
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Intel
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   SysAid
*   Trend Micro
*   Veeam
*   Veritas
*   VMware
*   WordPress
*   Zimbra
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sap