Categories: Threat Intelligence
Tags: malvertising

Tags:  Aurora stealer

Tags:  loader

Tags:  Amadey

Not all system updates mean well, and some will even trick you into installing malware.



(Read more...)




The post Fake system update drops Aurora stealer via Invalid Printer loader appeared first on Malwarebytes Labs.

Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you'd expect from Microsoft.

The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to 'patch' this loader and identified its actual payload as Aurora stealer. In this blog post, we detail our findings and how this campaign is connected to other attacks.

**A convincing "system update"**

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to a system security update.

_Figure 1: A fake system update hijacks the screen_

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

Figure 2: The 'Chrome update' downloaded from the web browser

**Fully Undetectable (FUD) malware**

While the file name appears as ChromeUpdate.exe, it uses the Cyrillic alphabet such that certain characters look similar but are different on disk. Its hex representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe as can be seen in the image below:

Figure 3: Hex encoding and Cyrillic alphabet

When we first ran the sample into a sandbox, we could not see anything obvious or that it was even malicious. The file would simply run and exit quickly. Over a couple of weeks, we collected nine different samples that looked more or less the same.

We also noticed that the threat actor was uploading each of his new builds to VirusTotal, a service owned by Google, to check if they were being detected by antivirus engines. The first user to submit each new sample always uploaded them from Turkey (country code TR) and in many instances the file name looked like it had come fresh from the compiler (i.e. build1\_enc\_s.exe).

Figure 4: User submissions to VirusTotal

While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator to quickly check if a file is malicious or not. For more than 2 weeks, the samples had 0 detection on VT and it wasn't until a blog post by Morphisec that detections started to appear. This new loader is called Invalid Printer and so far appears to have been used exclusively by this threat actor to bypass security products.

Figure 5: VirusTotal detections coincide with blog release

We actually stumbled upon Morphisec's blog thanks to Threatray which identified similarities with a file we submitted to their sandbox. The service's built-in OSINT identified similar samples and linked them with security articles. 

Figure 6: Threatray analysis page

**Patching the loader**

Invalid Printer performs a check on the computer's graphic card and specifically its vendor ID which it compares against known manufacturers such as AMD, NVidia. Virtual machines and sandboxes in general do not use real hardware and will fail to pass the check.

We were able to patch the samples we had collected and identify their payload. The patch consists of replacing the graphics card check with a random number and always returning true, therefore allowing the file to run in any sandbox.

Figure 7: Python script to patch loader

The automated malware unpacking service from OpenAnalysis UnpacMe now supports properly unpacking samples using the Invalid Printer loader. It allowed us to determine what malware family is being distributed as well as indicators of compromise. For example, one of our samples (31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same command and control server (94.142.138\[.\]218) as one mentioned in Morphisec's blog.

Figure 8: UnpacMe results page

In this specific malvertising campaign, the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.

**Campaign stats**

The threat actor is using a panel to track high level stats about visitors to the fake system update web page. Based on the numbers from this panel, there were 27,146 potential unique victims and 585 of them downloaded the malware during the past 49 days.

Figure 9: Panel showing browser visits and downloads

Figure 10: Browser user-agents, IP addresses and geolocation

**War and Russia references**

We believe there is a single threat actor behind this malvertising campaign and others such as the one Morphisec uncovered. The malware author seems to take a very high interest in creating FUD malware and constantly uploads it to VirusTotal to verify, always using the same submitter profile.

We couldn't help but notice a possible reference to the war in Ukraine left within the fake Chrome Update page and commented out:

Figure 11: Commented HTML code

Some of the websites belonging to this threat actor were not loading malware but instead had a single YouTube video promoting the cities and landscapes of Russia:

Figure 12: YouTube video about Russia in 12K HDR 

Additionally, we found some connections with tech support scams and even an Amadey panel that also appears to belong to the threat actor.

**Protection**

Malwarebytes already protected users from this malvertising campaign by blocking the malicious ads involved. We detect the payloads as Spyware.Aurora.

Special thanks to Roberto Santos for help with the sample and binary patching.

**Indicators of Compromise**

**Malvertising gate**

qqtube\[.\]ru194.58.112\[.\]173

**Fake system update page**

activessd\[.\]ru  
chistauyavoda\[.\]ru  
xxxxxxxxxxxxxxx\[.\]ru  
activehdd\[.\]ru  
oled8kultra\[.\]ru  
xhamster-18\[.\]ru  
oled8kultra\[.\]site  
activessd6\[.\]ru  
activedebian\[.\]ru  
shluhapizdec\[.\]ru  
04042023\[.\]ru  
clickaineasdfer\[.\]ru  
moskovpizda\[.\]ru  
pochelvpizdy\[.\]ru  
evatds\[.\]ru  
click7adilla\[.\]ru  
grhfgetraeg6yrt\[.\]site  
92.53.96\[.\]119

**Invalid Printer samples**

d29f4ffcc9e2164800dcf5605668bdd4298bcd6e75b58bed9c42196b4225d590  
5a07e02aec263f0c3e3a958f2b3c3d65a55240e5da30bbe77c60dba49d953b2c  
193cec31ea298103fe55164ff6270a2adf70248b3a4d05127414d6981f72cef4  
dac1bd40799564288bf55874543196c4ef6265d89e3228864be4d475258b9062  
40b8acc3560ac0e1825755b3b05ef01c46bdbd184f35a15d0dc84ab44fa99061  
31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434  
398faa3aab8cce7a12e3e3f698bc29514c5b10a4369cc386421913e31f95cfdc  
93b9199ca9e1ee0afbe7cf6acccedd39f37f2dd603a3b1ea05084ab29ff79df7  
4c80bd604ae430864c507d723c6a8c66f4f5e9ba246983c833870d05219bd3e5

**Aurora Stealer C2**

103.195.103\[.\]54:443  
94.142.138\[.\]218:4561

**Amadey Stealer panel**

193.233.20\[.\]29/games/category/Login.php

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Fake system update drops Aurora stealer via Invalid Printer loader

By Deeba Ahmed
The first-ever browser security survey of CISOs’ security practices reveals CISOs' struggles, displeasure with current security solutions and cloud concerns.
This is a post from HackRead.com Read the original post: LayerX’s Browser Security Survey Reveals: 87% of SaaS Adopters Exposed to Browser-borne Attacks in the Past Year

While the massive shift to SaaS apps has begun more than a decade ago, CISOs are still struggling to address the security debt they incurred. Threats like phishing and account takeover pose alarming risks, with most organizations having been attacked in the past year. Yet, existing network-based solutions like firewalls, proxies and  CASBs, fail to deliver the protection the SaaS environment requires. 

Critical gaps in existing solutions’ capabilities, security architecture that doesn’t recognize the browser as a prominent, standalone attack surface, as well as low resilience to web-borne threats, are among the findings of a new global survey just released by LayerX.

150 CISOs across multiple geographies and verticals were polled about their security practices across various disciplines that ultimately come down to securing users, data, and applications within the browser: secure SaaS access, SaaS security and data protection, BYOD, phishing protection, and browser security posture. 

Respondents’ answers were classified according to their architecture: all-SaaS, hybrid, and mostly on-prem, showing how the relative importance of the browser increases with respect to the level of the organization’s SaaS adoption.   

The main findings include:

*   **Organizations in the cloud are exposed to web-borne attacks.** 87% of all-SaaS adopters and 79% of CISOs in a hybrid environment experienced a web-borne security threat in the past 12 months.
*   **Account takeover is a top concern.** 48% list credential phishing as the riskiest browser threat. Followed by malicious browser extensions (37%), malware download (9%), and browser vulnerabilities (6%).
*   **Unsanctioned apps and shadow identities are perceived as unaddressed security gaps.** 95% of organizations have a coverage level of 50% or less for unsanctioned apps.
*   **Most organizations employ at least two security measures to combat phishing attacks.** 79% employ network security tools, like firewalls and SWGs.
*   **Both all-SaaS and hybrid organizations use network solutions to block phishing, but realize this is not an efficient strategy.** 80% have a coverage level of 50% or less.

  
Incidentally, browser security controls are not perceived as efficient enough, with more than half rating them as efficient to “Some extent”. Luckily, there is a healthy trend towards investing in a browser security solution. Most are leaning towards a browser security solution that can be deployed with commercial browsers that are already in use.

“This is the first time such an all-encompassing survey has been conducted about browser security,” said Or Eshed, CEO of LayerX. “With the browser being the key work interface in the modern environment, our hope is that these survey results help CISOs address web-borne threats and mitigate SaaS-related risks.”

Download the full browser security survey here.

****About LayerX****

LayerX Browser Security Platform was purpose-built to monitor, analyze, and protect against web-borne cyber threats and data risks. Delivered as an enterprise browser extension, LayerX natively integrates with any browser, transforming it into the most secure and manageable workspace – while maintaining a top user experience.

Using LayerX, organizations gain comprehensive protection against all browsing risks and threats that either target the browser directly or attempt to utilize it as a bridge to the organization’s devices, apps, and data.

Led by seasoned veterans of IDF cyber units and the cybersecurity industry, LayerX is reshaping the way cybersecurity is practised and managed by making the browser a key pillar in enterprise cybersecurity. To learn more about LayerX, visit: https://layerxsecurity.com/ 

1.  Vivaldi Integrates Mastodon Into its Web Browser
2.  New Crypto Stealer Hits Chromium-Based Browsers
3.  Mullvad VPN and Tor Project Release Mullvad Browser
4.  ProtonVPN extensions for Chrome and Firefox browsers
5.  Trust Wallet Launches Browser Extension Wallet for Desktop

LayerX’s Browser Security Survey Reveals: 87% of SaaS Adopters Exposed to Browser-borne Attacks in the Past Year

Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.

2 changes: 1 addition & 1 deletion packages/browser-client/package.json

Expand Up

@@ -32,7 +32,7 @@

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-chrome-pdf": "3.3.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@rollup/plugin-commonjs": "21.0.0",

"@rollup/plugin-node-resolve": "13.0.5",

Expand Down

2 changes: 1 addition & 1 deletion packages/compile/package.json

Expand Up

@@ -39,7 +39,7 @@

},

"devDependencies": {

"@jsreport/jsreport-cli": "3.2.3",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"fs-extra": "2.1.2",

"mocha": "3.2.0",

"should": "11.2.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-assets/package.json

Expand Up

@@ -41,7 +41,7 @@

"strip-bom-buf": "2.0.0"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-authentication/package.json

Expand Up

@@ -41,7 +41,7 @@

"password-hash": "1.2.2"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/studio-dev": "3.2.1",

"express": "4.18.2",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-authorization/package.json

Expand Up

@@ -34,7 +34,7 @@

},

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-fs-store": "3.2.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.2.0",

Expand Down

4 changes: 2 additions & 2 deletions packages/jsreport-azure-storage/package.json

Expand Up

@@ -25,7 +25,7 @@

"@azure/storage-blob": "12.5.0"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "8.3.2",

"should": "13.2.3",

"standard": "16.0.4"

Expand All

@@ -39,4 +39,4 @@

"node": true

}

}

}

}

2 changes: 1 addition & 1 deletion packages/jsreport-base/package.json

Expand Up

@@ -26,7 +26,7 @@

},

"dependencies": {},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "5.1.1",

"should": "13.2.1",

"standard": "16.0.4"

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-browser-client/package.json

Expand Up

@@ -33,7 +33,7 @@

},

"devDependencies": {

"@jsreport/studio-dev": "3.2.1",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-handlebars": "3.2.1",

"mocha": "9.1.2",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-child-templates/package.json

Expand Up

@@ -30,7 +30,7 @@

"node.extend.without.arrays": "1.1.6"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",

"handlebars": "4.7.7",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-chrome-pdf/package.json

Expand Up

@@ -31,7 +31,7 @@

"lodash.get": "4.4.2"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-cli/package.json

Expand Up

@@ -71,7 +71,7 @@

},

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-fs-store": "3.2.4",

"@jsreport/jsreport-handlebars": "3.2.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-components/package.json

Expand Up

@@ -35,7 +35,7 @@

},

"devDependencies": {

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",

"@jsreport/studio-dev": "3.2.1",

Expand Down

11 changes: 11 additions & 0 deletions packages/jsreport-core/README.md

  

Expand Up

@@ -282,6 +282,17 @@ jsreport.documentStore.collection('templates')

\## Changelog

\### 3.11.4

\- update unset-value to fix security issue

\### 3.11.3

\- update vm2 to fix security issue

\- automatically disable full profiling after some time to avoid performance degradation

\- improvements to full profile serialization (prevent blocking)

\- fix profiles cleaning and calculate timeout in beforeRender

\### 3.11.2

\- add \`options.onReqReady\` to be able to receive the parsed req values

Expand Down

4 changes: 2 additions & 2 deletions packages/jsreport-core/package.json

@@ -1,6 +1,6 @@

{

"name": "@jsreport/jsreport-core",

"version": "3.11.2",

"version": "3.11.4",

"description": "javascript based business reporting",

"keywords": \[

"report",

Expand Down Expand Up

@@ -69,7 +69,7 @@

"serializator": "1.0.2",

"stack-trace": "0.0.10",

"triple-beam": "1.3.0",

"unset-value": "1.0.0",

"unset-value": "2.0.1",

"uuid": "8.3.2",

"vm2": "3.9.17",

"winston": "3.8.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-data/package.json

Expand Up

@@ -29,7 +29,7 @@

},

"dependencies": {},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-docker-workers/package.json

Expand Up

@@ -29,7 +29,7 @@

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-chrome-pdf": "3.3.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-fs-store": "3.2.4",

"@jsreport/jsreport-handlebars": "3.2.1",

Expand Down

4 changes: 4 additions & 0 deletions packages/jsreport-docx/README.md

  

Expand Up

@@ -7,6 +7,10 @@ See the documentation https://jsreport.net/learn/docx

  

## Changelog

  

### 3.7.1

  

\- fix docx rendering with handlebars partials

  

### 3.7.0

  

\- fix \`template.docx.templateAsset\` from payload not overwriting the \`template.docx.templateAssetShortid\`

Expand Down

4 changes: 2 additions & 2 deletions packages/jsreport-docx/package.json

@@ -1,6 +1,6 @@

{

"name": "@jsreport/jsreport-docx",

"version": "3.7.0",

"version": "3.7.1",

"description": "jsreport recipe rendering docx files",

"keywords": \[

"jsreport",

Expand Down Expand Up

@@ -51,7 +51,7 @@

},

"devDependencies": {

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-docxtemplater/package.json

Expand Up

@@ -38,7 +38,7 @@

},

"devDependencies": {

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "6.1.4",

"should": "13.2.3",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-ejs/package.json

Expand Up

@@ -34,7 +34,7 @@

"node.extend.without.arrays": "1.1.6"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.2.0",

"should": "13.2.3",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-electron-pdf/package.json

Expand Up

@@ -32,7 +32,7 @@

"stream-to-array": "2.3.0"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"in-publish": "2.0.1",

"mocha": "8.3.2",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-express/package.json

Expand Up

@@ -40,7 +40,7 @@

"yauzl": "2.10.0"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-jsrender": "3.0.0",

"@jsreport/jsreport-scripts": "3.4.1",

"@jsreport/studio-dev": "3.2.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-freeze/package.json

Expand Up

@@ -28,7 +28,7 @@

},

"dependencies": {},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.0.5",

"should": "13.2.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-fs-store/package.json

Expand Up

@@ -41,7 +41,7 @@

"socket.io": "4.5.4"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/studio-dev": "3.2.1",

"del": "6.0.0",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-handlebars/package.json

Expand Up

@@ -24,7 +24,7 @@

"test": "mocha test --timeout=5000 && standard"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",

"mocha": "5.0.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-html-embedded-in-docx/package.json

Expand Up

@@ -30,7 +30,7 @@

"node.extend.without.arrays": "1.1.6"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "6.1.4",

"should": "13.2.3",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-html-to-text/package.json

Expand Up

@@ -34,7 +34,7 @@

"node.extend.without.arrays": "1.1.6"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "8.2.1",

"should": "13.2.3",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-html-to-xlsx/package.json

Expand Up

@@ -43,7 +43,7 @@

"phantom-page-eval": "2.0.1"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-import-export/package.json

Expand Up

@@ -44,7 +44,7 @@

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-authorization": "3.3.0",

"@jsreport/jsreport-cli": "3.2.3",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-data": "3.1.0",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-fs-store": "3.2.4",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-jsrender/package.json

Expand Up

@@ -25,7 +25,7 @@

"jsrender": "1.0.11"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "5.0.1",

"should": "13.2.1",

"standard": "16.0.4"

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-licensing/package.json

Expand Up

@@ -29,7 +29,7 @@

"axios": "0.23.0"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "7.2.0",

"should": "13.2.3",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-localization/package.json

Expand Up

@@ -34,7 +34,7 @@

"devDependencies": {

"handlebars": "4.7.7",

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-components": "3.3.0",

"@jsreport/jsreport-child-templates": "3.1.0",

"@jsreport/jsreport-handlebars": "3.2.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-mongodb-store/package.json

Expand Up

@@ -26,7 +26,7 @@

"mongodb": "5.1.0"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"cross-env": "6.0.3",

"mocha": "5.2.0",

"should": "13.2.3",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-mssql-store/package.json

Expand Up

@@ -23,7 +23,7 @@

"semaphore-async-await": "1.5.1"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "8.3.2",

"should": "13.2.3",

"standard": "16.0.4"

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-npm/package.json

Expand Up

@@ -27,7 +27,7 @@

"enhanced-resolve": "5.8.3"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"mocha": "9.0.3",

"moment": "2.29.4",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-office-password/package.json

Expand Up

@@ -40,7 +40,7 @@

"xlsx-populate": "1.21.0"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-html-to-xlsx": "3.3.1",

"@jsreport/studio-dev": "3.2.1",

"mocha": "7.0.0",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-oracle-store/package.json

Expand Up

@@ -21,7 +21,7 @@

"@jsreport/sql-store": "3.1.1"

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "8.3.2",

"should": "13.2.3",

"standard": "16.0.4"

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-pdf-utils/package.json

Expand Up

@@ -45,7 +45,7 @@

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-child-templates": "3.1.0",

"@jsreport/jsreport-chrome-pdf": "3.3.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",

"@jsreport/jsreport-scripts": "3.4.1",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-phantom-image/package.json

Expand Up

@@ -35,7 +35,7 @@

},

"author": "Jan Blaha",

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.0.5",

"should": "13.2.3",

Expand Down

2 changes: 1 addition & 1 deletion packages/jsreport-phantom-pdf/package.json

Expand Up

@@ -25,7 +25,7 @@

},

"author": "Jan Blaha",

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.2.0",

"phantomjs-exact-2-1-1": "0.1.0",

Expand Down

CVE-2023-2583: release extensions 3.11.3 · jsreport/jsreport@afaff38

Open redirect vulnerability in typecho 1.1-17.10.30-release via the referer parameter to Login.php.

**1\. 该问题的重现步骤是什么？**

Typecho latest version url jump vulnerability after login  
code:

    admin > Login.php
    public function action()
    {
        // protect
        $this->security->protect();
    
        /** 如果已经登录 */
        if ($this->user->hasLogin()) {
            /** 直接返回 */
            $this->response->redirect($this->options->index);
    

Typecho first determines whether the user has logged in. If it has already logged in, it directly calls the redirect () function to redirect to the home page. This jump is mainly used to determine the user's status.  
typecho首先判断用户是否已经登录，如果已经登录，则直接调用redirect()函数重定向至首页，这个跳转主要用于判断用户的状态。

    admin > Login.php
    if (NULL != $this->request->referer) {
        $this->response->redirect($this->request->referer);
    } else if (!$this->user->pass('contributor', true)) {
        /** 不允许普通用户直接跳转后台 */
        $this->response->redirect($this->options->profileUrl);
    } else {
        $this->response->redirect($this->options->adminUrl);
    }
    

If there is no login, first verify whether the user's identity is correct, if the address of the referer is not empty, then call the redirect () function to redirect through the referer parameter, the referer parameter can be controlled  
如果没有登录，则首先校验用户的身份是否正确，如果referer的地址不为空，则调用redirect()函数通过referer的参数进行重定向，referer参数可控

Follow up: redirect () function, which defines two parameters, of which the default is not permanent redirect  
跟进：redirect()函数，该函数定义了两个参数，其中默认不为永久重定向

    // Response.php 
     public function redirect($location, $isPermanently = false)
    {
        /** Typecho_Common */
        $location = Typecho_Common::safeUrl($location);
    
        if ($isPermanently) {
            header('Location: ' . $location, false, 301);
            exit;
        } else {
            header('Location: ' . $location, false, 302);
            exit;
        }
    }
    

After the referer's address is passed to the redirect () function, it will first call Typecho\_Common> static method safeUrl () to check the url, and finally determine whether to use permanent or temporary redirection according to the status of isPermanently  
referer的地址传递到redirect()函数中以后，首先会调用Typecho\_Common > 静态方法safeUrl()对url进行检查，最后根据isPermanently的状态，判断使用永久重定向还是临时重定向

Follow up: /var/Typecho/Common.php  
跟进：/var/Typecho/Common.php

    public static function safeUrl($url)
    {
        //~ 针对location的xss过滤, 因为其特殊性无法使用removeXSS函数
        //~ fix issue 66
        $params = parse_url(str_replace(array("\r", "\n", "\t", ' '), '', $url));
    
        /** 禁止非法的协议跳转 */
        if (isset($params['scheme'])) {
            if (!in_array($params['scheme'], array('http', 'https'))) {
                return '/';
            }
        }
    
        /** 过滤解析串 */
        $params = array_map(array('Typecho_Common', '__removeUrlXss'), $params);
        return self::buildUrl($params);
    }
    

Use safe\_rl to replace string in str\_replace (), replace all characters in array () list with empty string, and then parse the address of referer by calling parse\_url () function: scheme, host, port, path, etc Array to $ params variable  
Next, determine whether the protocol name is empty. If the source address is not the URL of the http protocol and https protocol, return the "/" path directly  
safeUrl内使用str\_replace()进行字符串替换，将array()列表中的所有字符替换为空字符串，然后通过调用parse\_url()函数对referer的地址进行解析：scheme，host，port，path等返回一个数组到$params变量  
接着判断，协议名称是否为空，如果来源地址不是http协议与https协议的url则直接返回 “/”路径

    /**
     * 根据parse_url的结果重新组合url
     *
     * @access public
     * @param array $params 解析后的参数
     * @return string
     */
    public static function buildUrl($params)
    {
        return (isset($params['scheme']) ? $params['scheme'] . '://' : NULL)  // 如果已经设置了协议名称，则默认在协议后面拼接''://'，否则为空
        . (isset($params['user']) ? $params['user'] . (isset($params['pass']) ? ':' . $params['pass'] : NULL) . '@' : NULL)
        . (isset($params['host']) ? $params['host'] : NULL) // 如果已经设置了主机名，则使用host参数
        . (isset($params['port']) ? ':' . $params['port'] : NULL) // 如果已经设置了端口，则默认在端口后面拼接":"，否则为空
        . (isset($params['path']) ? $params['path'] : NULL) // 如果已经设置了路径，则使用path参数
        . (isset($params['query']) ? '?' . $params['query'] : NULL) // 如果已经设置了查询，则默认在query前拼接'？' 
        . (isset($params['fragment']) ? '#' . $params['fragment'] : NULL); 如果已经设置了分段，则默认在分段前拼接''#' 
    }
    

The formatted URLs are recombined and finally returned  
格式化以后的url进行重新组合，最后返回

    /**
     * 将url中的非法xss去掉时的数组回调过滤函数
     *
     * @access private
     * @param string $string 需要过滤的字符串
     * @return string
     */
    public static function __removeUrlXss($string)
    {
        $string = str_replace(array('%0d', '%0a'), '', strip_tags($string)); // 使用strip_tags()函数，强制过滤html代码，然后使用str_replace()函数将%0d,%0a（回车，换行）字符替换为空
        return preg_replace(array(
            "/$\s*(\"|')/i",           //函数开头
            "/(\"|')\s*$/i",           //函数结尾
        ), '', $string);
    }
    

poc:

    http://127.0.0.1/admin/login.php?referer=http://www.baidu.com
    

登录前：  
  
登录后跳转：  

response：

    HTTP/1.1 302 Found
    Date: Wed, 29 Apr 2020 07:37:06 GMT
    Server: Apache/2.4.41 (Debian)
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_uid=1; path=/
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_authCode=%24T%24VThLGyoLF07ae80963105613a00721934cce56d0a; path=/
    Location: http://www.baidu.com
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
    

**2\. 你期待的结果是什么？实际看到的又是什么？**

1.typecho首先判断用户登录状态  
2.如果已经登录则返回主页  
3.如果没有登录则先判断用户帐号密码是否正确，然后判断referer的来源是否为空  
4.如果不为空则调用redirect()函数进行重定向，location参数可控，即用户的referer的请求来源，恶意的攻击者可利用登录后的重定向将用户引诱至一个恶意的钓鱼页面。并且可以通过注册相似域名提高信任度，只需要将注册好的域名安装typecho，将用户重定向至自己本域的登录地址，然后通过查看本地的登录日志即可获取其他管理用户的帐号密码。  
5.rediect() > Typecho\_Common::safeUrl()函数对referer的参数进行过滤及校验协议是否为http/https  
6.rediect() > self::buildUrl()函数根据parse\_url的结果重新组合url  
7.redirect()根据isPermanently参数进行301/302跳转

修复方案：  
1.校验用户登录以后的referer地址为本域  
2.并且只允许本域内进行跳转

**3\. 问题出现的环境**

*   操作系统版本：Linux kali 5.3.0-kali2-amd64 70,能整一个 todolist 么？ #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86\_64 GNU/Linux
*   Apache/NGINX 版本：Server version: Apache/2.4.41 (Debian)，Server built: 2019-08-14T04:42:29
*   数据库版本：mariadb Ver 15.1 Distrib 10.3.20-MariaDB, for debian-linux-gnu (x86\_64) using readline 5.2
*   PHP 版本：PHP 7.3.10-1+b1 (cli) (built: Oct 13 2019 23:50:57) ( NTS )  
    Copyright (c) 1997-2018 The PHP Group  
    Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies  
    with Zend OPcache v7.3.10-1+b1, Copyright (c) 1999-2018, by Zend Technologies
*   Typecho 版本：1.1-17.10.30-release
*   浏览器版本：Chromium 81.0.4044.92 built on Debian bullseye/sid, running on Debian kali-rolling  
    \[//\]: # (如有图片请附上截图)

CVE-2020-21038: typecho登录后的url重定向漏洞 | Typecho latest version url jump vulnerability after login · Issue #952 · typecho/typecho

A  few simple tools can help filter out most Twitter Blue users (but still see the ones you like).

I'm not here to judge anyone who pays for Twitter Blue. However, I'm not a fan of pay-to-win mechanics. At this point, Twitter is a game where players compete for the most attention; Twitter Blue is overpowered DLC. If you buy a subscription, your tweets are shown at the top of comment threads and prioritized in other contexts, including the “For You” page. This makes Blue the social media equivalent of paying for unlimited ammo or improved body armor, regardless of who you are or whether what you have to say is worth promoting.

It also makes Twitter really annoying to use. No one wants to play with the people who are paying to win. That's why there's so much mockery of, and desire to avoid, Twitter Blue users.

Granted, there are plenty of reasons why longtime Twitter power users—in particular, public figures or people who historically have trouble with impersonators—might pay for Twitter Blue. No one wants to lose an audience they worked hard to build, and Twitter has the right to monetize itself however it likes. You also have the right to consume (or not consume) the social media you choose.

All the same, it can't be denied that a lot of really annoying posts from Twitter Blue users with low follower counts show up in all kinds of contexts. If you don't want to see those posts, I don't blame you, and here's how you can filter them all out:

Blue Lite Blocker

Twitter via Justin Pot

BlueLiteBlocker is a free, open-source browser extension for Chrome and Firefox that can filter comments from Twitter Blue subscribers out of your Twitter timeline. You can install the extension and then use Twitter the way you normally do. All comments from Twitter Blue users will be obscured—you can click “View” if you are absolutely certain you want to see them.

Unlike some extensions (BluesBlocker, for example, or Twitter Blue Blocker), Blue Lite Blocker doesn't affect anyone that you actively follow, meaning it won't accidentally filter out your friends. The extension also allows you to still see the tweets from Twitter Blue users that have a certain number of followers—the default threshold is 100,000, but you can set it to whatever you want.

Twitter via Justin Pot

These two features make Blue Lite Blocker the perfect compromise. It filters out the annoying Twitter Blue users while not affecting the people you care about and the public figures whose posts you might want to see. If there's a Twitter Blue user with a lot of followers who you don't want to see, you can block or mute them manually.

Other Workarounds to Clean Up Twitter

Blue Lite Blocker isn't a perfect solution. It requires a browser extension, which not everyone is going to like, and it doesn’t help on mobile (not that there’s much help on mobile anyway). There are a few alternatives, though.

Twitter via Justin Pot

The first is to make sure you're using the Following tab instead of For You. This tab is just tweets from the people you follow, so it doesn't artificially favor Twitter Blue subscribers. You could also try blocking all retweets if you want to clean things up a little more.

If that's not enough, you could try TweetDeck, the power user's version of Twitter. This tool doesn't have a For You page or any algorithmic sorting, meaning Twitter Blue users aren't artificially boosted on it. TweetDeck is the one part of Twitter that's completely untouched by the recent changes there, and I hope this doesn't change. (So please, no one tell Elon Musk that TweetDeck still exists.)

Another cool extension, if you miss seeing legacy checkmarks, is Eight Dollars. Right now blue checkmarks only show up if someone is paying for Blue, meaning most people who had a checkmark prior to April 20, 2023 no longer have one. Eight Dollars can show you which users were verified before legacy verified checkmarks were removed, which is useful if you trusted the old system.

There's a cat and mouse element to all of this, of course. Twitter's current regime really, really wants to turn Blue checkmarks into sellable status symbols and any tool that diminishes the visibility of Blue subscribers cuts against that goal. They're going to try to find a way to break this, and all similar, tools. For now, though, they work—use them while you can. 

Or you could just abandon your Twitter account, set up a public archive of your tweets, and learn how to get started on Mastodon or Bluesky. Up to you.

Your Twitter Feed Sucks Now. These Free Add-Ons Can Help

Categories: News
Tags: Chrome

Tags:  Windows

Tags:  Edge

Tags:  browser

Tags:  update

Tags:  Microsoft

Tags:  default

Tags:  install

We take a look at trouble brewing in browser land after a controversial Windows update leaves Chrome fans without a useful feature.



(Read more...)




The post Microsoft vs Google spat sees users rolling back security updates to fix browser issues appeared first on Malwarebytes Labs.

We like to imagine we’re in total control of our desktop experience, carefully curated to look and work the way we want it to. However, every so often a story comes along which reminds us how little control we have when the big players notice one another's existence. A recent Windows update really wants you to use Edge instead of rival browsers, to the extent that some features in those rival browsers are breaking.

A lot of people will only ever use Microsoft's default Edge browser to download another browser they'd rather use. Last year, Chrome made some changes to how you go about making it your default browser, after you've downloaded it with Edge. One "Default" button to press, and boom…your default browser is set to Chrome without having to dig around in your system settings.

This is how things should work, and for a while they did! As Gizmodo notes, this was not to be the case for long.

Microsoft released update KB5025221 last month, and users of Chrome quickly began to flag peculiar experiences. From a Reddit user:

> If Chrome is set as the default browser, clicking on the link shortcut will open the link in chrome, but also open the Windows settings on the default apps. Anyone know where this behaviour comes from? It doesn't happen if we change the default browser to Edge.

Elsewhere, we have a thread about how someone’s 600 business devices all exhibit the same behaviour:

> Opening chrome causes default app settings to open each and every time. After today's cumulative update for Windows 10 and 11, 2023-04, every time I open Chrome the default app settings of windows will open. I've tried many ways to resolve this without luck. This is happening to all 600 systems with the update. Removing the update makes the issue go away. Anyone else having this issue? This does not occur when opening edge or brave browser, only Chrome for us.

A quick glance at the replies illustrates that Todd isn’t the only one impacted, as well as presenting the solution:

> Good morning Todd, We're having the same issue through our organization as well. We're on Windows 10 machines and pushed updates the last couple days. Many machines here seeing the issue. We may have just found a fix. Remove the Security Update KB5025221 and restart, this removes the problem. Looks to have fixed several machines just these last few minutes. May need to block KB5025221 until it's reissued.

Yes, to prevent this behaviour you had to make a decision on removing cumulative security updates. What did KB5025221 offer users? That would be fixes for no fewer than “ten issues that could lead to crashes, compatibility problems, and bugs in the operating system”. Would people really want to gamble by removing such a thing in order to prevent the aggravating system popups when opening Chrome?

It seems not, looking at the various replies to threads on this posted to Reddit and elsewhere. Informing users of the reason for the popups was the more sensible course of action on display. Even so, the mere possibility of people considering removing security updates to fix browser wars (intentional or otherwise) is a terrible position to find yourself in. Even without having to decide what to keep or remove because competing programs on your desktop may be having a fist fight, there are other aspects at play.

Way back in 2004, adware giants Direct Revenue went head to head in a court of law with ad company Avenue Media. The spectacularly named article “Adware cannibals feast on each other” describes how adware vendors thirsty for profit battled for desktop supremacy. The infamous Direct Revenue was accused of detecting the presence of rivals and attempting to uninstall them from PCs. This involved killing a competitor’s program and deleting registry entries to prevent it coming back to life. Indeed, from the Direct Revenue user agreement:

> You further understand and agree, by installing the software, that the software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer.

Considering just one Direct Revenue product like Aurora could make a system keel over, the last thing you’d want is half a dozen competing products all playing whack-a-mole with registry entries and who knows what else.

This is, of course, an extreme example from a very extreme time. Aggravating system popups and browser frustrations are not on the same level. Pondering update rollbacks, however, could direct us to such a place by means of another route. It’s to everyone’s benefit if these battles _don’t_ spark the digital touch paper.

For now, Chrome’s default button has been removed as a result of this most recent Windows update. All this, on top of aggravating pop up messages, space hogging adverts, and overly complicated user actions being required just to make a decision. We’ll have to wait and see what happens next in the battle of the browsers. It’s not quite at the “whoever wins, we lose” stage but it’s hard to argue a case where any of this benefits the people using these products.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Microsoft vs Google spat sees users rolling back security updates to fix browser issues

An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.
"The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher

Advanced Persistent Threat

An advanced persistent threat (APT) actor known as **Dragon Breath** has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.

"The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos said.

"The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload."

Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram.

A subsequent campaign detailed by the Chinese cybersecurity company in May 2022 highlighted the continued use of Telegram installers as a lure to deploy additional payloads such as gh0st RAT.

Dragon Breath is also said to be part of a larger entity called Miuuti Group, with the adversary characterized as a "Chinese-speaking" entity targeting the online gaming and gambling industries, joining the likes of other Chinese activity clusters like Dragon Castling, Dragon Dance, and Earth Berberoka.

The double-dip DLL side-loading strategy, per Sophos, has been leveraged in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. These attempted intrusions were ultimately unsuccessful.

The initial vector is a fake website hosting an installer for Telegram that, when opened, creates a desktop shortcut that's designed to load malicious components behind the scenes upon launch, while also displaying to the victim the Telegram app user interface.

What's more, the adversary is believed to have created multiple variations of the scheme in which tampered installers for other apps, such as LetsVPN and WhatsApp, are used to initiate the attack chain.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The next stage involves the use of a second clean application as an intermediate to avoid detection and load the final payload via a malicious DLL.

The payload functions as a backdoor capable of downloading and executing files, clearing event logs, extracting and setting clipboard content, running arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.

"DLL sideloading, first identified in Windows products in 2010 but prevalent across multiple platforms, continues to be an effective and appealing tactic for threat actors," Szappanos said.

"This double-clean-app technique employed by the Dragon Breath group, targeting a user sector (online gambling) that has traditionally been less scrutinized by security researchers, represents the continued vitality of this approach."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE-2023-29354

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-29350

Debian Linux Security Advisory 5398-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5398-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 04, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2459 CVE-2023-2460 CVE-2023-2461 CVE-2023-2462                  CVE-2023-2463 CVE-2023-2464 CVE-2023-2465 CVE-2023-2466                  CVE-2023-2467 CVE-2023-2468Debian Bug     : 992178 1031352Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 113.0.5672.63-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRUCKIACgkQEMKTtsN8TjbOCg/7BvJxNQVuHLPhC7gcECOh0c9kCZf8bXzsLubVAsoA5t7dj/v8s9KYvXbwYzopwZcIshx5r4B0S59bfTGNEq60mjdaPDMc4seUh9Tb7ubE6CZxPCqNyuOKE72LZFpLxymyknSS/E6yxUh4CeM5jcf5F9fmtnrPXM+WiXRwMU2KiPVBuyleGEL1Om1b3tD6u67fFBoffP+VdvLdxo42GOBSiaqAVenS00wygli1qisU6i7mifQX5uc1qnImDhQ1LLajrNCdvIL3ILYpuimYzfWTqWz+UIVvTotaCk8FuxP9/LjAS2Rdk40PL8rhxS09eSpMb49WSi3rPzfGkkzwjPk/7rkCX/zB2n3gxn6m4fnOP9tjmQxSQmIot0xW1HjLT+0GIg2lHNrsRemuArLfqqgw3b3Widv6k8nC+2JN05yFEgNDnhZes9YXESMm6yGkbQXQZv6cCY6VKxPeQpXh2IWdK1K32R1I+faJmvL+mj1GAqCFzSGn0QH/vYinQ5nmvK1oh7SZuHWw2uIyqBwHVIz+D7PNjjd73kxXew8nt5WmPvziD0hsFBxsv3q/rn26QRSlcCqMkT6vdQAlI3vvYyd27njQqbkuKnIpiU1DqWkvqoaQ4dvqhf4QN1nteH75B6w+Mln1NDll/aCb4DvglNq1t7vwLrwF/1V7cvDmmTLd0zA==Mdwu-----END PGP SIGNATURE-----

Tag

#chrome