Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Dimension | APSB23-20

Adobe has released an update for Adobe Dimension. This update addresses  critical and important vulnerabilities in  Adobe Dimension.  Successful exploitation could lead to memory leak and arbitrary code execution in the context of the current user.      

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.     

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25879  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25880  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25881  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25882  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25883  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25884  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25885  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25886  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25887  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25888  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25889  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25890  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25891  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25892  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25893  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25894  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25895  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25896  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25897  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25898  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25899  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25900  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25901  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25902  

Integer Overflow or Wraparound (CWE-190)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25903  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25904  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25905  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25906  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-25907  

Out-of-bounds Read (CWE-125)  

Memory leak  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26327  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26328  

Out-of-bounds Read (CWE-125)  

Memory leak  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26329  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26330  

Out-of-bounds Read (CWE-125)  

Memory leak  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26331  

Out-of-bounds Read (CWE-125)  

Memory leak  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26332  

Out-of-bounds Read (CWE-125)

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26333  

Access of Uninitialized Pointer (CWE-824)  

Memory leak  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26334  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26335  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26336  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26337  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26338  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26339  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26340  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26341  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-26342  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26343  

Access of Uninitialized Pointer (CWE-824)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26344  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26345  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26346  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26348  

Use After Free (CWE-416)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26349  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26350  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26351  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26352  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26353  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26354  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26355  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26356  

Adobe would like to thank the following researchers  for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell working with Trend Micro Zero Day Initiative  - CVE-2023-25879, CVE-2023-25880, CVE-2023-25881, CVE-2023-25882, CVE-2023-25883, CVE-2023-25884, CVE-2023-25885, CVE-2023-25886, CVE-2023-25887, CVE-2023-25888, CVE-2023-25889, CVE-2023-25890, CVE-2023-25891, CVE-2023-25892, CVE-2023-25893, CVE-2023-25894, CVE-2023-25895, CVE-2023-25896, CVE-2023-25900, CVE-2023-25902, CVE-2023-25905,  CVE-2023-25906, CVE-2023-25907, CVE-2023-26327, CVE-2023-26328, CVE-2023-26329, CVE-2023-26333, CVE-2023-26335, CVE-2023-26338, CVE-2023-26339, CVE-2023-26340, CVE-2023-26341, CVE-2023-26342, CVE-2023-26343, CVE-2023-26344, CVE-2023-26345, CVE-2023-26346, CVE-2023-26348, CVE-2023-26349, CVE-2023-26337  
    
*   Michael DePlante (@izobashi) working with Trend Micro Zero Day Initiative -  CVE-2023-25897, CVE-2023-25898, CVE-2023-25899, CVE-2023-25901, CVE-2023-26330, CVE-2023-26331, CVE-2023-26350, CVE-2023-26351, CVE-2023-26352, CVE-2023-26353, CVE-2023-26354, CVE-2023-26355, CVE-2023-26356, CVE-2023-26332, CVE-2023-26334, CVE-2023-26336 
*   Chen Qininying (yjdfy) - CVE-2023-25903, CVE-2023-25904

March 16,  2023: CVE-2023-26337 credited to Mat Powell working with Trend Micro Zero Day Initiative  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-26356: Adobe Security Bulletin

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.2.034. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of IFC files. Crafted data in an IFC file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16581.

**BE-2022-0006: IFC File Parsing Vulnerabilities in MicroStation and MicroStation-based applications**

**Bentley ID:** BE-2022-0006  
**CVE ID:** CVE-2022-28314, CVE-2022-28315, CVE-2022-28316, CVE-2022-28317, CVE-2022-28318, CVE-2022-28641, CVE-2022-28301, CVE-2022-28302, CVE-2022-28646, CVE-2022-28647, CVE-2022-1229  
**Severity:** 7.8  
**CVSS v3.1:** AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  
**Publication date:** 2022-04-05  
**Revision date:** 2022-04-05

**Summary  
**MicroStation and MicroStation-based applications may be affected by IFC file parsing vulnerabilities when opening maliciously crafted IFC files. Exploiting these vulnerabilities could lead to code execution.

**Details  
**The following vulnerabilities related to this advisory were discovered by TrendMicro ZDI: ZDI-CAN-16332, ZDI-CAN-16367, ZDI-CAN-16368, ZDI-CAN-16369, ZDI-CAN-16379, ZDI-CAN-16390, ZDI-CAN-16392, ZDI-CAN-16446, ZDI-CAN-16570, ZDI-CAN-16573 and ZDI-CAN-16581. Using an affected version of MicroStation or MicroStation-based application to open a IFC file containing maliciously crafted data can force an out-of-bounds read or write, stack overflow or uninitialized variable vulnerabilities. Exploitation of these vulnerabilities within the parsing of IFC files could enable an attacker to execute arbitrary code in the context of the current process.

**Affected Versions**

**Applications**

**Affected Versions**

**Mitigated Versions**

MicroStation

10.16.02.\* and prior versions

10.16.03.\* and more recent

Bentley View

10.16.02.\* and prior versions

10.16.03.\* and more recent

**Recommended Mitigations  
**Bentley recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open IFC files coming from trusted sources.

**Acknowledgement  
**Thanks to Mat Powell and Anonymous of Trend Micro Zero Day Initiative for discovering these vulnerabilities.

**Revision History**

**Date**

**Description**

2022-04-05

First version of this advisory

CVE-2022-1229: BE-2022-0006 | Bentley Systems | Infrastructure Engineering Software Company

Apple Security Advisory 2023-03-27-7 - watchOS 9.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-7 watchOS 9.4

watchOS 9.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213678.

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Calendar  
Available for: Apple Watch Series 4 and later  
Impact: Importing a maliciously crafted calendar invitation may  
exfiltrate user information  
Description: Multiple validation issues were addressed with improved  
input sanitization.  
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

CoreCapture  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-28181: Tingting Yin of Tsinghua University

Find My  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23537: an anonymous researcher

FontParser  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27956: Ye Zhang of Baidu Security

Foundation  
Available for: Apple Watch Series 4 and later  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz  
Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-27969: Adam Doupé of ASU SEFCOM

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27933: sqrtpwn

Podcasts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-27942: Mickey Jin (@patch1t)

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: The issue was addressed with additional permissions  
checks.  
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies and  
Wenchao Li and Xiaolong Bai of Alibaba Group

TCC  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2023-27931: Mickey Jin (@patch1t)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: This issue was addressed with improved state management.  
WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A website may be able to track sensitive user information  
Description: The issue was addressed by removing origin information.  
WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

Additional recognition

Activation Lock  
We would like to acknowledge Christian Mina for their assistance.

CFNetwork  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

ImageIO  
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their  
assistance.

Mail  
We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster  
University of Applied Sciences, Damian Poddebniak of FH Münster  
University of Applied Sciences, Tobias Kappert of Münster University  
of Applied Sciences, Christoph Saatjohann of Münster University of  
Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz  
Center for Information Security for their assistance.

Safari Downloads  
We would like to acknowledge Andrew Gonzalez for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHn4ACgkQ4RjMIDke  
NxlR6A/+IfL/Ox8qSL2VCsB8vlkddkF4dX5NK6hHzLqZIBq0LmLS8/iEK21+MKP3  
F3OwkeM/dgPJwTrXyLiMqDrn/Qh9HPUD1j2iNbPIYCZRBd7O4iHgbwhlT7UAZyMu  
JzAMFRokr4tRDJJvDjXHL5dPtk/YliTZSynjeJNqEGG5+rNUW6jjPoqEp5w+aPYG  
HwsxZCvySyaOxdB9mWIKJMPUf+uz/HtAn60CA59UeIxliHbco5yZZdqVwTjEwcz4  
EJockj5dnK7dDa6yIHnGGlv8Owx2wvtUU3bRMSQ712Zqek+qYxS7Bcp3ywwf5OQM  
mIIdLFDaDktNFXMMxsB9IgTuyAziUnjWuJ18NaYPy1lJRBZW/SHblPUoGObRrfoe  
JFa33R8lsW9G9ItvLGdXVB73FyfeKnFI1WkeBTPNk4bhkAbTYzPK7IOdHQ6GYSPi  
DpVJvZqiD6tgIpngqrMjkOVXoM9OhJVct3G81CrqZdSkUrVeBqHrmw7D8FE08xkF  
eqZAnuEDF/muUP49n2RiaIAfw9wFX8wVYbWEziC+DZU5QHqpogHPzn3RJF2yZ3cl  
jhLaY3BEibgE/ISyzQ08JysDWeGHwpyRwhr6FVTlEOuHqMCWfGQ/+WSKF0GigXMD  
itrkUpyaSJdLn+oc2N3hmDGdyPKwWMmRP9Qa4/nAFaPV+CJedbA=  
=KG/z  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-7

Apple Security Advisory 2023-03-27-6 - tvOS 16.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-6 tvOS 16.4

tvOS 16.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213674.

AppleMobileFileIntegrity  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Core Bluetooth  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted Bluetooth packet may result  
in disclosure of process memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-23528: Jianjun Dai and Guang Gong of 360 Vulnerability  
Research Institute

CoreCapture  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-28181: Tingting Yin of Tsinghua University

FontParser  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27956: Ye Zhang of Baidu Security

Foundation  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

ImageIO  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz  
Innovation Lab and  jzhu working with Trend Micro Zero Day Initiative

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-27969: Adam Doupé of ASU SEFCOM

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27933: sqrtpwn

Podcasts  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-27942: Mickey Jin (@patch1t)

TCC  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2023-27931: Mickey Jin (@patch1t)

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: This issue was addressed with improved state management.  
WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: A website may be able to track sensitive user information  
Description: The issue was addressed by removing origin information.  
WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

Additional recognition

CFNetwork  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

ImageIO  
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their  
assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHn0ACgkQ4RjMIDke  
Nxlyyg//ePQb9FK6kVxRCnemA/ohDVERRj4NgAV7wlwaD5S/JiB2J1udvO6PJtMK  
WR70cDcxOyEWwS45ejP/QhkzpEMRQr0Xhgr9E/BRFm8cltHmPbrVLqBXkIYYDYOT  
GfLTgzEPHkHnByJySHr8DfNHxDib7oABRaNWHN5Jlr9c7+acpZokOPk7EXcnwojd  
yZjxkbiSkOmfizS+hIQvrSXQl+squ1Lva8v4KyygWqnCqbnq+9SVKVAFchWTnXqD  
LvODlXEb5a8TwCapcWLQKtrn3oK84tzI9iIDVrY0qhg5Y3Igu0ZrKF6pIcAk2jiA  
MFS6rrgRzOk3nEGCYAIhVY8pt989oE5euC9OK/pT1gOUBzXPAiN3/MmvRqRNkNmJ  
waNaVw/ITLVWbAN7HlwOZCft1qv+jCdtI7w5U/GwTXWR/ZcFeTFq93RNRw3pbhqZ  
dXhJAEbqAxFIgkobmAX7jTnXThs8WJUPIhs3aPFLRrpmVpR+s3XanvGxyXK4gj6/  
9ziqm2HQCCYxz654R65Dh97bRhZRD5vtf9ygtuAbQwQnP61df4MDN3hsQAUyhriT  
vu0TYdd7yg1oG3mqJxybx9eMQOLB8PBGAR3/pXcD+gLiLATRyH6i4QP43uoQCExE  
1hCVqZBIMG/vq8M0XEKT+85/RdaLBdlDKES3N4QLq4UztsWT4bY=  
=P2oh  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-6

After several weeks and more than 130 ransomware victims, GoAnywhere parent company Forta issues a statement.

A vulnerability in a commonly used file transfer service called GoAnywhere has allowed the Clop ransomware group to breach about 130 organizations. Weeks later, details are still emerging about the sprawling attack.

Up until now, those details weren't coming from GoAnywhere parent company Fortra. It's been the victim organization making headlines with public data breach disclosures. GoAnywhere customers which have disclosed that they were breached through the GoAnywhere MFT remote code execution vulnerability, tracked under CVE-2023-0669, so far include Community Health Systems, Hatch Bank, cybersecurity company Rubrik, Hitachi Energy, and the City of Toronto, which, when totaled up, represent the exposure of millions of people's private data to the worst cybercriminal elements.

Clop cybercriminals were eager to provide details of their campaign, claiming on their leak site they used the exploit over the course of 10 days to breach more than 130 companies, according to reports.

For its part, Forta has remained publicly quiet about the steady stream of disclosures. But today, it gave Dark Reading a statement with reassurances that it's committed to helping its customers navigate what is evolving into a communications, as well as a cybersecurity, crisis for the company.

"On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution," Fortra says in a statement issued to Dark Reading. "We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying a developed patch."

Fortra added that it remains committed to supporting its affected users.

"We are working diligently to notify customers who may have been impacted and we coordinated with CISA to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue," Fortra's spokesperson's statement adds. "We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue."

**Fortra's Communications Under Fire**

First reports of the GoAnywhere zero-day were shared on Feb. 2 by cybersecurity news site KrebsOnSecurity, which, after finding the advisory stuffed behind a login page, simply pasted the information for the public to see. Days later a patch was issued by Fortra. Betting on patch lagging, in the ensuing days, the Clop ransomware threat actors were able to take advantage. On Feb. 10, the Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its list of known exploited vulnerabilities catalog. 

Nonetheless, companies have continued to get caught up in the ongoing campaign. And despite Fortra's assurances, cybersecurity analysts, experts, and watchers are widely critical of the company's lack of communication and slow response in offering guidance to victims and targets. The attack surface is broad, too, it should be noted: According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. And according to data from Enlyft, most of those are large organizations — with at least 1,000 and often more than 10,000 employees — mostly based in the United States.

"This one wasn't communicated well, challenging even the best security teams to respond," Heath Renfrow, co-founder of Fenix24 tells Dark Reading in response to the freshly issued statement from Fortra. "This is a good example of how it is necessary for security professionals to have multiple sources of threat intelligence — beyond just their providers — to cover every base. That said, it has been communicated now and anyone using the solution should patch immediately."

Slow communication can be especially detrimental in a software supply chain attack scenario, Dirk Schrader, vice president of security research at Netwrix said.

"To prevent further evolvement of a supply chain attack, it is crucial for the first victim in line to communicate openly and in detail about what happened," he noted via email. "It helps other links in this chain to be prepared for an upcoming threat and minimizes possible damage. It is likely that the current attack was accelerated due to details about this zero-day not being disclosed in a timely manner."

Dark Reading asked Fortra for a response to the criticism of its handling of the cybersecurity incident but has not received a response. Meanwhile, Forta's customer, the City of Toronto, when asked about its communications with Fortra regarding the breach, gave a simple response by email: "Fortra has been communicating with the City and continues to do so."

This isn't the first time users of Clop ransomware have pulled off a mass breach like this. Russian-based FIN11 used Clop ransomware in December 2020 to jump on a similar Accellion zero-day flaw.

Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw

A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.

**Commit 0ba6d8c3** authored Jan 25, 2023 by 

Browse files

**Xi: fix potential use-after-free in DeepCopyPointerClasses**

CVE-2023-0494, ZDI-CAN-19596

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net\>

Pipeline #802019 passed with stages

in 1 minute and 43 seconds

*   Changes 1
*   Pipelines 1

...

...

@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)

memcpy(to\->button\->xkb\_acts, from\->button\->xkb\_acts,

sizeof(XkbAction));

}

else

else {

free(to\->button\->xkb\_acts);

to\->button\->xkb\_acts \= NULL;

}

memcpy(to\->button\->labels, from\->button\->labels,

from\->button\->numButtons \* sizeof(Atom));

...

...

*   mentioned in issue #1437
    
    mentioned in issue #1437

CVE-2023-0494: Xi: fix potential use-after-free in DeepCopyPointerClasses (0ba6d8c3) · Commits · xorg / xserver · GitLab

By Deeba Ahmed
This year's Pwn2Own 2023 was held in Vancouver between March 22nd and 24th, 2023.
This is a post from HackRead.com Read the original post: Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu and more Pwned

At Pwn2Own 2023, participants were awarded a full bounty (more than $1,000,000) in each round for successful exploits.

**Pwn2Own**, as we know it, is an annual computer hacking contest that offers various advantages to the cybersecurity industry. At this year’s Pwn2Own 2023 held in Vancouver between 22 and 24 March 2023, around 19 entries were part of the event, aiming to target nine different platforms, including Tesla cars.

This time, participants were awarded a full bounty (more than $1,000,000) in every round for successful exploits.

During the three-day event, contestants revealed 27 unique zero days and won $1,035,000 cumulatively and a Tesla. Team Synacktiv won the most points (53 points) and was declared the Masters of Pwn. They took home $530,000, a $25,000 bonus, Platinum status in 2024 Pwn2Own, and a Tesla Model 3. Here are the highlights of vulnerabilities disclosed each day.

**Day 1 Highlights:**

**On day 1**, Haboon SA’s AbdulAziz Hariri (@abdhariri) used a 6-bug logic chain to attack Adobe Reader and successfully exploited multiple failed patches that evaded the sandbox and bypassed a banned API list. For this attempt, Hariri warned $50,000 and five Master of Pwn points.

STAR Labs successfully executed a 2-bug chain targeting Microsoft SharePoint and earned $100,000 with ten Master of Pwn points. Team STAR Labs also successfully executed an attack against Ubuntu Desktop. However, this was a known exploit for which they earned $15,000 and 1.5 points.

Qrious Security’s Bien Pham (@bienpnn) successfully exploited Oracle VirtualBox using an OOB Read with a stacked-based buffer overflow and earned $40,000 with 4 Master of Pwn points.

Synacktiv (@Synacktiv) successfully executed a TOCTOU attack against Tesla – Gateway and earned ten Master of Pwn points, a Tesla Model 3, and $100,000.

Marcin Wiązowski managed to get elevated privileges on Windows 11 using an improper input validation bug and received a $30,000 bounty with 3 Master of Pwn points.

**Day 2 Highlights:**

**On day 2**, Synacktiv team’s Thomas Imbert and Thomas Bouzerar successfully demonstrated a 3-bug chain targeting Oracle VirtualBox with a Host EoP. However, since the bug was previously known, they earned $80,000 and eight Master of Pwn points.

Another successful exploit came from Team Synacktiv’s David Berard and Vincent Dehors; they exploited Tesla- Infotainment Unconfined Root through a heap overflow and an OOB write.

The duo qualified for 25 Master of Pwn points, a Tier 2 award, and a $250,000 bounty. Another achievement of Team Synacktiv came from Tanguy Dubroca for acquiring privilege escalation on Ubuntu Desktop using an incorrect pointer scaling. The team earned $30,000 and 3 Master of Pwn points.

On the second day, Team Viettel used a 2-bug chain to target Microsoft Teams and earned eight Master of Pwn points with a $75,000 award. Team Viettel also successfully exploited Oracle VirtualBox using an uninitialized variable with a UAF bug and was awarded $40,000 with four Master of Pwn points.

**Day 3 Highlights:**

**On day 3**, ASU SEFCOM’s Kyle Zeng exploited Ubuntu Desktop using a double-free bug and earned $30,000 with three Master of Pwn points.

Synacktiv’s Thomas Imbert exploited Microsoft Windows 11 using a UAF. Imbert earned three Master of Pwn points and $30,000. Theori’s Mingi Cho also used a UAF to target Ubuntu Desktop. Chio earned a $30,000 bounty and three Master of Pwn points.

Lastly, STAR Labs targeted VMWare Workstation using an uninitialized variable and UAF. They earned eight Master of Pwn points and $80,000.

**Pwn2Own – Good for Cybersecurity**

An initiative like Pwn2Own provides a platform for security researchers to showcase their skills and identify vulnerabilities in widely used software and operating systems. By doing so, the contest helps identify weaknesses that may not have been discovered previously, allowing vendors to develop fixes and improve their products’ security.

Another advantage of Pwn2Own is that it incentivizes researchers to find and report vulnerabilities in a responsible manner, rather than selling them on the black market or using them maliciously. The contest rewards researchers for successfully exploiting vulnerabilities, encouraging them to disclose their findings to the relevant vendors, who can then address the issues and improve the security of their products.

Finally, Pwn2Own helps raise awareness about the importance of cybersecurity and the need for continuous improvement in the security of software and systems. By highlighting the risks and **potential consequences of cyber attacks**, the contest encourages individuals and organizations to take security seriously and invest in measures to protect themselves from potential threats.

1.  Hack DHS and get a $5,000 Bug Bounty
2.  6 of the Best Crypto Bug Bounty Programs
3.  Hack the Pentagon 3.0: Bug Bounty Program
4.  Bug bounty: Hack Tesla Model 3 to win Model 3
5.  Hacker at DefCon Jaikbreaks Tractor to Play Doom

Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu and more Pwned

In two days, ethical researchers from 10 countries have unearthed more than 22 zero-day bugs in a wide range of technologies at the annual hacking contest.

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own hacking contest in Vancouver. The attacks gave them deep access into subsystems controlling the vehicle's safety and other components.

One of the exploits involved executing what is known as a time-of-check-to-time-of-use (TOCTTOU) attack on Tesla's Gateway energy management system. They showed how they could then — among other things — open the front trunk or door of a Tesla Model 3 while the car was in motion. The less than two-minute attack fetched the researchers a new Tesla Model 3 and a cash reward of $100,000.

The Tesla vulnerabilities were among a total of 22 zero-day vulnerabilities that researchers from 10 countries uncovered during the first two days of the three-day Pwn2Own contest this week.

**Gaining Deep Access to Tesla Subsystems**

In the second hack, Synacktiv researchers exploited a heap overflow vulnerability and an out-of-bounds write error in a Bluetooth chipset to break into Tesla's infotainment system and, from there, gain root access to other subsystems. The exploit garnered the researchers an even bigger $250,000 bounty and Pwn2Own's first ever Tier 2 award — a designation the contest organizer reserves for particularly impactful vulnerabilities and exploits.

"The biggest vulnerability demonstrated this year was definitely the Tesla exploit," says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which organizes the annual contest. "They went from what's essentially an external component, the Bluetooth chipset, to systems deep within the vehicle."

Because of the risk involved in hacking an actual Tesla vehicle, the researchers demonstrated their exploits on an isolated vehicle head unit. Tesla head units are the control unit of the car's infotainment system and provide access to navigation and other features.

**A Slew of Zero-Day Bugs**

Some of the other significant discoveries included a two-bug exploit chain in Microsoft SharePoint that fetched Singapore-based Star Labs $100,000 in rewards, a three-bug exploit chain against Oracle Virtual Box with a Host EoP that earned Synacktiv researchers $80,000, and a two-bug chain in Microsoft Teams for which researchers at Team Viette received $75,000.

The bug discoveries have fetched the researchers a total of $850,000 in winnings. ZDI expects that payouts for vulnerability disclosures will hit the $1 million mark by the end of the contest — or about the same threshold as last year. "We're heading towards another million-dollar event, which is similar to what we did last year and slightly larger than what we did at our consumer event last fall," Childs says.

Since launching in 2007 as a hacking contest largely focused on browser vulnerabilities, the Pwn2Own event has evolved to cover a much broader range of targets and technologies including automotive systems, mobile ecosystems, and virtualization software.

At this year's event, researchers, for example, had an opportunity to take a crack at finding vulnerabilities in virtualization technologies such VMware and Oracle Virtual Box, browsers such as Chrome, enterprise applications like Adobe Reader and Microsoft Office 365 Pro Plus, and server technologies such as Microsoft Windows RDP/RDS, Microsoft Exchange, Microsoft DNS, and Microsoft SharePoint.

**A Wide Range of Hacking Targets**

The available awards in each of these categories varied. Eligible exploits and vulnerabilities in Windows RDP/RDS and Exchange for example qualified for rewards of up to $200,000. Similarly, VMware ESXi bugs fetched $150,000, Zoom vulnerabilities qualified for $75,000, and Microsoft Windows 11 bugs earned $30,000.

Vulnerabilities in the automotive category — unsurprisingly — offered the highest rewards, with a total of $500,000 available for grabs to researchers who unearthed bugs in Tesla's systems, including its infotainment system, gateway, and autopilot subsystems. Researchers had an opportunity to try their hand against the Model 3 and Tesla S. Those who found ways to maintain root persistence on the car's infotainment system, autopilot system, or CAN bus system had the opportunity to earn an additional $100,000. The total offered payout of $600,000 is the largest amount for a single target in Pwn2Own history.

Ironically, the browser category, which is what Pwn2Own was all about in its early years, drew no researcher interest this year. "We're seeing about the same level of participation as in years past with the exception of the browser category," Childs says. "No one registered for that, and we can only speculate on why that is."

So far, in the 16 years that the event has been around, researchers have discovered a total of 530 critical vulnerabilities across a range of technologies and received some $11.2 million for their contribution.

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Open source software continues to pose a challenge for companies. With the proper security practices, you can reduce your open source risk and manage it.

Across all industry sectors, open source software continues to pose a challenge for software security. We're all aware that vulnerabilities in commercial and open source software, applications, and operating systems can result in software supply chain breaches, but now we're seeing attackers who are targeting Web applications, API servers, mobile devices, and the software components required to build them.

The latest edition of Synopsys' annual study on open source security has just been released. The "Open Source Security and Risk Analysis" (OSSRA) study from Synopsys looks at the findings of more than 1,700 commercial codebase audits,.

Of the 1,703 codebases that Synopsys audited in 2022, 96% of them contained open source. Aerospace, Aviation, Automotive, Transportation, and Logistics; EdTech; and Internet of Things were three of the 17 industry sectors included in the 2023 OSSRA report that had open source in 100% of their audited codebases. In the remaining verticals, over 92% of the codebases contained open source.

**High-Risk Vulnerabilities Persist in Code**

Since 2019, high-risk vulnerabilities have increased by at least 42% across all 17 OSSRA businesses, with surges soaring to +557% in the retail and e-commerce sectors and +317% in the computer hardware and semiconductors sector.

A five-year retrospective, new to the OSSRA report this year, gives a more comprehensive picture of open source and security trends. Despite variations by industry, the overall open source content of audited codebases grew across the board. Several industries also showed alarming increases in the number of vulnerabilities found in their codebases, indicating a concerning lack of vulnerability mitigation.

One significant area that continues to be a challenge is patch management. Of the 1,703 codebases audited, 89% contained open source that was more than four years out of date (a 5% increase from 2022's report). And 91% used components that were not the latest available version. That is, an update or patch was available but not applied. Along with patch management, license conflicts continue to pose security problems. This year, 54% of audited codebases contained codebases with license conflicts, up 2% from last year.

There are valid reasons for not updating software, but a significant portion of the 91% figure is probably attributable to development teams not being aware that a newer version of an open source component is available. If a company doesn't maintain a precise and current inventory of the open source utilized in its code, a component may go unnoticed until it is exposed to a high-risk exploit.

That's exactly what happened with Log4j, and it's still an issue more than a year later. Despite the public attention it garnered and the many steps businesses may take to verify and fix Log4j's presence in their codebase, it persists in 5% of all codebases and 11% of audited Java codebases.

**Establish Open Source Best Practices for Security**

Establishing software governance best practices can help you launch an open source software management program to protect your resources and data from zero-day vulnerabilities.

**1\. Define your policy.**

Building an open source policy for your organization minimizes your legal, technical, and business risks. You want to identify your key stakeholders, then define your organization's open source software goals, existing utilization, and target usage. The policy should cover open source patches and licenses as well as identifying who will be responsible for maintaining them.

**2\. Create an approval process.**

Establish an approval process to assess if a software package fulfills your organization's needs and quality standards. Consider code quality, support, project maturity, contributor reputation, and vulnerability patterns. An approval process that considers these criteria will prevent teams from having multiple versions of the same software package in your organization's code, some of which may not have been patched or upgraded.

**3\. Audit for open source software.**

Audits reveal your open source software and ensure compliance with company regulations. This can help you locate components for open source license compliance and vulnerability disclosure. You should perform open source scans throughout the software development life cycle (SDLC), but you should ensure that a final scan is done every time an application is built into a release candidate that utilizes open source software, especially if you rely on components from third parties.

**4\. Build an SBOM**

A software bill of materials (SBOM) is a list of all the open source and third-party components present in a codebase. An SBOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, which allows security teams to quickly identify any associated security or license risks. Automating this operation eliminates manual, inaccurate open source inventories.

By putting in place the proper security practices, you can stay on top of your open source vulnerability risk and build a robust system for managing it.

**About the Author**

    

Charlotte Freeman has been writing about tech and security for over 20 years. She's currently a senior security writer for the Synopsys Software Integrity Group.

Open Source Vulnerabilities Still Pose a Big Challenge for Security Teams

Facebook users are notoriously the biggest offenders for sharing fake news and misinformation.

Thursday, March 23, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

After asking ChatGPT to write the newsletter for me two weeks ago, I was tempted to have Google’s Bard do the same, but I resisted making this the newsletter’s new gimmick.

Instead, I wanted to write about another tech giant — Meta.

The company recently doubled down on a threat to remove news links and sharing from its Facebook and Instagram platforms if Canada passes its proposed Online News Act, or bill C-18. The proposed legislation would compel companies like Meta and Google to sign agreements with Canadian news organizations that would pay them each time a user clicks on a news link through one of their platforms (i.e., via a shared link on Facebook or a Google search result).

But as the great Tobey Maguire once said in the cinematic classic “Spider-Man:” “I fail to see how that’s my problem.”

If Facebook stops users from sharing news links on their pages, it could be a net positive. Facebook users are notoriously the biggest offenders for sharing fake news and misinformation. A May 2020 study published in Nature Human Behavior found that Facebook pointed users to fake news websites during the 2016 presidential election at a higher rate than any other social media platform.

A separate study from Harvard found that during the first few months of 2020, the rate of user engagement with fake news to mainstream news stories was 1:3.5, and the International Communications Association found via a study of social media users that, “sharing countermedia content on Facebook is positively associated with ideological extremity and negatively associated with trust in the mainstream news media.”

If Instagram, Facebook and other social media sites were to follow along with this with Canada (Google already started quietly removing news links from its search engine last month in protest of the Online News Act), I think it could go a long way toward fighting disinformation. If users can’t get their news through social media, they may be forced to seek out information independently rather than blindly clicking “share” on Great Aunt Betty’s post, which is just a bad parody from the Babylon Bee.

I also would be remiss to not discuss the benefits this legislation would possibly have on newsrooms in Canada. As a former journalist, and someone who was worried about being laid off 24/7 in my previous jobs, it’s a financial struggle out there right now for legitimate news organizations. Online advertising isn’t what it once was, so many outlets are being forced to pivot to hard paywalls or rely on clickbait articles that don’t deliver any news. If this presents a new way to fund legitimate journalism, especially if the only financial burden falls on the richest companies in the world, it could go a long way to sustaining newsrooms.

Just because something becomes legal in Canada doesn’t mean other countries are going to be adopting the same rules any time soon. But if news sharing does suddenly go away on Facebook in Canada, maybe it will force all of us to think about where we’re really consuming our news from and how we consumed news even just 15 years ago.

**The one big thing**

We’re still reminding people to update their Microsoft Outlook clients as soon as possible after the disclosure of CVE-2023-23397. Attackers have reportedly been exploiting this vulnerability since last year, though a fix is available now through Microsoft. Adversaries could manipulate a targeted system into supplying the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

**Why do I care?**

Multiple sources, including Microsoft itself, have confirmed that this vulnerability is being used in the wild. Plus, users don’t even have to open the email or any malicious attachments to trigger this vulnerability, the specially crafted email just has to hit the target’s Outlook inbox. This is a high-severity, low-complexity vulnerability everyone should be patching for if they haven’t already.

**So now what?**

Microsoft has released a patch that should be applied, but Talos also has several layers of detection and protection available. If, for some reason, your organization cannot apply this patch, Microsoft also provided a few mitigation options, including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network.

**Top security headlines of the week**

The **popular dark web site BreachForums shut down this week** after the FBI arrested its main admin. This is the latest in a string of law enforcement wins against cybercrime groups, who also brought down the Hive ransomware gang in January and RaidForums, BreachForums’ predecessor, last year. The site’s administrator, who goes by the username “Pompompurin,” also claimed responsibility for a data breach of the FBI’s email system in November 2021. Cyber criminals commonly used BreachForums to buy and sell stolen databases of information and had been at the center of recent high-profile data breaches, including this month's attack on DC Health Link that led to the theft of sensitive information belonging to several Congressional representatives. (Krebs on Security, Axios)

Google’s security research team **discovered several zero-day vulnerabilities in certain Samsung chips** that leave many Google smartphones and other wearable devices vulnerable. There are four critical flaws that could compromise affected devices “silently and remotely” over the cellular network, according to Google Project Zero’s blog post on the matter. An attacker could exploit those vulnerabilities to “remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number.” Google says it was forced to disclose the vulnerabilities without a patch for many of the affected devices because Samsung did not adhere to its 90-day deadline to issue a fix. (TechCrunch, Google Project Zero)

TikTok’s CEO was scheduled to **appear before a U.S. Congressional committee Thursday** to discuss the popular app’s data security and privacy policies as there are renewed calls among the federal government to block the app. Prepared statements from CEO Shou Zi Chew showed that he would tout TikTok’s $1.5 billion investment in storing U.S. users’ information on Oracle servers and allow outside monitors to inspect the company’s source code. U.S. regulators have reportedly threatened to ban TikTok unless the company’s Chinese owners sell their stake, though the actual mechanics of blocking and de-listing the app are more complicated than they seem on the surface. (ABC News, New York Times)

**Can’t get enough Talos?**

*   New threat actor wages espionage campaigns across Central Asia and Eastern Europe
*   Threat Roundup for March 10 - 17
*   Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution
*   Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities
*   Talos Takes Ep. #131: Why does the Prometei botnet keep growing?

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 280c8c4f08700f0fea08f0e3ca6e96eadccf49c414c56b6a855c945769678e66  
**MD5:** cd1f364e46c6367dd96f8469eb226981  
**Typical Filename:** cd1f364e46c6367dd96f8469eb226981.scr  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Upatre::dk

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Tag

#zero_day