There is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.

AppleAVD AVC_RBSP::parseSliceHeader ref_pic_list_modification Overflow

Categories: Exploits and vulnerabilities
Categories: News
CISA updated its catalog of actively exploited vulnerabilities. Make sure you update your software before the due date!



(Read more...)




The post CISA wants you to patch these actively exploited vulnerabilities before September 8 appeared first on Malwarebytes Labs.

On Thursday, CISA (the US Cybersecurity and Infrastructure Security Agency) updated its catalog of actively exploited vulnerabilities by adding seven new entries. These flaws were found in Apple, Google, Microsoft, Palo Alto Networks, and SAP products. CISA set the due date for everyone to patch the weaknesses by September 8, 2022.

CVE-2022-22536, an SAP flaw with the highest risk score of 10, is one of the seven. We wrote about it in February, and thankfully, SAP addressed the issue fairly quickly, too, by issuing a patch. CISA even mentioned that if customers fail to patch CVE-2022-22536, they could be exposed to ransomware attacks, data theft, financial fraud, and other business disruptions that'd cost them millions.

**CVE-2022-32893** and **CVE-2022-32894**, the two zero-day, out-of-bounds write vulnerabilities affecting iOS, iPadOS, and macOS, continue to headline as of this writing. These are serious flaws that, if left unpatched, could allow anyone to take control of vulnerable Apple systems. Apple already released fixes for these from the following support pages:

*   About the security content of iOS 15.6.1 and iPadOS 15.6.1
*   About the security content of macOS Monterey 12.5.1
*   About the security content of Safari 15.6.1

The Google Chrome flaw with high severity, **CVE-2022-2856**, is also confirmed to be targeted by hackers. As with other zero-days, technical details about it are light, but the advisory states that the flaw is an "insufficient validation of untrusted input in Intents." The Intents technology works in the background and is involved in processing user input or handling a system event. If this flaw is exploited, anyone could create a malicious input that Chrome may validate incorrectly, leading to arbitrary code execution or system takeover.

Google already patched this. While Chrome should've updated automatically, it is recommended to force an update check to ensure the patch is applied.

Microsoft also has patches available for **CVE-2022-21971** and **CVE-2022-26923** in February and May, respectively. The former was given an "exploitation less likely" probability, but that has already changed—a proof-of-concept (PoC) has been available since March. PoC exploits were also made public for the latter Microsoft flaw. However, these were released after Microsoft had already pushed out a patch.

Palo Alto Networks's is the oldest among the new vulnerabilities added to the catalog. Discovered in 2017, **CVE-2017-15944** has a severity rating of 9.8 (Critical). Once exploited, attackers could perform remote code execution on affected systems. You can read more about this flaw on Palo Alto's advisory page.

Malwarebytes advises readers to apply patches to these flaws if they use products of the companies we mentioned. You don't have to wait for the due date before you act.

CISA wants you to patch these actively exploited vulnerabilities before September 8

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022.

Described as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions -

*   SAP Web Dispatcher (Versions - 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)
*   SAP Content Server (Version - 7.53)
*   SAP NetWeaver and ABAP Platform (Versions - KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)

"An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches," CISA said in an alert.

"A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation," Onapsis, which discovered the flaw, notes. "Consequently, this makes it easy for attackers to exploit it and more challenging for security technology such as firewalls or IDS/IPS to detect it (as it does not present a malicious payload)."

Additionally, the agency has added new flaws disclosed by Apple (CVE-2022-32893, and CVE-2022-32894) and Google (CVE-2022-2856) this week as well as previously documented Microsoft-related bugs (CVE-2022-21971 and CVE-2022-26923) and a remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2017-15944, CVSS score: 9.8) that was disclosed in 2017.

CVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that was resolved by Microsoft in February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, relates to a privilege escalation flaw in Active Directory Domain Services.

"An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System," Microsoft describes in its advisory for CVE-2022-26923.

The CISA notification, as is traditionally the case, is light on technical details of in-the-wild attacks associated with the vulnerabilities to avoid threat actors taking further advantage of them.

To mitigate exposure to potential threats, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the relevant patches by September 8, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CISA Adds 7 New Actively Exploited Vulnerabilities to Catalog

The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.

Security researchers are urging users of Apple Mac, iPhone, and iPad devices to immediately update to newly released versions of the operating systems for each technology, to mitigate risk from two critical vulnerabilities in them that attackers are actively exploiting.

The zero-day flaws allow threat actors to take complete control of affected devices. They impact users of iPhone 6s and later, all models of iPad Pro, iPod touch (7th generation), iPad Ai2 and later, iPad 5th generation and later, and iPad mini 4 and later. Also affected are users with Macs running macOS Monterey, macOS Big Sur, and macOS Catalina. Apple disclosed the vulnerabilities and the updates addressing them on Wednesday.

**Remote Code Execution Flaws**

One of the zero-days (CVE-2022-32893) exists in WebKit, Apple's browser engine for Safari and for all iOS and iPadOS Web browsers. Apple described the flaw as tied to an out-of-bounds write issue that attackers could use to remotely take control of vulnerable devices. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in one of its typically terse vulnerability disclosures this week. "Apple is aware of a report that this issue may have been actively exploited," the company noted.

The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.

Apple said it had implemented "improved bounds checking" in iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 to address both issues.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said the widespread use of Apple's technologies puts both businesses and consumers at risk from the vulnerabilities. "While cyber criminals will no doubt try to access personal information about consumers, accessing a business often has significantly more upside for malicious actors," she says.

**WebKit Flaw Has Wider Impact**

In a blog, Sophos identified CVE-2022-32893 as having potentially the wider impact compared to the other flaw that Apple disclosed this week. The flaw gives attackers a way to set up "booby-trapped" Web pages that can trick Macs, iPhones, and iPads into running untrusted software. "Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page," the security vendor said.

The flaw has widespread impact because WebKit powers all Web rendering software on Apple's mobile devices and is used widely by Mac users as well. The vulnerability impacts more applications and systems components than just the Safari browser itself, so steering clear of the browser alone is not enough to mitigate risk, Sophos said.

"The WebKit component is particularly problematic, as it is the browser engine across all Apple software," says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. "Apple users should patch now. These updates need to be applied as soon as possible."

**Both Consumers & Organizations at Risk**

Like many others have noted about the sparse nature of software vendor vulnerability disclosures recently, Holland too said it would have been more useful for defenders if Apple had provided more context and details around the flaws.

"Apple is light on the technical details of this week's two zero-day vulnerabilities," he says. "However, it is never reassuring to see the phrase 'execute arbitrary code with kernel privileges'," as Apple's disclosure reads.

Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs. These updates present a security awareness opportunity to discuss the risks to employees' lives and provide patching instructions, including how to enable automatic updates.

Mike Parkin, senior technical engineer at Vulcan Cyber, says there's not enough information to determine how easily attackers can exploit these vulnerabilities. But reports about the flaws being already used in the wild is concerning, he says, especially because they allow for remote code execution. Apple products are widely used both in enterprise and consumer markets, and often overlap for people who work in Bring Your Own Device (BYOD) environments, he says. Given that, and the relative lack of detail, it's hard to say who'll be more at risk.

"Organizations should deploy the appropriate controls to minimize the risk to their environments," Parkin advocates. "The ones that allow BYOD devices will face some additional challenges, as they'll need to address systems that they don't directly control."

Patch Now: 2 Apple Zero-Days Exploited in Wild

Apple Security Advisory 2022-08-18-1 - Safari 15.6.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-08-18-1 Safari 15.6.1

Safari 15.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213414.

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Safari 15.6.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL+gHUACgkQ4RjMIDke  
Nxm9eg/8CZFhmd5zgsQlwjn4R9kWVnIHCIzkhmjQGMzQ3C1FCiMwt+aDN2C1aYxN  
DiElfQy6ieI+4RNTxuNakhAQ0lS7F+TStHW9meblHkIA/qFfhBVxyaWZr+Hl0Bsw  
2K+0D9twK6xqh88hlvdm/GGEkEv8pKXKtzWaDoOdutXtasG6apc2nAMcqcWyN3SE  
hw+/PXhnxY5TNDQsz4wYsriichEPHIPJh3tCEgV2EvfsYx3GrX8Yga3T34GHwSj7  
H04Q3P1vNkdDDziFV7gZuWVXqKrpQxnReIKtZzffO0cW2x7lsSKw3H70yHlh2JLL  
yUDP28jJXOFGHD3izx+YHmFB4Q4dcHSVsil39Mq150s5iyJSkO2YDgWCyZBQ1tuB  
/dLIGuuQQtA3CqzBPSKneeeb0Cf5I6dnjh93R/aXLNiy+1AvizxJFOJ+EAlDCOxt  
o85iZxjWaGaQxng3qeA5nex5QWUvXRPyXoxyxnkfEeswv7PX6XLQXTASIo/Ug3E8  
KcIbtnkPatuwHt44eprrW6afaWhiY2IhiLKRFQeDm5vtYOr0FDAWGKl9bW203Frt  
2o6TVP9uXxZRIfMUmxBjdvNFScez49vlU6v+cIjj8UON/lWKZLkLDEFxfCWxlAWK  
eTc6a0tIAP5EMyd7EZdVhvxJSMxcCrXiO2iiS5TccIFZ5VvgZwA=t1cZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-18-1

Apple Security Advisory 2022-08-17-1 - iOS 15.6.1 and iPadOS 15.6.1 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-08-17-1 iOS 15.6.1 and iPadOS 15.6.1iOS 15.6.1 and iPadOS 15.6.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213412.KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privileges. Apple is aware of a report that this issue mayhave been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32894: an anonymous researcherWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 243557CVE-2022-32893: an anonymous researcherThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6.1 and iPadOS 15.6.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL9UiMACgkQ4RjMIDkeNxkiuw/+IhqxvCCS9q8hQMHDpFvVVmFdfO+7ukTVSpd12Cp5r0VGVP/zJOCecXR1cnFHIPx8zVZXzQzsa+lCSWhT+20qOiuCjpqWNVY9pCovCPds3r1hhL2/1H0KejGK2Ms910r+yxvEmhzz0MPk95d5+k+LaBPC1sfuNVTn9eUXImPDuLzLIyd8nW5khjNWspOIlS82VNBAcw8VQMxjgsiD6lhSsqvdkBPNhbI4/mMeIEXOOb+fRtHUOtorGLF2R1DzU1zmPLytcPGE+hxVXnR5F1z/+ea1DEWumvzSNfwja9HI2xPfmm9E8Pomq9lkSEW8cxlqAdKY2/cQ2B2I7ihJ3REfJjSnhXqTsuad1jVn9k1t8ZmKBWh6bgOQKQQg9BfIhcCeL398fmRUZQG1h6zo33MukUMMjfTgRjrjxhETLYCZQybjFAC4s98j2S0oyUpKaBUHc+tL/uupW01LwzP53SR2e4rBQhi+ACqiCEoJKAHYfJaj6YeblILiM6SaQdfbsiCzSIqM6nJLl5ZIYn6rXEEKGyGpKMAYXvc7FsR691DTQxMiQ8KcraoCwAerLzviWOF2tVNmDYkv5EFnXhSB4+uYzViSQhPKM8s2DRhP/WhxdVF3woRhIyHLq60SqKoFKvQwTVTugIFIR4cGfsfAbV7zCBhqH7+fKBGfLeTOBCH7ULE=SLRt-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-17-1

Apple Security Advisory 2022-08-17-2 - macOS Monterey 12.5.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-08-17-2 macOS Monterey 12.5.1

macOS Monterey 12.5.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213413.

Kernel  
Available for: macOS Monterey  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32894: an anonymous researcher

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

macOS Monterey 12.5.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL9UiYACgkQ4RjMIDke  
NxkMiQ/+JkF0Octgd1/I72UFVdhIbUrvL+BkQdTWXfzrfGpFl3EOSUkvn+F3qmt4  
pAxtbKeg4T5VyJqGz+bQDOZ+VXGsO4w/9n0WWjEGA/P+BHkP2gUZLlhZQRq1XY5c  
gW8EBiUEA20qtz9s0AUFOtS8l6J1QStOhA5W6OWS4xJp4GTwFKSbZHDrHjACBoi1  
5XpFM0H5sbFG66C9Fb+p55BLWMBoyxbi8YiQIDmcZ7/+kNGSsBkfHtvSmoFaSVr1  
vP/2o2zEUburmKy9C9nUrXruJB6oqjWrkKfe2bbHOa9Zpf9zPcDyYXFbpJLYyAov  
R2h8pTppfxdPpuFKVht+MUpc9VnW8oZsuk0bWiI/D9dAOX1otoLE1599SXy/rXSU  
2SLeM+Uv4iiJGiNSfDuvcCCqhzCCUf2/pS8VTcnDZczsOGPLWROswzQ46yVWHIxO  
iCNH8iHliDo5UNzem+yza5hRgjDbArEjoP10zzx2AxFioQuJXWWEWIbcb966MKzs  
gL+DB2BqVhF+OScf+jC66BefgSndsGBfkKgulrZ1HOmJ2E/BwOCYKYrDQhtNEJbr  
dFjv8+cMO1vuqKb33p5rjzNIqucBYEuoLtIaXz1yJ5aF/3M5HVaqBgBFioQHUvKj  
zc/QF2P6Ue3AMhUkmkMkZVJRMYI966fFD9NMKjGz9H/gCm+8iN0JBQ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-17-2

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

Apple is urging macOS, iPhone and iPad users immediately to install respective updates this week that includes fixes for two zero-days under active attack. The patches are for vulnerabilities that allow attackers to execute arbitrary code and ultimately take over devices.

Patches are available for effected devices running iOS 15.6.1 and macOS Monterey 12.5.1. Patches address two flaws, which basically impact any Apple device that can run either iOS 15 or the Monterey version of its desktop OS, according to security updates released by Apple Wednesday.

One of the flaws is a kernel bug (CVE-2022-32894), which is present both in iOS and macOS. According to Apple it is an “out-of-bounds write issue \[that\] was addressed with improved bounds checking.”

The vulnerability allows an application to execute arbitrary code with kernel privileges, according to Apple, which, in usual vague fashion, said there is a report that it “may have been actively exploited.”

The second flaw is identified as a WebKit bug (tracked as CVE-2022-32893), which is an out-of-bounds write issue that Apple addressed with improved bounds checking. The flaw allows for processing maliciously crafted web content that can lead to code execution, and also has been reported to be under active exploit, according to Apple. WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS.

**Pegasus-Like Scenario**

The discovery of both flaws, about which little more beyond Apple’s disclosure are known, was credited to an anonymous researcher.

One expert expressed worry that the latest Apple flaws “could effectively give attackers full access to device,” they might create a Pegasus-like scenario similar to the one in which nation-state APTs barraged targets with spyware made by Israeli NSO Group by exploiting an iPhone vulnerability.

“For most folks: update software by end of day,” tweeted Rachel Tobac, the CEO of SocialProof Security, regarding the zero-days. “If threat model is elevated (journalist, activist, targeted by nation states, etc): update now,” Tobac warned.

**Zero-Days Abound**

The flaws were unveiled alongside other news from Google this week that it was patching its fifth zero-day so far this year for its Chrome browser, an arbitrary code execution bug under active attack.

The news of yet more vulnerabilities from top tech vendors being barraged by threat actors demonstrates that despite the best efforts from top-tier tech companies to address perennial security issues in their software, it remains an uphill battle, noted Andrew Whaley, senior technical director at Promon, a Norwegian app security company.

The flaws in iOS are especially worrying, given the ubiquity of iPhones and users’ utter reliance on mobile devices for their daily lives, he said. However, the onus is not only on vendors to protect these devices but also for users to be more aware of existing threats, Whaley observed.

“While we all rely on our mobile devices, they are not invulnerable, and as users we need to maintain our guard just like we do on desktop operating systems,” he said in an email to Threatpost.

At the same time, developers of apps for iPhones and other mobile devices also should add an extra layer of security controls in their technology so they are less reliant on OS security for protection, given the flaws that frequently crop up, Whaley observed.

“Our experience shows that this is not happening enough, potentially leaving banking and other customers vulnerable,” he said.

iPhone Users Urged to Update to Patch 2 Zero-Days

A security researcher claims that Apple mobile devices keep connections open if they are created before a VPN is activated.

A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs as a user might expect, a potential security issue the device maker has known about for years.

Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly—if contentiously—in a continually updated blog post. "VPNs on iOS are broken," he says.

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.

In other words, you might expect a VPN client to kill existing connections before establishing a secure connection so they can be reestablished inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020.

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Privacy company Proton previously reported an iOS VPN bypass vulnerability that started at least in iOS 13.3.1. Like Horowitz's post, ProtonVPN's blog noted that a VPN typically closes all existing connections and reopens them inside a VPN tunnel, but that didn't happen on iOS. Most existing connections will eventually end up inside the tunnel, but some, like Apple's push notification service, can last for hours.

The primary issue with non-tunneled connections persisting is that they could be unencrypted and that the IP address of the user and what they're connecting to can be seen by ISPs and other parties. "Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," ProtonVPN wrote at the time. That might not be a pressing concern for typical VPN users, but it's notable.

ProtonVPN confirmed that the VPN bypass persisted in three subsequent updates to iOS 13. ProtonVPN indicated in its blog post that Apple would add functionality to block existing connections, but this functionality as added did not appear to make a difference in Horowitz's results.

Horowitz tested ProtonVPN's app in mid-2022 on an iPad iOS 15.4.1 and found that it still allowed persistent, non-tunneled connections to Apple's push service. The Kill Switch function added to ProtonVPN, which describes its function as blocking all network traffic if the VPN tunnel is lost, did not prevent leaks, according to Horowitz.

Horowitz tested again on iOS 15.5 with a different VPN provider and iOS app (OVPN, running the WireGuard protocol). His iPad continued to make requests to both Apple services and to Amazon Web Services.

ProtonVPN had suggested a workaround that was "almost as effective" as manually closing all connections when starting a VPN: Connect to a VPN server, turn on airplane mode, then turn it off. "Your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%," ProtonVPN wrote. Horowitz suggests that iOS's Airplane Mode functions are so confusing as to make this a non-answer.

Ars Technica reached out to both Apple and OpenVPN for comment and will update this article with any responses.

Horowitz's post doesn't offer specifics on how iOS might fix the issue. He also doesn't address VPNs that offer "split tunneling," focusing instead on the promise of a VPN capturing all network traffic. For his part, Horowitz recommends a $130 dedicated VPN router as a truly secure VPN solution.

VPNs, especially commercial offerings, continue to be a complicated piece of internet security and privacy. Picking a "best VPN" has long been a challenge. VPNs can be brought down by vulnerabilities, unencrypted servers, greedy data brokers, or by being owned by Facebook.

_This story originally appeared on_ _Ars Technica__._

iOS Can Stop VPNs From Working as Expected—and Expose Your Data

Categories: News
Categories: Privacy
Tags: Krause

Tags:  inappbrowser.com

Tags:  Meta

Tags:  Facebook

Tags:  Instagram

Tags:  TikTok

A developer and privacy expert created a platform that allows iOS users to see injected JavaScript in their in-app browsers



(Read more...)




The post Spying on the spies. See what JavaScript commands get injected by in-app browsers appeared first on Malwarebytes Labs.

Developer and privacy expert Felix Krause aka KrauseFx announced this week that he had introduced a simple tool to list the JavaScript commands executed by iOS apps when they deployed an in-app web browser to render webpages. He already shared some eye-opening results on his Twitter feed.

By opening Krause's tool—new website inappbrowser.com—in a designated app, the website checks for one of many hundreds of attack vectors, which is JavaScript injection from the app itself. Disclaimer: a green checkmark is no guarantee that there is no JavaScript injection going on.

**The reason**

According to his announcement the development of the tool was triggered by his own report on the risks of mobile apps using in-app browsers. Instead of opening links to external websites in the default browser of the device, many apps render these links inside their own app. More importantly, those apps rarely offer an option to use a standard browser as default, instead of the in-app browser. Since it would be a lot easier for a developer to implement the use of an already present browser, there must be a reason they want you to open the links inside the own app.

Well, one of those reasons is that they can inject their own code into the website they just opened, which allows them to collect all the taps on a webpage, keyboard inputs, website title, and more. This is a privacy risk as such data can be used to create a digital fingerprint of a person. App-makers also claim, with some truth, that users do not like to hop from app to app—leaving their current environment only to be brought to another environment, like a separate web browser, when, for instance, shopping online. 

**How to use**

If you would like to check on some of the apps you are using, here’s how. First, you open an app that you want to analyze. Then you share the URL “https://InAppBrowser.com” somewhere inside the app (you can send it as a DM to a friend). Tap the link inside the app to open it and get a report about the JavaScript commands. Below you can find some results for apps that Krause tested.

**Meta**

Unsurprisingly, Instagram and Facebook have the ability to track interactions like searches, clicks, screenshots, and “form inputs.” Form inputs are a big deal since they can include things like passwords and credit card numbers. According to Meta’s response to Krause’s report, the injected script helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.

One small bonus point for Facebook and Instagram is that they offer you the option to open third-party links in another browser (use that option!), which is more than we can say for TikTok.

**TikTok**

This should not come as a surprise, given that the FCC already called TikTok an unacceptable security risk. When you open any link on the TikTok iOS app, it’s opened inside their in-app browser. There is no alternative. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click. There is no way to know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites. TikTok confirmed that those features exist in the code, but said that it is not using them.

"Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience—like checking how quickly a page loads or whether it crashes,” said spokesperson Maureen Shanahan in a statement offered to Forbes.

**Legitimate reasons**

There are some legitimate reasons for apps to use an in-app browser, but these should be limited to first party content. In which case the publisher still should offer the user the option to open the content in another browser or an explanation as to why that is not possible. Such reasons do not exist when it concerns third-party content and such content should always be opened in the browser that the user prefers to use.

**Incomplete**

The inappbrowser tool is unable to show you everything that is going on for a couple of reasons, so a green checkmark is no guarantee.

*   With iOS 14.3 (December of 2020), Apple introduced the support of running JavaScript code in the context of a specified frame and content world. JavaScript commands executed using this approach can still fully access the third party website, but can’t be detected by the website itself, like InAppBrowser.com.
*   The tool cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or tracking of web request events.

The article and the tool are focused on iOS, because the developer feels he is not knowledgeable enough to talk about the Android side of things, but you can rest assured that the apps you shouldn’t trust will be the same on either platform.

Tag

#apple