Use after free in Permission Prompts in Google Chrome prior to 101.0.4951.64 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via specific user interactions.

CVE-2022-1635

Use after free in Sharing in Google Chrome prior to 101.0.4951.64 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-1640

Use after free in Web UI Diagnostics in Google Chrome on Chrome OS prior to 101.0.4951.64 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via specific user interaction.

CVE-2022-1641

Insufficient data validation in Trusted Types in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass trusted types policy via a crafted HTML page.

CVE-2022-1494

Heap buffer overflow in V8 Internationalization in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

CVE-2022-1638: Stable Channel Update for Desktop

InMailX Outlook Plugin < 3.22.0101 is vulnerable to Cross Site Scripting (XSS). InMailX Connection names are not sanitzed in the Outlook tab, which allows a local user or network administrator to execute HTML / Javascript in the Outlook of users.

**Enterprise Email Management, Compliance and Productivity Solution**

**inMailX** is an enterprise email management, compliance and productivity solution for Microsoft Outlook and Office 365, which provides the functionality and tools users need to effectively manage their emails and attachments.  inMailX integrates seamlessly with records and document management systems, cloud and network folder structures, helping users improve their email filing compliance.

With inMailX staff can improve their emails and attachments management compliance, productivity and the quality of work, while maintaining focus and reducing operational errors.  inMailX substantially enhances existing Outlook functionality and provides users with the ability to:

 - Manage emails and attachments using a simple and efficient interface  
 - Preview attachments when composing emails to ensure they are correct  
 - Clean metadata from Word, Excel PowerPoint, PDF and Image attachments  
 - Convert attachments to PDF 'on the fly' and prompt users to convert on send  
 - Combine, bookmark and secure multiple attachments into a single PDF  
 - Password protect Word, Excel PowerPoint and PDF attachments  
 - Rename and Reorder email attachments 'on the fly'  
 - Compress and secure attachments into ZIP while composing emails  
 - Save paper by printing only the most recent email conversation threads  
 - Print email body and attachments selectively and simultaneously  
 - Schedule follow-up tasks/appointments when filing or sending emails  
 - Reduce repetitive typing and quickly compose standard emails with content manager  
 - File emails into records and document management systems, network or cloud repositories

Its user interface is simple and intuitive, and it has been designed to combine most common tasks, such as 'Send, File & Print', 'Close, File & Print' or 'Attachments Preview, Clean, PDF, Protect, Rename, Reorder', into simple one-click actions.  Digitus has developed several inMailX modules that can be purchased separately or bundled in two cost effective suites_, inMailX Standard_ and _inMailX Professional__._

> **inMailX Standard** includes the following modules**:**
> 
> *   _Attachment Manager  
>     _
> *   _Content Manager  
>     _
> *   __Print Manager  
>     __
> 
> **inMailX Professional** includes the following modules**:**
> 
> *   _Email Manager  
>     _
> *   _Attachment Manager  
>     _
> *   _Content Manager  
>     _
> *   _Print Manager  
>     _
> *   _Time Manager  
>     _
> *   _Brand Manager  
>     _

**inMailX scales easily to meet the needs of any organisation, and it brings teams productivity to new levels.** 

**As new users are created, they automatically receive enhanced email management functionality, efficient attachments Preview, Clean, PDF, Protect, ZIP, Rename and Reorder tools, global quick text content, personalised email signatures and standardised corporate forms, so that they can immediately become productive.** 

**Integration with third party electronic documents and records management systems**

When used with its optional connectors for document/records management and file system integration, inMailX enhances Microsoft Outlook capabilities to file emails into third party document/records management systems, such as: iManage Work/Worksite, Micro Focus/HPE Content Manager, NetDocuments, SharePoint, Worldox, WebDAV (Oracle UCM, WebDAV Repositories, etc.), Cloud Stores or Network Folders (Box, Dropbox, GoogleDrive, OneDrive, MYOB Accountants Enterprise, MYOB Insolvency, APS Folders, etc.).

By integrating directly into Microsoft Outlook, inMailX allows staff to take control over managing their emails without losing any of the existing Outlook functionality. To find out more, click here.

**Save time, Reduce costs, Increase productivity**

With inMailX, organisations will ensure that their staff are able to maintain their sent and received emails organised, that email attachments can easily be previewed, cleaned, converted to PDF, reanmed and reordered, and that paper wastage is reduced by being able to truncate email printing and selectively print attachments.

In addition, organisations will improve their email branding by being able to centrally deploy and maintain standardised corporate email forms and signatures which are integrated Exchange Global Address List and Active Directory.

Since inMailX is extremely intuitive, it allows users to take advantage of its benefits with minimal training, and without delay. This translates into saving valuable time, reduced running costs, and increased productivity.

**Any organisation, regardless of its size, using Microsoft Outlook, will benefit from inMailX' High Return on Investment.**

**Contact us for a free inMailX demonstration, and discover the power of inMailX today!**

  
inMailX, inDocX, LawConnect, DigitusNet, iDigitus, Digitus are registered trademarks of Digitus Information Systems Pty Ltd in Australia and in some other countries. All third-party trademarks are the property of their respective owners.

CVE-2022-27105: inMailX | Digitus Information Systems

Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-1364: Stable Channel Update for Desktop

Newly discovered malware linked to Vietnamese threat actors targets users through a LinkedIn phishing campaign to steal data and admin privileges for financial gain.

Newly discovered malware linked to Vietnamese threat actors targets users through a LinkedIn phishing campaign to steal data and admin privileges for financial gain.

A new malware is hijacking high-profile Meta Facebook Business and advertising platform accounts through a phishing campaign that targets LinkedIn accounts. The malware, dubbed Ducktail, uses browser cookies from authenticated user sessions to take over accounts and steal data, researchers said.

Researchers from WithSecure, formerly F-Secure, discovered the ongoing campaign, which appears to be the work of financially driven Vietnamese threat actors, they wrote in a report published Tuesday. The campaign itself appears to have been active since at least the second half of 2021, while the threat actors behind it may have been on the cybercriminal scene since 2018, researchers said.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to,” researchers wrote in a blog post accompanying the report.Ducktail actors have very specific targets in mind—that is, individuals within companies operating on Facebook’s Business and advertising platform that have high-level access to the account. These include people with managerial, digital marketing, digital media, and human  
resources roles in targeted companies, researchers said.

“These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar,” researchers wrote.

To infiltrate accounts, actors are targeting LinkedIn users with a phishing campaign that lures victims using keywords related to brands, products and project planning into downloading an archive file containing the malware executable alongside related images, documents and video files, researchers reported.

****Malware Components****

Researchers took a deep dive into the novel malware, which in its latest samples is written exclusively in .NET Core and compiled via its single-file feature, something “not commonly seen in malware,” they noted.

Ducktail operates using six key components once it infects a system. It first does Mutex creation and check to ensure that only a single instance of the malware is running at any given time, researchers said.

A data storage component stores and loads stolen data in a text file in a temporary folder, while a browser-scanning feature scans installed browsers to identify cookie paths for later theft.

Ducktail also has two components dedicated to stealing info from victims, one that’s more general, stealing non-Facebook related information, and another that steals info specifically related to Facebook Business and advertising accounts as well as hijacks those accounts, researchers said.

The first general information-stealing component scans an infected machine for Google Chrome, Microsoft Edge, Brave Browser or Firefox and, for each one it finds, extracts all stored cookies, including any Facebook session cookie.

The component of Ducktail dedicated to extracting data from Facebook Business/Ads accounts directly interacts with various Facebook endpoints—either direct Facebook pages or API endpoints–from the victim’s machine using a stolen Facebook session cookie, researchers said. It also other security credentials obtained from the cookie to extract information from the victim’s Facebook account, they said.

Specific info that the malware steals from Facebook includes: security credentials, personal account identification info, business details and advertising account info.

Ducktail also allows threat actors to take full administration control over Facebook Business accounts, which can give them access to a user’s credit card or other transactional data for financial gain, researchers said.

****Telegram C&C and Other Evasion Tricks****

A final component of Ducktail exfiltrates data to a Telegram channel used as the threat actors’ command and control (C&C), researchers said. This allows the actor to evade detection by limiting the commands it sends from C&C to the victim’s machine, researchers said.

Moreover, the malware does not establish persistence on a machine, which also allows means it can get in and do its dirty work without alerting the user or flagging Facebook security, researchers said. However, different versions of Ducktail observed by threat actors performed this lack of persistence in various ways, they said.

“Older versions of the malware simply executed, did what they were designed to do, and then exited,” researchers wrote. “Newer versions run an infinite loop in the background that performs exfiltration activities periodically.”

Ducktail also has inherent features in Facebook data-stealing component that is designed to circumvent Meta security features by making any request for data to Facebook entities appear to be coming from the victim’s primary browser. This would make these actions appear benign to Meta security, researchers said.Attackers also can use information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information, to cloak and impersonate the victim, researchers said.

Novel Malware Hijacks Facebook Business Accounts

Machine learning should be considered an extension of — not a replacement for — existing security methods, systems, and teams.

Contrary to what you may have read, machine learning (ML) isn't magic pixie dust. In general, ML is good for narrowly scoped problems with huge datasets available, and where the patterns of interest are highly repeatable or predictable. Most security problems neither require nor benefit from ML. Many experts, including the folks at Google, suggest that when solving a complex problem you should exhaust all other approaches before trying ML.

ML is a broad collection of statistical techniques that allows us to train a computer to estimate an answer to a question even when we haven't explicitly coded the correct answer. A well-designed ML system applied to the right type of problem can unlock insights that would not have been attainable otherwise.

A successful ML example is natural language processing (NLP). NLP allows computers to "understand" human language, including things like idioms and metaphors. In many ways, cybersecurity faces the same challenges as language processing. Attackers may not use idioms, but many techniques are analogous to homonyms, words that have the same spelling or pronunciations but different meanings. Some attacker techniques likewise closely resemble actions a system administrator might take for perfectly benign reasons.

IT environments vary across organizations in purpose, architecture, prioritization, and risk tolerance. It's impossible to create algorithms, ML or otherwise, that broadly address security use cases in all scenarios. This is why most successful applications of ML in security combine multiple methods to address a very specific issue. Good examples include spam filters, DDoS or bot mitigation, and malware detection.

**Garbage in, Garbage Out**

The biggest challenge in ML is availability of relevant, usable data to solve your problem. For supervised ML, you need a large, correctly labeled dataset. To build a model that identifies cat photos, for example, you train the model on many photos of cats labeled "cat" and many photos of things that aren't cats labeled "not cat." If you don’t have enough photos or they're poorly labeled, your model won't work well.

In security, a well-known supervised ML use case is signatureless malware detection. Many endpoint protection platform (EPP) vendors use ML to label huge quantities of malicious samples and benign samples, training a model on "what malware looks like." These models can correctly identify evasive mutating malware and other trickery where a file is altered enough to dodge a signature but remains malicious. ML doesn't match the signature. It predicts malice using another feature set and can often catch malware that signature-based methods miss.

However, because ML models are probabilistic, there's a trade-off. ML can catch malware that signatures miss, but it may also miss malware that signatures catch. This is why modern EPP tools use hybrid methods that combine ML and signature-based techniques for optimal coverage.

**Something, Something, False Positives**

Even if the model is well-crafted, ML presents some additional challenges when it comes to interpreting the output, including:

*   **The result is a probability.** The ML model outputs the likelihood of something. If your model is designed to identify cats, you'll get results like "this thing is 80% cat." This uncertainty is an inherent characteristic of ML systems and can make the result difficult to interpret. Is 80% cat enough?
*   **The model can't be tuned**, at least not by the end user. To handle the probabilistic outcomes, a tool might have vendor-set thresholds that collapse them to binary results. For example, the cat-identification model may report that anything >90% "cat" is a cat. Your business’s tolerance for cat-ness may be higher or lower than what the vendor set.
*   **False negatives (FN)**, the failure to detect real evil, are one painful consequence of ML models, especially poorly tuned ones. We dislike false positives (FP) because they waste time. But there is an inherent trade-off between FP and FN rates. ML models are tuned to optimize the trade-off, prioritizing the "best" FP-FN rate balance. However, the "correct" balance varies among organizations, depending on their individual threat and risk assessments. When using ML-based products, you must trust vendors to select the appropriate thresholds for you.
*   **Not enough context for alert triage.** Part of the ML magic is extracting powerful predictive but arbitrary "features" from datasets. Imagine that identifying a cat happened to be highly correlated with the weather. No human would reason this way. But this is the point of ML — to find patterns we couldn't otherwise find and to do so at scale. Yet, even if the reason for the prediction can be exposed to the user, it's often unhelpful in an alert triage or incident response situation. This is because the "features" that ultimately define the ML system's decision are optimized for predictive power, not practical relevance to security analysts.

**Would "Statistics" by Any Other Name Smell as Sweet?**

Beyond the pros and cons of ML, there's one more catch: Not all "ML" is really ML. Statistics gives you some conclusions about your data. ML makes predictions about data you didn't have based on data you did have. Marketers have enthusiastically latched onto "machine learning" and "artificial intelligence" to signal a modern, innovative, advanced technology product of some kind. However, there's often very little regard for whether the tech even uses ML, never mind if ML was the right approach.

**So, Can ML Detect Evil or Not?**

ML can detect evil when "evil" is well-defined and narrowly scoped. It can also detect deviations from expected behavior in highly predictable systems. The more stable the environment, the more likely ML is to correctly identify anomalies. But not every anomaly is malicious, and the operator isn't always equipped with enough context to respond. ML's superpower is not in replacing but in extending the capabilities of existing methods, systems, and teams for optimal coverage and efficiency.

The Beautiful Lies of Machine Learning in Security

Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.

Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.

The bloom is back on phishing attacks with criminals doubling down on fake messages abusing popular brands compared to the year prior. Microsoft, Facebook and French bank Crédit Agricole are the top abused brands in attacks, according to study on phishing released Tuesday.

According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022, compared to the year prior. Fake Facebook messages are up 177 percent in the second quarter of 2022 within the same timeframe.

The study by Vade analyzed unique instances of phishing URLs used by criminals carrying out phishing attacks and not the number of phishing emails associated with the URLs. The report tallied the 25 most commonly targeted companies, along with the most abused industries and days of the week for phishing emails.

****Phishing By the Numbers****

Other top abused brands in phishing attacks include Credit Agricole, WhatsApp, and French telecommunications company Orange. Popular brands also included PayPal, Google and Apple (see chart).

Click to Enlarge

Through the first half of 2022, 34 percent of all unique phishing attacks tracked by the researchers impersonated financial services brands. The next most popular industry for criminals to abuse is cloud and the firms Microsoft, Google and Adobe. Social media was also a popular target with Facebook, WhatsApp and Instagram leading the list of brands leveraged in attacks.

The report revealed the most popular days for sending phishing emails is between Monday and Wednesday. Less than 20 percent of malicious emails are sent on the weekend.

“Phishing attacks are more sophisticated than ever,” wrote Adrien Gendre, chief tech and product officer at Vade in an email to Threatpost.

“Hackers have an arsenal of tools at their disposal to manipulate end users and evade email security, including phishing kits that can identify when they are being scanned by a vendor and trigger benign webpages to avoid detection. End users need to be continually trained to identify the latest phishing techniques,” he wrote.

Tag

#google