Increasing complexity in IT continues to lead to breaches and compromises, highlighting the need for more holistic approaches to cyber protection.

**SCHAFFHAUSEN, Switzerland, Aug. 24, 2022** (GLOBE NEWSWIRE) — Today, Acronis, a global leader in cyber protection, unveiled its midyear cyber threats report, conducted by Acronis' Cyber Protection Operation Centers, to provide an in-depth review of the cyber threat trends the company's experts are tracking. The report details how ransomware continues to be the No. 1 threat to large and midsize businesses, including government organizations, and underlines how overcomplexity in IT and infrastructure leads to increased attacks. Nearly half of all reported breaches during the first half of 2022 involved stolen credentials, which enable phishing and ransomware campaigns. Findings underscore the need for more holistic approaches to cybersecurity.

To extract credentials and other sensitive information, cybercriminals use phishing and malicious emails as their preferred infection vectors. Nearly 1% of all emails contain malicious links or files, and more than one-quarter (26.5%) of all emails were delivered to the user's inbox (not blocked by Microsoft365) and then were removed by Acronis email security.

Moreover, the research reveals how cybercriminals also use malware and target unpatched software vulnerabilities to extract data and hold organizations hostage. Further complicating the cybersecurity threat landscape is the proliferation of attacks on nontraditional entry avenues. Attackers have made cryptocurrencies and decentralized finance systems a priority of late. Successful breaches using these various routes have resulted in the loss of billions of dollars and terabytes of exposed data.

These attacks are able to be launched due to overcomplexity in IT, a common problem throughout businesses as many tech leaders assume more vendors and programs lead to improved security when the inverse is actually true. Increased complexity exposes more surface area and gaps to potential attackers, keeping organizations vulnerable to potentially devastating damage.

"Today's cyber threats are constantly evolving and evading traditional security measures," said Candid Wüest, Acronis VP of Cyber Protection Research. "Organizations of all sizes need a holistic approach to cybersecurity that integrates everything from anti-malware to email-security and vulnerability-assessment capabilities. Cybercriminals are becoming too sophisticated and the results of attacks too dire to leave it to single-layered approaches and point solutions."

**Critical Data Points Reveal Complex Threat Landscape**  
As reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks. Cybercriminals increased their focus on Linux operating systems and managed service providers (MSPs) and their network of SMB customers. The threat landscape is shifting, and companies must keep pace.

Ransomware is worsening, even more so than we predicted.

Ransomware gangs, like Conti and Lapsus$, are inflicting serious damage.

The Conti gang demanded $10 million in ransom from the Costa Rican government and has published much of the 672 GB of data it stole.

Lapsus$ stole 1 TB of data and leaked credentials of over 70,000 NVIDIA users. The same gang also stole 30 GB worth of T-Mobile's source code.

The U.S. Department of State is concerned, offering up to $15 million for information about the leadership and co-conspirators of Conti.

The use of phishing, malicious emails and websites, and malware continues to grow.

Six hundred malicious email campaigns made their way across the internet in the first half of 2022.

58% of the emails were phishing attempts.

Another 28% of those emails featured malware.

The business world is increasingly distributed, and in Q2 2022, an average of 8.3% of endpoints tried to access malicious URLs.

More cybercriminals are focusing on cryptocurrencies and decentralized finance (DeFi) platforms. By exploiting flaws in smart contracts or stealing recovery phrases and passwords with malware or phishing attempts, hackers have wormed their way into crypto wallets and exchanges alike.

Cyberattacks have contributed to a loss of more than $60 billion in DeFi currency since 2012.

$44 billion of that vanished during the last 12 months.

Unpatched vulnerabilities of exposed services is another common infection vector — just ask Kaseya. To that end, companies like Microsoft, Google, and Adobe have emphasized software patches and transparency around publicly submitted vulnerabilities. These patches likely helped stem the tide of 79 new exploits each month. Unpatched vulnerabilities also tie into how overcomplexity is hurting businesses more than helping, as all these vulnerabilities serve as additional potential points of failure.

**Breaches Leave Financial, SLA Distress in Their Wake**  
Cybercriminals often demand ransoms or outright steal funds from their targets. But companies do not suffer challenges only to their bottom lines. Attacks often cause downtime and other service-level breaches, impacting a company's reputation and customer experience.

In 2021 alone, the FBI attributed a total loss of $2.4 billion to business email compromise (BEC).

Cyberattacks caused more than one-third (36%) of downtime in 2021.

The current cybersecurity threat landscape requires a multilayered solution that combines anti-malware, EDR, DLP, email security, vulnerability assessment, patch management, RMM, and backup capabilities all in one place. The integration of these various components gives companies a better chance of avoiding cyberattacks, mitigating the damage of successful attacks, and retaining data that might have been altered or stolen in the process.

You can download a copy of the full Acronis Midyear Cyberthreats Report 2022 and learn more here.

**About Acronis:**

Acronis unifies data protection and cybersecurity to deliver integrated, automated cyber protection that solves the safety, accessibility, privacy, authenticity, and security (SAPAS) challenges of the modern digital world. With flexible deployment models that fit the demands of service providers and IT professionals, Acronis provides superior cyber protection for data, applications, and systems with innovative next-generation antivirus, backup, disaster recovery, and endpoint protection management solutions powered by AI. With advanced anti-malware powered by cutting-edge machine intelligence and blockchain-based data authentication technologies, Acronis protects any environment — from cloud to hybrid to on-premises — at a low and predictable cost.

Founded in Singapore in 2003 and incorporated in Switzerland in 2008, Acronis now has more than 2,000 employees in 34 locations in 19 countries. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.

Acronis' Midyear Cyberthreats Report Finds Ransomware Is the No. 1 Threat to Organizations, Projects Damages to Exceed $30 Billion by 2023

Three of the world's leading browsers were measured for phishing and malware protection, with time to block and protection over time as key metrics in test scores.

**AUSTIN, Texas – Aug. 16, 2022** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has published the results of its 2022 Web Browser Security Test. Google Chrome, Microsoft Edge, and Mozilla Firefox were tested for Phishing Protection and Malware Protection running on Windows 10 and 11.

The Malware tests ran for 24 days with 96 discrete test runs. Phishing tests ran for 20 days with 80 discrete test runs. The reports include measurements of protection against fresh new attacks, consistency of protection over time, and how effective the browser protection was overall.

The ability to warn potential victims that they are about to land on a malicious website or click on a suspicious URL puts web browsers in a unique position to protect the user from an attack. Websites that trick users into downloading malware and phishing campaigns often used for criminal activity have short lifespans, so it is essential that the URL is discovered and added to the reputation system as quickly as possible. A good reputation system must be both accurate and fast to achieve high catch rates.

"Phishing attacks pose a significant risk to individuals and organizations by threatening to compromise or acquire sensitive personal and corporate information," said Vikram Phatak, CEO of CyberRatings.org. "Phishing and Ransomware attacks continue to rise year over year. Consumers should not override the warnings offered by their web browser protection but instead take advantage of the free offering."

*   Malware protection:

*   Microsoft Edge – 97.0%
*   Google Chrome – 88.4%
*   Mozilla Firefox – 84.6%

*   Phishing protection:

*   Microsoft Edge – 91.6%
*   Mozilla Firefox – 90.0%
*   Google Chrome – 89.6%

*   Average time to block a URL from malware:

*   Microsoft Edge 0:56:51
*   Google Chrome 4:46:39
*   Mozilla Firefox 5:18:40

*   Average time to block a phishing URL:

*   Microsoft Edge 0:44:07
*   Mozilla Firefox 1:23:37
*   Google Chrome 2:19:13

The Comparative Test Reports provide detailed results for each product. As a service to the community, CyberRatings.org is providing these reports for free.

**The following browsers were tested:**  

*   Google Chrome: Version 101.0.1210.53 - 102.0.5005.115
*   Microsoft Edge: Version 101.0.1210.47 - 102.0.1254.39
*   Mozilla Firefox: Version 100.0.1 - 101.0.1

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CyberRatings.org Announces New Web Browser Test Results for 2022

Categories: News
Tags: Twitter

Tags:  Zatko

Tags:  Mudge

Tags:  L0pht

Tags:  Cult of the dead cow

Tags:  Infrastructure

Tags:  bots

Tags:  Elon Musk

Tags:  FTC

Tags:  SEC

Tags:  whistleblower

Former Twitter head of security and ethical hacker Peiter Mudge Zatko has alleged some serious problems about the social media giant.



(Read more...)




The post Twitter security under scrutiny after former executive turns whistleblower appeared first on Malwarebytes Labs.

A former Twitter executive has acted as a whistleblower and alleged some serious problems. Provided these accusations are true, the disclosure shows a side of Twitter that poses a threat to its own users' personal information, to company shareholders, to national security, and to democracy.

Otherwise known as Mudge, Peiter Zatko is a network security expert, open source programmer, writer, and a hacker. His most recent position was as head of security at Twitter, reporting directly to the CEO. He was the most prominent member of the high-profile hacker think tank the L0pht, as well as the computer and culture hacking cooperative the Cult of the Dead Cow. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.

Zatko was fired by Twitter in January for what the company claims was poor performance.

> "Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance."

**Major problems**

The 2020 Twitter hack was one of the main reasons for Twitter to hire Zatko, who previously held senior roles at Google, Stripe, and the US Department of Defense. When Zatko arrived at Twitter, he said he found a company with extraordinarily poor security practices, including giving thousands of the company's employees — amounting to roughly half the company's workforce — access to some of the platform's critical controls. His disclosure describes his overall findings as "egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy."

According to Zatko, "it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.... Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment."

**Infrastructure**

Twitter's flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors. Zatko’s letter to a Twitter board member about that issue is included in the disclosure.

The disclosure also claims that Twitter lacks sufficient redundancies and procedures to restart or recover from data center crashes, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline.

**FTC**

In 2010, the Federal Trade Commission (FTC) filed a complaint against Twitter for its mishandling of users' private information and the issue of too many employees having access to Twitter's central controls. Zatko alleges that despite the company's claims to the contrary, it has never been in compliance with what the FTC demanded over ten years ago.

**Elon Musk**

After recent events, whenever Twitter is mentioned, the name of Elon Musk comes up as well. Musk, who is engaged in a legal battle with Twitter over his attempt to back out of buying the company,  claims that the number of bots on the platform affect the user experience and that having more bots than previously known could therefore impact the company's long-term value.

According to Zatko's disclosure, Twitter’s CEO Parag Agrawal tweeted false and misleading statements about Twitter’s handling of bots on the platform. In fact, he stated, deliberate ignorance was the norm amongst the executive leadership team. The reason is simple to understand, a social platform’s value is based on the number of active users, since that is the potential audience for advertising on the platform. Twitter uses a unique metric called monetizable daily active users (mDAU’s) which it says counts all users that could be shown an advertisement on Twitter.

The company has repeatedly said that less than 5% of its mDAUs are fake or spam accounts. But Zatko's disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

**Foreign influence**

According to the disclosure, Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll.

Last year, prior to Russia's invasion of Ukraine, Agrawal — then Twitter's chief technology officer — proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges. While Agrawal's suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.

Zatko's report is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.

**Motivation**

By going public, Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy.

> "Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I'm still performing that mission."

Zatko may be eligible for a monetary award from the US government as a result of his whistleblower activities. Original, timely and credible information that leads to a successful enforcement action by the Securities and Exchange Commision (SEC) can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties amount to more than $1 million, the SEC has said.

The prospect of a reward was not a factor in Zatko's decision, he said, and in fact he claims he didn't even know about the reward program when he decided to become a lawful whistleblower.

Twitter security under scrutiny after former executive turns whistleblower

Categories: News
Tags: Microsoft

Tags:  ChromeOS

Tags:  Chrome

Tags:  Google

Tags:  audio

Tags:  bluetooth

Tags:  exploit

Tags:  vulnerability

Microsoft has released a report detailing a ChromeOS vulnerability reported to Chrome and fixed within a week.



(Read more...)




The post ChromeOS vulnerability found by Microsoft appeared first on Malwarebytes Labs.

Microsoft recently released a report about a ChromeOS remote memory corruption vulnerability. The issue has already been fixed. In fact, it was reported to Google in April. The fix was applied shortly after, and released on June 15. The resulting deep-dive from Microsoft is a fascinating look at how one technology giant addresses another’s bugs and issues.

**A critical issue**

The problem, known as CVE-2022-2587 on the Common Vulnerabilities and Exposures (CVE) list, caused big headaches for Chrome. It also racked up a Common Vulnerability Score (CVSS) of 9.8, which results in it being tagged as “Critical”. As per the description:

_Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a remote attacker to potentially exploit heap corruption via crafted audio metadata._

This is a memory corruption vulnerability in a ChromeOS component. As per the Microsoft report, it can be triggered remotely. Attack options are varied, ranging from denial of service attacks to remote code execution. Manipulating audio metadata and baiting potential victims with songs played in browsers or paired Bluetooth devices could be enough to set the ball rolling.

How was this possible? Let’s take a look.

**The realm of common ChromeOS problems**

Microsoft points out that ChromeOS vulnerabilities typically land in one of three categories:

1.  ChromeOS specific logic vulnerabilities.
    
2.  ChromeOS specific memory corruption vulnerabilities.
    
3.  Broad threats like browser vulnerabilities.
    

This one falls under category number 2. The problem stems from the use of something called D-Bus.org.chromium.cras, a D-Bus service related to audio which gives users a way to channel audio to new devices. These devices might take the form of headsets, speakers, anything as long as it’s audio-centric.

**The strange world of Strcpy**

While looking at the ways audio could be routed to new peripherals, Microsoft observed a handling function called SetPlayerIdentity. Where this goes wrong is one of the functions involved makes a call to something called strcpy. Sadly for strcpy, it’s been known as something potentially dangerous which should be avoided when possible for many years.

Strcpy doesn’t know how big a destination buffer is going to be. Programming accidents may result in the buffer being overrun. This could lead to otherwise innocent crashes or actual exploitation by people with bad intentions.

In this case, it resulted in a vulnerability triggered using a single command line sent-argument containing more than 128 bytes. That’s bad, but this requires developer mode. As the majority of Chrome users will never touch that mode, Microsoft researchers needed a way to make this happen without it.

**Remotely exploiting your way to a fix**

Going back to the SetPlayerIdentity handling function, researchers made their breakthrough. Changes to audio metadata could trigger the vulnerability in just the way they were looking for:

*   From the browser: The browser’s media component invokes the function when metadata is changed, such as when playing a new song in the browser.
    
*   From Bluetooth: The media session service in the operating system invokes the function when a song’s metadata changes, which can happen when playing a new song from a paired Bluetooth device.
    

It took Google less than a week to have code ready and made available to users. As a result, ChromeOS users have been happily connecting new audio devices for some time now without having a sound-related mishap of the exploitation kind.

ChromeOS vulnerability found by Microsoft

The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users.
"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu

The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users.

"This campaign specifically targeted chief executives and other senior members of various organizations which use \[Google Workspace\]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

The AitM phishing attacks are said to have commenced in mid-July 2022, following a similar modus operandi as that of a social engineering campaign designed to siphon users' Microsoft credentials and even bypass multi-factor authentication.

The low-volume Gmail AiTM phishing campaign also entails using the compromised emails of chief executives to conduct further phishing attacks by the threat actor, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take the victims to the landing page.

Attack chains involve sending password expiry emails to potential targets that contain an embedded malicious link to supposedly "extend your access," tapping which takes the recipient to open redirect pages of Google Ads and Snapchat to load the phishing page URL.

Beside open redirect abuse, a second variant of the attacks relies on infected sites which host a Base64-encoded version of the next-stage redirector and the victim's email address in the URL. This intermediate redirector is a JavaScript code that points to a Gmail phishing page.

In one instance highlighted by Zscaler, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was updated to take the user to a Gmail AiTM phishing page, connecting the two campaigns to the same threat actor.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

The findings are an indication that multi-factor authentication safeguards alone cannot offer protections against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and refrain from opening attachments or clicking on links in emails sent from untrusted or unknown sources.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users

Peiter “Mudge” Zatko’s claims about the company’s lax security are all bad. But one clearly captures the extent of systemic issues.

On Tuesday, both CNN and _The Washington Post_ reported on accusations from former Twitter chief security officer Peiter Zatko, often known as “Mudge,” that the company’s security practices are dangerously lacking. It’s a litany of charges that range from misleading bot counts to the employment of a known foreign government agent. But one allegation stands out among the rest.

Engineers across Twitter, according to Zatko’s disclosure, had extensive access to the social network's live, deployed software platform. Not only that, there was also minimal monitoring and logging to track who did what in this production environment. That would leave an opening for someone with unintended access or malign intentions to view user data or even make changes to the platform without raising alarms or leaving a clear trail. While all of Zatko’s claims are serious, none more clearly captures the allegation of fundamental, systemic issues within the company.

Last month, Zatko and his attorneys sent hundreds of pages of documents to the US Department of Justice, Securities and Exchange Commission, and Federal Trade Commission detailing the myriad allegations of security and privacy failures at Twitter. The claims have potentially significant implications in the dispute about whether Elon Musk must go through with his agreement to purchase the company for $44 billion. If true, they also have immediate ramifications for Twitter's hundreds of millions of users.

“Twitter is grossly negligent in several areas of information security,” Zatko wrote in a final report to the company after being fired in January. He added in his government disclosure, “It was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.”

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” Twitter said in a statement provided to WIRED by spokesperson Lindsay McCallum-Rémy. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Twitter first hired Zatko in November 2020, months after a sweeping attack resulted in the compromise of multiple high-profile accounts, including those of Apple, Kanye West, Jeff Bezos, and Elon Musk. Previously, he’d built a strong reputation over decades as part of the hacker collective L0pht and a cybersecurity expert for organizations including the Defense Advanced Research Projects Agency, Google, and Stripe.

The documents Zatko submitted describe a situation in which almost a third of employee laptops did not receive automatic software updates, and half of Twitter's data center servers had not been adequately updated and didn't support data encryption at rest. Zatko also alleges that there was no management protocol for staffers' smartphones, meaning that the company had no oversight for thousands of employee devices that connected to “core” systems. But his allegations about security issues in Twitter's “fundamental architecture” reflect the core of the problems.

Zakto further alleges that Twitter has no comprehensive development or testing environments for piloting new features and system upgrades before launching them in the live production software. As a result, Zatko describes a situation where engineers would work alongside live systems and “test directly on the commercial service, leading to regular service disruptions.” And the documents allege that half of Twitter's employees had privileged access to live production systems and user data without monitoring to be able to catch any rogue actions or trace unwanted activity. Zatko’s complaint describes Twitter as having roughly 11,000 staffers. Twitter says it has about 7,000 employees currently.

The complaints assert that these poor security practices explain Twitter's track record of security incidents, data breaches, and dangerous user account takeovers.

“We are reviewing the redacted claims that have been published," Twitter CEO Parag Agrawal wrote in a message to Twitter staff this morning. “We will pursue all paths to defend our integrity as a company and set the record straight.”

Twitter says that all employee computers are centrally managed and that its IT department can force updates or impose access restrictions if updates aren't installed. The company also said that before a computer can connect to production systems, it must pass a check to ensure its software is up-to-date, and that only employees with a “business justification” can access the production environment for “specific purposes.”

Al Sutton, cofounder and chief technology officer of Snapp Automotive, was a Twitter staff software engineer from August 2020 to February 2021. He noted in a tweet on Tuesday that Twitter never removed him from the employee GitHub group that can submit software changes to code the company manages on the development platform. Sutton had access to private repositories for 18 months after being let go from the company, and he posted evidence that Twitter uses GitHub not only for public, open source work, but for internal projects as well. Within about three hours of posting about the access, Sutton reported that it had been revoked.

“I think Twitter is being pretty casual about Mudge's claims, so I thought a verifiable example might be useful for folks,” he told WIRED. When asked whether Zatko’s accusations track with his own experience working at Twitter, Sutton added, “I think the best thing to say here is that I have no reason to doubt his claims.”

Security engineers and researchers emphasize that while there are different ways to approach production environment security, there is a conceptual problem if employees have broad access to user data and deployed code without extensive logging. Some organizations take the approach of drastically limiting access, while others use a combination of broader access and constant monitoring, but either option must be a conscious choice that a company invests heavily in. After the Chinese government breached Google in 2010, for example, the company went all in on the former approach. 

“It’s not actually that unusual for companies to have relatively liberal policies about giving engineers access to production systems, but when they do they are very, very strict about logging everything that gets done,” says Perry Metzger, managing partner of the consultancy Metzger, Dowdeswell & Company. “Mudge has a sterling reputation, but let’s say he was completely incompetent. The easy thing for them to do would be to provide technical details of the logging systems that they use for engineer access to production systems. But what Mudge is portraying is a culture where people would prefer to cover things up than to fix them, and that is the disturbing bit.”

Zatko and Whistleblower Aid, the nonprofit legal group representing him, say they stand by the documents released on Tuesday. “Twitter has an outsized influence on the lives of hundreds of millions around the world, and it has fundamental obligations to its users and the government to provide a safe and secure platform,” Libby Liu, CEO of Whistleblower Aid, said in a statement.

For now, though, the allegations raise a swath of serious concerns that seem unlikely to be quickly explained away or comprehensively resolved.

The Most Damning Allegation in the Twitter Whistleblower’s Report

A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.

**pngcheck** verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs, a.k.a. checksums, and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.

Here's some sample output (screen shots, eh?):

    % **pngcheck -cvt ArcTriomphe-iCCP-red-blue-swap.png**
    File: **ArcTriomphe-iCCP-red-blue-swap.png** (5171 bytes)
      chunk IHDR at offset 0x0000c, length 13
        64 x 64 image, 8-bit colormap, non-interlaced
      chunk iCCP at offset 0x00025, length 461
        profile name = Swapped red & blue channel
        compression method = 0 (deflate), compressed profile = 433 bytes
      chunk PLTE at offset 0x001fe, length 759: 253 palette entries
      chunk IDAT at offset 0x00501, length 3616
        zlib: deflated, 32K window, default compression
      chunk tEXt at offset 0x0132d, length 68, keyword: Title
        PNG color-correction test image, swapped red and blue channels
      chunk tEXt at offset 0x0137d, length 143, keyword: Copyright
        Copyright 2005 Greg Roelofs. Licensed under Creative Commons
        AttributionNonCommercial, http://creativecommons.org/licenses/by-nc/2.5/
      chunk tIME at offset 0x01418, length 7: 16 Aug 2005 07:07:07 GMT
      chunk IEND at offset 0x0142b, length 0
    **No errors detected** in ArcTriomphe-iCCP-red-blue-swap.png (8 chunks, -26.2% compression).

    % **pngcheck -c \*.png**
    **OK**: 000000.png (48x48, 1-bit grayscale, non-interlaced, 71.2%).
    **OK**: 000033.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: 000066.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: 000099.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
     \[...\]
    **OK**: ffff66.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffff99.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffffcc.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    **OK**: ffffff.png (48x48, 1-bit grayscale, non-interlaced, 70.1%).
    ataylor-bad-text-length.png  illegal (unless recently approved) unknown, public chunk xORk
    **ERROR**: ataylor-bad-text-length.png
    google-island-96x69.png  zlib: inflate error = -3 (data error)
    **ERROR**: google-island-96x69.png

    Errors were detected in 2 of the 218 files tested.
    No errors were detected in 216 of the 218 files tested.

**Vulnerability Warning**

  
pngcheck versions 3.0.2 and earlier have a divide-by-zero bug when zlib-decoding interlaced PNGs with extra data beyond what is required for the declared image dimensions. This bug is fixed in version **3.0.3**, released on 25 April 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

The current release supports all PNG, MNG and JNG chunks, including the newer **sTER** (stereo layout) and **eXIf** (EXIF metadata) chunks. It correctly reports errors in all but two of the images in Chris Nokleberg's brokensuite-20061204. Also included (since version 2.1.0) are two helper utilities:

*   **pngsplit** - break a PNG, MNG or JNG image into constituent chunks (numbered for easy reassembly)
*   **png-fix-IDAT-windowsize** - fix minor zlib-header breakage caused by libpng 1.2.6

The extra utilities are licensed under the GNU General Public License (GPL); pngcheck itself remains under its original, MIT/X11-style license.

**Security and Crash Bugs in Older Versions**

**Vulnerability Warning**

  
pngcheck versions 3.0.1 and earlier have a buffer-overrun bug related to the MNG LOOP chunk (which gets noticed even in PNG files if the \-s option is used). This bug is fixed in version **3.0.2**, released on 31 January 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

**Vulnerability Warning**

  
pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the \-s option is used). Both bugs are fixed in version **3.0.1**, released on 24 January 2021. Again, while all _known_ vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

**Vulnerability Warning**

  
pngcheck versions 2.4.0 and earlier have a number of buffer-overrun bugs, most (but not all) of which are related to the -f option ("force continued parsing after major errors"). As such, the option has been removed altogether in version **3.0.0** (which is the reason for the major-version bump), released on 12 December 2020. All _known_ vulnerabilities are fixed in this version, but the code is pretty crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

*   PNG home page
*   MNG home page

 _Last updated 22 August 2021._

Copyright © 2000-2021 Greg Roelofs.

CVE-2020-35511: pngcheck Home Page

Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Roman Pronskiy's Search Exclude plugin <= 1.2.6 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

With this plugin you can exclude any page, post or whatever from the WordPress search results by checking off the corresponding checkbox on post/page edit page.  
Supports quick and bulk edit.

On the plugin settings page you can also see the list of all the items that are hidden from search.

1.  Upload search-exclude directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  Go to any post/page edit page and check off the checkbox Exclude from Search Results if you don’t want the post/page to be shown in the search results

**Does this plugin affect SEO?**

No, it does not affect crawling and indexing by search engines.  
The ONLY thing it does is hiding selected post/pages from your site search page. Not altering SEO indexing.

If you want posts/pages to be hidden from search engines you may add the following snippet to your functions.php:

    function add_meta_for_search_excluded()
    {
        global $post;
        if (false !== array_search($post->ID, get_option('sep_exclude', array()))) {
            echo '<meta name="robots" content="noindex,nofollow" />', "\n";
        }
    }
    add_action('wp_head', 'add_meta_for_search_excluded');
    

Note: already indexed pages will remain indexed for quite a while. In order to remove them from Google index, you may use Google Search Console (or similar tool for other engines).

**Are there any hooks or actions available to customize plugin behaviour?**

Yes.  
There is an action searchexclude_hide_from_search.  
You can pass any post/page/custom\_post ids as an array in the first parameter.  
The second parameter specifies state of visibility in search. Pass true if you want to hide posts/pages,  
or false – if you want show them in the search results.

Example:  
Let’s say you want “Exclude from Search Results” checkbox to be checked off by default  
for newly created posts, but not pages. In this case you can add following code  
to your theme’s function.php:

    add_filter('default_content', 'excludeNewPostByDefault', 10, 2);
    function excludeNewPostByDefault($content, $post)
    {
        if ('post' === $post->post_type) {
            do_action('searchexclude_hide_from_search', array($post->ID), true);
        }
    }
    

Also there is a filter searchexclude_filter_search.  
With this filter you can turn on/off search filtering dynamically.  
Parameters:  
$exclude – current search filtering state (specifies whether to filter search or not)  
$query – current WP\_Query object

By returning true or false you can turn search filtering respectively.

Example:  
Let’s say you need to disable search filtering if searching by specific post\_type.  
In this case you could add following code to you functions.php:

    add_filter('searchexclude_filter_search', 'filterForProducts', 10, 2);
    function filterForProducts($exclude, $query)
    {
        return $exclude && 'product' !== $query->get('post_type');
    }
    

works well for me. I think this is one of those very useful plugins which makes something an expert can do quite easily accessible to novices for free ! Thank you

Super Brilliant Plugin. Helps a lot with SEO + prevents making a mess on the web. Hope you are doing ok. My heart goes out to all suffering in Ukraine. @-/---

I spent an hour trying to hide woocommerce products from my search, added a bunch of code to functions. This baby worked in 30 seconds. Wonderful, thanks!

Simple, light, useful and free. Amazing plugin!

Does the job very well, love the bulk option

Thanks so much for coming up with this. Working in quick edit mode makes it a super star!

Read all 68 reviews

“Search Exclude” is open source software. The following people have contributed to this plugin.

Contributors

**1.2.7**

*   This is a security release. All users are encouraged to upgrade.
*   Fix possible XSS vulnerability.

**1.2.6**

*   Fix compatibility with WordPress 5.5

**1.2.5**

*   Security release. More protection added.

**1.2.4**

*   Security release. All users are encouraged to update.
*   Added filter searchexclude\_filter\_permissions.

**1.2.2**

*   Added action searchexclude\_hide\_from\_search
*   Added filter searchexclude\_filter\_search
*   Fixed Bulk actions for Firefox

**1.2.1**

*   Fixed bug when unable to save post on PHP <5.5 because of boolval() usage

**1.2.0**

*   Added quick and bulk edit support
*   Tested up to WP 4.1

**1.1.0**

*   Tested up to WP 4.0
*   Do not show Plugin on some service pages in Admin
*   Fixed conflict with bbPress
*   Fixed deprecation warning when DEBUG is on

**1.0.6**

*   Fixed search filtering for AJAX requests

**1.0.5**

*   Not excluding items from search results on admin interface

**1.0.4**

*   Fixed links on settings page with list of excluded items
*   Tested up to WP 3.9

**1.0.3**

*   Added support for excluding attachments from search results
*   Tested up to WP 3.8

**1.0.2**

*   Fixed: Conflict with Yoast WordPress SEO plugin

**1.0.1**

*   Fixed: PHP 5.2 compatibility

**1.0**

*   Initial release

CVE-2022-36282: Search Exclude

Multiple Authenticated (contributor+) Persistent Cross-Site Scripting (XSS) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

CVE-2022-34658: Download Manager

A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated attacker with permissions to read or modify share metadata, to perform this operation outside of the share.

**CVE-2021-20316.html:**

\===========================================================
== Subject:     Symlink race error can allow metadata read
==              and modify outside of the exported share.
==
== CVE ID#:     CVE-2021-20316
==
==
== Versions:    All versions of the Samba file server prior to
==              4.15.0
==
== Summary:     A malicious client can use a symlink race to
==              access or modify file or directory metadata
==              information outside of the exported share.
==              The user must have permissions to read or write
==              the metadata on the accessed file or directory.
===========================================================

===========
Description
===========

All versions of Samba prior to 4.15.0 are vulnerable to a malicious
client using an SMB1 or NFS symlink race to allow filesystem metadata
to be accessed in an area of the server file system not exported under
the share definition. Note that SMB1 has to be enabled, or the share
also available via NFS in order for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks that
can race the server by renaming an existing path and then replacing it
with a symlink. If the client wins the race it can cause the server to
read or modify file or directory metadata on the symlink target.

The authenticated user must have permissions to read or modify the
metadata of the target of the symlink in order to perform the
operation outside of the share.

Filesystem metadata includes such attributes as timestamps, extended
attributes, permissions, and ownership.

This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race only when the server
is slowed down and put under heavy load. Exploitation of this bug has
not been seen in the wild.

==================
Patch Availability
==================

Prior to Samba 4.15.0 patches for this are not possible, due to the
prior design of the Samba VFS layer which used pathname-based calls
for most meta-data operations.

A two and a half year effort was undertaken to completely re-write the
Samba VFS layer to stop use of pathname-based calls in all cases
involving reading and writing of metadata returned to the client.
This work has finally been completed in Samba 4.15.0.

Pathname-based VFS calls are still used as an initial optimization to
determine if a client requested path exists, but when data is returned
to the client or written onto the underlying filesystem then the
target component is first opened as a file handle, going through
rigourous checking to ensure it is contained within the share
path. All meta-data is then refreshed from or written to the open
handle, not via pathname-based VFS calls.

As all operations are now done on an open handle we believe that any
further symlink race conditions have been completely eliminated in
Samba 4.15.0 and all future versions of Samba.

==================
CVSSv3.1 calculation
==================

CVSS:7.4/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:X/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:N

base score of 5.9.

=================================
Workaround and mitigating factors
=================================

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:

unix extensions = no

to the \[global\] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.

However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.

=======
Credits
=======

Reported by Michael Hanselmann of Google.

The fix was a multi-year effort by Ralph Boehme of Sernet,
Jeremy Allison of Google and Noel Power of SuSE.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Tag

#google