Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header. This vulnerability affects Firefox for iOS < 102.

Sorry, I can't find "_1654416?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-31746: Invalid Bug ID

An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360).

@@ -12,88 +12,81 @@ import UIKit import SafariServices  
extension Notification.Name { static let callbackURLNotification \= Notification.Name("callbackURL") }  
class LoginViewController: UIViewController, Navigating { static var navigableItem: NavigableItem \= .login  
private let guardianAPI \= DependencyManager.shared.guardianAPI private var safariViewController: SFSafariViewController? private var verificationURL: URL? private var verifyTimer: Timer? private var isVerifying \= false private let accountManager \= DependencyManager.shared.accountManager private let PKCECode: (String, String) \= PKCECodeGenerator.generateCode  
init() { super.init(nibName: nil, bundle: nil) guardianAPI.initiateUserLogin { \[weak self\] result in switch result { case .success(let checkpointModel): guard let loginURL \= checkpointModel.loginUrl else { return } self?.verificationURL \= checkpointModel.verificationUrl let safariViewController \= SFSafariViewController(url: loginURL) DispatchQueue.main.async { self?.addChild(safariViewController) self?.view.addSubview(safariViewController.view) safariViewController.view.frame \= self?.view.bounds ?? CGRect.zero safariViewController.view.autoresizingMask \= \[.flexibleWidth, .flexibleHeight\] safariViewController.didMove(toParent: self) } safariViewController.delegate \= self self?.safariViewController \= safariViewController case .failure(let error): let loginError \= error.getLoginError() let context: NavigableContext \= loginError \== .maxDevicesReached ? .maxDevicesReached : .error(loginError) self?.navigate(to: .landing, context: context) } } }  
deinit { verifyTimer?.invalidate() }  
required init?(coder: NSCoder) { fatalError("init(coder:) has not been implemented") }  
@objc private func verify() { guard let verificationURL \= verificationURL else { return } if isVerifying { return } isVerifying \= true override func viewDidLoad() { super.viewDidLoad()  
guardianAPI.verify(urlString: verificationURL.absoluteString) { \[weak self\] result in guard let self \= self else { return } let safariViewController \= SFSafariViewController(url: GuardianURLRequest.pkceLoginURL(codeChallenge: PKCECode.0)) addChild(safariViewController) view.addSubview(safariViewController.view) safariViewController.view.frame \= self.view.bounds safariViewController.view.autoresizingMask \= \[.flexibleWidth, .flexibleHeight\] safariViewController.didMove(toParent: self) safariViewController.delegate \= self self.safariViewController \= safariViewController  
NotificationCenter.default.addObserver(self, selector: #selector(handleCallback), name: .callbackURLNotification, object: nil) }  
@objc private func handleCallback(notification: Notification) { guard let url \= notification.userInfo?\["callbackURL"\] as? URL, let queryItems \= URLComponents(string: url.absoluteString)?.queryItems, let code \= queryItems.first(where: { $0.name \== "code" })?.value else { navigate(to: .landing) return } verify(code: code) }  
private func verify(code: String) { guardianAPI.verify(code: code, codeVerifier: PKCECode.1) { \[weak self\] result in guard let self \= self else { return } switch result { case .success(let verification): DependencyManager.shared.accountManager.login(with: verification) { loginResult in self.isVerifying \= false self.verifyTimer?.invalidate() switch loginResult { case .success: self.navigate(to: .home) case .failure(let error): Logger.global?.log(message: "Authentication Error: \\(error)") let context: NavigableContext \= error \== .maxDevicesReached ? .maxDevicesReached : .error(error) self.navigate(to: .landing, context: context) } } case .failure: self.isVerifying \= false return self.login(verification: verification) case .failure(let error): self.navigate(to: .landing, context: .error(error)) } } } }  
// MARK: - SFSafariViewControllerDelegate extension LoginViewController: SFSafariViewControllerDelegate { func safariViewController(\_ controller: SFSafariViewController, didCompleteInitialLoad didLoadSuccessfully: Bool) { if didLoadSuccessfully && verifyTimer \== nil { verifyTimer \= Timer.scheduledTimer(timeInterval: 3, target: self, selector: #selector(verify), userInfo: nil, repeats: true) private func login(verification: VerifyResponse) { accountManager.login(with: verification) { \[weak self\] loginResult in guard let self \= self else { return } switch loginResult { case .success: self.navigate(to: .home) case .failure(let error): Logger.global?.log(message: "Authentication Error: \\(error)") let context: NavigableContext \= error \== .maxDevicesReached ? .maxDevicesReached : .error(error) self.navigate(to: .landing, context: context) } } } }  
// MARK: - SFSafariViewControllerDelegate extension LoginViewController: SFSafariViewControllerDelegate { func safariViewControllerDidFinish(\_ controller: SFSafariViewController) { self.verifyTimer?.invalidate() navigate(to: .landing) } }

CVE-2020-15679: PGAND-410 Resolve oauth session fixation on iOS (#272) · mozilla-mobile/guardian-vpn-ios@4309f5c

The search term could have been specified externally to trigger SQL injection. This vulnerability affects Firefox for iOS < 101.

Sorry, I can't find "_1767205?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1887: Invalid Bug ID

An exhaustive analysis of FIN7 has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.
It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families.
The highly active threat group, also known as Carbanak,

An exhaustive analysis of **FIN7** has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.

It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families.

The highly active threat group, also known as Carbanak, is known for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons," including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.

More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K.

FIN7's intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise and the use of stolen credentials purchased from underground markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

According to the Swiss cybersecurity company, the threat actors have also been observed to weaponize flaws in Microsoft Exchange such as CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell flaws in Microsoft Exchange Server to obtain a foothold into target environments.

The use of double extortion tactics notwithstanding, attacks mounted by the group have deployed backdoors on the compromised systems, even in scenarios where the victim has already paid a ransom.

The idea is to resell access to other ransomware outfits and re-target the victims as part of its illicit money-making scheme, underscoring its attempts to minimize efforts and maximize profits, not to mention prioritize companies based on their annual revenues, founded dates, and the number of employees.

This "demonstrates a particular type of feasibility study considered a unique behavior among cybercrime groups," the researchers said.

Put differently, the modus operandi of FIN7 boils down to this: It utilizes services like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo to shortlist firms and organizations with the highest revenue. It also uses other website analytics platforms like MuStat and Similarweb to monitor traffic to the victims' sites.

Initial access is then obtained through one of the many intrusion vectors, followed by exfiltrating data, encrypting files, and eventually determining the ransom amount based on the company's revenue.

These infection sequences are also designed to load the remote access trojans such as Carbanak, Lizar (aka Tirion), and IceBot, the latter of which was first documented by Recorded Future-owned Gemini Advisory in January 2022.

Other tools developed by FIN7 encompass modules to automate scans for vulnerable Microsoft Exchange servers and other public-facing web applications as well as Cobalt Strike for post-exploitation.

In yet another indication that criminal groups function like traditional companies, FIN7 follows a team structure consisting of top-level management, developers, pentesters, affiliates, and marketing teams, each of whom are tasked with individual responsibilities.

While two members named Alex and Rash are the chief players behind the operation, a third managerial member named Sergey-Oleg is responsible for delegating duties to the group's other associates and overseeing their execution.

However, it has also been observed that operators in administrator positions engage in coercion and blackmail to intimidate team members into working more and issue ultimatums to "hurt their family members in case of resigning or escaping from responsibilities."

The findings come more than a month after cybersecurity company SentinelOne identified potential links between FIN7 and the Black Basta ransomware operation.

"FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies," PRODAFT concluded.

"Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets. Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FIN7 Cybercrime Syndicate Emerges as Major Player in Ransomware Landscape

Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.
"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within

Password Management / Online Security

Multiple high-severity vulnerabilities have been disclosed in **Passwordstate** password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.

"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.

"Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also impacts Passwordstate version 9.5.8.4 for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.

The list of vulnerabilities identified by modzero AG is below -

*   CVE-2022-3875 (CVSS score: 9.1) - An authentication bypass for Passwordstate's API
*   CVE-2022-3876 (CVSS score: 6.5) - A bypass of access controls through user-controlled keys
*   CVE-2022-3877 (CVSS score: 5.7) - A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
*   No CVE (CVSS score: 6.0) - An insufficient mechanism for securing passwords by using server-side symmetric encryption
*   No CVE (CVSS score: 5.3) - Use of hard-coded credentials to list audited events such as password requests and user account changes through the API
*   No CVE (CVSS score: 4.3) - Use of insufficiently protected credentials for Password Lists

Exploiting the vulnerabilities could permit an attacker with knowledge of a valid username to extract saved passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.

What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry to obtain a reverse shell and grab the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 - Build 9653 released on November 7, 2022, or later versions to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customer's machines.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

Don’t be fooled by its fun name and Tamagotchi-like interface—this do-everything gadget is trouble waiting to happen and a whole lot more.

Across the US, countless buildings, from government offices to your next hotel room door, are protected by RFID-controlled locks. On a recent trip to my office, I passed nearly 20 of these keyless entry systems, which are among the most pervasive in the world. But a playful palm-sized gadget with a Tamagotchi-like interface can likely thwart the locks on many of these doors. 

The $200 device is called Flipper Zero, and it’s a portable pen-testing tool designed for hackers of all levels of technical expertise. The tool is smaller than a phone, easily concealable, and is stuffed with a range of radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly in short ranges. For example, in just seconds, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet.

If you had only heard about Flipper Zero through TikTok, where the tool has gone viral, you might think that it was a toy that could make ATMs spit out money, cars unlock themselves, and gas spill out of pumps for free. I spent the last week testing one to determine whether the world was as vulnerable to Flipper Zero as social media made it out to be. What I found was mixed: Many of the most dramatic videos posted to TikTok are likely staged—most modern wireless devices are not susceptible to simple replay attacks—but the Flipper Zero is still undeniably powerful, giving aspiring hackers and seasoned pen-testers a convenient new tool to probe the security of the world’s most ubiquitous wireless devices. 

In reviews, people liken Flipper Zero to a Swiss Army knife for physical penetration testing. But in my week testing Flipper Zero, it felt more like a blacklight—something I could literally hold up to a device that would reveal information, invisible to the human eye, about how it worked, what data it was emitting, and how often it was doing so. 

Here’s a brief list of some things I’ve learned with the help of Flipper Zero this week: Some animal microchips will tell you the body temperature of your pet. My neighbor’s car tire pressure sensor leaks data to anyone in range of the signal. My iPhone blasts my face with infrared signals every few seconds. My home security system has built-in signal-jamming detection. WIRED’s office bathroom has a soap dispenser that broadcasts whether it needs a refill.

When I told Alex Kulagin, one of Flipper Zero’s co-creators, about my experiences using his tool to make these kinds of mundane observations, he explained that this is exactly what the device is meant for. “We want to help you understand something deeply, explore how it works, and explore the wireless world that’s all around you but difficult to understand,” he says. 

Kulagin and his business partner, Pavel Zhovner, first came up with the idea for Flipper Zero in 2019. Since then, their company has sold 150,000 devices and they’ve grown their team to nearly 50 people. But as they’ve grown, they’ve encountered some resistance. This summer, payments of more than $1.3 million were held up by PayPal, and in September, US Customs and Border Patrol seized a shipment of devices. According to Kulagin, CBP released the shipment after a month but has yet to tell the company why it held the shipment. CBP declined WIRED’s request to comment about the seized Flipper Zeros.

Bob Zahreddine is a lieutenant for the Glendale Police Department and executive officer with the High Tech Crime Cops, an industry group made up of law enforcement officials that, according to its website, “connects cyber cops and investigators.” Zahreddine says that he isn’t necessarily surprised that CBP has taken an interest in Flipper Zero. “Because Flipper Zero is so customizable, the potential is there for it to be used in all sorts of crime,” he says. 

Zahreddine’s organization maintains a listserv where investigators will often solicit advice from their peers and share news or information about developments in the latest law enforcement technology. He told WIRED that while he hasn’t heard any chatter about Flipper Zero being used in any crimes on his listserv, investigators there are aware of the tool and have been following its development since Kulagin and Zhovner began fundraising on Kickstarter. 

Indeed, it’s easy to imagine how someone could break the law or even just get up to some petty mischief with this device. For instance, not only was I able to clone the ID badge of my office with Flipper Zero, I was able to record the signal that my neighbor’s garage door opener makes when he pulls into his driveway. Older cars that don’t use rolling code encryption are likely unlockable with the device, and my Flipper Zero was able to read my credit card number through my wallet and pants.

But Kulagin isn’t particularly concerned about his tool’s potential for criminal mischief. “Obviously, there are old cars that are vulnerable to Flipper. But they aren’t secure by definition—that is not Flipper’s fault,” he says. “There are bad people out there, and they can do bad stuff with any computer. We aren’t intending to break laws.”

To that end, Flipper Zero’s firmware, by default, prevents individuals from transmitting on frequencies that are banned in the country the device is in, and Flipper Zero’s Discord server explicitly forbids discussions about alternative firmware with illegal features. The tool also isn’t able to copy or replay any encrypted signals. For instance, while I was able to read the signal from my credit and debit cards, I was unable to use that signal to actually pay for anything with contactless payment systems. However, because the project is open source, a savvy Flipper user could adjust the firmware to enable additional, perhaps malicious, functionality.

When I asked Kulagin whether he had been contacted by law enforcement about the Flipper, he told me that he hadn’t. “No, not yet at least,” he says.

While it’s possible to get into trouble with a device like a Flipper Zero, the tool undeniably gives any curious person looking to learn about the devices around them a way to access and dissect the signals and protocols that power our lives. Personally, I am more engaged with the technology I encounter while walking around after my week with the Flipper Zero. I’m thinking more like a pen-tester.

What Is Flipper Zero? The Hacker Tool Going Viral on TikTok, Explained

Video conferencing platform fixes cross-site scripting vulnerability

Video conferencing platform fixes cross-site scripting vulnerability

  

Zoom has patched a cross-site scripting (XSS) bug that worked in both the desktop and web versions of its Whiteboard app.

Zoom Whiteboard allows users to collaborate in real-time on a shared canvas by adding and editing different objects. Whiteboard runs JavaScript code both in the browser and the desktop app.

**Escaping sanitization**

The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (also known as ‘spaceraccoon’). Lim focuses on the overlap between web, mobile, desktop, and other platforms, which is how he became interested in investigating Zoom Whiteboard.

Whiteboard supports several types of objects, including text, shapes, rich text, images, and sticky notes.

To store and transfer objects, it uses Protocol Buffer (), a language- and platform-neutral markup standard for serializing structured data. It uses WebSocket to broadcast objects across all clients and provide real-time updates on the whiteboard.

Read more of the latest news about web security vulnerabilities

Once received, the client transforms the object into its corresponding React component and inserts it into the user interface.

React automatically sanitizes all HTML attributes contained in the whiteboard objects. However, a few of the objects allow some HTML tags. For some objects, the developers used custom regex functions to sanitize user input and remove disallowed tags.

Lim discovered that with a well-crafted HTML string, he could bypass the sanitization check and send arbitrary JavaScript code to all other clients and stage an XSS attack.

**Weaponizing the clipboard**

Exploiting the bug would require a complicated effort by the attacker.

“WebSocket messages are sent in the format. This makes it tricky to write a proof-of-concept that’s easy for triagers to reproduce because they need to intercept the WebSocket request as well as modify the message correctly before the request is dropped,” Lim told The Daily Swig.

To overcome this challenge, he developed an end-to-end proof of concept script that used the clipboard to create and deliver the XSS payload.

**The challenges of hybrid applications**

Lim believes there are two factors that make it difficult to find and plug such bugs. First is the breadth and depth of JavaScript web APIs that support additional features.

“From WebRTC (video calling) to WebGL (2D/3D graphics), there’s a lot more you can do in a browser nowadays than simply pop an alert. This increases the attack surface and potential for bypasses,” he said.

And second is the growing overlap between web and native/desktop applications.

“Developers need to secure their apps across multiple platforms, which increases the complexity as JavaScript in React on Safari might work slightly differently than React Native with Hermes on Android,” Lim said.

**Check your third-party dependencies**

Finally, Lim warned about flaws in third-party dependencies.

“Code scanning tools did not pick up the actual \[Zoom\] vulnerability because the user input flowed through a third-party dependency,” he said.

Typically, code scans in CI/CD pipelines do not install third-party dependencies and run only on the project source code.

“The takeaway here is to be very aware of the third-party components you are using and how you are using them,” Lim said. “Additionally, regexes are very tricky to do yourself so it may be better to rely on libraries like DOMPurify.”

DON’T MISS How to become a penetration tester: Part 2 – ‘Mr hacking’ John Jackson on the virtue of ‘endless curiosity’

Zoom Whiteboard patches XSS bug

Categories: Android
Categories: News
Tags: Android

Tags:  banking Trojan

Tags:  Godfather

Tags:  Anubis

Tags:  lay-over screen

Tags:  MYT

Tags:  Google Protect

Researchers have uncovered a new campaign of the Godfather banking Trojan, that comes with some new tricks.



(Read more...)




The post Godfather Android banking malware is on the rise appeared first on Malwarebytes Labs.

Researchers at Cyble Research & Intelligence Labs (CRIL) have found a new version of the Android banking Trojan called Godfather.

The new version of Godfather uses an icon and name similar to a legitimate application named MYT Music, which is hosted on the Google Play Store with over 10 million downloads.

**History**

Group-IB researchers established that Godfather is a successor of Anubis. Anubis was a widely used Android banking Trojan that lost popularity after its functionality got limited by Android updates and security vendors’ detection and prevention efforts.

Godfather's success is mostly due to its ability to create convincing lay-over screens for over 400 applications. This use of lay-over screens or web fakes, are basically HTML pages created by threat actors that display over legitimate applications. This allows the threat actors to harvest login credentials for banking applications and other financial services. The target apps include banking applications, cryptocurrency wallets, and crypto exchanges.

The most popular target apps for the banking Trojan are in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). The Trojan checks the system language of the infected device and shuts down if it is one of these: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

**Install**

Several of the new Godfather samples were found masquerading as the MYT Müzik application which is written in the Turkish language. After installing it uses an icon and the name that are very similar to a legitimate application named MYT Music. MYT Music is a popular app with over 10 million installs.

**Getting permissions**

To get the necessary permissions, the Trojan poses as Google Protect, which is a standard security tool found on all Android devices. It pretends to initiate a scan and asks the user for access to the Accessibility Service. Which makes sense to the user given that they think the app will scan the device. With access to the Accessibility Service, the Trojan can grant itself all the permissions it needs to steal information from the affected device.

**Capabilities**

Once fully active, Godfather steals sensitive data such as SMS messages, basic device details including installed apps data, and the device’s phone number. It can also control the device screen, forward incoming calls of the victim’s device, and inject banking URLs. The Trojan is capable of initiating money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface

It sends the harvested data to the attacker. Who, in turn, now know which apps are installed and can inject HTML phishing pages that are most effective if the victim has the imitated app installed. The Command & Control (C2) server’s URL is fetched from a Telegram channel.

**IOCs**

For the variant posing as the MYT Muzik app CRIL provided:

APK Metadata Information

*   App Name: MYT Müzik
*   Package Name: com.expressvpn.vpn
*   SHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4

Malwarebytes for Android detects these new variants of the Godfather Trojan as Android/Trojan.Spy.Banker.MYT.

**How to avoid malware**

There are a few basic guidelines that can help you prevent installing malware on your device.

*   Download and install software only from official app stores like Google Play Store or the iOS App Store. And check whether the app you are downloading is exactly the one you wanted and not some imitator.
*   Use a reputed anti-virus/anti-malware and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
*   Use strong passwords and enforce multi-factor authentication (MFA) wherever possible.
*   Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device if possible.
*   Be very careful before opening any links received via SMS or emails delivered to your phone.
*   Ensure that Google Play Protect is enabled on Android devices.
*   Be careful while enabling any permissions. Reading carefully what you are allowing an app to do helps you flag unusual and suspicious requests.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Godfather Android banking malware is on the rise

Apple Security Advisory 2022-12-13-9 - Safari 16.2 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-9 Safari 16.2

Safari 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213537.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

WebKit  
We would like to acknowledge an anonymous researcher, scarlet for  
their assistance.

Safari 16.2 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX0ACgkQ4RjMIDke  
NxniRQ/+LTObFcBEWogS56q3+7wjz2BgzBZYn4gwNGfvXf0zZfmXnTE0WXUolVa1  
8/glHt7Tu5/KKfy6JDqmQvrF6fo2YpBgH0wrux/j4VPVCeaaOa2gXRAw0CBa4e4E  
OabGVEXEsgJjyE4MSMKh8Hn1VD4ANTPPKn5jWmDsCsSS2zEo94gD7Mkqh81CeFoV  
Yhmbv87nZAdEz2nHUkoM6PmN8SPAY5VtRp6i1rbkpcmMfs3VyA/ehnkfBGQK2xH7  
vHpx2yyoXlqwR0zc7uHEge13e8kZ1Zh8UdIecgJuoyOvvmRR5DcchMFUYpUq8JcZ  
JOqN2lsRBu52WvoEGCkD80/PWamhD+CJWeMvgbvEZSOiNKKOSY1qO0w0NsGMPXCh  
6xdcjfeTpslNn4zNUfaAwnUGIyxbIsNNHIgw3VX5GnFihpEsknBqbjxTLCBrDdFE  
T5xuHPBj7vXEW3V2ZXVt2MctWCr0GQdHt66C2m3gAEhL9xoN6YMEXLI0RVgUHmaf  
hOY/EZMIGm1cL33OvMKuvWCJuGW81+2+LJSwoscguhrj7Jb2qTOL2w06VDyNftuY  
F876pPWZgEj1O7DAtL9OP8IdrpSmQnAkvVUIZA6Sx3MaxTdl4f6lG4NlcsMGz+se  
PxxMCYWi8f/sPNxSdfoYardNkQcPsKm13UFu+Q9nSuV0A+x0qgA=  
=F0qN  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-9

Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-7 tvOS 16.2

tvOS 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213535.

Accounts  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted video file may lead to kernel  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2022-42848: ABC Research s.r.o

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted TIFF file may lead to  
disclosure of user information  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42851: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

Preferences  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to elevate privileges  
Description: An access issue existed with privileged API calls. This  
issue was addressed with additional restrictions.  
CVE-2022-42849: Mickey Jin (@patch1t)

Weather  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke  
NxkItA/+LIwJ66Odl7Uwp1N/qek5Z/TBuPKlbgTwRZGT3LBVMVmyHTBzebA88aNq  
Pae1RKQ2Txw4w9Tb7a08eeqRQD51MBoSjTxf23tO1o0B1UR3Hgq3gsOSjh/dTq9V  
Jvy4DpO15xdVHP3BH/li114JpgR+FoD5Du0rPffL01p6YtqeWMSvnRoCmwNcIqou  
i2ZObfdrL2WJ+IiDIlMoJ3v+B1tDxOWR6Mn37iRdzl+QgrQMQtP9pSsiAPCntA+y  
eFM5Hp0JlOMtCfA+xT+LRoZHCbjTCFMRlRbNffGvrNwwdTY4MXrSYlKcIo3yFT2m  
KSHrQNvqzWhmSLAcHlUNo0lVvtPAlrgyilCYaeRNgRC1+x8KRf/AcErXr23oKknJ  
lzIF6eVk1K3mxUmR+M+P8+cr14pbrUwJcQlm0In6/8fUulHtcElLE3fJ+HJVImx8  
RtvNmuCng5iEK1zlwgDvAKO3EgMrMtduF8aygaCcBmt65GMkHwvOGCDXcIrKfH9U  
sP4eY7V3t4CQd9TX3Vlmt47MwRTSVuUtMcQeQPhEUTdUbM7UlvtW8igrLvkz9uPn  
CpuE2mzhd/dJANXvMFBR9A0ilAdJO1QD/uSWL+UbKq4BlyiW5etd8gObQfHqqW3C  
sh0EwxLh4ATicRS9btAJMwIfK/ulYDWp4yuIsUamDj/sN9xWvXY=  
=i2O9  
-----END PGP SIGNATURE-----

Tag

#ios