ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.

Software

*   ENGLISH   |  العربية

*   Home
*   Products
    *   Body Temperature and Mask Detection
    *   Visible Light Product
        *   Android
        *   Linux
    *   Time Attendance
        *   Biometric T&A Device
            *   Fingerprint Device
            *   Multi-Biometric Device
        *   Portable Device
        *   Software
    *   Access Control
        *   Standalone Device
            *   Fingerprint
            *   Multi-Biometric
            *   RFID
        *   Control Panel
            *   Access Control Panel
            *   Elevator Control Panel
        *   Reader
            *   Fingerprint Reader
            *   ID Reader
        *   Accessories
        *   Software
    *   Entrance Control
        *   Turnstile
        *   Vehicle Inspection
        *   Vehicle Security
        *   Software
    *   Security Inspection
        *   Metal Detector
        *   X-Ray Luggage Inspection
    *   Video Surveillance
        *   Network Camera
        *   Network Video Recorder
        *   Software
    *   Smart Lock
        *   Fingerprint Lock
        *   Glass Door Lock
        *   Face Lock
        *   Hotel Lock
        *   Card Lock
        *   Bluetooth Lock
        *   Software
    *   Biometrics
        *   Biometric Readers
        *   Embedded Module
        *   Hybrid Biometrics Tablet
    *   POS System
        *   POS Terminal
        *   POS Peripherals
        *   POS Software
*   Solutions
    *   Time Management
    *   People Counting Solution
    *   Access Control Management
    *   Visitor Management System
    *   Elevator Control
    *   Parking Management
    *   Hotel Management
*   Press
    *   News
    *   Events
    *   Newsletter
*   Support
    *   Online Support
    *   Download
        *   Software
        *   Data Sheet
        *   User Manual
        *   Installation Guide
        *   Quick Start Guide
    *   FAQ
    *   Training
*   About Us
    *   Company
    *   Contact Us
    *   Enquiry

CVE-2022-30515: Time Attendance Software

In MMU_UnmapPages of the PowerVR kernel driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-243825200

_Published November 7, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-11-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-11-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-11-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-2209

A-235601882

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20441

A-238605611

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20446

A-229793943

EoP

High

10, 11

CVE-2022-20448

A-237540408

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20450

A-210065877

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20452

A-240138318

EoP

High

13

CVE-2022-20457

A-243924784

EoP

High

13

**Multiple components**

The vulnerability in this section could lead to local denial of service with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20426

A-236263294

DoS

High

10, 11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20451

A-235098883

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20454

A-242096164

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20462

A-230356196

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20463

A-231985227

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20465

A-218500036

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20445

A-225876506

ID

High

10, 11, 12, 12L, 13

CVE-2022-20447

A-233604485

ID

High

13

CVE-2022-20414

A-234441463

DoS

High

10, 11, 12, 12L, 13

CVE-2022-20453

A-240685104

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

Media Framework components

CVE-2022-2209

WiFi

CVE-2022-20463

**2022-11-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-11-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2021-1050

A-243825200 \*

High

PowerVR-GPU

CVE-2021-39661

A-246824784 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2022-32601

A-234038598  
M-ALPS07319132 \*

High

telephony

CVE-2022-32602

A-245050053  
M-ALPS07388790 \*

High

keyinstall

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Subcomponent

CVE-2022-2984

A-244673210  
U-1901978 \*

High

Kernel

CVE-2022-2985

A-244657985  
U-1882490 \*

High

Android

CVE-2022-38669

A-244666286  
U-1883755 \*

High

Android

CVE-2022-38670

A-244674480  
U-1883755 \*

High

Android

CVE-2022-39105

A-245210875  
U-1830881 \*

High

Kernel

CVE-2022-38672

A-244684957  
U-1957128 \*

High

Kernel

CVE-2022-38673

A-246482122  
U-1957128 \*

High

Kernel

CVE-2022-38676

A-244683429  
U-1908118 \*

High

Kernel

CVE-2022-38690

A-244109033  
U-1914157 \*

High

Kernel

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-25724

A-238106223  
QC-CR#3090325 \[2\] \[3\]

High

Display

CVE-2022-25741

A-240972788  
QC-CR#3147273

High

WLAN

CVE-2022-25743

A-240973083  
QC-CR#3153406

High

Display

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2021-35122

A-213239915 \*

Critical

Closed-source component

CVE-2021-35108

A-209469945 \*

High

Closed-source component

CVE-2021-35109

A-209469824 \*

High

Closed-source component

CVE-2021-35132

A-213240063 \*

High

Closed-source component

CVE-2021-35135

A-213239949 \*

High

Closed-source component

CVE-2022-25671

A-231156429 \*

High

Closed-source component

CVE-2022-33234

A-240971780 \*

High

Closed-source component

CVE-2022-33236

A-240973180 \*

High

Closed-source component

CVE-2022-33237

A-240972236 \*

High

Closed-source component

CVE-2022-33239

A-240982982 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-11-01 or later address all issues associated with the 2022-11-01 security patch level.
*   Security patch levels of 2022-11-05 or later address all issues associated with the 2022-11-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-11-01\]
*   \[ro.build.version.security\_patch\]:\[2022-11-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-11-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-11-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-11-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

November 7, 2022

Bulletin Published

CVE-2021-1050: Android Security Bulletin—November 2022  |  Android Open Source Project

In typec, there is a possible out of bounds write due to an incorrect calculation of buffer size. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07262454; Issue ID: ALPS07262454.

**November 2022 Product Security Bulletin**

Published 2022-11-07

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform and OTT chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-32601, CVE-2022-32602

Medium

CVE-2022-26446, CVE-2022-21778, CVE-2022-32603, CVE-2022-32605, CVE-2022-32607, CVE-2022-32608, CVE-2022-32609, CVE-2022-32610, CVE-2022-32611, CVE-2022-32612, CVE-2022-32613, CVE-2022-32614, CVE-2022-32615, CVE-2022-32616, CVE-2022-32617, CVE-2022-32618

****Details****

CVE

**CVE-2022-32601**

Title

Deserialization of untrusted data in telephony

Severity

High

Vulnerability Type

EoP

CWE

CWE-502 Deserialization of Untrusted Data

Description

In telephony, there is a possible permission bypass due to a parcel format mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8321, MT8385, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8795T, MT8797, MT8798

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-32602**

Title

Improper input validation in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In keyinstall, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6883, MT6983, MT8183, MT8185, MT8321, MT8385, MT8675, MT8765, MT8766, MT8768, MT8786, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26446**

Title

Reachable assertion in Modem 4G RRC

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-617 Reachable Assertion

Description

In Modem 4G RRC, there is a possible system crash due to improper input validation. This could lead to remote denial of service, when concatenating improper SIB12 (CMAS message), with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT2731, MT2735, MT6297, MT6725, MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6789, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Modem LR12A, LR13, NR15, NR16

CVE

**CVE-2022-21778**

Title

Improper input validation in vpu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In vpu, there is a possible information disclosure due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT6779, MT6785, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6891, MT6893, MT8168, MT8175, MT8183, MT8365, MT8385, MT8788

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-32603**

Title

Improper input validation in gpu drm

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In gpu drm, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6893, MT6895, MT6985, MT8795T, MT8798

Affected Software Versions

Android 12.0

CVE

**CVE-2022-32605**

Title

Improper input validation in isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In isp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983

Affected Software Versions

Android 12.0

CVE

**CVE-2022-32607**

Title

Improper input validation in aee

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In aee, there is a possible use after free due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6762, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8362A, MT8365, MT8385, MT8666, MT8675, MT8696, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791, MT8791T, MT8795T, MT8797, MT8871, MT8891

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-32608**

Title

Time-of-check time-of-use (toctou) race condition in jpeg

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Description

In jpeg, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6893, MT6895

Affected Software Versions

Android 12.0

CVE

**CVE-2022-32609**

Title

Improper synchronization in vcu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Improper Synchronization

Description

In vcu, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6762, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8168, MT8185, MT8365, MT8696, MT8768, MT8786, MT8789, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2022-32610**

Title

Improper synchronization in vcu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Improper Synchronization

Description

In vcu, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6762, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8168, MT8185, MT8365, MT8696, MT8768, MT8786, MT8789, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2022-32611**

Title

Improper input validation in isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-32612**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in vcu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In vcu, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6762, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8168, MT8185, MT8365, MT8696, MT8768, MT8786, MT8789, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2022-32613**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in vcu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In vcu, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6762, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8168, MT8185, MT8365, MT8696, MT8768, MT8786, MT8789, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2022-32614**

Title

Double free in audio

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-415 Double Free

Description

In audio, there is a possible memory corruption due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6789, MT6855, MT6879, MT6893, MT6983, MT8168, MT8365, MT8797, MT8798

Affected Software Versions

Android 12.0

CVE

**CVE-2022-32615**

Title

Improper input validation in ccd

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ccd, there is a possible out of bounds write due to uninitialized data. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6983, MT8871, MT8891

Affected Software Versions

Android 12.0

CVE

**CVE-2022-32616**

Title

Improper input validation in isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In isp, there is a possible out of bounds write due to uninitialized data. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6983, MT8871, MT8891

Affected Software Versions

Android 12.0

CVE

**CVE-2022-32617**

Title

Incorrect calculation of buffer size in typec

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-131 Incorrect Calculation of Buffer Size

Description

In typec, there is a possible out of bounds write due to an incorrect calculation of buffer size. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6789, MT6855, MT6895, MT6983, MT8798

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2022-32618**

Title

Incorrect calculation of buffer size in typec

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-131 Incorrect Calculation of Buffer Size

Description

In typec, there is a possible out of bounds write due to an incorrect calculation of buffer size. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6873, MT6893, MT8798

Affected Software Versions

Android 11.0, 12.0, 13.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

November 7, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-32618: November 2022

Missing parameter type validation in the DRM module. Successful exploitation of this vulnerability may affect availability.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the October 2022 Android security bulletin:

Critical: CVE-2022-25720

High: CVE-2022-20412, CVE-2022-20413, CVE-2022-20422, CVE-2022-20421, CVE-2021-0696, CVE-2021-0699, CVE-2021-0951, CVE-2022-20423

Medium: CVE-2021-39758, CVE-2022-20415, CVE-2022-25664, CVE-2022-25666, CVE-2022-20253, CVE-2022-20257, CVE-2022-20269, CVE-2022-20273, CVE-2022-20278, CVE-2022-20290, CVE-2022-20313, CVE-2022-20314, CVE-2022-20333, CVE-2022-20334

Low: none

Already included in previous updates: CVE-2022-20247, CVE-2022-20271, CVE-2022-20272, CVE-2022-20292, CVE-2022-20297, CVE-2022-20302, CVE-2022-20399, CVE-2021-0986

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-46851: Vulnerability of unstrict verification of the memory's security attribute in the DRM module

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability by attackers may cause the video playback to be abnormal.

CVE-2021-46852: Logic bypass vulnerability in the memory management module

Severity: Medium

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-44546: Vulnerability that the kernel module automatically frees the memory but does not clear the mapping

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2022-44547: UAF vulnerability in the Display Service module

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may cause Display Service to reset and restart.

CVE-2022-44548: Vulnerability of unstrict permission verification during Bluetooth pairing

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause the dialog box for confirming the pairing not to be displayed during Bluetooth pairing.

CVE-2022-44549: Geofencing API access vulnerability in the LBS module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause third-party apps to access the geofencing API without authorization, affecting user confidentiality.

CVE-2022-44550: UAF vulnerability when traversing layers in the graphics display module

Severity: High

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-44551: Thread security vulnerability in the iaware module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality, integrity, and availability.

CVE-2022-44552: Vulnerability of defects being introduced in the design process in the lock screen module

Severity: Medium

Affected versions: EMUI11.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-44553: Vulnerability of not filtering third-party apps out when the HiView module traverses to invoke the system provider

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause third-party apps to be activated periodically.

CVE-2022-44554: Unstrict permission verification vulnerability in the power module

Severity: Medium

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may cause the status of a module to be abnormal.

CVE-2022-44555: Service hijacking vulnerability in the DDMP/ODMF module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause service unavailability.

CVE-2022-44556: Missing parameter type validation in the DRM module

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-44557: Vulnerability of obtaining the read and write permissions on arbitrary system files in the SmartTrimProcessEvent module

Severity: High

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-44558: Mismatch between serialization and deserialization in the AMS module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause privilege escalation.

CVE-2022-44559: Mismatch between serialization and deserialization in the AMS module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause privilege escalation.

CVE-2022-44560: Intent redirection vulnerability in the launcher module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause launcher module data to be modified.

CVE-2022-44561: Permission verification vulnerability in the preset launcher module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability allows unauthorized apps to add arbitrary widgets and shortcuts without interaction.

CVE-2022-44562: Mismatch between serialization and deserialization at the system framework layer

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause privilege escalation.

CVE-2022-44563: Race condition vulnerability in SD upgrade mode

Severity: High

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-44556: November

An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.

CVE-2020-35473: ACM CCS 2022

Microsoft added certificate-based authentication (CBA) to the Azure Active Directory to help organizations enable phishing-resistant MFA that complies with US federal requirements. The change paves the way for enterprises to migrate their Active Directory implementations to the cloud.

Microsoft has removed a key obstacle facing organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.

The release of CBA in Azure AD, announced during last month's Microsoft Ignite conference, promises to pave the way for large enterprises to migrate their on-premises Active Directory implementations to the cloud. It's a move Microsoft is encouraging enterprises to undertake to protect their organizations from phishing attacks.

Further, this week, Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices without requiring IT to install user certificates. Specifically, Microsoft on Wednesday issued a preview release of Azure AD with CBA support on mobile devices using security keys from Yubico.

**Meeting Federal Standards**

CBA capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with US President Joe Biden's 2021 Executive Order (14028) on Improving the Nation's Cybersecurity.

The executive order directs all federal government agencies and those it does business with to move to zero trust architecture (ZTA) security. Phishing-resistant MFA is a requirement detailed in the follow-on guidance, Memorandum MB-22-09, issued early this year by the US Office of Budget and Management (OMB).

OMB's memorandum specifies that all civilian and intelligence agencies implement cloud-based identity architectures resistant to phishing. That means eliminating legacy MFA solutions that attackers can compromise, including SMS and one-time password (OTP) based authentication susceptible to phishing attacks.

SMS phishing attacks, also called "smishing," are fraudulent text messages that appear legitimate, directing victims to enter personal information into a fake website. "Smishing has turned increasingly into a meaningful attack vector; I see it all the time," says Andrew Shikiar, executive director of the FIDO Alliance.

Beyond federal agencies and contractors, preventing phishing from MFA bypass attacks has become crucial to all enterprises. This year, MFA relay attacks have escalated; for example, in the August compromise of Twilio's broadly used MFA service, the attackers prompted unwitting users to share their Okta credentials.

Experts anticipate such attacks will rise next year. "I think social engineering and MFA bypass attacks will continue to grow in 2023, where some other major service providers suffer meaningful breaches like we did this year," Shikiar says.

**Moving From ADFS to Azure AD**

Microsoft emphasized that CBA in Azure AD is critical in paving the way for federal government agencies to comply with the president's executive order. CBA provides a migration path from on-premises Active Directory Federation Services (ADFS) to the cloud-based Azure AD.

Now that CBA is available in Azure AD, organizations can use the cloud-based version of Active Directory to require users to login directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them with an organization's public key infrastructure (PKI) using X.509 certificates. The X.509 certificate renders applications resistant to phishing because each user and device has its unique certificate.

Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. "What Microsoft is doing is removing the hurdle of having to have a separate service, and between you and the cloud, they're supporting that natively," says Derek Hanson, VP of solutions architecture and standards at Yubico.

"This removes the last major blocker for those of you who want to move all of your identities to the cloud," said Joy Chik, president of Microsoft's identity and network access division, during a session at the company's Ignite conference.

Chik emphasized that connecting applications to Azure AD paves the way for retiring on-premises ADFS, which organizations typically use to enable PKI. However, most organizations have relied on ADFS for decades, and migrating to Azure AD is a complex move. Nevertheless, Chik said it is necessary. "ADFS has become a primary attack vector," she said.

Indeed, most enterprises that use X.509 for authentication rely on federated servers — and in most cases, that means ADFS. Doug Simmons, managing director and principal consulting analyst at TechVision Research, estimates that at least 80% to 90% of enterprises use ADFS.

"I really don't know of any organizations that are not using ADFS," Simmons says. Now that CBA is available in Azure AD, Simmons agrees that organizations will begin the process of migrating from ADFS. "I think they will likely make the migration within the next two years," he says.

**Fulfilling the Government Mandates**

During the past year, Chik said that Microsoft has added more than 20 capabilities to ensure that all the critical authentication capabilities in ADFS are available in Azure AD. "Certificate-based authentication is critical for customers in regulated industries," Chik said. But she added, "This includes US federal agencies, which must deploy phishing resistant MFA to comply with White House executive order on cyber security."

Simmons notes that enabling agencies to meet this mandate is critical for Microsoft to retain and expand government deployments, especially agencies that require authentication that complies with the FIPS 140 and FIDO2 standards. "From what I understand, Microsoft needs Azure to stay ahead of the FedGov game or risk being further being overtaken by Google, AWS and others," Simmons explains. "So, this would be necessary to demonstrate said compliance and fully integrated support."

Earlier this year, Microsoft launched Entra, an identity and access management (IAM) platform anchored by Azure Active Directory and using other tools, including Permissions Management, Verified ID, Workload Identities, and Identity Governance.

"With Entra, they are making a significant investment in multi-cloud administrative security," Simmons adds. "Multicloud is key because they realize the world doesn't end with Azure. In fact, most of their customers — and probably all of our customers — have the big three clouds in production. To better secure cross-cloud admin, they need to make strong authentication available to the privileged users, who can be developers and admins. Just supporting phone-based push MFA isn't enough for some organizations, especially when it comes to the US government and defense."

**Bringing Azure AD CBA Support to Mobile Devices**

Microsoft's release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico's YubiKey. Microsoft's director of identity security Alex Weinert announced the release in a brief blog post.

"With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," Weinert wrote.

Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile. Ultimately, contractors and US Department of Defense personnel will be able to embed their DoD common access cards (CAC) and personal identity verification (PIV) cards into their mobile devices.

"CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt," said Yubico solutions architect Erik Parkkonen in a blog post. Besides taking some configuration steps within Azure AD and installing the Microsoft Authenticator app on Android or iOS/iPadOS, users must install the Yubico Authenticator app on mobile devices.

Users must then install their personal identity verification (PIV) credential independent of the Azure solution, Parkkonen noted. Further, administrators can deploy Microsoft's latest Conditional Access authentication strength policies to enforce CBA. Microsoft last week released a preview of the new Conditional Access authentication strength capabilities.

Microsoft's Certificate-Based Authentication Enables Phishing-Resistant MFA

An analysis by RSA Conference's security operations center found 20% of data over its network was unencrypted and more than 55,000 passwords were sent in the clear.

Even cybersecurity professionals need to improve their security posture.

That's the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information security officer had a misconfigured email client that sent passwords and text in the clear, including sensitive documents such as their payment for a professional certification.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

"As the RSA Conference is mostly attended by cybersecurity professionals and supporting roles within the security industry, we generally consider the demographic to represent more of a 'best-case' level of security awareness," she says. "Somewhat shockingly, unencrypted email is still being used in 2022."

The annual report presents a view into network usage among a security-focused group of users. Cisco and NetWitness emphasized that the wireless network at the RSA Conference is not configured in the most secure way, but configured to be monitored for educational purposes. For that reason, the network has a flat architecture, allowing any device to contact any other device on the network. Host isolation, which allow devices a route to the internet but not to other devices on the network, would be more secure but less interesting.

**User Credentials at Risk**

At approximately 19,900 attendees, the 2022 RSA Conference only had about half the number of people as the previous conference in 2020, but about the same number of users on the network, the report stated.

The major issue was failure to use encryption for the authentication step when using email and other popular applications. Nearly 20% of all data passed through the network in the clear, the report stated.

"Encrypting traffic does not necessarily make one more secure, but it does stop individuals from giving away their credentials, and organizations from giving away corporate asset information in the clear," the report stated.

Yet the situation isn't as bad as it could be. Because the wireless network includes traffic from the show floor, many of the usernames and passwords are likely from demo systems and environments, the report stated. Moreover, most of the cleartext usernames and passwords — almost 80% — were actually leaked by devices using the older version of the Simple Network Management Protocol (SNMP). Versions 1 and 2 of the protocol are considered insecure, while SNMP v3 adds significant security capabilities.

"This is not necessarily a high-fidelity threat," the report stated. "\[H\]owever, it does leak information about the device as well as the organization it's trying to communicate with."

In addition to the continued use of plaintext usernames and passwords, the SOC found that the number of online applications continues to grow rapidly, suggesting that the attendees are increasingly relying on mobile devices to get work done. The SOC, for example, captured unencrypted video camera traffic connecting to home security systems on port 80 and the unencrypted data used for setting up voice-over-IP calls.

**CISO Mistake**

For the most part, the unencrypted traffic is likely from small-business users, the companies stated in the report. "It is difficult to send email in cleartext these days, and analyzing these incidents found similarities," the report stated. "Most of this traffic was to and from hosted domains. This means email services on domains that are family names or small businesses."

Yet in one case, a chief information security officer had misconfigured their email client and ultimately exposed their email username and password by sending the data in the clear. The SOC discovered the issue when it found a receipt for a CISSP payment sent in the clear from an Android-based email client.

"The discovery sparked an investigation that confirmed dozens of emails from and to the person were downloaded across the open network in the unsecure protocol," the report stated.

Companies should verify that the technologies used by employees have created end-to-end encrypted connections and should apply zero-trust principles to check — at appropriate times — that the encryption is still being applied.

"We've found applications and websites that authenticate encrypted and then pass the data without encryption across the open networks," Cisco Secure's Oppenheimer says. "Alternatively, some will pass unencrypted credentials across open networks and then encrypt the data. Both scenarios are less than ideal."

Virtual private networks are not a panacea but can strengthen the security of unencrypted applications. Finally, organizations should use cybersecurity and awareness training to educate their hybrid workers in how to be secure when working from remote locations.

Unencrypted Traffic Still Undermining Wi-Fi Security

Investment round led by 11.2 Capital, Okta Ventures, and Mango Capital.

**LONDON and SAN FRANCISCO, Nov. 7, 2022 /PRNewswire/** — The newly available SURF zero-trust, identity-first enterprise browser reinforces organizational security by providing the critical visibility necessary to prevent attacks while simultaneously ensuring every user's privacy. The platform streamlines collaboration and delivers easy, secure access to applications and data for managed and unmanaged (BYOD) devices.

"The browser has become the main productivity tool for employees, which has turned it into the largest attack surface as well," said Pramod Gosavi, 11.2 Capital. "We invested because SURF directly addresses companies' security needs without compromising on the productivity and privacy of the end users."

The platform leverages identity first and already has deep integration with Okta's market-leading identity platform and access management (IDP) technology.

"The secure enterprise browser is one of the fastest growing markets," said Austin Arensberg, Senior Director, Okta Ventures. "We wanted to make sure we backed the most comprehensive solution - SURF, which simultaneously delivers on companies' critical priorities of identity, security, and privacy."

Founders Moty Jacob and Ziv Yankowitz spent five years working together as CISO and CTO at London-based ICAP-NEX Group, which was acquired by CME Group (the world's leading derivatives marketplace) for $5.4 billion. They built Chromium-based applications to strengthen security and ease management of financial transactions.

SURF Security was established to allow global enterprises to close security gaps – without affecting productivity -- by collapsing the security stack into one single powerful control point: the enterprise browser.

"Ziv and I have taken a pragmatic approach to building the browser, completely eliminating the trade-off between strengthening security at the expense of agility and productivity. We wanted to be business enablers," says Moty. "After many years of trying to stay one step ahead of threat actors with too many niche tools, we decided to integrate many security tools into a single solution, reinforced with zero trust and identity - while making everything easy for administrators and users."

Led by 11.2 Capital, Mango Capital, Okta Ventures, and security-focused Angel investors, the Seed round, combined with the already expanding customer base, allows the company the resources and support to grow significantly over the coming years.

"SURF has completely rethought browser endpoint security by natively designing the solution around Chromium and CDN/edge platforms, such as Cloudflare and Fastly," said Robin Vasan, Founder and Partner at Mango Capital. "They are also providing tight integration with key identity platforms like Okta and HashiCorp in user and machine identity security respectively, strengthening their market position."

The SURF browser observes every interaction between users and applications to discover policy breaches while enabling complete administrative visibility and control – without collecting individual personal data.

After quick and easy provisioning, enterprises can enforce security controls like DLP, content disarming and reconstruction, phishing prevention, session killswitch, on-the-fly file encryption, browser extension management, device posture checks, transactional MFA, watermarking, and more.

SURF replaces existing tools like VDI, VPN, RBI, DaaS, etc. Instead of adding overhead layers of virtualization, cost, and complexity and fracturing the user experience, the security and access controls are built directly within the browser. Users get full native experiences and streamlined performance, without any middle tiers, as if they were using the consumer version of any browser.

The platform delivers a complete end-to-end zero-trust experience for both on-prem and cloud applications, all built inside the browser. The comprehensive solution eliminates shadow IT, data leakage, social engineering, credential stuffing, unwanted extensions, browser-based attacks, and many other threats. Enterprises can streamline access to all software development tools and processes as well.

The SURF browser is available for Windows, Android, Apple, and Linux.

_Visit SURF at Oktane22 Nov. 8-10 at Moscone West in San Francisco._

**SOURCE:** SURF

Out of Stealth: New SURF Zero-Trust Enterprise Browser

By Habiba Rashid
The apps reported by Malwarebytes contain Android trojan yet the developer is still active on Google Play, continuing their scam.
This is a post from HackRead.com Read the original post: Google Fails To Remove “App Developer” Behind Malware Scam

  
One can never be too sure about an **app’s legitimacy** even if it is found to have approving ratings on the Google Play store. On 1st November 2022, Malwarebytes Labs analyst Nathan Collier reported on a family of malicious apps developed by Mobile apps Group that are currently available on Google’s app store even at the time of writing.

Before proceeding to discuss the details of the malware’s workings, we advise our readers to watch out for the following apps and delete them from their devices immediately:  

*   Bluetooth Auto Connect
*   Bluetooth App Sender
*   Driver: Bluetooth, Wi-Fi, USB
*   Mobile transfer: smart switch

All four apps are infected with the hidden ads trojan and the developer seems to be familiar with common tactics used to **evade detection of malware** because they have created a self-delaying schedule for the displaying of these ads.

If you have any of these apps on your Android device remove them now

The Bluetooth Auto Connect app, for example, takes approximately four days from the time it is installed to display its first ad in Chrome. This is followed by further timed delays which are always succeeded by a sequence of new ads.

The **phishing sites** opened in Chrome vary and range from harmless sites used to produce pay-per-click to more dangerous sites that attempt to trick unwary users by stating that their device has been infected and needs to be updated.

This activity continues in the background even while the mobile device is locked which means that upon unlocking their phones, users will be faced with numerous phishing website tabs in Chrome that they will have to close each time. 

In their must-read **blog post**, the analysts at Malwarebytes have compiled a list that shows the long history of the variants of HiddenAds that have infected this particular app. This behavior, it seems, is also common for the other apps from the Mobile apps Group.

What’s shocking is that previous versions of these apps have been found to contain varying versions of Android/Trojan.HiddenAds, the developer is still active on Google Play, distributing more HiddenAds malware. 

Although it’s unclear why the company’s built-in malware defense program, **Google Play Protect**, is unable to detect these apps, it turns out that this is not the first time such an issue has been brought to light.

A recent **report from Bitdefender,** a cybersecurity company, showed that there were up to 35 malicious apps being listed on Play Store that have over 2 million downloads combined. They also noted that these apps rename themselves and change their app icon after being installed in order to confuse users and remain undetected. 

At times like this where users cannot even rely on the good ratings that an app presumably has to verify its authenticity (three of the malicious apps listed above have favorable ratings themselves), it is difficult to conclude how well one can guard its device against threats such as adware.

Moreover, with this one example of malware that has still not been removed, we can only imagine the other threats that go **undetected on the Google Play Store** and continue to infect the devices of those who install them. 

1.  **Android app with 1b users fails to fix flaws; expose to malware**
2.  **Play Store Apps Caught Spreading Android Malware to Millions**
3.  **BRATA Android malware factory resets phones after stealing funds**
4.  **Google, Microsoft and Oracle generated most vulnerabilities in 2021**
5.  **Scylla Ad Fraud Attack on iOS, Android Users Halted by Apple and Google**

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Google Fails To Remove “App Developer” Behind Malware Scam

Authentication idea advanced but not yet fulfilled

Authentication idea advanced but not yet fulfilled

ANALYSIS Advances in technology over the last decade have enabled academics to make progress in creating so-called one-time programs.

One-time programs (OTPs) – originally presented at the Crypto ‘08 conference – describe a type of cryptographically obfuscated computer program that can be run only once, a special property that makes them useful for several applications and use cases.

OTPs were first proposed by researchers Goldwasser, Kalai, and Rothblum.

The general idea is that ‘Alice’ can send ‘Bob’ a computer program that is encrypted in such a way that:

1.  Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs.
2.  Bob can learn nothing about the secret program by running it.

The run-only-once requirement runs into trouble because it would be trivial to install a run-once-only program on multiple virtual machines, trying each one with different inputs. This would violate the whole premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob.

No such tokens were ever made, so the whole idea has lain dormant for more than a decade.

**OTP revived**

But now a team of computer scientists from Johns Hopkins University and NTT Research have laid the groundwork for how it might be possible to build one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services.

More specifically they have hacked ‘counter lockbox’ technology and applied its use to an unintended purpose. Counter lockboxes protect an encryption key under a user-specified password, enforcing a limited number of incorrect password guesses (typically 10) before the protected information is erased.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to cheat the system – the focus of the research.

**Garbled circuits**

The researchers’ work shows how multiple counter lockboxes might be chained together to form so-called ‘garbled circuits’, a construction that might be used to build one-time programs.

A paper describing this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography conference (TCC 2022).

The clearest application for OTPs is preventing brute-force attacks, says one researcher

  
**Hardware-route discounted**

One alternative means of constructing one-time programs, considered by the paper, is using tamper-proof hardware. But tamper-proof hardware would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, \[and\] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” Green explains.

RELATED Post-quantum cryptography hits standardization milestone

Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome.

In practical terms, someone could realize this technology by creating multiple iCloud or Google accounts and then using Apple’s iCloud Key Vault \[pdf\] or Google’s Titan Backup service to store a ‘backup key’ for each of them. This is anything but elegant and the computer scientists at John Hopkins are inviting other researchers to progressing their research by coming up with neater schemes.

**A bastion against brute-force attacks**

Harry Eldridge from Johns Hopkins University, who is lead author of the paper, told The Daily Swig that one-time programs could have multiple uses.

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords,” Eldridge explained. “For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.

“However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords \[such as a four-digit PIN\] can actually be pretty secure,” Eldridge added.

More generally this could be applied to other forms of authentication – for example if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan.

**‘Autonomous’ ransomware risk**

One danger posed by the approach is that bad guys might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.”

Read more of the latest encryption security news

The feedback on the work so far has been “generally positive”, according to Eldridge.

“\[Most agree\] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high,” Eldridge told The Daily Swig. “There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”

Professor Alan Woodward, a computer scientist at the University of Surrey, welcomed the research.

“It’s a nice paper and it doesn’t claim to be the ultimate answer: it gives a solution in the hope that others may find better ways of doing the same thing,” Prof. Woodward told The Daily Swig.

“If achievable it means one-time programs become viable, and that opens up an interesting array of applications where you want someone to be able to run your program but not to be able to undertake differential analysis to learn about how the program functions.”

RECOMMENDED Matrix address flaws that break message encryption assurances

Tag

#android