Apple Security Advisory 10-25-2023-7 - tvOS 17.1 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-7 tvOS 17.1

tvOS 17.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213987.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

mDNSResponder  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A device may be passively tracked by its Wi-Fi MAC address  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_co

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: A logic issue was addressed with improved checks.  
WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

Additional recognition

VoiceOver  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal India for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y9wACgkQX+5d1TXa  
IvrRTRAAz4nWc26PQyQXR++/ZQLQ2CsbuuS5fFu9kVdYC3sLzyNeVVffl23ur0g3  
XIh7TFVUEp6tDIp9hCuHREsSKbvdL3TobPo4YW4jm6x4eM2Q3y1VsYHyyL7rECkU  
2SromQVh3s5oOzMG4tcDqYJOtmO47woxMKzF466sPOrrORQxYWBab2kjYJz5SXyJ  
0EHlgCzE9JWjsLp4gFREn+NQpb4xkLSOKE5YnIehU3oVPymBKMWhG/C4y8LsUgF6  
MzzO8LK1XoijrCtlsBUPNqtqqs3lp6RRjH88ELp5OkMCwu/EvlLIRT8n84Xjvlbq  
BzRuE0rtxkBwBQiKtNToo70wEdoDdXF/v/aRezYEUcAnXtgEUbh5uFytvOWqDyXd  
3GEdsmApdQO5guwn/YGNoBTh2HNjXGeq/3qldBTmwqSqLwceWfmBvoC/whXORWne  
HV2CvuGpTvsSWP24XLbzUtlf0t2biJv6GGjGULOhG05i0ONX8ni5uormFwwrsZMO  
n4S/DR9QRwYRXej7Lg40dpwpOHMSwB4yaGaO8DiRX7a35GmNZGu+WRTSDlL+cOGg  
I413GkCEbxdOa9Fc0LrEmLWOd9ziJCSz/S51YXNRUGgE7SbaVC1xb1s0R0M4SEca  
popvjyWamuVVjfzL3RQJQEdXiUkKqlBJK5MQDJTAi8vMjr2sTCo=  
=b+on  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-7

Apple Security Advisory 10-25-2023-6 - macOS Monterey 12.7.1 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-6 macOS Monterey 12.7.1

macOS Monterey 12.7.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213983.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreAnimation  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Monterey  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

Kernel  
Available for: macOS Monterey  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

Model I/O  
Available for: macOS Monterey  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Sandbox  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to access private  
information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-40425: Csaba Fitzl (@theevilbit) of Offensive Security

talagent  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WindowServer  
Available for: macOS Monterey  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers  
We would like to acknowledge an anonymous researcher for their  
assistance.

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

macOS Monterey 12.7.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y5oACgkQX+5d1TXa  
Ivqb6BAAieI+tJLfoXDjA0sTp609OWejWuxdN1SYm8DCRu6P5Qdt3YMa8pn00HhO  
qEzCi8UdZ39itc7duw8iQa5SbMdXaMahFOV/LBCaMeYLtQbIHhMPJLe8sV3MPLgt  
keAs21DKhlAVKfxG3Y3v6aIxf2RUbv19fFC2k+cqNvieHj8S5WxMLC0LSIfekHJ2  
uewaIpTrUHxjnJkStF/e+9QquJB4FXWX6Vx3vWY6UjclO380u8lilOQ13JW8kWNU  
Hhxz/CnH4u0H92RnVOY5vOHt4bY+uh7JOj/PZNIhPAv3MrvPWzFcqQvfQPjRa5zZ  
AAcWReslUWwnEVlCkdTAyitqTsbxKaMn9h60jy03HE5ydcSjsBIGhX4TWETv9r2m  
LqMHpsvQanPJZz2zi9LsptDOtVOiDji/5EVwZd5IG4z8fauLgbJ5VGgSj9RE8q01  
FGzYSmuMY4BNf+bu2w9SexbBsVvCtAvMuedFy8Z4Gdi4nz2OauVjAXVo/AdKKeQk  
aN2PnXOmTJLigJziwCbyTUbYEy4pjL9mJwAkbYDm5fUbU5FYhrBJ+XuhIIz/MkIN  
foFk82DGzre1yORU+zPXlT0Y/khO5ZvFvQUDyG9FClrw0GrBGBMBtUriTTm46n0b  
RF2rs8ucMPOfM0fFpWZIeiulY2tekAFOLOK5j425pjjfRN2+XJw=zXmL  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-6

Apple Security Advisory 10-25-2023-3 - iOS 15.8 and iPadOS 15.8 addresses code execution and integer overflow vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-25-2023-3 iOS 15.8 and iPadOS 15.8iOS 15.8 and iPadOS 15.8 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213990.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.KernelAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS released before iOS 15.7.Description: An integer overflow was addressed with improved inputvalidation.CVE-2023-32434: Félix Poulin-Bélanger, Georgy Kucherin (@kucher1n),Leonid Bezvershenko (@bzvr_), Boris Larin (@oct0xor), and ValentinPashkov of KasperskyThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.8 and iPadOS 15.8".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5YzUACgkQX+5d1TXaIvpmvxAApiw8TypIquob7TaOaS3F0K/Ny/GCw8JRXM6NQMEKftYhxcDbVXZo1OyE2Wvk9uVJv1Jkm7YLY4kfKrsbPxOKhS/3zSBpc+IGpyELEG8KIMUnh0FlYoHwFAJzxKcg0PyH0RBfwa63+H05TG/aGBx/eeCsfjcAsyDNj9rxFUGmoI4JhscZ7RbXYrMkbt3EaC43GQ0T8ah3kDtT+KirvU41m5m9yuzizfKNJQZRdd5oD7ad5zkS/VHK+mZjpCy2NvXI+Z6md6KEDiUBY4GRlr+xGwCapKv7iZ8jMHkwHy18TszaP1yR7+TLmh4QFySj0xuwvSq+4fkXql+1ap/x3u6WcoEoetMswyfg1UXGh2WreqLnMPcIRe5MVPQEjBvzk0a5OZUH2G3EF1WwFhrdDeS54H3Q0KGunm4/1WECcKbbI09Le348UhcZpdAm+2mEjs+F73U0J71TasNEsPZhXmijxQIOd2V/gvrCpW/6587wX3kmVs63iJ86FWhgFglSmWPfuNCrarWASAbx1DeT+rbYvL+VzB17vTpZWO+4AHhtj3tpwEWzoWezAXAXe4Zq1T8CF6qZ26D8Aez5EoFyBC9bh+hZX1pvZsllTzHcs656WVpopXw+J/klqM0JvgnlbBBWN9qUZIYcNd9Pycr+IiTBBny6pTub6yQExvj4R2RKvg8==m+Ng-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-3

Apple Security Advisory 10-25-2023-1 - iOS 17.1 and iPadOS 17.1 addresses bypass, code execution, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-25-2023-1 iOS 17.1 and iPadOS 17.1iOS 17.1 and iPadOS 17.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213982.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.ContactsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) andCsaba Fitzl (@theevilbit) of Offensive SecurityCVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)CoreAnimationAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to cause a denial-of-serviceDescription: The issue was addressed with improved memory handling.CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0wFind MyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: The issue was addressed with improved handling of caches.CVE-2023-40413: Adam M.ImageIOAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may result in disclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2023-40416: JZIOTextEncryptionFamilyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-40423: an anonymous researcherKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker that has already achieved kernel code execution maybe able to bypass kernel memory mitigationsDescription: The issue was addressed with improved memory handling.CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de <http://pinauten.de/>)Mail DraftsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Hide My Email may be deactivated unexpectedlyDescription: An inconsistent user interface issue was addressed withimproved state management.CVE-2023-40408: Grzegorz RiegelmDNSResponderAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A device may be passively tracked by its Wi-Fi MAC addressDescription: This issue was addressed by removing the vulnerable code.CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_coPasskeysAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to access passkeys withoutauthenticationDescription: A logic issue was addressed with improved checks.CVE-2023-42847: an anonymous researcherPhotosAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Photos in the Hidden Photos Album may be viewed withoutauthenticationDescription: An authentication issue was addressed with improved statemanagement.CVE-2023-42845: Bistrit DahlaPro ResAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of360 Vulnerability Research InstituteSiriAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker with physical access may be able to use Siri toaccess sensitive user dataDescription: This issue was addressed by restricting options offered ona locked device.CVE-2023-41982: Bistrit DahlaCVE-2023-41997: Bistrit DahlaCVE-2023-41988: Bistrit DahlaStatus BarAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A device may persistently fail to lockDescription: The issue was addressed with improved UI handling.CVE-2023-40445: Ting Ding, James Mancz, Omar Shibli, an anonymousresearcher, Lorenzo Cavallaro, and Harry LewandowskiWeatherAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School ofComputer Science, RomaniaWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 259836CVE-2023-40447: 이준성(Junsung Lee) of Cross RepublicWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: A use-after-free issue was addressed with improved memorymanagement.WebKit Bugzilla: 259890CVE-2023-41976: 이준성(Junsung Lee)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: A logic issue was addressed with improved checks.WebKit Bugzilla: 260173CVE-2023-42852: an anonymous researcherWebKit Process ModelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 260757CVE-2023-41983: 이준성(Junsung Lee)Additional recognitionlibarchiveWe would like to acknowledge Bahaa Naamneh for their assistance.libxml2We would like to acknowledge OSS-Fuzz, Ned Williamson of Google ProjectZero for their assistance.Power ManagerWe would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University ofCalifornia, San Diego for their assistance.VoiceOverWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College Of Technology Bhopal India for their assistance.WebKitWe would like to acknowledge an anonymous researcher for theirassistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.1 and iPadOS 17.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5YlsACgkQX+5d1TXaIvo6xBAAz5wnchUVfj3YbZf3KoadrXFmkWVjtU6sme4ZgN2+gsX+oF1Cunxvx3N2lGG1dldfG+gmJ3nmtp9/hBCIMvBt5Bus3NdD2nuJ7IbLbP2YuUOrMX3FDPNB8UPE84d6wZ7B3VVKVxeUsaZzuDlMCvGySyaVelBTxEdDx6RjsHlOe0LWwqoQJ4rrUOO9wdBogsDpD4JNt++6UarA1f2+OC1mePdiI9e1t6OI+q92IOZu3/cGDda/rFoL/TpY+iC1n9qkyyEOj3anfFi6fjybQQK/XPYccv4iWdP2xi5nqKDQ95nYlnf2LmI6gMOWJutciLyLzqSI3eHY4cL99/NLpMI7UkgBRNHsNwH9d0mJlVyjIBtevJbWKDJl9iSH3LeZmeMV1x3WQ9JshGmDYvXWJ9cyppKHRsu5BLeMpzis6dmv3FD+sBbI7Or9REKahyYP0N8YfTGBcFoTa4r0tx1r51+Dy7uUbuMHDxRbXkTLRReEzmyXyxMC+HcEzLUAq0YWuGwR3kZ9x+mlBKBxj+/4dltzKWg8lxOTC733RR78/vsgbf1M3cFpibsubH0LhC9k7RXnV9AYexsEoasFtHuIQQPErTVJqWYYKi6knM34fn64reitK8224Cy6SXybo55ZsTVV+XRmuzppiOjMFXupcTUTozdmcyXwMaMKSJYAbkOXtLQ==iliY-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-1

Zatik takes a fractional approach to AppSec leadership to help small firms access the expertise they need to build secure-by-design software.

One of the fundamental principles of secure-by-design software development is that organizations need to account for security concerns right out of the gate. It's built into the way the applications are designed, architected, and coded. The trouble for small companies that build software is that it can be really hard for them to access and pay for the kind of application security expertise necessary to fold that kind of accountability into the engineering or DevOps process. And so small companies build and ship their software — oftentimes innovative applications upon which their whole business model is based — without much consideration for security.

By the time a startup has "grown up" and built its business big enough to feasibly hire some application security professionals, secure-by-design has already gone out the window. The software stack has already accumulated a ton of security technical debt. That new AppSec team is behind the eight ball before they even start. And without expensive refactoring, oftentimes all they can do is bolt on security controls or apply Band-Aids to security problems that may run very deep.

It's an age-old problem, and one that's simply not practical to get all preachy about to small business owners or small dev teams.

"Experienced application security people are in short supply, and they're getting hoovered up by the big companies, by the Microsofts, Amazons, Apples, and Googles of the world, and if you are a smaller company, you're just not competing on that playing field," explains Kymberlee Price, who has led product security and AppSec teams, worked as a security researcher, and run red team and incident response operations for the likes of Microsoft, Amazon, and Bugcrowd.

Price has been around the block enough to recognize that not only are best-in-class product security pros and security-aware developers still the "unicorns" of the software engineering market, but also that most small businesses aren't big enough to even have enough work to keep one of them busy for very long.

"They don't need a unicorn full time. They need a unicorn maybe for a quarter to set some strategy, and then they need 10% of a unicorn for the rest of the year," she says.

**Sharing the Unicorns**

This is the underlying problem Price hopes to alleviate with her new consulting firm, Zatik. Together with co-founder Jon Callas, another security luminary known for founding PGP and Silent Circle, Price hopes to level the software security playing field for startups and small businesses. Zatik is a fractional security consulting firm that helps companies tap into that small percentage of unicorn-level AppSec expertise that they need to get a security program up and running. It's built in the same mold as a virtual CISO (vCISOs), with a slightly different focus.

"We love virtual CISOs. But they're frequently enterprise-focused and compliance-focused. And we're more looking at, how do you build your product securely by design, the DevOps pipeline, CI/CD, security controls, and things like that," Price explains. "So it's a really nice complement to that fractional model."

For some companies, if they're early enough in their arc, they may need the full package of building out an entire cybersecurity program — something she and Callas are equipped to help them navigate.

"Our sweet spot really is securing the developer experience, but we can help them look at their tech stack, make some recommendations, and make some introductions to other partners," says Price.

She says that she and Callas currently run the company themselves, but they plan on adding more staff as Zatik scales and also leaning on a network of partners to provide additional expertise in areas as necessary for their clients.

"I mean, I can't help you secure your product if you have no employee access control," Price says. "So we wouldn't turn our nose up at other areas."

Ultimately, the goal is to help smaller companies develop that security-by-design ethos from the outset. Price sees that not only as a great business opportunity, but a way to move the needle on security across the tech world.

"One of the things I love about the kind of small companies we're talking to is we're getting in early in their maturity cycle," she says. "So as they're growing, they're growing with a secure-by-design platform where the engineers they're hiring and managing understand that this is 'just how we do it.' Of course we have branch protection, of course we do these things because it was there from day one, versus the security team showing up later and demanding that they have to change things."

Do Small Companies Need Fractional AppSec Teams Akin to Virtual CISOs?

An EU government body is pushing a proposal to combat child sexual abuse material that has significant privacy implications. Its lead advocate is making things even messier.

Danny Mekić, an Amsterdam-based PhD researcher, was studying a proposed European law meant to combat child sexual abuse when he came across a rather odd discovery. All of a sudden, he started seeing ads on X, formerly Twitter, that featured young girls and sinister-looking men against a dark background, set to an eerie soundtrack. The advertisements, which displayed stats from a survey about child sexual abuse and online privacy, were paid for by the European Commission.

Mekić thought the videos were unusual for a governmental organization and decided to delve deeper. The survey findings highlighted in the videos suggested that a majority of EU citizens would support the scanning of all their digital communications. Following closer inspection, he discovered that these findings appeared biased and otherwise flawed. The survey results were gathered by misleading the participants, he claims, which in turn may have misled the recipients of the ads; the conclusion that EU citizens were fine with greater surveillance couldn’t be drawn from the survey, and the findings clashed with those of independent polls.

The micro-targeting ad campaign categorized recipients based on religious beliefs and political orientation criteria—all considered sensitive information under EU data protection laws—and also appeared to violate X’s terms of service. Mekić found that the ads were meant to be seen by select targets, such as top ministry officials, while they were concealed from people interested in Julian Assange, Brexit, EU corruption, Eurosceptic politicians (Marine Le Pen, Nigel Farage, Viktor Orban, Giorgia Meloni), the German right-wing populist party AfD, and “anti-Christians.”

Mekić then found out that the ads, which have garnered at least 4 million views, were only displayed in seven EU countries: the Netherlands, Sweden, Belgium, Finland, Slovenia, Portugal, and the Czech Republic.

At first, Mekić could not figure out the country selection, he tells WIRED, until he realized that neither the timing nor the purpose of the campaign was accidental. The Commission’s campaign was launched a day after the EU Council met without securing sufficient support for the proposed legislation Mekić had been studying, and the targeted counties were those that did not support the draft.

The legislation in question is a controversial proposal by the EU Commission known as Chat Control or CSA Regulation (CSAR) that would obligate digital platforms to detect and report any trace of child sexual abuse material on their systems and in their users’ private chats, covering platforms such as Signal, WhatsApp, and other messaging apps. Digital rights activists, privacy regulators, and national governments have strongly criticized the proposal, which the European data protection supervisor (EDSR) Wojciech Wiewiorowski said would amount to “crossing the Rubicon” in terms of mass surveillance of EU citizens.

“I think it is fair to say that this was an attempt to influence public opinion in countries critical of the indiscriminate scanning of all digital communications of all EU citizens and to put pressure on the negotiators of these countries to agree to the legislation,” says Mekić. “If the European Commission, a significant institution in the EU, can engage in targeted disinformation campaigns, it sets a dangerous precedent.”

The Dutch researcher’s find adds to the controversy surrounding the Commission, which has recently come under fire due to allegations that certain AI firms and advocacy groups with significant financial backing have had a notable level of influence over the shaping of CSAR—allegations that lead Commissioner Ylva Johansson countered, asserting that she had committed no wrongdoing. Johansson’s office did not respond to WIRED’s request for comment.

“There’s an inexplicable obsession with this file \[CSAR\] in the Commission. I don’t know where that comes from,” EU lawmaker Sophie in ’t Veld told WIRED after she submitted a priority parliamentary question on the case. “Why are they doing \[the campaign\] while the legislative process is still ongoing?”

As the pressure on the Commission has been mounting, Johansson lashed out against the influential civil rights nonprofit European Digital Rights, one of the strongest critics of the legislation and a defender of end-to-end encryption. She referred to its funding from Apple, suggesting EDRi was laundering the company’s talking points. “Apple was accused of moving encryption keys to China, which critics say could endanger customer data. Yet no one asks if these are strange bedfellows, no one assumes Apple is drafting EDRI’s speaking points,” she noted in a Commission blog on October 13.

Referring to EDRi’s independence and transparent funding processes, senior policy adviser Ella Jakubowska tells WIRED: “Attempts to delegitimize civil society suggest a worrying effort to silence critical voices, in line with broader trends of shrinking civic space. When both the content and the process regarding this law are so troubling, we need to ask how the European Commission allowed it to reach this point.”

Adding to the Commission’s conspicuous ad campaign, Mekić’s discovery came on the same day the European Commission formally sent X a request for information under the Digital Services Act, the sweeping EU digital disinformation law, following indications of “spreading of illegal content and disinformation” on the platform.

“The Commission’s ability to enforce the DSA could be undermined if their own services are willing to flagrantly disregard these rules. Whilst the DSA is supposed to rein in the power of big tech, the CSA Regulation would force digital service providers to become a privatized police force in all our online chats, emails, and messages,” says Jakubowska. “It’s hard to see how these regimes can coexist or more broadly, how the EU can uphold fundamental human rights if it passes a law which could violate the essence of certain rights.”

The votes in the European Parliament and EU Council are still pending. “The Commission seems to forget its own role here: It is not a legislator. It only has the prerogative of proposing legislation,” says in ’t Veld. “It has no business interfering in the internal debate, neither in the Council nor in the European Parliament. The Commission is completely out of bounds here.”

Commenting on the negotiations, the outcome of which remains uncertain, EDRi’s Jakubowska observed that “it is reassuring to see that many lawmakers are alert to just how terrifying it would be for the EU to endorse a proposal that in essence amounts to distributed spyware on everyone’s devices.”

As far as the contested ad campaign is concerned, Wiewiorowski, the European data protection supervisor, initiated a pre-investigation requesting from the Commission “information related to the described use of microtargeted ads,” with a response due by the end of last week. Wiewiorowski’s office declined WIRED’s request to comment on the potential for a formal investigation.

Ironically, Danny Mekić now believes he’s been shadowbanned by X, alongside other journalists, scientists, and researchers who have been critical of CSAR. X did not respond to WIRED’s request for comment.

“I haven’t received any response from X,” Mekić says. “Steps are currently being taken to find out what caused this and whether it was an algorithmic or human decision or whether it was done at the request of so-called trusted flaggers—such as, for example, the European Commission itself, or one of the organizations involved in the CSAR lobby.”

A Controversial Plan to Scan Private Messages for Child Abuse Meets Fresh Scandal

The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location.
The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up

The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location.

The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed **Operation Triangulation**, went to conceal and cover up its tracks while clandestinely hoovering sensitive information from the compromised devices.

The sophisticated attack first came to light in June 2023, when it emerged that iOS have been targeted by a zero-click exploit weaponizing then zero-day security flaws (CVE-2023-32434 and CVE-2023-32435) that leverages the iMessage platform to deliver a malicious attachment that can gain complete control over the device and user data.

The scale and the identity of the threat actor is presently unknown, although Kaspersky itself became one of the targets at the start of the year, prompting it to investigate the various components of what it said in a fully-featured advanced persistent threat (APT) platform.

The core of the attack framework constitutes a backdoor called TriangleDB that's deployed after the attackers obtain root privileges on the target iOS device by exploiting CVE-2023-32434, a kernel vulnerability that could be abused to execute arbitrary code.

Now, according to the Russian cybersecurity company, the deployment of the implant is preceded by two validator stages, namely JavaScript Validator and Binary Validator, that are executed to determine if the target device is not associated with a research environment.

"These validators collect various information about the victim device and send it to the C2 server," Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov said in a technical report published Monday.

"This information is then used to assess if the iPhone or iPad to be implanted with TriangleDB could be a research device. By performing such checks, attackers can make sure that their zero-day exploits and the implant do not get burned."

By way of background: The starting point of the attack chain is an invisible iMessage attachment that a victim receives, which triggers a zero-click exploit chain designed to stealthily open a unique URL containing obfuscated JavaScript as well as an encrypted payload.

The payload is the JavaScript validator that, besides conducting various arithmetic operations and checking for the presence of Media Source API and WebAssembly, performs a browser fingerprinting technique called canvas fingerprinting by drawing a yellow triangle on a pink background with WebGL and calculating its checksum.

The information collected following this step is transmitted to a remote server in order to receive, in return, an unknown next-stage malware. Also delivered after a series of undetermined steps is a Binary Validator, a Mach-O binary file that carries out the below operations -

*   Remove crash logs from the /private/var/mobile/Library/Logs/CrashReporter directory to erase traces of possible exploitation
*   Delete evidence of the malicious iMessage attachment sent from 36 different attacker-controlled Gmail, Outlook, and Yahoo email addresses
*   Obtain a list of processes running on the device and the network interfaces
*   Check if the target device is jailbroken
*   Turn on personalized ad tracking
*   Gather information about the device (username, phone number, IMEI, and Apple ID), and
*   Retrieve a list of installed apps

"What is interesting about these actions is that the validator implements them both for iOS and macOS systems," the researchers said, adding the results of the aforementioned actions are encrypted and exfiltrated to a command-and-control (C2) server to fetch the TriangleDB implant.

One of the very first steps taken by the backdoor is to establish communication with the C2 server and send a heartbeat, subsequently receiving commands that delete crash log and database files to cover up the forensic trail and hamper analysis.

Also issued to the implant are instructions to periodically exfiltrate files from the /private/var/tmp directory that contain location, iCloud Keychain, SQL-related, and microphone-recorded data.

A notable feature of the microphone-recording module is its ability to suspend recording when the device screen is turned on, indicating the threat actor's intention to fly under the radar.

What's more, the location-monitoring module is orchestrated to use GSM data, such as mobile country code (MCC), mobile network code (MNC), and location area code (LAC), to triangulate the victim's location when GPS data is not available.

"The adversary behind Triangulation took great care to avoid detection," the researchers said. "The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Operation Triangulation: Experts Uncover Deeper Insights into iOS Zero-Day Attacks

In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.

**Stack Buffer & Global Overflow Patches by @h02332 for DemoICCMax****Summary**

There is a stack buffer overflow at the icFixXml function and there is a global buffer overflow in the CIccPRMG::GetChroma function.

**Bug 1**

There is a stack buffer overflow at the icFixXml function, which is defined in IccUtilXml.cpp at line 330. The overflow occurs on a variable named 'fix', which is defined in IccTagXml.cpp at line 337.

    Error Details:
    Error Type: Stack buffer overflow.
    File: IccUtilXml.cpp
    Function: icFixXml
    Line: 330
    Variable Affected: 'fix' (defined in IccTagXml.cpp at line 337)
    Memory Affected: Address 0x7ff7b129ad20
    

**PoC**

     ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    iccToXml(12862,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    
    ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b129ad20 at pc 0x00010f569ed9 bp 0x7ff7b129ab70 sp 0x7ff7b129ab68
    WRITE of size 1 at 0x7ff7b129ad20 thread T0
        #0 0x10f569ed8 in icFixXml(char*, char const*) IccUtilXml.cpp:330
        #1 0x10f4ff381 in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:353
        #2 0x10f4eb22a in CIccProfileXml::ToXmlWithBlanks(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccProfileXml.cpp:264
        #3 0x10f4e632c in CIccProfileXml::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:79
        #4 0x10ec6821f in main IccToXml.cpp:38
        #5 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    Address 0x7ff7b129ad20 is located in stack of thread T0 at offset 288 in frame
        #0 0x10f4fed5f in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:336
    
      This frame has 7 object(s):
        [32, 288) 'fix' (line 337) <== Memory access at offset 288 overflows this variable
        [352, 608) 'buf' (line 338)
        [672, 928) 'data' (line 339)
        [992, 1016) 'datastr' (line 340)
        [1056, 1080) 'agg.tmp'
        [1120, 1144) 'ref.tmp' (line 351)
        [1184, 1208) 'ref.tmp45' (line 360)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow IccUtilXml.cpp:330 in icFixXml(char*, char const*)
    Shadow bytes around the buggy address:
      0x7ff7b129aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x7ff7b129ad00: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
      0x7ff7b129ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x7ff7b129ae80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
    

**Expected Output**

    ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    XML successfully created
    

**Bug 2**

There is a global buffer overflow, that can potentially be exploited to execute arbitrary code or lead to undefined behavior.

    Error Details:
    Error Type: Global buffer overflow.
    File: IccPrmg.cpp
    Function: CIccPRMG::GetChroma
    Line: 163
    Affected Variable: 'icPRMG_Chroma' defined in IccPrmg.cpp
    Memory Affected: Address 0x000103847bf0
    

**PoC**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(12888,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    =================================================================
    ==12888==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103847bf0 at pc 0x00010365ce45 bp 0x7ff7bd5f1a80 sp 0x7ff7bd5f1a78
    READ of size 4 at 0x000103847bf0 thread T0
        #0 0x10365ce44 in CIccPRMG::GetChroma(float, float) IccPrmg.cpp:163
        #1 0x10365cefd in CIccPRMG::InGamut(float, float, float) IccPrmg.cpp:170
        #2 0x10365d151 in CIccPRMG::InGamut(float*) IccPrmg.cpp:183
        #3 0x10365de40 in CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:240
        #4 0x10365ea4e in CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:288
        #5 0x102913176 in main iccRoundTrip.cpp:177
        #6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    0x000103847bf0 is located 0 bytes after global variable 'icPRMG_Chroma' defined in '/Users/xss/Downloads/DemoIccMAX-master/IccProfLib/IccPrmg.cpp' (0x103847060) of size 2960
    SUMMARY: AddressSanitizer: global-buffer-overflow IccPrmg.cpp:163 in CIccPRMG::GetChroma(float, float)
    Shadow bytes around the buggy address:
      0x000103847900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000103847b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
      0x000103847c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    

**Expected Output**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(29379,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    Profile:          '/Users/xss/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc'
    Rendering Intent: Relative Colorimetric
    Specified Gamut:  Not Specified
    
    Round Trip 1
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       1.46
    Max DeltaE:        7.05
    
    Max L, a, b:   32.481213, 7.808893, 7.558380
    
    Round Trip 2
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       0.64
    Max DeltaE:        2.81
    
    Max L, a, b:   39.559242, 7.503039, -29.157310
    
    PRMG Interoperability - Round Trip Results
    ------------------------------------------------------
    DE <= 1.0 (   25388):  12.6%
    DE <= 2.0 (   33627):  16.7%
    DE <= 3.0 (   36466):  18.1%
    DE <= 5.0 (   42342):  21.0%
    DE <=10.0 (   58679):  29.1%
    Total     (  201613)
    

**Build**

    cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer -Wall -std=c++17" ../Build/Cmake
    make
    

**Testing****OS**

    ProductName:		macOS
    ProductVersion:		14.0
    BuildVersion:		23A344
    

**Platform****Data**

Various inputs from CVE-2022-26730 and CVE-2023-32443 were used as PoC's

**Crash Reports****icFixXml(char\*, char const\*) + 410**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
    Exception Codes:       KERN_INVALID_ADDRESS at 0x00007ff7b34d7000
    Exception Codes:       0x0000000000000001, 0x00007ff7b34d7000
    
    Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
    Terminating Process:   exc handler [9557]
    
    VM Region Info: 0x7ff7b34d7000 is not in any region.  Bytes after previous region: 1  Bytes before following region: 1519771648
          REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
          Stack                    7ff7b2cd7000-7ff7b34d7000 [ 8192K] rw-/rwx SM=SHM  thread 0
    --->  GAP OF 0x5a95e000 BYTES
          unused __TEXT            7ff80de35000-7ff80de9d000 [  416K] r-x/r-x SM=COW  ...ed lib __TEXT
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   iccToXml                      	       0x10cadb4fa icFixXml(char*, char const*) + 410
    1   iccToXml                      	       0x10ca90027 CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) + 1431
    2   ???                           	0x6161616161616161 ???
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x00007ff7b34d7000  rbx: 0x000000010d301bf0  rcx: 0x0000000000000061  rdx: 0x00007ff7b34d7001
      rdi: 0x00007ff7b34d6e62  rsi: 0x00007ff7b34d6e68  rbp: 0x00007ff7b34d4310  rsp: 0x00007ff7b34d42b0
       r8: 0x0000000000000006   r9: 0x0000000000000000  r10: 0x000000000000000d  r11: 0x00007ff6a68674fd
      r12: 0x00007ff7b34d6600  r13: 0x0000000000000000  r14: 0x000000010ca2b650  r15: 0x00007ff7b34d6780
      rip: 0x000000010cadb4fa  rfl: 0x0000000000010202  cr2: 0x00007ff7b34d7000
      
    Logical CPU:     0
    Error Code:      0x00000006 (no mapping for user data write)
    Trap Number:     14
    
    Thread 0 instruction stream:
      44 19 00 e8 42 52 17 00-48 8b 75 e8 48 81 c6 04  D...BR..H.u.H...
      00 00 00 48 89 75 e8 48-89 45 a8 e9 42 00 00 00  ...H.u.H.E..B...
      48 8b 7d e8 48 8d 35 ac-44 19 00 e8 1a 52 17 00  H.}.H.5.D....R..
      48 8b 75 e8 48 81 c6 04-00 00 00 48 89 75 e8 48  H.u.H......H.u.H
      89 45 a0 e9 1a 00 00 00-48 8b 45 f0 8a 08 48 8b  .E......H.E...H.
      45 e8 48 89 c2 48 81 c2-01 00 00 00 48 89 55 e8  E.H..H......H.U.
     [88]08 48 8b 45 f0 48 05-01 00 00 00 48 89 45 f0  ..H.E.H.....H.E.	<==
      e9 69 fe ff ff 48 8b 45-e8 c6 00 00 48 8b 45 f8  .i...H.E....H.E.
      48 83 c4 60 5d c3 55 48-89 e5 48 83 ec 20 48 89  H..`].UH..H.. H.
      7d f8 48 89 75 f0 89 55-ec 48 8b 7d f8 48 8b 75  }.H.u..U.H.}.H.u
      f0 48 63 55 ec e8 ac f0-ff ff 48 8b 7d f8 88 45  .HcU......H.}..E
      eb e8 76 33 17 00 48 83-c4 20 5d c3 66 2e 0f 1f  ..v3..H.. ].f...
    

**CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_CRASH (SIGABRT)
    Exception Codes:       0x0000000000000000, 0x0000000000000000
    
    Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
    Terminating Process:   iccRoundTrip [12888]
    
    Application Specific Information:
    abort() called
    
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   libsystem_kernel.dylib        	    0x7ff80e2357a6 __pthread_kill + 10
    1   libsystem_pthread.dylib       	    0x7ff80e26df30 pthread_kill + 262
    2   libsystem_c.dylib             	    0x7ff80e18ca4d abort + 126
    3   libclang_rt.asan_osx_dynamic.dylib	       0x103b39516 __sanitizer::Abort() + 70
    4   libclang_rt.asan_osx_dynamic.dylib	       0x103b38c74 __sanitizer::Die() + 196
    5   libclang_rt.asan_osx_dynamic.dylib	       0x103b1cf2a __asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
    6   libclang_rt.asan_osx_dynamic.dylib	       0x103b1c1dd __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
    7   libclang_rt.asan_osx_dynamic.dylib	       0x103b1d448 __asan_report_load4 + 40
    8   libIccProfLib2.2.1.15.dylib   	       0x10365ce45 CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
    9   libIccProfLib2.2.1.15.dylib   	       0x10365cefe CIccPRMG::InGamut(float, float, float) + 46 (IccPrmg.cpp:170)
    10  libIccProfLib2.2.1.15.dylib   	       0x10365d152 CIccPRMG::InGamut(float*) + 498 (IccPrmg.cpp:183)
    11  libIccProfLib2.2.1.15.dylib   	       0x10365de41 CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) + 3169 (IccPrmg.cpp:240)
    12  libIccProfLib2.2.1.15.dylib   	       0x10365ea4f CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) + 111 (IccPrmg.cpp:288)
    13  iccRoundTrip                  	       0x102913177 main + 1063 (iccRoundTrip.cpp:177)
    14  dyld                          	    0x7ff80dee53a6 start + 1942
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007ff7bd5f0ce8  rdx: 0x0000000000000000
      rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7bd5f0d10  rsp: 0x00007ff7bd5f0ce8
       r8: 0x00001ffef7abe1a0   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000246
      r12: 0x0000000000000103  r13: 0x2000000000000000  r14: 0x00007ff851846e80  r15: 0x0000000000000016
      rip: 0x00007ff80e2357a6  rfl: 0x0000000000000246  cr2: 0x0000000103ac44b0
      
    Logical CPU:     0
    Error Code:      0x02000148 
    Trap Number:     133
    
    
    Binary Images:
           0x1034bb000 -        0x103836fff libIccProfLib2.2.1.15.dylib (*) <f2dc6eae-a665-30af-bc63-7f6b8c876dad> /Users/USER/Downloads/*/libIccProfLib2.2.1.15.dylib
           0x103a37000 -        0x103b66fff libclang_rt.asan_osx_dynamic.dylib (*) <b5a35b2f-2e39-33dc-88c4-cd4db0ffc80b> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/15.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
           0x10290d000 -        0x102914fff iccRoundTrip (*) <a4db0180-b77f-39cc-bc80-71c3e8b6bbb3> /Users/USER/Downloads/*/iccRoundTrip
        0x7ff80e22d000 -     0x7ff80e267ff7 libsystem_kernel.dylib (*) <3690c1fc-599f-39ff-bbdb-85422e9a996c> /usr/lib/system/libsystem_kernel.dylib
        0x7ff80e268000 -     0x7ff80e273fff libsystem_pthread.dylib (*) <33c43114-85f0-3f32-86d7-8e6a2403d38c> /usr/lib/system/libsystem_pthread.dylib
        0x7ff80e10d000 -     0x7ff80e194fff libsystem_c.dylib (*) <3e9a5bfa-50c0-3a96-9291-4826c62d1182> /usr/lib/system/libsystem_c.dylib
        0x7ff80dedf000 -     0x7ff80df7b2ff dyld (*) <1289b60a-4980-342d-b1a4-250bbee392f1> /usr/lib/dyld
                   0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
    
    

**Caveat: Opening Malicious ICC Color Profiles may result in Remote Code Execution in the context of the User**

CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX

Categories: Podcast
This week on the Lock and Code podcast, we speak with James Fair about the reluctance of some businesses to take cybersecurity seriously, even in the face of major attacks. 



(Read more...)




The post MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22 appeared first on Malwarebytes Labs.

_This week on the Lock and Code podcast..._

In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media... but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company's flagship hotel complex near the southern end of the Las Vegas strip—that didn't involve the whirring of slot machines or the sirens and buzzers of sweepstake earnings, but, instead, row after row of digital gambling machines with blank, non-functional screens. That same TikTok user commented on their own post that it wasn't just errored-out gambling machines that were causing problems—hotel guests were also having trouble getting into their own rooms.

As the user said online about their own experience: “Digital keys weren’t working. Had to get physical keys printed. They doubled booked our room so we walked in on someone.”

The trouble didn't stop there.

A separate photo shared online allegedly showed what looked like a Walkie-Talkie affixed to an elevator's handrail. Above the device was a piece of paper and a message written by hand: “For any elevator issues, please use the radio for support.”  

As the public would soon learn, MGM Resorts was the victim of a cyberattack, reportedly carried out by a group of criminals called Scattered Spider, which used the ALPHV ransomware.

It was one of the most publicly-exposed cyberattacks in recent history. But just a few days before the public saw the end result, the same cybercriminal group received a reported $15 million ransom payment from a separate victim situated just one and a half miles away.

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

The social media flurry, the TikTok videos, the comments and confusion from customers, the ghost-town casino floors captured in photographs—it all added up to something strange and new: Vegas was breached. 

But how? 

Though follow-on reporting suggests a particularly effective social engineering scam, the attacks themselves revealed a more troubling, potential vulnerability for businesses everywhere, which is that a company's budget—and its relative ability to devote resources to cybersecurity—doesn't necessarily insulate it from attacks. 

Today on the Lock and Code podcast with host David Ruiz, we speak with James Fair, senior vice president of IT Services at the managed IT services company Executech, about whether businesses are taking cybersecurity seriously enough, which industries he's seen pushback from for initial cybersecurity recommendations (and why), and the frustration of seeing some companies only take cybersecurity seriously after a major attack. 

> "How many do we have to see? MGM got hit, you guys. Some of the biggest targets out there—people who have more cybersecurity budget than people can imagine—got hit. So, what are you waiting for?"

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22

Last week on Malwarebytes Labs: Stay safe! Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting...

October 30, 2023 - Last week on Malwarebytes Labs: Stay safe! Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap,...

October 29, 2023 - Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating...

October 27, 2023 - Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations...

October 27, 2023 - Apple has released security updates for its phones, iPads, Macs, watches and TVs. Updates are available for these products: The important...

October 25, 2023 - VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server. Since...

Tag

#apple