### Impact

There is a vulnerability in [Go when parsing the HTTP headers](https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8/m/OV40vnafAwAJ), which impacts Traefik.
HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service.

### References

- [CVE-2023-24534](https://www.cve.org/CVERecord?id=CVE-2023-24534)

### Patches
- https://github.com/traefik/traefik/releases/tag/v2.9.10
- https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2

### Workarounds

No workaround.

### For more information

If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).


**Traefik HTTP header parsing could cause a denial of service**

High severity GitHub Reviewed Published Apr 11, 2023 in traefik/traefik • Updated Apr 11, 2023

GHSA-7hj9-rv74-5g92: Traefik HTTP header parsing could cause a denial of service 

Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS.

Title: Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS)  
Advisory ID: ZSL-2023-5770  
Type: Local  
Impact: DoS  
Risk: (3/5)  
Release Date: 11.04.2023

**Summary**

Google Chrome browser is a free web browser used for accessing the internet and running web-based applications. The Google Chrome browser is based on the open source Chromium web browser project. Google released Chrome in 2008 and issues several updates a year.

**Description**

Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS.

**Vendor**

Google LLC - https://www.google.com

**Affected Version**

111.0.5563.64 (Official Build) (x86\_64)  
110.0.5481.100 (Official Build) (x86\_64)  
108.0.5359.124 (Official Build) (x86\_64)  
108.0.5359.98 (Official Build) (x86\_64)

**Tested On**

macOS 12.6.1 (Monterey)  
macOS 13.3.1 (Ventura)

**Vendor Status**

\[08.12.2022\] Vulnerability discovered.  
\[13.12.2022\] Contact with the vendor, ticket 1400682 created.  
\[13.12.2022\] Vendor begins investigation.  
\[10.04.2023\] Vendor releases version 112.0.5615.49 to address this issue.  
\[11.04.2023\] Public security advisory released.

**PoC**

google\_chrome\_oom.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://bugs.chromium.org/p/chromium/issues/detail?id=1400682  
\[2\] https://chromium-review.googlesource.com/c/chromium/src/+/3861171

**Changelog**

\[11.04.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS)

The campaign shrouds the commodity infostealer in OpenAI files in a play that aims to take advantage of the growing public interest in AI-based chatbots.

Cybercriminals are posting what appear to be legitimate sponsored ads on hijacked Facebook business and community pages, which promise free downloads of AI chatbots such as ChatGPT and Google Bard. Instead, users download the well-known, info-stealing malware called RedLine Stealer, the researchers have found.

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment-card details, as well as taking a system inventory to assess the attack surface for performing further attacks. It also can perform other malicious functions besides just info stealing, such as uploading and downloading files, and executing commands. This gives attackers, even with limited sophistication, various options for performing a range of cyberattacks, researchers at Veriti said.

They spotted the recent campaign in January, which aims to take advantage of the growing popularity of emerging AI platforms, according to a report published April 11. The researchers then followed the campaign through its peak in March.

"These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files," Veriti researchers wrote in the report. "However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user's device."

The commodity malware is an inspired choice for the campaign considering it costs only $100 to $150 to buy it on the Dark Web, which gives attackers a significant return on investment (ROI) for their cybercriminal activity, the researchers said.

"In addition, by exploiting Facebook business accounts and their exposed passwords, the attackers were able to target a vast number of users and potentially gain access to sensitive information at a relatively low cost," the Veriti research team tells Dark Reading.

**Dangers of Trojanized AI Apps **

Soon after the AI-based chatbot ChatGPT came on the scene in November, the chatter began about the various ways attackers can exploit it for malicious purposes. While some believe that this threat is being overhyped, the RedLine campaign could be a sign of more related attacks on the horizon.

Rather than taking advantage of AI-based capabilities of the chatbots themselves, the attackers here take advantage of recent developments in the ability to package the AI in various forms, opening the door for creating trojanized downloads. 

"One of the most concerning risks associated with generative AI platforms is the ability to package the AI in a file (e.g., as mobile applications or as open source), which creates the perfect excuse for malicious actors to trick naïve downloaders," the researchers explained. 

The attackers in this case package RedLine Stealer into an OpenAI or Google Bard downloadable file, leading unsuspecting users to download the malware instead of the promised AI app that lured them to click on the post, the researchers said.

"The potential impact of such attacks is significant, as hackers could steal confidential data, compromise financial accounts, or even disrupt critical infrastructure," they wrote in the report. "Moreover, these attacks are becoming more sophisticated, making detecting and preventing them harder."

Dozens of Facebook business accounts in at least 10 countries already have been hijacked for the purpose of distributing RedLine Stealer through the malicious posts, the researchers said. Greece is the country where attackers reach the highest number of Facebook users, followed by India, the US, Mexico, and Bangladesh, according to the report.

However, the bulk of the campaign's "top attacks" took place in the US, where 77% of them occurred, according to the report. The country with the next-highest percentage of top attacks was Canada, with 9%, followed by Mexico (6%), India (4%), and Portugal (2%).

**Protecting the Enterprise From Malicious Downloads**

Veriti recommends a "comprehensive approach to cybersecurity" that includes educating employees on the risk of downloading and opening files from unknown sources, alongside "robust security configurations" to help avoid compromising enterprise systems if users inadvertently install an infostealer, such as Redline, on a corporate desktop.

One of the first steps organizations can take is to limit the download of executables and enforce strict policies that require sandboxing every executable before it is downloaded, the researchers said. "This can significantly reduce the risk of malicious files infecting a system," they tell Dark Reading.

Additionally, disabling data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can cause any damage, the researchers said.

However, researchers note that any measures to educate employees or set policies around files downloaded from the Internet "should complement an organization's existing cybersecurity protections, such as firewalls, intrusion detection and prevention systems, and regular security updates."

The team adds, "Organizations can significantly reduce the likelihood of a successful attack by implementing these best practices and educating employees on the risks."

Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads

Apple Security Advisory 2023-04-10-3 - macOS Big Sur 11.7.6 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-3 macOS Big Sur 11.7.6macOS Big Sur 11.7.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213725.IOSurfaceAcceleratorAvailable for: macOS Big SurImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Big Sur 11.7.6 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkW2Q//bj0ZmcXsCzpQmhCc5hZ+P4cnesy9Kc4DRLofsYBtPVlR450wIjxiGqlUkpbLBWpBXaXn4EeBoqxxXB9FKXANvZVkdS+xpTLdHpdPnRMntJf3S4WiYyDr/G3coHVtHbNMbj/K/MbsRGBefVtGAueLpwwHFN5GsyvuMrp5xEl9wgQ3aMfi+x8hHXuFzxHIHyNf6OU5cBSf6R80FQcV55eOjPe9gX1B59n4ffZtaao3QqT+z++wA64eyVCVk9hSWXYsMKBNgcoyh108DHb6aYfr0G6SvcvzX2zR2zJtL0JFDNckHx/nvAws/Sd5O39oHzvS46gNcYZIHujHbemh/DsFJjgKbOd4O9oLyJeAcVjv0c5i61Qa+odERpvX2bJR8xWLlDGYIV5XmGYzxL8lksDim9hD2IOGf6P7ReARUcpahe9jaAIoj+BoFkKUMvr8iORx0752+3h+dMej1nu/1RhjmeWYawbUsH+yECu0L2GkQc0I9gFg0Dq21OFlHEfB46D+XRTWYWkM6l9KPMNcH1PX74d86ZkuqqMzlKmsRdJz0ESepIj6RzQ3Zy5SvZ63C78RJvWGPeg/8rQFIBQE9WktUoPz5+6bU/E1nq8ExbrTXxJKvt/VseIwBTi08UfQ2oYnyyAirIkTRi9PH5pviXBu9r/AiBYSj9J88QBzrV8QXHw==Lq+b-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-3

Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5iOS 15.7.5 and iPadOS 15.7.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213723.IOSurfaceAcceleratorAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.5 and iPadOS 15.7.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJEACgkQ4RjMIDkeNxnSrA/9GfJGP3rEWjtK1bSWO5XgjPZIN8xZcYAT2zQCHNM/CREylHDWSoamyMsxsUFkc25u0ok7Ucoj5k+44WXT7bhRqK52H5PDP6b0n3KsUnhJo+up6+AlKgqgomWntzQyjYTe36nArMvHkMAy9car/kj0l6OBAFF2pVXSTU24ubQfYOtAppQp3JNU9UnqhJ/VrQCANwvjHIsdy+EximByL3+tdCTzRi1v5SC4ZntHP0vB66YwFgrkaxmWLa/EXrA9tgJr8YX6k7LUc0MMUJSkcMg7ydojFBeVgHCVdH2rJpL8w6eVrpW7MQ5wcp6XrDm23T1lckVT8WL+LL4414gBjkfOyjjntdllGiH5For84t76bUGYDs6pb69Ztv2uAMRRP8nJAgNpsP++EnEaI0U3jMoEbq0xCv64y/EenkZm3kuTwOeo7l5Q5WzTDJTsdqZMnP+tR7nhCu41UIKN8eOelp/BqRT/4wcT8fvTNLgg/oY6TUPHYydQO48+ZjiBaryn7oXcv+EaDdggkySniijiLI4Dol20J0SHUr6LHOM6AiiMWhz5ZeIawaLcLfw/oP5+U1tio3dPeeTCwjr9hY8BB/a2rPq6UkAuReAS3ZU+b1N5swaVRYaZb41bfW5rfI571XS42mjoCCGJP8TdXk8mWeZgdvAKdLCYbIW2taTPVRhtGwE==DG1t-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-1

Apple Security Advisory 2023-04-10-2 - macOS Monterey 12.6.5 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-2 macOS Monterey 12.6.5macOS Monterey 12.6.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213724.IOSurfaceAcceleratorAvailable for: macOS MontereyImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Monterey 12.6.5 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkpjhAAwMSbbqdMyODDeaYJhALWUoFTVp90hcduPLHYeYEZISeQg6taWYCrbFs6XVmtw65pEjCUOUfw7yIqkWGXy4XVwo4DhBBqxUwUNZyIv16uNEgCl9bqfQKKXyii4269rCBWhlhXyen1zv/1OSMEF5dlVVf4C55cmdx2ta+th/0jCXsd9Oe4aVgDOucDg2cItZ0Aht+2AStmeBi7wKoP0XgqLVtJcHofls7O/G0DW9YVkroxyfTizf1Fd4J+O4AjYYvA0P6Jrkm7jAI+64IlHrMukxkSiD43KNCG/PhVdHO6YLXhIm9a1ziEjSaA7EGw/bYQGI2HCmbu/gSMuXlHe4Uc8OnGdRMGceV4JHD9qjQUS9/Sh/58+oa609mLvWW+VBMJXQlWOYH4hrTlGiNSfCkQa2yqkCtpk4nfTkd51y8V1x3XvlFE8092Z2XnaEz0KzebfS5dgZiLKK0Tc0Kg8tJJi7KDRnjslCnu6Ove6aYW8Jm/Mh5NPWh6b9ZAkaynZ5kyEoLzutCa10riKH1uEQCLXLWMkiswz8vbEq8uyLKRBEuZOXxstoPEQBwgwh7nahcbCBjKH89CAj+Q541x00OHIYJNL1xmfT2bhb33Bm/U5aNhLuJqkYC9LrI6Xz+lPe9T8crHtIL//NsevkOIkWEyqMk0fbJJ6KHDkq4Aj5c7jWM==Iilf-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-2

Apple Security Advisory 2023-04-07-3 - Safari 16.4.1 addresses code execution and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-3 Safari 16.4.1Safari 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213722.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDkeNxmEoQ/+OXkd6XLV13F3cbrkCvFEvHndBySG93Q5o5ys0ClKqEc94Nvt5YPWalwJugUlFAXBevTCHAND7pNNbrmYPFZY+8qrMyIU/fnhsVaCfH/o/raULxZwiE9ndskrkjToHzEdMPrdtuC08gDHmYtr2thCb3M0Fv1rRqgIZ2ES9UBrrQJgFisTgZMgkylP02gN+1Ifa9JEBe7QMyRDhoC2uUvrBZI+jZJItVdysi3O1zYkMd+5D1icpwIotP0PlCLsFUAaccNXNDtcMr/XdHAuF5dcdDj0Kylmg79zC1mz79VUch3TerWb6HunBUTONFVlzbQwqNx+Csf6bDSSx0nHuqGz6pEfR65bTbzSh01+Yqjd+uht0aZVbNlptus7LKyrusRBN7QxlvoBY5JR+/CbGy3Tunj0YJk8SLG/QFCEDugjucT9O9myohlKWf7Af+1j/M2f/YKmQCyvhfREFBee8jzWj8FLLV/a6tIfVWe/IcrLGZDP13Q3nl7Ky55YndfXpNvN4ElAbSOyop3KkrfN1TgCGjeWhP+M5dK4RS9KsC+LF3AsejnUzLcQt2qW0e3dRCiyrhAAB9nKTFYtaJGoD6+jaQiCq4qGlC9fL8QNC6NvvvBrko+jE7Ws38vzdog2MVasAb+2vENqBo7ZKrgS0W/bRHV2x/NRo0lrQfKYma1koc0==JOpa-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-3

Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1

macOS Ventura 13.3.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213721.

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 254797  
CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

macOS Ventura 13.3.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDke  
Nxlhmw/9GYfPKf/wprkK1e3/sflihNqz+/qJioE7p9oNHSvPx1b5VT2ovKMOGtsD  
8AG9qzF9DsWbFFybg7gIPAjQdb8tAiipm1xJYvyqLUpD1bJFlMIB+mRqs2OFUSgF  
0p9huSBVOGasGjcHRq9g2016OJQBr/oAA3w86Re/6Q5ST2AQCc7Y3lPcebJ+2JTp  
jSU2zfnNWg3+mRL0VMleh/ZnY2+yGce7r+uaoYzDz7MULGN8/j9nYoFUbDEbgf/y  
CnCAlJdMFuW98z3Iv7U+oUP5iF2PCzIR5nfaHcoXVaZUd0H52RLyrVKvm0iV4viq  
16SNGc7hl+Si9HDsRFN+XVvQoT4r+k5yzT78Ss3iLXYyR5XOf3Xi8sZdK0eXkDmk  
Ynrv5Y+st1M550EPlAOhsO8GAAWTsHWHOxmw76DX6kbUBaEOyYMRrKhG/AYP5Djg  
ZJlIIHsdNw99wEMUVBHCXtnWEY0aO7zaHpEl5tIr6r5xJep/idO8DjD6KpxmLDT8  
ftqB/fUloaVhTht6WMYaupXn4sG/U0228v8inculiFAKWeJ9vxyWF1doEGQNErFj  
xEUSsV10u1BjXf52Wle777lbS0ro31nv2pRWVfaT8j3dpTCZvDvUVclK5AAUPlKR  
tffpSuN9DHiPEynRftyBmi431MfXLI1CgYAC0w/rRYQ/pzc9NeI=  
=nsPp  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-2

Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1iOS 16.4.1 and iPadOS 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213720.IOSurfaceAcceleratorAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.4.1 and iPadOS 16.4.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYroACgkQ4RjMIDkeNxk/Iw/9GD1PXcIq1OFLv/N8t8bEqTUhuDqbFdQ3NLcbzmSO+XnoueqvlYvXtJr/w0wv0yAo6lxkLODuI+kVX9hjbqHZzUezCkugzvz4TXWgmQI6V7+TKXC9KA7jGxH6ZUMf1a+u+0jkFRUEUsaUHxOvScSVAmw2hlJvIlnYyK/E6O5ZJrua1cBQ2pQX2hlDIYUJaNZy3E9MlSKzZclDIszckvO1yVkfEzOkdh8laZoHQ3zN+QfKXvb9IoMmO715gaNYHoO141d0RqL5nyegu4e5lYb951o0DGph2usCrCrpFD0sSquAKNriwV5tJ/DPlrStMnktYX8iogCBT/T2/AevAmrdPOil7A/2rX5pSNRifnYdAnku8FdF2zxqKdMRt10fwI4YOl2IADKz/khPtig5fcYIwcpkXgavQ0N738hg4ugF9K18S5IdY2RSTN1SQtfRjWKus6I7MgGtdIp7MW1koB/j0bF6b5Xw9GefweUzSNvn+EZT2jVLHfiD/ILkKph/QXeiQfe3VGHOs89mHY750QmuAiAT9v24IkCfni5uvrRmApJiBB8w8Hnhq1aJa+09fxiVfPwVTrKqauI5cL2p0D9iWcjlWC8W1rJR5gO2Ge8twfgbMVCXfXmD9WhEb5Z6vSNlpJLy7xXSJTn4fnJNNgJ46lmKeU+G5I2/8xP8VWrsPks==83T6-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-1

Password managers aren't foolproof, but they do help mitigate risks from weak credentials and password reuse. Following best practices can contribute to a company's defenses.

Over the past few months, several leading password managers have been victims of hacking and data breaches. For instance, LastPass, which experienced a massive breach last year, recently announced again that the company's password vault has been stolen. And thanks to the bad practice of reusing passwords too often, Norton LifeLock also reported compromises to its password manager.

Why are password managers so attractive to cybercriminals? It's simple. Password managers hold the "keys to the castle." If a password manager gets compromised, attackers gain access to all stored passwords at once, which means they can walk into any secured environment or impersonate any user, circumventing all cybersecurity defenses. The market for password managers is growing rapidly, and attackers will target anything that can get more bang for their buck.

**Attractive Targets**

Some of the most common ways password managers are being hacked include:

**1\. Malware-Targeting Password Managers**

Malware programs have been targeting password managers for the last several years. In 2014, malware called Citadel, designed to target password managers, became notorious for having compromised one in 500 PCs worldwide. However, back then, only a small number of users used a password manager. Today, the average person needs to remember upward of 100 passwords, which is why the market for password managers and the malware market for targeting them are both growing.

For example, the attack on the Solana blockchain last year that resulted in a $7 million heist was caused by malware that targeted crypto wallets and password managers called Luca Stealer; another Trojan, dubbed StealC, specifically targets browser extensions and authenticators by password managers; password stealers targeting Web browsers have also been around for decades.

**2\. Phishing Attacks Against Password Managers**

Phishing attacks targeting password managers are on the rise. For example, in January 2023, researchers came across Google Ads that were redirecting victims to fake Bitwarden and 1Password pages, trying to steal their master credentials. What's more, customers of password managers such as LastPass, who have already had their credentials exposed in an earlier data leak, are at an increased risk of scams and phishing attacks. Attackers know their email addresses, phone numbers, and the online services they use, and therefore they can be easily targeted using a variety of phishing techniques.

**3\. Software Vulnerabilities in Password Managers**

Just like all other forms of software, password managers are prone to vulnerabilities. Recently, researchers reported a vulnerability in KeePass that could allow attackers to export all usernames and passwords in clear text. Earlier this year, Google discovered that popular password managers such as Dashlane, Bitwarden, and Apple's Safari browser password manager can all be manipulated into auto-filling passwords on untrusted pages.

**4\. Credential-Stuffing Attacks Using Leaked Credentials**

Credential-stuffing attacks are becoming increasingly common. This is a type of attack where threat actors leverage previously leaked credentials (nearly 25 billion of these are for sale on underground marketplaces) to gain unauthorized access into websites, applications, and networks. Most password managers have a "master password" to access all credentials, and since 65% of users reuse their passwords across different websites, it's possible that attackers use brute-force techniques or make educated guesses on the possible password combinations. Late last year, LastPass confirmed a credential-stuffing attack against some of its users.

**Do Password Managers Make Sense in 2023?**

The benefits of having a password manager far outweigh the risks. Password managers help mitigate two of the biggest risks for users and businesses — weak credentials and password reuse. Yes, attacks on password managers are on the rise, but the probability of a business being attacked due to poor credentials or password reuse is much higher than the likelihood of a password manager getting hacked.

There are a number of things organizations can do to mitigate the risks of password managers:

*   **Security-train employees:** Most password-stealing malware gets installed when users get phished or social engineered — users download, click, or open something they shouldn't have. This is why it is extremely important for organizations to instill secure behavior in employees (alertness, strong passwords, safe browsing, responsible use of social media, not trusting anything at face value, etc.) so they don't fall victim to a phishing attack.
*   **Patch regularly:** Make sure you patch all your software and systems regularly. Unpatched software is the second-biggest reason password-stealing Trojans get installed on computers. Ensure you check and install all critical patches, especially the ones that are featured on CISA's Known Exploited Vulnerability Catalog.
*   **Use phishing-resistant multifactor authentication:** Use phishing-resistant MFA or passwordless options wherever you can. Not just to protect the master password on your password manager, but also on all of your critical websites, applications, and services.
*   **Check password-dump websites for leaked credentials:** Check online leaked-password websites (such as haveibeenpwned.com) or take breach password tests to ascertain if any of your credentials are floating around in online databases.
*   **Use a good password manager:** Use password managers that deploy strong encryption; that follow secure development life cycle (SDLC) programming; are responsive, transparent, and responsible to their customers; and that promote security features such as MFA, passwordless options, contextual features (user gets locked out if it's an unknown device or location), and phishing-detection capabilities.

Are password managers foolproof? Nope. But nothing is these days. The operating systems we use, the devices and applications we use — everything is hackable. Password managers come with some great benefits — they can tell you if your password is strong or not, they prevent you from reusing your password, some can stop you from entering credentials into bogus URLs, and some will even alert you when a website gets compromised.

As long as organizations follow the above tips and best practices, password managers can prove to be a vital tool in the defense arsenal of any organization.

Tag

#google