The next time someone wants to borrow your device to make a call or take a picture, take these steps to protect your privacy.

From the nephew who wants to play games for a few minutes, to the friend who wants to see your vacation snaps, to the stranger who needs to make a call, there are going to be people who want to borrow your phone.

That's quite a privacy and security risk if you think about everything that your phone gives you access to: social media profiles, banking details, instant messenger conversations, photos and videos that you'd rather the world didn't see, and so on.

However, there are ways to hand over your phone to someone else without having to worry about what they might get up to on it. You just need to make sure that you've taken a few precautions before the exchange takes place.

iPhone

Guided Access is built into iOS.

Apple via David Nield

(Apple via David Nield)

The feature you need to know about on the iPhone is called Guided Access, and you can enable it by opening up iOS Settings and choosing **Accessibility** and **Guided Access**. Turn the **Guided Access** toggle switch on and the feature is ready to go—just make sure you use **Passcode Settings** to set a passcode to protect Guided Access mode.

To actually turn Guided Access on, you need to triple-tap the home button if your iPhone has one, or the side button if it doesn't. You can then tap **Options** to configure how Guided Access is going to work: You're able to restrict access to the volume buttons, for example, and the software keyboard. You can even turn off touchscreen functionality and put a limit on Guided Access mode. Tapping **Start** launches Guided Access.

Whoever is using the iPhone is then locked into the current app, so you need to open up the app in question—the Phone app, a particular game, or whatever it is—before you triple-tap the button on your device to launch Guided Access. You get out of Guided Access with another triple-tap of the same button, at which point you'll need the passcode that you set at the start.

The idea is that without the passcode, the person using your iPhone can't get out of the app you've put them in—there's no way to switch apps, open up the Control Center, or even turn the phone off. It's worth being aware of the app that they're in, though, and what they can do inside that app: If you're showing someone your photos, they'll be able to access all of them.

One extra option in the Photos app is to hide photos and videos by opening them, tapping the share button (bottom left), and choosing **Hide**. This hides these pictures and clips in a special Hidden folder. They won't be visible in normal view in the Photos app, and they won't appear in searches, but the person borrowing your smartphone can still get at them by choosing **Hidden** from the **Albums** tab.

Android

Apps can be pinned inside Android.

Google via David Nield

If you're using an Android device, you can take advantage of a feature similar to Guided Access on iOS. It's called App Pinning, and again the idea is that the person borrowing your phone is limited to one app. They're not able to get to another app or access the phone's settings without a PIN code set by you.

There are certain software variations among Android phone makers when it comes to finding and enabling App Pinning, but you should be able to find it without too much trouble. On the stock version of Android that Google puts in its Pixel phones, you can enable it by going to the main Android Settings menu, then choosing **Security**, **Advanced Settings** and **App Pinning**.

Turn on the **Use App Pinning** toggle switch, and make sure that **Ask for PIN Before Unpinning** is enabled as well—this prevents everyone but you from switching apps. To find the app you want to pin, swipe up and hold from the bottom of the screen until you see thumbnails of your recently used apps. Find the one you want, tap the app icon at the top, and choose **Pin** from the drop-down menu. 

To get out of app pinning, swipe up and hold from the bottom of the screen again. The phone will be locked, and your PIN code will be required to regain access and move between apps. Assuming that the person borrowing your phone doesn't know your PIN, you'll be able to keep them in one app.

Like Apple Photos, Google Photos can also hide photos and videos, which can help if someone is browsing through your pictures. Open an image or clip, tap the three dots (top right), then choose **Move to Locked Folder**—the photos and videos that you send here can't be accessed without unlocking your phone first, which will require a PIN, a fingerprint scan, or a face scan, depending on how you've set it up.

How to Safely Lend Someone Else Your Phone

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin settings.

CVE-2022-29495: Popup Builder – Create highly converting, mobile friendly marketing popups.

Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.

Product: OX App Suite  
Vendor: OX Software GmbH

Internal reference: DOCS-4106  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev13, 7.10.3-rev6, 7.10.4-rev6, 7.10.5-rev5, 7.10.6-rev3  
Vendor notification: 2022-01-10  
Solution date: 2022-01-13  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23100  
CVSS: 8.2 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)

Vulnerability Details:  
OX Documentconverter has a Remote Code Execution flaw that allows authenticated OX App Suite users to run commands on the instance which runs OX Documentconverter if they have the ability to perform document conversions, for example of E-Mail attachments or OX Drive content.

Risk:  
Attackers can inject arbitrary operating-system level commands via OX App Suite API and/or OX Documentconverter API. Commands are executed on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can be used to modify or exfiltrate configuration files as well as adversely affect the instances availability by excessive resource usage. By default the vulnerable Documentconverter API is not publicly accessible, however this might be worked around by abusing other weaknesses, configuration flaws or social engineering.

Steps to reproduce:  
1. Create a forged Documentconverter API call that embeds escape characters and a system command  
2. Inject the malicious API call via App Suite as a proxy or other means

Solution:  
We reduceed available API parameters to a limited set of enumerations, rather than accepting API input.

---

Internal reference: MWB-1350  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev37, 7.10.6-rev9  
Vendor notification: 2021-11-30  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23099  
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Existing sanitization and filtering mechanisms for HTML files can be bypassed by forcing block-wise read. Using this technique, the recognition procedure misses to detect tags and attributes that span multiple blocks.

Risk:  
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.

Steps to reproduce:  
1. As attacker, create a HTML malicious code-snippet which masks tags (e.g. <script>) by block boundaries  
2. Upload the code snippet to drive and create a sharing link  
3. Sent that link to a victim and make it follow it

Solution:  
We now check for possible HTML content through overlapping reads from data streams.

---

Internal reference: MWB-1366  
Vulnerability type: n/a  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev38, 7.10.6-rev9  
Vendor notification: 2021-12-10  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2021-42550  
CVSS: n/a

Vulnerability Details:  
In the wake of the CVE-2021-44228 (Log4Shell) issue, a similar potential vulnerability at the Logback library has been identified (LOGBACK-1591, CVE-2021-42550). At its default configuration, OX App Suite is not susceptible to this vulnerability and there are no scenarios that require to deploy a vulnerable configuration.

Risk:  
We provide this update strictly as a precaution to mitigate the possibility of a vulnerability. Exploiting CVE-2021-42550 at this point would require privileged access to alter system configuration.

Steps to reproduce:  
1. n/a

Solution:  
We provided a component update to Logback 1.2.8 and slf4j 1.7.32.

---

Internal reference: OXUIB-1172  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev69, 7.10.3-rev31, 7.10.4-rev28, 7.10.5-rev30  
Vendor notification: 2021-11-30  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23101  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Deep-links within E-Mail (e.g. links to Drive files) are not checked for malicious use of the appHandler function (see CVE-2021-38374) and may therefore be used to inject references to malicious code.

Risk:  
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require to forge App Suite specific mails and force the victim to follow a hyperlink.

Steps to reproduce:  
1. As an attacker, create a malicious E-Mail that uses App Suite "Deep-links" as mail header and embed a call to the AppLoader component  
2. Deliver the mail and make the victim open the link

Proof of concept:  
X-Open-Xchange-Share-URL: https://example.com/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/drive/script.js?cut=&id=123

Solution:  
We now check for a enumeration of valid applications for deep-links as well.

---

Internal reference: DOCS-4161  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev14, 7.10.3-rev7, 7.10.4-rev7, 7.10.5-rev6, 7.10.6-rev3  
Vendor notification: 2022-01-24  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-24405  
CVSS: 7.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:  
The compatibility layer of documentconverter API processes serialized Java classes when using remote cache calls. This can be exploited to inject malicious code that is being executed in the context of the documentconverter component.

Risk:  
Attackers can inject arbitrary operating-system level commands via the OX Documentconverter API. Commands are executed on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can be used to modify or exfiltrate configuration files as well as adversely affect the instances availability by excessive resource usage. By default the vulnerable OX Documentconverter API is not publicly accessible and we are not aware that this could have been exploited without privileged network or system access.

Steps to reproduce:  
1. Create a malicious Java class and serialize it  
2. Use the OX Documentconverter API to inject this class as a reference/hash to remote caches

Solution:  
We now apply input sanitization to this API call and retrict it to strings. We also implemented a set of additional hardening procedures for other API calls which work in a similar way.

---

Internal reference: DOCS-4120  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter-api  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev10, 7.10.3-rev5, 7.10.4-rev6, 7.10.5-rev6, 7.10.6-rev3  
Vendor notification: 2022-01-10  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-24406  
CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Vulnerability Details:  
By creating colissions of HTTP multipart-formdata boundaries it is possible to alter the API request parameters between OX App Suite and OX Documentconverter. Legitimate multipart-formdata boundaries are created based on a timestamp with millisecond resolution. This allows attackers to predict the next boundary and attempt to overwrite its content. The most practical way to exploit this is sending a large number of formdata parts, each with a unique boundary based on a future point in time.

Risk:  
Attackers can modify parameters of internal API calls to OX Documentconverter and by that circumvent network trust boundaries. In effect, a server-side request forgery attack is possible, for example to exploit DOCS-4106 (CVE-2022-23100) with limited privileges using OX App Suite API as a "proxy".

Steps to reproduce:  
1. Create a HTTP request with multipart-formdata boundaries representing timestamps in the near future  
2. Add internal API parameters to those multipart-formdata sections and use them as requests to OX App Suite API

Solution:  
We modified the algorithm to create multipart-formdata boundaries in a way that they are no longer predictable. We also restricted the number of multipart-formdata parts to a sensible amount and issue an Exception if a client exceeds it.

Open-Xchange App Suite 7.10.x Cross Site Scripting / Command Injection

Apple Security Advisory 2022-07-20-6 - watchOS 8.7 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-6 watchOS 8.7

watchOS 8.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213340.

APFS  
Available for: Apple Watch Series 3 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may be able to cause kernel code execution  
Description: A buffer overflow issue was addressed with improved  
bounds checking.  
CVE-2022-32788: Natalie Silvanovich of Google Project Zero

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom  
(@jaakerblom)

AppleMobileFileIntegrity  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-32845: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32840: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32810: Mohamed Ghannam (@_simo36)

Audio  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Audio  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

CoreText  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

File System Events  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

GPU Drivers  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: Multiple out-of-bounds write issues were addressed with  
improved bounds checking.  
CVE-2022-32793: an anonymous researcher

GPU Drivers  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-32821: John Aakerblom (@jaakerblom)

ICU  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: Apple Watch Series 3 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32841: hjy79425575

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32813: Xinru Chi of Pangu Lab  
CVE-2022-32815: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32817: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app with arbitrary kernel read and write capability may be  
able to bypass Pointer Authentication  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)

Liblouis  
Available for: Apple Watch Series 3 and later  
Impact: An app may cause unexpected app termination or arbitrary code  
execution  
Description: This issue was addressed with improved checks.  
CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China  
(nipc.org.cn)

libxml2  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

Multi-Touch  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Multi-Touch  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved state  
handling.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Software Update  
Available for: Apple Watch Series 3 and later  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

Wi-Fi  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

configd  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1p  
rhjSsg//XnukSPtKHk58IOSkcWaTk0WdrYv2+dGbdgkcPBgO2ehNQqk1xI3LDHLN  
b6A5MMaoR4ityTEC+i4XFWxVJNfzXFa1SHMiht1uJDtaNCc2F+VIP+EZJx2KYe7H  
O8F0g9lF33hQE3xDjrwtPe+7wYjfzgDX8iCbsfaNDPAWBq0BfNA8/4bv5GzPaPC4  
qcP+W9IRb11yAzlnCEgJNhMB0SLwtzpcUYLKcJbPdilABeYe08CLIIVAw2vKI1Kk  
J7sk/ZiGKnB1ZHa+fl17ahApKkLePnFtHR9rMseEpyRbPa7EvomZxUQoLvbaDf+Q  
gRqtysAw8oxfhetorvDFwAem3eCRdgJ/T/0U6jC+4dfHzVnGxV27K/PgF3GWRDU5  
trPVZ0cu8qdzgNAwSuRHTxTg923FN7cR14NL66TkGZ1d/VKfn1l0h1wctoPOhHPR  
zWJi5P8WbprG1XVWNx+aJYW09VIMsujJrrGQSn78o6gXOR2salEDiCs2JixKZnqK  
CV4+uGQIiE8bD0oA1B1uFQiPx3XtgOY92QQl8Jnn/7Xa6QQ0hq/3NmDN66RzO78S  
I4pH4Vt/L0LNoArGMCrO4URpLiQx5Au0niH5+jbvHyWr1Bm3Y+dMRP1yds3aLQ0Q  
16FIrWStzY+cnmOXQKczTIiaJYuSMjCOQicLuWx/q2ghfLCJ16E=  
=6Uj+  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-6

Apple Security Advisory 2022-07-20-1 - iOS 15.6 and iPadOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-07-20-1 iOS 15.6 and iPadOS 15.6iOS 15.6 and iPadOS 15.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213346.APFSAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32832: Tommy Muir (@Muirey03)AppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause kernel code executionDescription: A buffer overflow was addressed with improved boundschecking.CVE-2022-32788: Natalie Silvanovich of Google Project ZeroAppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)AppleMobileFileIntegrityAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-32826: Mickey Jin (@patch1t) of Trend MicroApple Neural EngineAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-32845: Mohamed Ghannam (@_simo36)Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: This issue was addressed with improved checks.CVE-2022-32840: Mohamed Ghannam (@_simo36)CVE-2022-32829: an anonymous researcherApple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32810: Mohamed Ghannam (@_simo36)AudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-32820: an anonymous researcherAudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32825: John Aakerblom (@jaakerblom)CoreMediaAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)CoreTextAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may cause an unexpected app termination orarbitrary code executionDescription: The issue was addressed with improved bounds checks.CVE-2022-32839: STAR Labs (@starlabs_sg)File System EventsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32819: Joshua Mason of MandiantGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: Multiple out-of-bounds write issues were addressed withimproved bounds checking.CVE-2022-32793: an anonymous researcherGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-32821: John Aakerblom (@jaakerblom)HomeAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user may be able to view restricted content from the lockscreenDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32855: an anonymous researcheriCloud Photo LibraryAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to access sensitive user informationDescription: An information disclosure issue was addressed byremoving the vulnerable code.CVE-2022-32849: Joshua JonesICUAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may result indisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32841: hjy79425575ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: A logic issue was addressed with improved checks.CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin(@patch1t)ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may lead to disclosureof user informationDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32830: Ye Zhang (@co0py_Cat) of Baidu SecurityImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing an image may lead to a denial-of-serviceDescription: A null pointer dereference was addressed with improvedvalidation.CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)IOMobileFrameBufferAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26768: an anonymous researcherKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32813: Xinru Chi of Pangu LabCVE-2022-32815: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32817: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A race condition was addressed with improved statehandling.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)LiblouisAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may cause unexpected app termination or arbitrary codeexecutionDescription: This issue was addressed with improved checks.CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China(nipc.org.cn)libxml2Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to leak sensitive user informationDescription: A memory initialization issue was addressed withimproved memory handling.CVE-2022-32823Multi-TouchAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A type confusion issue was addressed with improved statehandling.CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)PluginKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to read arbitrary filesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32838: Mickey Jin (@patch1t) of Trend MicroSafari ExtensionsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a maliciously crafted website may leak sensitivedataDescription: The issue was addressed with improved UI handling.CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul NationalUniversitySoftware UpdateAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user in a privileged network position can track a user’sactivityDescription: This issue was addressed by using HTTPS when sendinginformation over the network.CVE-2022-32857: Jeffrey Paul (sneak.berlin)WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 239316CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.WebKit Bugzilla: 240720CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro ZeroDay InitiativeWebRTCAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 242339CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence teamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32837: Wang Yu of CyberservalWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause unexpected systemtermination or corrupt kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32847: Wang Yu of CyberservalAdditional recognition802.1XWe would like to acknowledge Shin Sun of National Taiwan Universityfor their assistance.AppleMobileFileIntegrityWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.configdWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6 and iPadOS 15.6".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuMACgkQeC9qKD1prhhc5hAA2emrXEYGmfH1M/gji0MOPflW+wrr0y8buntNyeJYFQbf1xgGkr9hmHlMDkROvVCXDzuMyH9QDOPNFGPqBTAe/5cL+auNq497f/vGVjEOZ09Y4vC/FVBBklgokQND7CoWBhk99PgNxVdJyzkeKhBEs9JrNaIyGVqg8tChTWWghRzyyyQfHpSQfwj1M9042Kj8w9hi4SrY9R8Oe+QrcCYw/lYo3yO6WIUfajzIs/urT175BFedXS+9l4cK6srMpa/n67w3XZU9psQBVddlkVDymx1c5Lzuo84haM7TYNddOYDVluP+676Uq0vj5E24vTuGLS+vdDlJri6WMJv2d7NZ8dtJAVhPioP3ThGGsAXdpT/PmNbkc5R0RbiVTKs/2CDK4+raGHlOz6leuEfUJtUD1rHLI5n21XBQY1HOvwB9CDqGc5l7FpRoMdajDY/8yaIbWKVu1iycA2NAsxfyc9u1QTwwluGmzelpo9XdAWIZ17j6Dkalta9scCQbakHz3M1PSAYw4ljfGuYYiHElAKuZn/daeAUKZ0zMJOVdHtecliJbV3VlqMzaOKqmgXWNoBOwCow8Tj80F2dFNTvlQe91L8r7NeQAo7KCzEXbVSQqfemojtrREl5BvmWS9s7+QxqDWAHSUr+WakmKTESMA3DTlZBhBbUXE+uNRrEwboUQKeI==Nnrk-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-1

With more staff working remotely, identity, authentication, and access have never been more important.

Last week, Thales announced that it had the signature of an agreement to acquire OneWelcome, a European leader in the fast-growing market of customer identity and access management (CIAM), for a total consideration of €100 million. Thales aims to capitalize on OneWelcome's strong cloud-native software-as-a-service (SaaS) product by extending its market footprint beyond Europe and selling it to existing Thales clients in North America and the Asia-Pacific region.

**Complementary Identity Acquisition**

OneWelcome's strong digital identity life-cycle management capabilities will complement Thales's existing identity services (secure credential enrollment, issuance and management, know your customer etc.). With this acquisition, Thales will be able to provide an expanded identity platform that will:

*   Be accessible to organizations of all sizes to manage internal and external identities
*   Quickly bring new businesses online
*   Improve operational efficiency and customer experience
*   Meet or exceed regulatory compliance requirements

It does look like CIAM is disappearing as a stand-alone pillar and is becoming a major pillar within larger vendors expanding cybersecurity portfolios. In addition to Thales' acquisition of OneWelcome, other notable ones include:

*   Ping Identity acquired Unbound ID in 2016.
*   SAP bought Gigya for $350 million in 2017.
*   Akamai acquired Janrain in 2019.

**CIAM of Interest to Technology Vendors in Various Sectors**

It's interesting that these acquisitions don't follow a pattern. Thales is arguably the biggest vendor in data security with its encryption capabilities. Ping was already a significant player in enterprise identity management/IDaaS before it added CIAM, and SAP, of course, has a huge enterprise resource planning (ERP) and customer relationship management (CRM) business. And Akamai is a content delivery network (CDN) that has been expanding its security offerings for the best part of a decade.

What they have in common, however, is that the acquirers all serve enterprise customers who deal with large numbers of customers in the consumer market and their interactions with them have moved increasingly online, making CIAM a vital part of their security toolkit. Think of CIAM as the place where identity management (IAM and IDaaS) meets CRM, enabling consumers to access online resources and learning from their behaviors to improve their experience and, hopefully, to drive more sales.

**Data Security and CIAM Convergence**

Thales is a major player in the data security space and the acquisition of OneWelcome helps it expand its identity portfolio.

It does seem that an increasing number of vendors are wanting to play in the identity space. Only last month, Microsoft expanded its capabilities in identity with the launch of Entra. The good growth potential of CIAM and clamor by big vendors to enter this space can help to explain why Omdia projects this market to increase from $8.1 billion in 2021 to $16.7 billion in 2026.

    

The world market for CIAM, by revenues ($ Millions). Source: Omdia’s Identity Authentication Access Market Tracker. 1H22

Thales Expands Cybersecurity Portfolio With OneWelcome Acquisition

Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros by default across Office apps, weeks after temporarily announcing plans to roll back the change.
"Based on our review of customer feedback, we've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios," the company said in an update on July

Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros by default across Office apps, weeks after temporarily announcing plans to roll back the change.

"Based on our review of customer feedback, we've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios," the company said in an update on July 20.

Earlier this February, Microsoft publicized its plans to disable macros by default in Office applications such as Access, Excel, PowerPoint, Visio, and Word as a way to prevent threat actors from abusing the feature to deliver malware.

It's a known fact that a majority of the damaging cyberattacks today leverage email-based phishing lures to spread bogus documents containing malicious macros as a primary vector for initial access.

"Macros can add a lot of functionality to Office, but they are often used by people with bad intentions to distribute malware to unsuspecting victims," the company notes in its documentation.

By disabling the option by default for any Office file downloaded from the internet or received as an email attachment, the idea is to eliminate an entire class of attack vectors and disrupt the activities of malware such as Emotet, IcedID, Qakbot, and Bumblebee.

However, Microsoft backtracked on the change in the first week of July, telling The Hacker News that it's pausing the rollout of the feature to make additional usability improvements. In the interim, the tech giant's decision to block macros has led adversaries to adapt their campaigns to resort to alternative distribution methods such as .LNK and .ISO files.

That said, using malicious macros as an entry point to trigger the infection chain is not limited to Microsoft Office alone.

Last week, HP Wolf Security flagged an "unusually stealthy malware campaign" that makes use of OpenDocument text (.odt) files to distribute malware targeting the hotel industry in Latin America.

The documents, which come attached with fake booking request emails, prompt the recipients to enable macros, doing so, which results in the execution of the AsyncRAT malware payload.

"Detection of malware in OpenDocument files is very poor," security researcher Patrick Schläpfer said. "The structure of OpenDocument files is not as well analyzed by antivirus scanners or as frequently used in malware campaigns."

"Many email gateways would warn about more common file types containing multiple linked documents or macros, but OpenDocument files are not picked up and blocked in this way – meaning that protection and detection is failing at the first stage."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Resumes Blocking Office VBA Macros by Default After 'Temporary Pause'

Google on Thursday said it's backtracking on a recent change that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web.
"Privacy and transparency are core values in the Android community," the Android Developers team said in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and

Google on Thursday said it's backtracking on a recent change that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web.

"Privacy and transparency are core values in the Android community," the Android Developers team said in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and we've decided to reinstate it. The app permissions section will be back shortly."

To that end, in addition to showcasing the new Data safety section that offers users a simplified summary of an app's data collection, processing, and security practices, Google also intends to highlight all the permissions required by the app to make sense of its "ability to access specific restricted data and actions."

The reinstatement comes as the internet giant moved to swap out the apps permission section with the newer Data safety labels last week ahead of the enforcement deadline on July 20, 2022, which requires developers to provide information about "how they collect and handle user data for the apps they publish on Google Play."

A quick check, however, shows that apps like Tor Browser, Discord and those from Amazon, including its namesake app, Kindle, Alexa, Amazon Music, and Amazon Photos, continue to not include a Data safety section.

The new system also comes with its own set of problems in that it completely relies on the developers to make "complete and accurate declarations," potentially leading to scenarios where it could be misleading or flat-out inaccurate.

In contrast, the apps permission list is derived from the permissions declared by the developer in an app's manifest file.

It's worth noting that the Apple App Store has a similar policy in place for its privacy "nutrition" labels that allows developers to highlight "self‑reported summaries of some of their privacy practices," a method that, as a report from The Washington Post found, "falls short of being helpful."

Google, however, states in its support documentation that it may take appropriate enforcement action if it runs into cases where there is a discrepancy between app's behavior and its declaration.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Bringing the Android App Permissions Section Back to the Play Store

The CloudMensis spyware, which can lift reams of sensitive information from Apple machines, is the first Mac malware observed to exclusively rely on cloud storage for C2 activities.

A previously unknown macOS spyware has surfaced in a highly targeted campaign, which exfiltrates documents, keystrokes, screen captures, and more from Apple machines. Interestingly, it exclusively uses public cloud-storage services for housing payloads and for command-and-control (C2) communications — an unusual design choice that makes it difficult to trace and analyze the threat.

Dubbed CloudMensis by the researchers at ESET who discovered it, the backdoor was developed in Objective-C. ESET's analysis of the malware released this week shows that after initial compromise, the cyberattackers behind the campaign gain code execution and privilege escalation using known vulnerabilities. Then, they install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. In the sample the firm analyzed, pCloud was used to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.

The spy component then sets about harvesting a bevy of sensitive data from the compromised Mac, including files, email attachments, messages, audio recordings, and keystrokes. In all, researchers said it supports 39 different commands, including a directive to download additional malware.

All of the ill-gotten data is encrypted using a public key found in the spy agent; and it requires a private key, owned by the CloudMensis operators, for its decryption, according to ESET.

**Spyware in the Cloud**

The most notable aspect of the campaign, other than the fact that Mac spyware is a rare find, is its exclusive use of cloud storage, according to the analysis.

"CloudMensis perpetrators create accounts on cloud-storage providers such as Dropbox or pCloud," Marc-Etienne M.Léveillé, senior malware researcher at ESET, explains to Dark Reading. "The CloudMensis spyware contains authentication tokens that allow them to upload and download files from these accounts. When the operators want to send a command to one of its bots, they upload a file to the cloud storage. The CloudMensis spy agent will fetch that file, decrypt it, and run the command. The result of the command is encrypted and uploaded to the cloud storage for the operators to download and decrypt."

This technique means that there are no domain name nor IP address in the malware samples, he adds: "The absence of such indicator makes it difficult to track infrastructure and block CloudMensis at the network level."

While a notable approach, it's been used in the PC world before by groups like Inception (aka Cloud Atlas) and APT37 (aka Reaper or Group 123). However, "I think it is the first time we've seen it in Mac malware," M.Léveillé notes.

**Attribution, Victimology Remain a Mystery**

So far, things are, well, cloudy when it comes to the provenance of the threat. One thing that's clear is that the intention of the perpetrators is espionage and intellectual property theft — potentially a clue as to the type of threat, since spying is traditionally the domain of advanced persistent threats (APTs).

However, the artifacts ESET was able to uncover from the attacks showed no ties to known operations.

"We could not attribute this campaign to a known group, neither from the code similarity or infrastructure," M.Léveillé says.

Another clue: The campaign is also tightly targeted — usually the hallmark of more sophisticated actors.

"Metadata from cloud storage accounts used by CloudMensis revealed the samples we analyzed has run on 51 Macs between Feb. 4 and Apr. 22," M.Léveillé says. Unfortunately, "we have no information about the geolocation or vertical of the victims because files are deleted from the cloud storage."

However, countering the APT-ish aspects of the campaign, the sophistication level of the malware itself is not that impressive, ESET noted.

"The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced," according to the report.

M.Léveillé characterizes CloudMensis as a medium-advanced threat, and noted that unlike NSO Group's formidable Pegasus spyware, CloudMensis builds no zero-day exploits into its code.

"We did not see CloudMensis use undisclosed vulnerabilities to bypass Apple's security barriers," says M.Léveillé. "However, we did find that CloudMensis used known vulnerabilities (also known as one-day or n-day) on Macs that do not run the latest version of macOS \[to bypass security mitigations\]. We do not know how the CloudMensis spyware is installed on victims' Macs so perhaps they do use undisclosed vulnerabilities for that purpose, but we can only speculate. This places CloudMensis somewhere in the middle in the scale of sophistication, more than average, but not the most sophisticated either."

**How to Protect Your Business from CloudMensis & Spyware**

To avoid becoming a victim of the CloudMensis threat, the use of vulnerabilities to work around macOS mitigations means that running up-to-date Macs is the first line of defense for businesses, according to ESET. Though the initial-compromise vector isn't known in this case, implementing all the rest of the basics like strong passwords and phishing-awareness training is also a good defense.

Researchers also recommended turning on Apple's new Lockdown Mode feature.

"Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware," according to the analysis. "Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface."

Above all, M.Léveillé cautions businesses against being lulled into a false sense of security when it comes to Macs. While malware targeting Macs has traditionally been less prevalent than Windows or Linux threats, that is now changing.

"Businesses using Macs in their fleet should protect them the same way they would protect computers running Windows or any other operating systems," he warns. "With the Mac sales increasing year after year, their users have become an interesting target for financially motivated criminals. State-sponsored threat groups also have the resources to adapt to their targets and develop the malware they need to fulfill their missions, regardless of the operating system."

Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene

Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin <= 2.0.2 at WordPress.

Tag

#ios