From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

In April 2007, when Apple's “I'm a Mac” ads were telling people that Macs can't get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don't exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own's merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It's a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

**Early Pwn2Own Wins  
**But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker's Handbook,” followed by “iOS Hacker's Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I'm biased about the things I'm good at, but \[Safari is\] the easiest browser \[to hack\],” Miller said in an interview after the competition.

**Beyond Apple  
**But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we've expanded the attack surfaces,” Gorenc says. “We've raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

**When ‘Wow’ Is an Understatement  
**The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when 'wow' just isn't enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

  
Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare's virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro's Childs says. “They combined enough bugs to break out of that \[sandbox\] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

  
Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own's cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance that can kill bugs, found a severe memory randomization bug in Tesla's Model 3's infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

  
Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We're dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don't take ourselves too seriously.”

**Pwn2Own's Contributions to Bug Hunting  
**When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu's initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They're not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don't know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you're going to be getting bugs, and you're going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

How Pwn2Own Made Bug Hunting a Real Sport

Build security in up front to secure open source code at the foundational level. Apply security controls, have engineering teams test, do code review, and use attacker-centric behavioral analytics to mitigate threats.

Organizations increasingly rely on open source code. Many enjoy the convenience of using open source code to quickly innovate or spin up services without the time-consuming process of developing their own code, but there's a catch: Open source code can turn into a security nightmare for organizations.

On the eve of 2022, a zero-day vulnerability — Log4j — was exploited by threat actors and placed organizations' software and Web applications, along with their business-critical data, at an increased risk. What made this attack so far-reaching was that the vulnerability stemmed from widely used open source code.

This points to a broader issue — threat actors rely on subverting open source for malicious purposes. Often, in the case of Log4j and other software such as EspoCRM, Pimcore, and Akaunting, they are able to capitalize on the inherent vulnerabilities associated with this code and remain undetected. As an industry, there is often a belief that vulnerabilities with open source code will be easy to spot, but that isn't the case — Log4j was put into production in 2013 and nobody noticed any issues until it was already too late.

**Open Source Is a Double-Edged Sword  
**Open source code can be an amazing resource for organizations. At its core, it's ready-to-use software that enables teams to decrease development time. This speeds innovation and empowers developers to relatively quickly stand up and deploy software. Additionally, this code is supported by a community of developers who volunteer their time. This means that new features can be released and bugs can be fixed by the community with no cost passed on to the developer. It's this extraordinary benefit that _also_ presents as a security risk.

While there are numerous benefits to utilizing open source code, there also are risks associated with its use. For instance, open source can only be developed based on community involvement. If the community loses interest in the project, or if key individuals get called to work on another project, development will stall. Additionally, bugs may be overlooked as developers assume it's the community's responsibility to locate and fix them. While many hands often make light work, this is a common problem with group work that doesn't have clear processes in place to ensure a consistent product.

There's also a very common misstep that I see organizations take when it comes to open source. While many of them rely upon open source code, they don't view the code as their own and often don't apply the same security controls that they would to their own, natively built code. That means that open source libraries often escape security testing and code reviews, which creates an environment where bugs and security flaws can get baked into a product at a foundational level.

**Come Together to Secure Open Source Code  
**As an industry, there are actions that we can take to better secure our open source code from threat actors. To start, if you're using a code scanning tool, scan all the open source libraries you're using. I would also encourage developers to contribute to the project. If enough people get involved, the project owners can institute these security steps themselves. Additionally, always be sure to check what security steps the project follows before using it.

Ensuring that security is built-in upfront will help to ensure that potential vulnerability gaps are closed, and has the added benefit of helping your industry peers who rely on open source.

**Address Open Source Concerns With Attacker-Centric Behavioral Analytics  
**Open source code, and its related vulnerabilities, aren't going away anytime soon. While government agencies, such as the Federal Trade Commission, have provided guidance to reduce vulnerabilities related to open source, there are additional steps organizations can take to further mitigate any threats.

Vulnerabilities may already be present in your code and organizations cannot solely rely on security teams to find and manage those vulnerabilities. Protection starts with review by their own engineering teams. Additionally, it is important to utilize a solution that will protect your organization from these inherent vulnerabilities and block any attempts to exploit your data. Utilizing attacker-centric behavioral analytics is vital to help your organization mitigate these threats.

Signature-based defenses will often fail at protecting your organization from exploits like Log4j since attacks can be launched in a multitude of ways. Monitoring and detecting suspicious behavior over time will help to identify the various attack patterns so your organization can mount a stronger defense.

If the last two years are any indication, organizations need to be on the lookout for increased cyberattacks. In 2022, I encourage you to start securing your code at the foundational level, and together, work to secure our ubiquitous open source code upon which we so heavily rely.

The Industry Must Better Secure Open Source Code From Threat Actors

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVE-2022-22784: Security Bulletin

Research indicates that organizations should make patching existing flaws a priority to mitigate risk of compromise.

Research indicates that organizations should make patching existing flaws a priority to mitigate risk of compromise.

Most advanced persistent threat groups (APTs) use known vulnerabilities in their attacks against organizations, suggesting the need to prioritize faster patching rather than chasing zero-day flaws as a more effective security strategy, new research has found.

Security researchers at the University of Trento in Italy did an assessment of how organizations can best defend themselves against APTs in a recent report published online. What they found goes against some common security beliefs many security professionals and organizations have, they said.

The team manually curated a dataset of APT attacks that covers 86 APTs and 350 campaigns that occurred between 2008 to 2020. Researchers studied attack vectors, exploited vulnerabilities–e.g., zero-days vs public vulnerabilities–and affected software and versions.

One belief the research debunked is that all APTs are highly sophisticated and prefer attacking zero-day flaws rather than ones that have already been patched. “Contrary to common belief, most APT campaigns employed publicly known vulnerabilities,” they wrote in the report.

Indeed, of the 86 APTs that researchers investigated, only eight–Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus and Rancor—exploited vulnerabilities that others didn’t, researchers found.

This demonstrates that not all the APTs are as sophisticated as many think, as the groups “often reuse tools, malware, and vulnerabilities,” they wrote in the report.

****Faster Updates Reduce Risk****

This finding promotes faster updates to fix known flaws in organizations’ systems rather than taking their time to apply updates that are released for known vulnerabilities, which seems to be the trend right now.

It typically takes more than 200 days for an enterprise to align 90 percent of their machines with the latest software patches due to regression testing, which ensures that updated systems function properly after the update, researchers found.

“Such behavior is rational because not all vulnerabilities are always exploited in the wild,” they wrote. However, to combat APTs, “slow updates do not seem appropriate,” researchers wrote.

In fact, faster updating could significantly lower odds of being compromised if organizations could “update as soon as an update is released,” they wrote.

Indeed, the study found that if an organization waits one month to update, they are 4.9 times more likely to be compromised; waiting three months made them 9.1 times as likely.

Still, immediate patching doesn’t guarantee that organizations won’t be compromised, researchers found. Enterprises that apply timely fixes “could still be compromised from 14 percent to 33 percent of the time,” they wrote.

****Update-Strategy Challenges****

Overall, researchers acknowledged that APTs present a unique challenge to organizations, as it’s difficult to predict if and when an attack will occur and thus it’s basically out of their control, they said.

“Unfortunately, a company cannot fully decide in advance the configuration they will have when hit (or most frequently not hit) by an attacker as it depends on the attacker’s choice,” researchers wrote.

What a company can control, however, it’s its software-update strategy, with organizations typically employing one of three options: Update immediately when new updates to software are available; wait some time to update to perform regression testing; or skip updates altogether.

Instead of updating for all new versions of software, researchers suggested a streamlined approach to focus on patching known flaws, which seems to have impact on an organization’s risk of APT attack, they said.

Organizations could perform “12 percent of all possible updates, restricting themselves only to versions that fix publicly known vulnerabilities” without significantly changing their odds of being compromised, researchers wrote.

APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability.

Security researchers at Barracuda discovered that attempts were made to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month.

“Barracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960” reported by Barracuda.

VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954 with a CVSS score of 9.8, the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager Solutions.

The other bug involved CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permission in support scripts allowing an attacker with local access to gain root privileges.

The VMware Workspace One is an intelligent-drive workspace platform that helps to manage any app on any device in a secure and simpler manner. The Identity manager handles the authentication to the platform and vRealize Automation is a DevOps-based infrastructure management platform for config of IT resources and automating the delivery of container-based applications.

****Exploitation Occurred After PoC Release****

The Barracuda researchers noted that the previous flaws are chained together for a potential full exploitation vector.

After the bug was disclosed by VMware in April, a proof-of-concept (PoC) was released on Github and shared via Twitter.

“Barracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,” reported Barracuda.

After the release of PoC, the spike in attempts is noticed by the researcher, they classified it as a probe rather than actual attempts to exploit.

“The attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,” they added.

The researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators, the IPs discovered still seem to host variants of the Mirai distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.

The majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. The researcher added that there is a spike in IP addresses from the UK and Russia and about (6 percent) of the attacks emanate from these locations.

The researchers noted, “there are also consistent background attempts from known bad IPs in Russia.”

“Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,” researchers explained

According to Barracuda “the interest levels on these vulnerabilities have stabilized” after the initial spike in April, the researcher expected to analyze low-level scanning and attempts for some time.

The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems “will add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,” advised by Barracuda.

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware's platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

"A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user," Mike Goldgof, Barracuda's senior director of product marketing for data protection, network, and application security, tells Dark Reading. "In effect, a hacker can bring down the system, extract data, inject ransomware, etc."

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," Goldgof noted. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets." 

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware's advisory, and could allow attackers with local access to achieve root privileges. 

In this case, it's being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming. 

"Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers."

**VMware Payloads du Jour**  
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, "some Log4Shell exploit attempts were also seen in the data," researchers noted.

As for who's behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found "consistent background attempts" from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

"Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes," the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding "defense in depth against zero-day attacks and other vulnerabilities," according to Barracuda's Tuesday writeup.

It's important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," he says. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

If you're an Apple user, make sure you patch for CVE-2022-22675, a zero-day flaw actively exported in the wild.
The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.

Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV.

The flaw is an out-of-bounds write issue—tracked as CVE-2022-22675—in AppleAVD, a decoder that handles specific media files.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Attackers could take control of affected devices if they exploit this flaw.

CVE-2022-22675 is the same vulnerability that affected macOS Monterey 12.3.1, iOS 15.4.1, and iPad 15.4.1. The flaw for these was patched in March.

This latest batch of updates has improved bounds checking for additional Apple products running specific operating systems, particularly macOS Big Sur 11.6.6, watchOS 8.6, and tvOS 15.5. These OSs are installed in Apple Macs running Big Sur, Apple Watch Series 3 and later, and Apple TV (4K, 4K 2nd generation, and 4K HD).

Apple says it’s aware this flaw is currently being abused in the wild. It didn’t go into detail, likely to give customers time to patch up their Apple devices.

BleepingComputer has noted that attacks against CVE-2022-22675 might only be targeted in nature. However,if you’re using any or all of the above Apple products we mentioned, it is still wise to apply updates as soon as you can.

Stay safe!

Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV

Apple Security Advisory 2022-05-16-6 - tvOS 15.5 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-6 tvOS 15.5

tvOS 15.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213254.

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-22675: an anonymous researcher

AuthKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A local user may be able to enable iCloud Photos without  
authentication  
Description: An authentication issue was addressed with improved  
state management.  
CVE-2022-26724:  Jorge A. Caballero (@DataDrivenMD)

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-26736: an anonymous researcher  
CVE-2022-26737: an anonymous researcher  
CVE-2022-26738: an anonymous researcher  
CVE-2022-26739: an anonymous researcher  
CVE-2022-26740: an anonymous researcher

DriverKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may be able to execute arbitrary code  
with system privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend  
Micro Zero Day Initiative

IOKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A race condition was addressed with improved locking.  
CVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26768: an anonymous researcher

IOSurfaceAccelerator  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26771: an anonymous researcher

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs  
(@starlabs_sg)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An attacker that has already achieved kernel code execution  
may be able to bypass kernel memory mitigations  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with additional sandbox  
restrictions on third-party applications.  
CVE-2022-26706: Arsenii Kostromin (0x3c3e)

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-23308

Security  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious app may be able to bypass signature validation  
Description: A certificate parsing issue was addressed with improved  
checks.  
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to code  
execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab  
WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Wi-Fi  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may disclose restricted memory  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26745: an anonymous researcher

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
for their assistance.

WebKit  
We would like to acknowledge James Lee, an anonymous researcher for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TcACgkQeC9qKD1p  
rhiw7BAAy82XZ2+vjnjFB1FrZ7ZnKtM4pz8MMpX4ZTD2ytgkwXi0qnyzBdMe/w4p  
zrpedL4p/RfdDOiM/4kWBtiH62qetiXDcE8tBqN8WTE9rf55cX4jlXrHASohFI2q  
ErkAjo51j2fg8S7a+luyaZWzBUZqlghtzWjtFgaHOQAP5dDf+He92kDerbrIDQw9  
dg0nL4os0VFgWdX0EtFC7umK8iiTFbvtoEbLDLFODWweaJN8LOP/LHe71YzAryKg  
Dh9ItWqVdzkCOKWR8F96NnoBs7c6B4naqQkS4k2F/m6C6ckPb8LI18ss7oiD3eMB  
k7oo7+u1zQFRKmk0XlfH7awxtEHjYjjw3LT8ko9QJ8mEuspxoiwW7n1mINWa7Khp  
YoCe88xR06kfti4h6MJDSN6JpxSnikEyJzR4j4xGL6rWjqCj+XV9ejrt9EgF8BL2  
JZ+Oceoh23m7IqVoMe1Hzjf1X3nsxXJQEg/xxRwHRknAjSNtVJUKhT4/ioOc9pu6  
TROAHYdSO5yRLNUNpj9RlkBeDbXtiWgA2IEg0wcUPzwf3Uzt2Qw9zBFbMb1hPSht  
7zTIOtF4Ub+MD6cFuHbC7hL58pRmA4FzEczLG81BoGGaFOCD2QDt0/ySTFr1M+YD  
g2L2PlZNgxd0zetkTkZbvAwroMUTRSi1GqxAhVeKwbvW4XAN+yc=  
=G3ho  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-6

Apple Security Advisory 2022-05-16-5 - watchOS 8.6 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-5 watchOS 8.6

watchOS 8.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213253.

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-22675: an anonymous researcher

DriverKit  
Available for: Apple Watch Series 3 and later  
Impact: A malicious application may be able to execute arbitrary code  
with system privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: Apple Watch Series 3 and later  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend  
Micro Zero Day Initiative

IOMobileFrameBuffer  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26768: an anonymous researcher

IOSurfaceAccelerator  
Available for: Apple Watch Series 3 and later  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26771: an anonymous researcher

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs  
(@starlabs_sg)

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An attacker that has already achieved kernel code execution  
may be able to bypass kernel memory mitigations  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: Apple Watch Series 3 and later  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with additional sandbox  
restrictions on third-party applications.  
CVE-2022-26706: Arsenii Kostromin (0x3c3e)

libxml2  
Available for: Apple Watch Series 3 and later  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-23308

Security  
Available for: Apple Watch Series 3 and later  
Impact: A malicious app may be able to bypass signature validation  
Description: A certificate parsing issue was addressed with improved  
checks.  
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

TCC  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to capture a user's screen  
Description: This issue was addressed with improved checks.  
CVE-2022-26726: an anonymous researcher

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to code  
execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab  
WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Wi-Fi  
Available for: Apple Watch Series 3 and later  
Impact: A malicious application may disclose restricted memory  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26745: an anonymous researcher

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
for their assistance.

WebKit  
We would like to acknowledge James Lee, an anonymous researcher for  
their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TYACgkQeC9qKD1p  
rhhgaBAAq/igmuSba0Occu1TcS6aXG50gjUZyJXPu7/UVVWI4icwz+c/ruKquy/w  
XuiT+C2Q6CJIWn2qM+hHrHtgsi3EYI6XxrbgcLgmvGvbwICs9RwHyHc1ztSyurTe  
ys8gJkc+/nZWPKR4dy7JUl8NdjoTWuUyGVE9xOJQeISND5xUoDz2i9d8FKgkZta6  
FoJlIWCDuNq01vgcAfKSZqPX2mEPMnWL47Q6g69PXIs34iBcOrHNesZ/mH/jz5Nz  
aAnisEj9gC0+KERoMSmGoBrYmP7kr/DmVBEwa9cDA0rGfNntgNliQ7wbLxnT8kJG  
rJARAyLPtPsygs7UmnkDaNDkI/a63dIRWwPIKUOQYtKKqwNL5GSoytdk/OhRGjmN  
Hi7k1GmvGiJA7bFI3PIQDSi3YSC1cs9CeyIL2rNUSVmRZ7jHlXxlDQYH1/ad4DU1  
TqVw9Rwg0mlc0tYKUNjChg/uAK1G5OGidxtLRt0FzUaXvPoVLe0/btYeaH6ijfU9  
i1W+xJ8jGgWddP7r1HvNeN6B+WGuIEcla+GNduEV3+AcnxL9h6FP8sAzQuTHQtKC  
AkqUO1G20ieIQHKJPNEIpgLlrCFYVajDfRtB9zGDme6aBZNHxefOWMMxdKfnspj2  
MtFpJ9qPmpnRITjCF5z1RDfqFjXUZvePcRA6rS1Lq4ClgQ575yI=  
=zdvf  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-5

Apple Security Advisory 2022-05-16-4 - Security Update 2022-004 Catalina addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina

Security Update 2022-004 Catalina addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213255.

apache  
Available for: macOS Catalina  
Impact: Multiple issues in apache  
Description: Multiple issues were addressed by updating apache to  
version 2.4.53.  
CVE-2021-44224  
CVE-2021-44790  
CVE-2022-22719  
CVE-2022-22720  
CVE-2022-22721

AppKit  
Available for: macOS Catalina  
Impact: A malicious application may be able to gain root privileges  
Description: A logic issue was addressed with improved validation.  
CVE-2022-22665: Lockheed Martin Red Team

AppleGraphicsControl  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected application termination or disclosure of process  
memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected application termination or disclosure of process  
memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2022-26698: Qi Sun of Trend Micro

CoreTypes  
Available for: macOS Catalina  
Impact: A malicious application may bypass Gatekeeper checks  
Description: This issue was addressed with improved checks to prevent  
unauthorized actions.  
CVE-2022-22663: Arsenii Kostromin (0x3c3e)

CVMS  
Available for: macOS Catalina  
Impact: A malicious application may be able to gain root privileges  
Description: A memory initialization issue was addressed.  
CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori  
CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

DriverKit  
Available for: macOS Catalina  
Impact: A malicious application may be able to execute arbitrary code  
with system privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

Graphics Drivers  
Available for: macOS Catalina  
Impact: A local user may be able to read kernel memory  
Description: An out-of-bounds read issue existed that led to the  
disclosure of kernel memory. This was addressed with improved input  
validation.  
CVE-2022-22674: an anonymous researcher

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-26756: Jack Dates of RET2 Systems, Inc

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: A memory corruption issue was addressed with improved  
input validation.  
CVE-2022-26769: Antonio Zekic (@antoniozekic)

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro  
Zero Day Initiative

Kernel  
Available for: macOS Catalina  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs  
(@starlabs_sg)

Kernel  
Available for: macOS Catalina  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26757: Ned Williamson of Google Project Zero

libresolv  
Available for: macOS Catalina  
Impact: An attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2022-26775: Max Shavrick (@_mxms) of the Google Security Team

LibreSSL  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted certificate may lead to a  
denial of service  
Description: A denial of service issue was addressed with improved  
input validation.  
CVE-2022-0778

libxml2  
Available for: macOS Catalina  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-23308

OpenSSL  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted certificate may lead to a  
denial of service  
Description: This issue was addressed with improved checks.  
CVE-2022-0778

PackageKit  
Available for: macOS Catalina  
Impact: A malicious application may be able to modify protected parts  
of the file system  
Description: This issue was addressed with improved entitlements.  
CVE-2022-26727: Mickey Jin (@patch1t)

Printing  
Available for: macOS Catalina  
Impact: A malicious application may be able to bypass Privacy  
preferences  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2022-26746: @gorelics

Security  
Available for: macOS Catalina  
Impact: A malicious app may be able to bypass signature validation  
Description: A certificate parsing issue was addressed with improved  
checks.  
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

SMB  
Available for: macOS Catalina  
Impact: An application may be able to gain elevated privileges  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

SoftwareUpdate  
Available for: macOS Catalina  
Impact: A malicious application may be able to access restricted  
files  
Description: This issue was addressed with improved entitlements.  
CVE-2022-26728: Mickey Jin (@patch1t)

TCC  
Available for: macOS Catalina  
Impact: An app may be able to capture a user's screen  
Description: This issue was addressed with improved checks.  
CVE-2022-26726: an anonymous researcher

Tcl  
Available for: macOS Catalina  
Impact: A malicious application may be able to break out of its  
sandbox  
Description: This issue was addressed with improved environment  
sanitization.  
CVE-2022-26755: Arsenii Kostromin (0x3c3e)

WebKit  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted mail message may lead to  
running arbitrary javascript  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu  
of Palo Alto Networks (paloaltonetworks.com)

Wi-Fi  
Available for: macOS Catalina  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
memory handling.  
CVE-2022-26761: Wang Yu of Cyberserval

zip  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted file may lead to a denial of  
service  
Description: A denial of service issue was addressed with improved  
state handling.  
CVE-2022-0530

zlib  
Available for: macOS Catalina  
Impact: An attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
CVE-2018-25032: Tavis Ormandy

zsh  
Available for: macOS Catalina  
Impact: A remote attacker may be able to cause arbitrary code  
execution  
Description: This issue was addressed by updating to zsh version  
5.8.1.  
CVE-2021-45444

Additional recognition

PackageKit  
We would like to acknowledge Mickey Jin (@patch1t) of Trend Micro for  
their assistance.

Security Update 2022-004 Catalina may be obtained from the Mac App  
Store or Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TYACgkQeC9qKD1p  
rhjgGRAAggg84uE4zYtBHmo5Qz45wlY/+FT7bSyCyo2Ta0m3JQmm26UiS9ZzXlD0  
58jCo/ti+gH/gqwU05SnaG88pSMT6VKaDDnmw8WcrPtbl6NN6JX8vaZLFLoGO0dB  
rjwap7ulcLe7/HM8kCz3qqjKj4fusxckCjmm5yBMtuMklq7i51vzkT/+ws00ALcH  
4S821CqIJlS2RIho/M/pih5A/H1Onw/nzKc7VOWjWMmmwoV+oiL4gMPE9kyIAJFQ  
NcZO7s70Qp9N5Z0VGIkD5HkAntEqYGNKJuCQUrHS0fHFUxVrQcuBbbSiv7vwnOT0  
NVcFKBQWJtfcqmtcDF8mVi2ocqUh7So6AXhZGZtL3CrVfNMgTcjq6y5XwzXMgwlm  
ezMX73MnV91QuGp6KVZEmoFNlJ2dhKcJ0fYAhhW9DJqvJ1u5xIkQrUkK/ERLnWpE  
9DIapT8uUbb9Zgez/tS9szv5jHhKtOoPbprju7d7LHw7XMFCVKbUvx745dFZx0AG  
PLsJZQNsQZJIK8QdcLA50KrlyjR2ts4nUsKj07I6LR4wUmcaj+goXYq4Nh4WLnoF  
x1AXD5ztdYlhqMcTAnuAbUYfuki0uzSy0p7wBiTknFwKMZNIaiToo64BES+7Iu1i  
vrB9SdtTSQCMXgPZX1Al1e2F/K2ubovrGU9geAEwLMq3AKudI4g=  
=JBHs  
-----END PGP SIGNATURE-----

Tag

#zero_day