A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, iOS 15.7.6 and iPadOS 15.7.6, macOS Ventura 13.4, Safari 16.5, tvOS 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of Safari 16.5.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16.5**

Released May 18, 2023

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 18, 2023

CVE-2023-32373: About the security content of Safari 16.5

This issue was addressed by restricting options offered on a locked device. This issue is fixed in watchOS 9.5. An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features

Released May 18, 2023

**Accessibility**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: Apple Watch Series 4 and later

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**Core Location**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**Face Gallery**

Available for: Apple Watch Series 4 and later

Impact: An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features

Description: This issue was addressed by restricting options offered on a locked device.

CVE-2023-32417: Zitong Wu (吴梓桐) from Zhuhai No.1 High School (珠海市第一中学)

**GeoServices**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: Apple Watch Series 4 and later

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: Apple Watch Series 4 and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: Apple Watch Series 4 and later

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**Metal**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: Apple Watch Series 4 and later

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**Photos**

Available for: Apple Watch Series 4 and later

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Shortcuts**

Available for: Apple Watch Series 4 and later

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: Apple Watch Series 4 and later

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**StorageKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: Apple Watch Series 4 and later

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

**Wi-Fi**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32417: About the security content of watchOS 9.5

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app may be able to execute arbitrary code with kernel privileges

Released May 18, 2023

**AppleMobileFileIntegrity**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Core Location**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**Metal**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**Sandbox**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Siri**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

**Wi-Fi**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-27930: About the security content of tvOS 16.5

A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to elevate privileges

This document describes the security content of iTunes 12.12.9 for Windows.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iTunes 12.12.9 for Windows**

Released May 23, 2023

**iTunes**

Available for: Windows 10 and later

Impact: An app may be able to elevate privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32353: Zeeshan Shaikh (@bugzzzhunter) – Synopsys Cybersecurity Research Center (CyRC)

**iTunes**

Available for: Windows 10 and later

Impact: An app may be able to gain elevated privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32351: ycdxsb of VARAS@IIE

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 23, 2023

CVE-2023-32353: About the security content of iTunes 12.12.9 for Windows

An authentication issue was addressed with improved state management. This issue is fixed in AirPods Firmware Update 5E133. When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones.

This document describes the security content of AirPods and Beats firmware updates.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Beats Firmware Update 5B66**

Released May 2, 2023

**Bluetooth**

Available for: Powerbeats Pro, Beats Fit Pro

Impact: When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones.

Description: An authentication issue was addressed with improved state management.

CVE-2023-27964: Yun-hao Chung and Archie Pusaka of Google ChromeOS

If you paired your Beats wireless headphones with your iPhone, iPad, or Mac, your Beats will update automatically. Learn more about firmware updates for Beats. 

You can check the firmware version of your wireless headphones in Bluetooth settings on your device. 

1.  On your iPhone or iPad, go to Settings > Bluetooth. On your Mac, go to System Settings > Bluetooth. 
2.  Tap on the info button  next to your headphones.

**AirPods Firmware Update 5E133**

Released April 11, 2023

**Bluetooth**

Available for: AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max

Impact: When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones.

Description: An authentication issue was addressed with improved state management.

CVE-2023-27964: Yun-hao Chung and Archie Pusaka of Google ChromeOS

Firmware updates are automatically delivered while your AirPods are charging and in Bluetooth range of your iPhone, iPad, or Mac. Learn more about firmware updates for AirPods.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 04, 2023

CVE-2023-27964: About the security content of AirPods and Beats firmware updates

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

**Description**

user can delete others's message. we know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that we do not fix one case.

**Proof of Concept**

1 user1 send admin a greeting card1

2 user2 send admin a greeting card2

3 user1 delete his message related to greeting card1, using burpsuite hijack the request.

    POST /adm_program/modules/messages/messages.php?msg_uuid=7cd5f4ed-dedc-46c6-b4ec-3567246583ef HTTP/1.1
    Host: localhost:8080
    Content-Length: 49
    sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: http://localhost:8080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8080/adm_program/modules/messages/messages.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; BBLANG=en_US; ADMIDIO_admidio_adm_SESSION_ID=beedb93711a4307d7d676817daeefd7b
    Connection: close
    
    admidio-csrf-token=6amCNCtp5js7GH8g2UwyHOU88PKm2M
    

4 changing the messges uuid as the message related to card2

5 result shows success

IDORs with unpredictable IDs are valid vulnerabilities see https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html

as the uuid is hard to predicate, we mark Attack Complexity as high

**Impact**

Impact of the Vulnerability:

This vulnerability allows a user to delete messages of other users, which can result in a loss of important communication data. This can also lead to unauthorized editing or deleting of messages, causing potential security issues for the impacted users. Additionally, an attacker may use this vulnerability to tamper with the message history and cover up their tracks, making it difficult to trace any malicious activity.

CVE-2023-3304: IDOR in message  deletion in admidio

Under construction: The world's leading ransomware gang is workshopping ransomware for less obvious systems beyond Windows environments. Experts weigh in on how worried we should be.

The LockBit gang is building ransomware for new architectures, forgoing Windows and potentially posing entirely new problems for their victims along the way.

In a blog published June 22, researchers from Kaspersky describe having "stumbled on" a .ZIP file with a trove of LockBit malware samples inside. The samples appear to have derived from LockBit's previous encryptor variations targeting VMWare ESXi hypervisors.

The samples targeted FreeBSD and Linux — a growing trend among ransomware actors — plus various embedded technologies, including instruction set architecture (ISA) firmware for CPUs, like ARM, MIPS, ESA/390, and PowerPC, as well as Apple M1, an ARM-based system-on-chip (SoC) used in Mac and iPad devices.

The samples were clearly a work in progress, Kaspersky noted, since "for instance, the macOS sample was unsigned, so it could not be executed as is. Also, the string encryption method was simple: one-byte XOR."

Should they eventually make it to the wild, however, these new ransomware variants could prove useful to LockBit as it tries to stay relevant, says Jason Baker, threat intelligence analyst at GuidePoint Security. "In an increasingly crowded RaaS marketplace competing for talent and targets, this kind of differentiating behavior may ultimately benefit LockBit despite the additional costs and lower volume of targets."

**Can LockBit Deliver Embedded Ransomware?**

Especially after the breakup of Conti, LockBit arguably took up the mantle as the world's premier ransomware gang. Last month brought a notable decline in its activity, however. While the ransomware industry rose as a whole, LockBit claimed 30% fewer victims than the month prior.

Perhaps, in retrospect, it was dedicating extra time and resources to developing its new malware. Or, perhaps, the new malware is a response to its decline.

Either way, its new direction is a cause for concern for defenders. Security analysts already raised the alarm on Android SoCs in 2021, Apple M1 in 2022, and multiple vulnerabilities in popular AMI SoCs were revealed earlier this year.

"We're seeing increased reporting lately related to embedded devices being used for persistence," reports Adam Pennington, project leader for MITRE, though major attacks have not yet been demonstrated in the wild.

LockBit will face hurdles in breaking through this glass ceiling, explains Callie Guenther, cyber threat research senior manager at Critical Start. "Unlike traditional operating systems, embedded systems and IoT devices often have resource constraints, limited processing power, and specific hardware configurations. Ransomware designed for SoCs needs to be tailored to these limitations and adapted to the specialized environment," she points out.

"Furthermore," she continues, "SoCs often run specialized firmware or customized operating systems, which may require a different approach in terms of payload delivery, execution, and evasion techniques. Ransomware targeting SoCs may need to exploit specific vulnerabilities or weaknesses within the firmware or system architecture to gain control over the device and encrypt its data."

Baker speculates that the challenge may be part of the appeal for LockBit. "The most likely reason to target SoCs that are not being targeted by other groups, such as Apple silicon, is for the sake of brand strength and prestige. Larger, more advanced groups such as LockBit have the in-house expertise and resources to throw at this problem set, and developing a unique capability not available elsewhere would continue to highlight the group as a pioneer in the ransomware-as-a-service (RaaS) ecosystem," he says.

**Why Embedded Malware Is Difficult to Excise**

The reason to worry about ransomware for embedded technologies, Pennington explains, isn't merely that it's new and uncharted. It's also that these technologies are easier to overlook and sometimes harder to protect.

"Most enterprises heavily focus their security efforts on Windows, despite various other server and embedded operating systems occupying the exact same networks. Among other reasons, targeting these alternate platforms can be a really effective way to evade existing defenses," Pennington assesses.

He poses a scenario where "a ransomware or other actor infects a network, defenders clean up the type of systems where they have visibility and tools to see and manage systems, and then they discover months later that an implant has been left behind on something like a Linux-based security camera running on one of these other architectures."

To prevent attackers gaining this upper hand, Pennington says, "organizations need to consider a diverse set of operating systems and architectures when they secure themselves, and not just their Windows systems."

"Nearly everyone is running some number of systems with these types of OSs and chips," he emphasizes, "even if they don't realize it."

LockBit Developing Ransomware for Apple M1 Chips, Embedded Systems

Award-winning XEM platform introduces advanced SBOM capabilities, expanded ARM support, and additional Risk & Compliance improvements.

Tanium, the industry’s only provider of converged endpoint management (XEM), today released major enhancements to the Tanium Software Bill of Materials (SBOM) that now include Common Vulnerability and Exposures (CVE) information. Tanium's SBOM identifies software components on endpoints, including open-source software embedded in libraries within native and third-party software, enabling organizations to prioritize and remediate software supply chain risks with unmatched speed and scale. In addition to several new Risk & Compliance features, Tanium also announced the expansion of support for ARM-Based endpoints to help IT teams minimize blind spots and drastically reduce the need for separate endpoint tools. 

Software supply chain attacks continue to spike due in part to the increasing reliance of organizations on numerous third-party suppliers and service providers. To keep a firm pulse on the threats facing today's most vulnerable and highly targeted organizations, Tanium has added SBOM to its Vulnerability Management solution to find, prioritize, and remediate emerging and zero-day vulnerabilities in the software components of applications, including open-source software embedded within application libraries, across all endpoints. 

"Over ninety-two percent of applications contain open-source libraries that may contain hidden vulnerabilities like Log4j, OpenSSL, or Struts, which are exploited by attackers," said Nic Surpatanu, chief product officer, Tanium. "Federal agencies, cyber insurance providers, and other organizations are increasingly requiring an SBOM for all utilized software. Tanium SBOM is the only solution on the market that allows organizations to identify and remediate software supply chain vulnerabilities in production. This empowers DevOps and SecOps to identify and mitigate risks across development, staging, and production environments."

In addition to confronting threats introduced by reliance on open-source software, today’s organizations also grapple with continually evolving processor architecture. In fact, the use of ARM-based servers grew sevenfold between 2019 and 2022 and ARM-based computers are expected to make up thirty percent of all personal computers by 2026. In 2022, Tanium rolled out support for endpoints running ARM-based processors from Apple and Amazon. With an eye towards futureproofing, Tanium has expanded its support to additional ARM-based endpoints running Oracle Linux, RedHat, and Windows 11. 

"We expect the use of ARM-based processors to continue to grow for the foreseeable future due to its better performance and lower energy usage compared to x86-based processors," said Vivek Bhandari, VP, product marketing at Tanium. "With these enhancements, Tanium continues to empower customers to find and bring missing endpoints under management and move away from point solutions towards a single, unified platform."

Today's announcement also coincides with a host of new Risk & Compliance enhancements that will amplify the efficiency and efficacy of vulnerability and risk management programs, while also reducing the need for disparate point solutions. These include:  

*   ESXi Support: New compliance and vulnerability assessments of ESX and ESXi hypervisors via vCenter APIs empower security teams to view and perform risk assessments on all virtual servers efficiently 
*   CISA Known Exploits and Vulnerabilities (KEV): Tanium’s vulnerability assessments now include CISA KEV information on the most dangerous and active exploits, eliminating the need for manual analysis, instantly prioritizing high-risk CVEs for remediation with its integrated remediation options.  
*   Exception Management: Tanium’s Risk and Compliance solution offers the ability to create exceptions for compliance and vulnerability findings with valid reason or expiration date, enabling organizations to focus on areas that need immediate attention.  
*   Benchmark Enhancements: A new page within Tanium Benchmark allows customers to quickly visualize the health of their key operations and security metrics.  

As organizations continue to embrace digital transformation, comprehensive endpoint visibility, control, and remediation at scale and in real-time are crucial to mitigate risks from cyber threats of today – and tomorrow. To learn more about these enhancements, join the Tanium Innovation and Technology Update Wednesday, June 28, 2023, 11:00 – 11:30 am PT. Register today.

Tanium Platform Advances Threat Identification Capabilities and Enhances Endpoint Reach

The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. "smishing") messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn't be shipped unless the customer paid an added delivery fee.

The **United Parcel Service** (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.

In a snail mail letter sent this month to Canadian customers, **UPS Canada Ltd.** said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.

The recent letter from UPS about SMS phishers harvesting shipment details and phone numbers from its website.

“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads. “Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”

The written notice goes on to say UPS believes the data exposure “affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”

As early as April 2022, KrebsOnSecurity began receiving tips from Canadian readers who were puzzling over why they’d just received one of these SMS phishing messages that referenced information from a recent order they’d legitimately placed at an online retailer.

In March, 2023, a reader named **Dylan** from British Columbia wrote in to say he’d received one of these shipping fee scam messages not long after placing an order to buy gobs of building blocks directly from Lego.com. The message included his full name, phone number, and postal code, and urged him to click a link to **mydeliveryfee-ups\[.\]info** and pay a $1.55 delivery fee that was supposedly required to deliver his Legos.

“From searching the text of this phishing message, I can see that a lot of people have experienced this scam, which is more convincing because of the information the phishing text contains,” Dylan wrote. “It seems likely to me that UPS is leaking information somehow about upcoming deliveries.”

Josh is a reader who works for a company that ships products to Canada, and in early January 2023 he inquired whether there was any information about a breach at UPS Canada.

“We’ve seen many of our customers targeted with a fraudulent UPS text message scheme after placing an order,” Josh said. “A link is provided (often only after the customer responds to the text) which takes you to a captcha page, followed by a fraudulent payment collection page.”

Pivoting on the domain in the smishing message sent to Dylan shows the phishing domain shared an Internet host in Russia \[91.215.85-166\] with nearly two dozen other smishing related domains, including **upsdelivery\[.\]info**, **legodelivery\[.\]info**, **adidascanadaltd\[.\]com**, **crocscanadafee\[.\]info**, **refw0234apple\[.\]info,** **vista-printcanada\[.\]info** and **telus-ca\[.\]info**.

The inclusion of big-name brands in the domains of these UPS smishing campaigns suggests the perpetrators had the ability to focus their lookups on UPS customers who had recently ordered items from specific companies.

Attempts to visit these domains with a web browser failed, but loading them in a mobile device (or in my case, emulating a mobile device using a virtual machine and Developer Tools in Firefox) revealed the first stage of this smishing attack. As Josh mentioned, what first popped up was a CAPTCHA; after the visitor solved the CAPTCHA, they were taken through several more pages that requested the user’s full name, date of birth, credit card number, address, email and phone number.

A smishing website targeting Canadians who recently purchased from Adidas online. The site would only load in a mobile browser.

In April 2022, KrebsOnSecurity heard from Alex, the CEO of a technology company in Canada who asked to leave his last name out of this story. Alex reached out when he began receiving the smishing messages almost immediately after ordering two sets of **Airpods** directly from Apple’s website.

What puzzled Alex most was that he’d instructed Apple to send the Airpods as a gift to two different people, and less than 24 hours later the phone number he uses for his Apple account received two of the phishing messages, both of which contained salutations that included the names of the people for whom he’d bought Airpods.

“I’d put the recipient as different people on my team, but because it was my phone number on both orders I was the one getting the texts,” Alex explained. “That same day, I got text messages referring to me as two different people, neither of whom were me.”

Alex said he believes UPS Canada either doesn’t fully understand what happened yet, or it is being coy about what it knows. He said the wording of UPS’s response misleadingly suggests the smishing attacks were somehow the result of hackers randomly looking up package information via the company’s tracking website.

Alex said it’s likely that whoever is responsible figured out how to query the UPS Canada website for only pending orders from specific brands, perhaps by exploiting some type of application programming interface (API) that UPS Canada makes or made available to its biggest retail partners.

“It wasn’t like I put the order through \[on Apple.ca\] and some days or weeks later I got a targeted smishing attack,” he said. “It was more or less the same day. And it was as if \[the phishers\] were being notified the order existed.”

The letter to UPS Canada customers does not mention whether any other customers in North America were affected, and it remains unclear whether any UPS customers outside of Canada may have been targeted.

In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based **UPS** \[NYSE:UPS\] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.

“Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries,” reads an email from **Brian Hughes**, director of financial and strategy communications at UPS.

“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted,” Hughes said. “We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”

SMS Phishers Harvested Phone Numbers, Shipment Data from UPS Tracking Tool

The zero-day security bugs are being used to deploy the sophisticated but "odd" TriangleDB spying implant on targeted iOS devices.

Apple has released emergency patches for two new zero-day vulnerabilities in its software that an advanced persistent threat (APT) actor has been using to deploy malware in an ongoing iOS spying campaign dubbed "Operation Triangulation."

Meanwhile on Wednesday, Kaspersky released a new report that provided additional details on the TriangleDB spyware implant used in the campaign, which it flagged as containing a number of oddities, such as disabled features that could be deployed at a future time. 

According to the company, its analysis showed that for now, the malware supports 24 functional commands that serve various purposes such as creating, modifying, removing and stealing files, listing and terminating processes, gathering credentials from the victim's keychain and monitoring their location.

"Features that we found especially significant are the abilities to read any file on the infected device, extract passwords from the victim's keychain and track the device geolocation," says Georgy Kucherin, one of the security researchers at Kaspersky who discovered the zero-day bugs that Apple disclosed this week.

**A Trio of Zero-Days**

One of the newly addressed security vulnerabilities (CVE-2023-32434) affects multiple iOS versions and gives attackers a way to execute arbitrary code with kernel level privileges on iPhones and iPads. The other vulnerability (CVE-2023-32439) exists in Apple's WebKit browser and enables arbitrary code execution via maliciously crafted web content. Apple on June 21, 2023, issued updates addressing both vulnerabilities. 

The two bugs are part of a set of three Apple zero-days that researchers at Kaspersky have discovered so far while investigating Operation Triangulation. The investigation began about seven months ago when the security firm spotted several dozen iOS devices on its corporate Wi-Fi network behaving in a suspicious manner.

The company released a report on its initial analysis of the malicious activity, in early June. At the time, Kaspersky described the attackers as likely exploiting multiple vulnerabilities in Apple software to deliver the TriangleDB spyware implant on iOS devices belonging to targeted iOS users. Researchers at the company identified the first of the flaws as CVE-2022-46690, an out-of-bounds issue that allowed an application to execute arbitrary code at the kernel level. Kaspersky described the malware itself as running with root privileges, capable of executing arbitrary code on affected devices and implementing a set of commands for collecting system and user information.

Reading files on the infected device allows attackers to get access to sensitive information such as photos, videos, emails, as well as databases containing conversations from messenger apps, Kucherin says. TriangleDBs' keychain dumping features allow the attackers to harvest the victim's passwords, and then further use them to access various accounts owned by the victim.

**TriangeDB Shows Curious Spyware Behavior**

Somewhat curiously, the implant requests multiple privileges from the operating system (on infected devices) without any obvious ways to use the information, Kucherin says. Examples of privileges that the malware requests—but doesn’t presently use—include access to the microphone, camera and the address book. 

"These features may be implemented in auxiliary modules that can be loaded by the implant," at some future time, he notes.

Another significant discovery that Kaspersky made when analyzing TriangleDB is the fact that the attackers behind the malware have an eye on targeted macOS users as well. "Perhaps the most interesting finding is the 'populateWithFieldsMacOSOnly' method that we found in the implant," Kucherin says. "Its existence means that similar implants can be used to target not just iOS devices, but also Mac computers."

Kaspersky has assessed it was the victim of a targeted attack, but likely not the only one. Russia's Federal Security Service (FSB) intelligence outfit has alleged—without providing any proof—that the US National Security Agency (NSA), likely in cahoots with Apple, is behind the malware and the spying operation. The agency has accused the two of installing the spyware on thousands of iOS devices belonging to Russian diplomats and Russia-affiliated individuals of supposed interest to the US government. In a tone reminiscent of US accusations against Russia and China, Russia's foreign ministry described the iOS spyware campaign as part of a decades long effort to collect "large-scale data of Internet users" without their permission or knowledge.

Both the NSA and Apple have rejected those allegations.

Kaspersky has released a utility called ‘triangle\_check’ that organizations can use to search for signs of the spyware implant on their iOS devices.

Tag

#apple