Luna, Black Basta add to rapidly growing list of malware tools targeted at virtual machines deployed on VMware's bare-metal hypervisor technology.

The latest confirmations of the growing attacker interest in VMware ESXi environments are two ransomware variants that surfaced in recent weeks and have begun hitting targets worldwide.

One of the malware tools, dubbed Luna, is written in Rust and can encrypt data on ESXi virtual machines (VMs) in addition to data on Linux and Window systems. The other is Black Basta, a rapidly proliferating ransomware variant written in C++ that, like Luna, targets ESXi VMs and also works on Windows and Linux systems as well.

They add to a collection of ransomware variants aimed at ESXi, VMware's bare-metal hypervisor for running virtual machines. Numerous organizations use the technology to deploy multiple VMs on a single host system or across a cluster of host systems, making the environment an ideal target for attackers looking to cause widespread damage.

"Infrastructure services like networking equipment and hosting infrastructure like ESXi can't easily be patched on demand," says Tim McGuffin, director of adversarial engineering at Lares Consulting. "Attacking these services provides a one-stop shop for impact since a large number of servers can be encrypted or attacked at once."

Other recent examples of malware targeting ESXi environments include Cheerscrypt, LockBit, RansomEXX, and Hive.

**The Cross-Platform Ransomware Threat**

Researchers from Kaspersky first spotted Luna in the wild last month. Their analysis shows the malware to fall into the trend of several other recent variants that are written in platform-agnostic languages like Rust and Golang, so they can be easily ported across different operating systems. The researchers also found the malware to employ a somewhat rare combination of AES and x25519 cryptographic protocols to encrypt data on victim systems. The security vendor assessed the operator of the malware to be likely based in Russia.

Kaspersky's analysis of a recent version of Black Basta — a ransomware variant it has been tracking since February — shows the malware has been tweaked so it can now encrypt specific directories, or the entire “/vmfs/volumes” folder, on ESXi VMs. The malware uses the ChaCha20 256-bit cipher to encrypt files on victim systems. It also uses multithreading to speed up the encryption process by getting all processors on the infected systems to work at the same time on the task.

Since surfacing in February, the operators of Black Basta have managed to compromise at least 40 organizations worldwide. Victims include organizations in the manufacturing and electronics sectors in the US and multiple other countries. Available telemetry suggests the threat actor could soon chalk up other hits across Europe, United States, and Asia, according to Kaspersky.

**A Target for Inflicting Wide Damage**

The proliferation of ransomware targeting ESXi systems poses a major threat to organizations using the technology, security experts have noted. An attacker that gains access to an EXSi host system can infect all virtual machines running on it and the host itself. If the host is part of a larger cluster with shared storage volumes, an attacker can infect all VMs in the cluster as well, causing widespread damage.

"If a VMware guest server is encrypted at the operating system level, recovery from VMware backups or snapshots can be fairly easy," McGuffin says. '\[But\] if the VMware server itself is used to encrypt the guests, those backups and snapshots are likely encrypted as well." Recovering from such an attack would require first recovering the infrastructure and then the virtual machines. "Organizations should consider truly offline storage for backups where they will be unavailable for attackers to encrypt," McGuffin adds.

Vulnerabilities are another factor that is likely fueling attacker interest in ESXi. VMware has disclosed multiple vulnerabilities in recent months. In February, for instance, the company disclosed five flaws — including important and critical ones — that affected ESXi (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050). The same month, VMware announced a heap overflow vulnerability in the technology (CVE-2021-22045), and there have been multiple other moderate to low severity flaws the company has disclosed over the past year or so, including a critical remote code execution flaw.

"In recent months, VMware ESXi had several notable vulnerability disclosures and patches, which might be why attackers have an increased interest in targeting those environments," says Joseph Carson, chief security scientist and advisory CISO at Delinea. Most of these virtual environments tend to have a strong backup and snapshot strategy. However, attackers can cause a significant impact if they can also deploy ransomware on the backup systems as well, he says.

Carson advocates that organizations running VMware conduct risk assessments and consistently check for known vulnerabilities and misconfigurations to ensure they are patched and configured correctly. They also need to ensure that Internet-facing systems have strong access controls in place to ensure only authorized employees have access to those systems.

Matthew Warner, chief technology officer and co-founder at Blumira, points to the Log4j vulnerability as another likely reason for the mushrooming attacker interest in ESXi environments. "VMware has an incredibly wide range of solutions that utilized Log4i and were impacted by this vulnerability," he says. VMware itself acted quickly to provide mitigation guidance. But it's likely that many ignored the mitigation advice and are now targets of ransomware purveyors, he says.

"There is almost never a situation where VMware Horizon should be Internet-facing," Warner says. "It opens up untold amounts of risk to the infrastructure." Blumira has run into several instances where VMware Horizon servers were exposed due to access control issues on the firewalls, not to purposeful exposure. "This serves as a good reminder that your DMZ and Internet exposure must be monitored on an ongoing basis within your environment," he advocates.

Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments

Apple Security Advisory Safari - Safari 15.6 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

Safari 15.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213341.

Safari Extensions  
Available for: macOS Big Sur and macOS Catalina  
Impact: Visiting a maliciously crafted website may leak sensitive  
data  
Description: The issue was addressed with improved UI handling.  
CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul National  
University

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

WebRTC  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution.  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

Safari 15.6 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1p  
rhh3QA//cN/O9LcDr67uACD/222GDWGZnm80emLeEmJaczyRYZNswciqGhAc7EPd  
qfyVvzq2DHAvFm64gGSGX6rzOzZbY9QRvkQ4TodqugeBoAIO0VM2moLTO/KR74fE  
SwWeWHTrPYD9k6/zCL7o3XdrwTcqvlbYD9AXSIJ1lI4BmmbDIjjLFjH5NfrsBixy  
vthQmj99twepLofgo1Wfjg1AfwUMrr6BVnZcpxEyBBjrjpBD5FVEZWJ+RB4nUaKP  
6aM4CPpXqPbou0w3bgMt0K8x2qpudolxOFfStu2FsSFVnw2B5khgcCL0C2qIO9Hb  
5n5NDb1FuPI7sDNcREIbBGjHqcjpQv5wkF7lz1EK6UQk3D4Rp8RJXFKYDWgwKNVA  
GcMEBXW8XmI3UrfpRJi/B8o/rMA9y75hVnPujl+KN9jX/6Ey7p09OK3hJavaFDuY  
heZyqdlfAa81Gwf+VBoF8bkYKZj2GCGOOL+zsuPLrtyEL8y28P5ZIBc5ALSzDgK5  
Fv4VnaE4adu8NIqU3DimQeD44G4IpZAhhS4BMiTVosZ+KUjtnX3hmFR+wI8bV2I1  
oBYtwRZOUyMHAfRSLtJFriqy5N5XK4NRD4Xb9q5auOOeyhWcgGY0K+9kSTNdDP6o  
hR93N6uOYQt7htOmiXF7ztUDMikh2i7A9NScLyX/k3y9uvtWMmw=  
=bU24  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-7

Apple Security Advisory 2022-07-20-4 - Security Update 2022-005 Catalina addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-4 Security Update 2022-005 Catalina

Security Update 2022-005 Catalina addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213343.

APFS  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32853: Ye Zhang(@co0py_Cat) of Baidu Security  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access user-sensitive data  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

CoreText  
Available for: macOS Catalina  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

FaceTime  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to access private  
information  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing

File System Events  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

ICU  
Available for: macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Catalina  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Kernel  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32815: Xinru Chi of Pangu Lab  
CVE-2022-32813: Xinru Chi of Pangu Lab

libxml2  
Available for: macOS Catalina  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Catalina  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

SMB  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Catalina  
Impact: A user in a privileged network position may be able to leak  
sensitive information  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

Software Update  
Available for: macOS Catalina  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Catalina  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: A validation issue in the handling of symlinks was  
addressed with improved validation of symlinks.  
CVE-2022-26704: Joshua Mason of Mandiant

TCC  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Vim  
Available for: macOS Catalina  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating Vim.  
CVE-2021-4136  
CVE-2021-4166  
CVE-2021-4173  
CVE-2021-4187  
CVE-2021-4192  
CVE-2021-4193  
CVE-2021-46059  
CVE-2022-0128

Wi-Fi  
Available for: macOS Catalina  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Security Update 2022-005 Catalina may be obtained from the Mac App  
Store or Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuQACgkQeC9qKD1p  
rhiuNw//V3lvbuk3ZcN4l2+dumbidEYnYD+qrrm+V332BNA9zqn9Uyoy1l9mXY32  
qA/UfHpnuZj5F2qjBNinkpV9VlwMZUIZmWfLBrVz3+cF1wrF6RZVFmz05sVsWTCC  
zB7H9eCPQr/afrTgjf2evIsaCZaqveOP7ZVFV3dOEOpzp/hMUYFWF69mEbYfl2Z1  
PlB3bkZPys4fZ3nCq70egWotGl7V4M/9aqGBDQZzAwmcsepeppBaCP1MnDiDiWqA  
6m2jVNDDTP/CasfPt1k3jR3aKf7f+ySZozQLyUyMhRpTLnZ1fpEtD5jjwK/hprKW  
g00gdTOBl7aGAxbKL3xlsxXRGzhzy9n2RVN4duhRKEbDKDShCfRFmCxXGxAGJB7J  
96TqA/wy1s7gnlxNzUfJewJMopr3AU4ffhdyOgKV1Is7eRwAhKYlh3K5T6C28Uuj  
8TXAqY2qwMqs+jIqe3dGEuPBj83tQMD0xukIhzGtuxwoziiPyzSfrgUHvSK8vBYN  
NGGfLdHn8ailAYpnFeRxhImxclr59QddI8uzS/G6O9CLJY0jUh3tjCNC3fjIjS6F  
lD3+P/J/Hf5HFvpvNyw6aJVVYIcGFOQi+RmhVGysMHuGIz4aqc9rTdvbAKdeKpyK  
8p0C6S1/sV+pu7morGBm9aSm/rRyDZSVWSA2l/3fRA9mJmrL8Ao=  
=fcrb  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-4

Apple Security Advisory 2022-07-20-3 - macOS Big Sur 11.6.8 addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-3 macOS Big Sur 11.6.8

macOS Big Sur 11.6.8 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213344.

APFS  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Big Sur  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

Audio  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Calendar  
Available for: macOS Big Sur  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

CoreText  
Available for: macOS Big Sur  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

FaceTime  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to access private  
information  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing

File System Events  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

ICU  
Available for: macOS Big Sur  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Big Sur  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Intel Graphics Driver  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Kernel  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32815: Xinru Chi of Pangu Lab  
CVE-2022-32813: Xinru Chi of Pangu Lab

libxml2  
Available for: macOS Big Sur  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Big Sur  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

Software Update  
Available for: macOS Big Sur  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Big Sur  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Big Sur  
Impact: An app may be able to gain elevated privileges  
Description: A validation issue in the handling of symlinks was  
addressed with improved validation of symlinks.  
CVE-2022-26704: Joshua Mason of Mandiant

TCC  
Available for: macOS Big Sur  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Vim  
Available for: macOS Big Sur  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating Vim.  
CVE-2022-0156  
CVE-2022-0158

Wi-Fi  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Windows Server  
Available for: macOS Big Sur  
Impact: An app may be able to capture a user’s screen  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32848: Jeremy Legendre of MacEnhance

macOS Big Sur 11.6.8 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYf6sACgkQeC9qKD1p  
rhgOJBAAtzyKOqdTnnBbwbFoG/HoZIbCVSVOtI5VIGH1weMQ72R3X2tXB5yTlpto  
3l/eoMe0/covxipiZ+CvTh9tM5ZfV3IxN4bpsbxew1R/s81YE2K55dFp5+4zzqgh  
YyWrx8SntngP9PywAdKa+GRZrW7R95oNp2UTwifcQvFPs40F/OPrNQm23Xkmqsx0  
zNNvMmqPaeCU8mgIOadO/uv626LjnkyKdwHKM3VBxGmklNEddQDjjoWcYugH7QYj  
e28EpKINEYfGVP/5n4uSeP6+kXmJj9nLzdKzfBD78gyBu5NX3Ai5Wh1BbsFMoFYE  
wcqlgEjMk3440babLb9kSRm81NX+EPgJLtjVPNRIrqs8pTh95CcDTRsotDUDl03R  
BrP6XGyXiS+3XyhdbamJDG9pCthJdo455XaYOlmzgIfgTJMkX3kdxiMAgGvbkPVl  
3IesUuChRvi6pZwTWXN4k5Rn9epZSV+9HaYplnFPScJpYeLzUKThz1P2KbMTd0CT  
fiBU+fxwQqfzGRX3gyzRz0DMqiGdk0PnO9pfWND+9lQDyht7s73XnZrVOnPZHGYC  
tiNdrEHm+4WKaEwl/5invCZ8vPaiJ9cTH/aSbeRkeqR8ilDQMIhm2xooSP8Sd00E  
gTOoTOANfxrOqkFWhj0HQEq5OmCeALkE8BqiLuOVVIrN4e2LgPg=  
=6wU+  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-3

Apple Security Advisory 2022-07-20-2 - macOS Monterey 12.5 addresses bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-2 macOS Monterey 12.5

macOS Monterey 12.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213345.

APFS  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32810: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32840: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-32845: Mohamed Ghannam (@_simo36)

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32852: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Audio  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

Automation  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Calendar  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

CoreMedia  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom  
(@jaakerblom)

CoreText  
Available for: macOS Monterey  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

File System Events  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

GPU Drivers  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: Multiple out-of-bounds write issues were addressed with  
improved bounds checking.  
CVE-2022-32793: an anonymous researcher

GPU Drivers  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-32821: John Aakerblom (@jaakerblom)

iCloud Photo Library  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

ICU  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32841: hjy79425575  
ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Kernel  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32813: Xinru Chi of Pangu Lab  
CVE-2022-32815: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32817: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32829: an anonymous researcher

Liblouis  
Available for: macOS Monterey  
Impact: An app may cause unexpected app termination or arbitrary code  
execution  
Description: This issue was addressed with improved checks.  
CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China  
(nipc.org.cn)

libxml2  
Available for: macOS Monterey  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

Multi-Touch  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Multi-Touch  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved state  
handling.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

SMB  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: A user in a privileged network position may be able to leak  
sensitive information  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)

Software Update  
Available for: macOS Monterey  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32801: Joshua Mason (@josh@jhu.edu)

subversion  
Available for: macOS Monterey  
Impact: Multiple issues in subversion  
Description: Multiple issues were addressed by updating subversion.  
CVE-2021-28544: Evgeny Kotkov, visualsvn.com  
CVE-2022-24070: Evgeny Kotkov, visualsvn.com  
CVE-2022-29046: Evgeny Kotkov, visualsvn.com  
CVE-2022-29048: Evgeny Kotkov, visualsvn.com

TCC  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

WebKit  
Available for: macOS Monterey  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

WebRTC  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution.  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

Wi-Fi  
Available for: macOS Monterey  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32837: Wang Yu of Cyberserval

Wi-Fi  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Windows Server  
Available for: macOS Monterey  
Impact: An app may be able to capture a user’s screen  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32848: Jeremy Legendre of MacEnhance

Additional recognition

802.1X  
We would like to acknowledge Shin Sun of National Taiwan University  
for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

Calendar  
We would like to acknowledge Joshua Jones for their assistance.

configd  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

DiskArbitration  
We would like to acknowledge Mike Cush for their assistance.

macOS Monterey 12.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYiL4ACgkQeC9qKD1p  
rhhjpQ//TQX1ihtXRIjFpPOViMy6IxuLE1CsKFxq5MweXelbPB/UdeUl/zL5G54b  
/Lx2XYKoWj6u27FCO0BHxBqtYbAd6sfx70VLCk5W6gyk/yCi0n3zh7BvRvWB/Ugh  
6NuHB39a1kbbjLLoQPbW0L6egdrCfqP/+ZujqjKl7xI58nda9jMHJC1ns87KQoDn  
Er5SAGf7M2ErGNzOFqvXjpJYvGsrKJyfqNxp99H/sPlzu7URX9Gq3f3n1o55IUUa  
mcxlBPDfUmDQPjdSqw/BprQkDOvp0fzmTy+phB0fkgmvVJ8EmEJAoilL4SyH4uW9  
V1GD9rtjUKh7G/gSFAo7y0HBDQoM+E9hA+4PPlH2o1nUOAl6BRWUka6jf4yaqrpr  
pfo1K2hPQj1g4MMZFCDWkJ+7V1+1GTQ9WlagL5gB3QaKefiSG4cTnL06Y8zn38TD  
TY3JrdqUI7Pzugu+FuHs7P168yNIGXTscb1ptrVlaVBaVuyICmEcKX4HS+I5o30q  
WqCOaRoaa6WRqBwNEy7zVAExjSPt7t8ZWt85avWSt+rLxNGiVkPrpHu4fE+V2IAV  
fz1VA4S/w69h9uJHXdcG+QfvNxX+zj/vljF6DK3dyQ957Mqfyr2y9ojSbdf6vo4n  
DJFXNxbEk35loy/kDDidC1C1sFKY+JeQF7ZBi0/QOyuSdSdJrSg=  
=ibIr  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-2

Apple Security Advisory 2022-07-20-1 - iOS 15.6 and iPadOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-07-20-1 iOS 15.6 and iPadOS 15.6iOS 15.6 and iPadOS 15.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213346.APFSAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32832: Tommy Muir (@Muirey03)AppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause kernel code executionDescription: A buffer overflow was addressed with improved boundschecking.CVE-2022-32788: Natalie Silvanovich of Google Project ZeroAppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)AppleMobileFileIntegrityAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-32826: Mickey Jin (@patch1t) of Trend MicroApple Neural EngineAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-32845: Mohamed Ghannam (@_simo36)Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: This issue was addressed with improved checks.CVE-2022-32840: Mohamed Ghannam (@_simo36)CVE-2022-32829: an anonymous researcherApple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32810: Mohamed Ghannam (@_simo36)AudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-32820: an anonymous researcherAudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32825: John Aakerblom (@jaakerblom)CoreMediaAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)CoreTextAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may cause an unexpected app termination orarbitrary code executionDescription: The issue was addressed with improved bounds checks.CVE-2022-32839: STAR Labs (@starlabs_sg)File System EventsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32819: Joshua Mason of MandiantGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: Multiple out-of-bounds write issues were addressed withimproved bounds checking.CVE-2022-32793: an anonymous researcherGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-32821: John Aakerblom (@jaakerblom)HomeAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user may be able to view restricted content from the lockscreenDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32855: an anonymous researcheriCloud Photo LibraryAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to access sensitive user informationDescription: An information disclosure issue was addressed byremoving the vulnerable code.CVE-2022-32849: Joshua JonesICUAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may result indisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32841: hjy79425575ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: A logic issue was addressed with improved checks.CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin(@patch1t)ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may lead to disclosureof user informationDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32830: Ye Zhang (@co0py_Cat) of Baidu SecurityImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing an image may lead to a denial-of-serviceDescription: A null pointer dereference was addressed with improvedvalidation.CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)IOMobileFrameBufferAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26768: an anonymous researcherKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32813: Xinru Chi of Pangu LabCVE-2022-32815: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32817: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A race condition was addressed with improved statehandling.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)LiblouisAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may cause unexpected app termination or arbitrary codeexecutionDescription: This issue was addressed with improved checks.CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China(nipc.org.cn)libxml2Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to leak sensitive user informationDescription: A memory initialization issue was addressed withimproved memory handling.CVE-2022-32823Multi-TouchAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A type confusion issue was addressed with improved statehandling.CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)PluginKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to read arbitrary filesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32838: Mickey Jin (@patch1t) of Trend MicroSafari ExtensionsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a maliciously crafted website may leak sensitivedataDescription: The issue was addressed with improved UI handling.CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul NationalUniversitySoftware UpdateAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user in a privileged network position can track a user’sactivityDescription: This issue was addressed by using HTTPS when sendinginformation over the network.CVE-2022-32857: Jeffrey Paul (sneak.berlin)WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 239316CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.WebKit Bugzilla: 240720CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro ZeroDay InitiativeWebRTCAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 242339CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence teamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32837: Wang Yu of CyberservalWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause unexpected systemtermination or corrupt kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32847: Wang Yu of CyberservalAdditional recognition802.1XWe would like to acknowledge Shin Sun of National Taiwan Universityfor their assistance.AppleMobileFileIntegrityWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.configdWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6 and iPadOS 15.6".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuMACgkQeC9qKD1prhhc5hAA2emrXEYGmfH1M/gji0MOPflW+wrr0y8buntNyeJYFQbf1xgGkr9hmHlMDkROvVCXDzuMyH9QDOPNFGPqBTAe/5cL+auNq497f/vGVjEOZ09Y4vC/FVBBklgokQND7CoWBhk99PgNxVdJyzkeKhBEs9JrNaIyGVqg8tChTWWghRzyyyQfHpSQfwj1M9042Kj8w9hi4SrY9R8Oe+QrcCYw/lYo3yO6WIUfajzIs/urT175BFedXS+9l4cK6srMpa/n67w3XZU9psQBVddlkVDymx1c5Lzuo84haM7TYNddOYDVluP+676Uq0vj5E24vTuGLS+vdDlJri6WMJv2d7NZ8dtJAVhPioP3ThGGsAXdpT/PmNbkc5R0RbiVTKs/2CDK4+raGHlOz6leuEfUJtUD1rHLI5n21XBQY1HOvwB9CDqGc5l7FpRoMdajDY/8yaIbWKVu1iycA2NAsxfyc9u1QTwwluGmzelpo9XdAWIZ17j6Dkalta9scCQbakHz3M1PSAYw4ljfGuYYiHElAKuZn/daeAUKZ0zMJOVdHtecliJbV3VlqMzaOKqmgXWNoBOwCow8Tj80F2dFNTvlQe91L8r7NeQAo7KCzEXbVSQqfemojtrREl5BvmWS9s7+QxqDWAHSUr+WakmKTESMA3DTlZBhBbUXE+uNRrEwboUQKeI==Nnrk-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-1

The ever-evolving threat from phishing is growing more sophisticated as attackers design high-pressure situations and leverage ever-more-convincing social engineering tactics to increase their success rates.

This week, it came to light that gaming platform Roblox was breached via a phishing/social-engineering attack that led to the theft of internal documents and the leaking of them online in an extortion attempt.  

The hacker has posted documents on a forum that purport to contain information about some of Roblox's most popular games and creators, according to Motherboard. Additionally, some of the documents include individuals' personally identifiable information.  

But Roblox is hardly alone — it's just the latest in a long line of corporate phishing victims. The success of these attacks showcases just how effective phishers have become at manipulating employee targets at various enterprises. 

In the last few months, the IT security news cycle has been dominated by reports of phishing attacks exploiting trusted applications like email, QuickBooks, and Google Drive, to name just a few. This week, research from Avanan shows that hackers have found a new way into the inbox by creating fake invoices in PayPal, leveraging the site's legitimacy to gain access.  

The abuse of legitimate services is a key factor in the latest spate of phishing attacks, which use social engineering tactics to lure victims into giving up information like login credentials. SlashNext Threat Labs reported a 57% increase in phishing attacks from trusted services between the fourth quarter of 2021 and the first months of 2022.

In June, Microsoft 365 and Outlook customers were targeted with voicemail-themed emails as phishing lures, while QuickBooks users were victims of back-to-back campaigns in June and July, including a vishing scam targeting small businesses. And, indeed, concerns over multichannel phishing attacks are growing, with a particular focus on smishing and business text compromises.

Meanwhile, cloud collaboration and the use of tools like Zoom and Microsoft Teams have exploded during the past two years since the onset of the pandemic, and have become standard operating procedures for remote workers. Attackers have seen this trend and capitalized on it.

**Phishing Lures Grow in Sophistication**

Jeremy Fuchs, cybersecurity research analyst at Avanan, points out that phishing attacks continue to become more sophisticated, and social engineering tactics continue to evolve. He says he thinks there will be increased usage of legitimate services like PayPal to send phishing emails that come from a legitimate email address.

"We've seen an uptick in so-called double-spear tactics, whereby the hackers not only get your funds, but they also get your phone number for future attacks," he says. "We'll see more of these attacks that can snag more than one item from an end user."

Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint, says she continues to see attackers abusing well-known brands and taking advantage of legitimate services to trick people into making fundamental mistakes in the inbox.

"These are messages that look 'right' on the surface, that tap into ways of working," she says. "These types of subtle manipulations can be difficult for people to spot, and it's critical that workers be made aware of attackers' capabilities and propensities to operate in this manner."

Egan explains that threat actors are using real-time events and themes that have the attention of the wider world.

"If it's something we are talking about as a society, or something that elicits strong emotions, then it is content that is likely to be exploited," she says. "Increasingly, we are seeing threat actors use their social engineering content to move victims out of the corporate email environment to alternate communication platforms such as the telephone and conferencing software."

**Distributed Workforce Adds to Vulnerabilities**

Social engineering is inherently people-centric, and in today's hybrid workforce, organizations are struggling to protect data, devices, and systems while remaining agile.

Egan points out employees are also having to adapt to remain connected and engaged with their co-workers.

"Those in remote and hybrid environments are relying heavily on collaboration applications and social media, both public and enterprise," she says. "These trends have opened the door to a whole host of social engineering tactics and other cyber threats."

She notes social engineering techniques aren’t seen only in emails — these tactics are being used successfully across text messages, phone calls, direct messages, and more.

Fuchs agrees remote work has its challenges, including not being able to stop by IT's desk to ask about an email.

"But while working from home, distraction might play a role," he adds. "There are more stimuli — the dog barking, the child crying, answering a thousand Slack messages — that taking the time to focus on the keys in an email that alert you to the fact it might be suspicious can go to the wayside."

**Deploying Advanced ML, AI Tech**

Fuchs argues IT policies must move away from static "allow and block lists" and move toward advanced AI.

"Static lists allow these legitimate services to be used for phishing," Fuchs says. "Advanced AL and ML can suss out what's real and what's not."

Egan says multilayered protection is the best strategy against phishing emails, layered within a culture of security with the placement of people at the center.

She adds that it's important to understand which users are most targeted and which are the likeliest to fall for the social engineering that phishing attacks rely on.

"Users are a critical line of defense against phishing and it's important that security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it," she says. "This should be combined with layered defenses at the email gateway, in the cloud, and at the endpoint."

Fuchs agrees that, for employees, training continues to be a must and it needs to focus on having the user slow down and check a few critical signs, like sender address and URL destination.

From his perspective, a two-second check can often avoid disaster.

"The key takeaway from this this deluge of phishing attacks is that hackers have found tremendous success leveraging legitimate brands," he says.

Whether it's spoofing the brand or sending phishing emails directly from the service, anything that looks like a trusted brand is more likely to land in the user's inbox and more likely to be acted upon.

"Impersonation scams are on the rise, and, given the tremendous amount of services they can leverage, it's not likely to slow down," he warns.

Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In

Open source security expert warns there is still a ‘long road’ ahead to prepare for the next attack wave

Open source security expert warns there is still a ‘long road’ ahead to prepare for the next attack wave

INTERVIEW The security of the software supply chain has rocketed up the infosec agenda since The Daily Swig last spoke to Brian Fox, co-founder and CTO at DevSecOps vendor Sonatype.

The landmark Log4j bug and SolarWinds supply chain attack in particular have prompted the White House to act with a clarity, swiftness, and even bipartisan support that has proved elusive in other policy areas.

Fox, who has sounded the alarm on supply chain security for many years, has welcomed the government’s belated recognition of the threat, but warns that the cybersecurity industry is still failing to sufficiently prioritize the issue.

Two years on from our last interview, the recently appointed OpenSSF governance board member also considers the legacy of ‘Log4Shell’, rebuffs criticism of the volunteer-driven open source model, and foresees attack techniques mutating when defenders finally ‘vaccinate’ themselves against current methods.

Daily Swig: Sonatype has been supporting White House efforts to bolster the software supply chain – how is that progressing?

Brian Fox: In the wake of the Log4j incident there was an initial \[open source security\] summit in January, testimony before the Senate and inquiries in the Senate and House, then the White House convened some meetings.

A follow-up summit in May with many participants across the ecosystem \[resulted in a\] 10-point mobilization plan that includes everything from better educating developers around secure practices, to better tooling, to funding, to audits of popular open source projects, to prioritizing the most used projects, driving better tooling around software bills of materials, \[and\] digital signatures...

DON’T MISS ‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns

A number of companies have made monetary pledges – \[totalling\] about $30 million – to help this effort, which is a lot, but estimates \[of the sum needed\] to drive all 10 streams were more like $150 million \[over two years\].

There’s some other tentative talks trying to get other governments involved, because this is not just a US-centric problem; it’s a global problem.

DS: So do you feel reassured that the US government is tackling the problem in broadly the right way?

BF: Generally, yes. The executive order a little over a year ago set in motion requirements for anybody selling software to the US government to have a reproducible software bill of materials \[SBOM\] to disclose all components – think food labels.

However, there was a \[similar\] bill before Congress in 2013 that didn’t get any airtime. So it’s nice to see it happening now but it would’ve been better to see it happening almost a decade ago.

I think there will be a trickle-down effect. Even software companies that don’t directly sell to the US government, if their consumers are selling to the US government, they’re going to have to provide a bill of materials all the way down, right?

DS: Are you still as frustrated as you were in 2020, when you lamented that “many companies still don’t have inventories of their open source components”?

BF: It’s improving, but I’m impatient. In the wake of Log4j, as of May 2022, 33% of Log4j downloads from the central repository in the last 24 hours were known vulnerable versions.

Six-plus months on \[from the Log4j bug surfacing\], was this acceptable? Everybody had a collective freakout, everybody was writing about it – there’s zero reason why you wouldn’t know about it.

Oftentimes companies with really good physical parts practices have terrible digital goods practices – that blows my mind. I don’t understand why I have to educate them.

PREVIOUS INTERVIEW Sonatype’s Brian Fox on open source security and ‘drama-free’ DevSecOps

The mobilization plan largely focuses on improving the open source projects. That needs to be done, but it largely misses the point that organizations have a responsibility to understand what components they’re using.

Take the Takata airbag incident. Let’s say all the \[automotive\] manufacturers were like, “we’re going to give Takata more money to make better airbags, so we no longer need to track which parts go into our cars” – we would laugh at them. But that’s kind of what’s happening right now \[in the software supply chain\].

Log4j was fixed and patched over Thanksgiving \[within a day of the proof of concept surfacing\] – but that doesn’t solve this problem \[of users not updating their systems\].

DS: What do you make of criticisms of the open source ecosystem’s volunteer-driven model?

BF: I don’t think throwing money at maintainers solves the problem. In fact, it can often complicate things, because then you have new people motivated only by money.

Most problems are not so simple as \[maintainers\] doing a terrible job. Take Log4j – it wasn’t even really a bug in the code. It was a weird interaction between a feature in Log4j and a feature in Java runtime that executed the JNDI code.

The kneejerk reaction is, “They’re volunteers, therefore they must be amateurs” – and that’s just not true. Most people working on these projects are in fact very good software developers working for big companies during the day. Oftentimes companies pay them to work on these projects.

DS: Can you summarize the current open source threat landscape and how Sonatype is helping developers protect the ecosystem?

BF: There’s a theoretical attack where a malicious committer shows up to a popular project and puts something malicious into a real package. So far that’s not happening.

Because consumers aren’t paying enough attention, it’s really easy to confuse them by creating a fake component with malware in it that sounds similar to the real component.

We’re trying to detect when components are malicious, or are anomalous, and stop consumers from accessing them via our firewall product. The \[attack\] targets are the developers and development infrastructure, and the bad behavior – the backdoor – is triggered as soon as you download it. They’re not trying to slip code into your software so that it gets distributed to your end user or to production.

Catch up with the latest software supply chain attack news

So the only way to prevent that is to know, in real time, when that component hits the public repo, that there’s something wrong about it, and be able to stop it.

Timeliness is super important. Finding it six weeks later does no good because during that \[time\] everybody who touched it got tainted.

We use an MLAI \[machine learning, artificial intelligence\] technique, so we can train on new attacks and the model gets better and better. As of last month, we’ve reported more than 88,000 malicious packages using this technique, so it’s hundreds of orders of magnitude more \[productive\] than zero-day research.

DS: Are we likely to see attackers innovate in the way you envisaged – poisoning projects directly rather than duping developers – any time soon?

BF: They’re continuing to exploit the target vector I was talking about with sometimes more advanced attacks, but many just look like copycats.

We’ve seen this pattern before. It’s a bit like Covid – if everybody gets the vaccine then a mutation finds a way to work around it and that’s the one that survives.

But not enough people are immunized to the current round of attacks so we’re not seeing a ton of innovation.

That’s why we're finding and reporting dozens of these every, single day. It’s ridiculous.

But what happens when we get really good at \[defense\]? For over a decade and a half, I was afraid that the attackers would start focusing on the supply chain. That didn’t start happening until 2019.

So if we get good at blocking these easy-ish-to-detect things, then you’ll see them move into the projects with more insidious and difficult-to-detect attacks.

The \[White House\] mobilization plan will help open source projects become more inherently secure, but it’s a long road so I worry that we’re not gonna get there fast enough.

DS: How receptive has the industry been to your message about protecting the supply chain?

BF: Much of the industry is still fighting the last decade’s battle, which is doing static analysis, prioritizing vulnerabilities, and scanning products before they go into production or get distributed downstream.

Back in the 1990s browsers had vulnerabilities all over the place and, little did you know, you could get hacked just by loading a nefarious website.

That’s kind of what’s happening with these malicious attacks. The developers grab the wrong component, which isn’t trying to compile – it’s literally just a payload to deliver a backdoor or do whatever it does. So the developer’s build fails, and they realize it’s not the component they wanted \[but not only that\] they potentially got hacked.

If you only check what developers have committed or are building for release, you are blind to these 88,000-plus \[monthly\] attacks on developers’ machines.

We’ve been really leaning hard on that messaging and a lot of people are finally latching onto it.

RECOMMENDED PyPI repo to distribute 4,000 security keys to maintainers of ‘critical projects’ in 2FA drive

‘We’re still fighting last decade’s battle’ – Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain

By Deeba Ahmed
The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims…
This is a post from HackRead.com Read the original post: Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

****The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims in Palestine, Turkey, and Yemen and Lebanese journalists.****

Antivirus firm Avast has identified a serious flaw in the Chrome browser. According to Avast’s report, the Chrome browser vulnerability, which Google patched earlier this month, is tracked as CVE-2022-2294.

The vulnerability is linked to Candiru aka Saito Tech, an Israel-based spyware vendor that offers governments hacking-for-hire services. It is worth noting that the flaw was identified by Avast and disclosed to Google on 1st July 2022, and a fix was released on 4th July with Chrome 103.

**Vulnerability Details**

Avast reported that someone exploited the zero-day flaw already to spy on Lebanese journalists. Like NSO Group’s Pegasus Spyware, Candiru’s spyware is also used by law enforcement agencies and governments to confront crime and terrorism.

However, as per Avast’s research, Candiru’s spyware was used to target political dissidents, journalists, and critics of authoritarian and repressive regimes. The US Commerce Department sanctioned Candiru for its involvement in anti-US activities.

**Who Were the Targets?**

According to Avast, Candiru used the Chrome zero-day in March 2022 to target people in Palestine, Turkey, and Yemen and Lebanese journalists. In Lebanon, Candiru also compromised a news agency website.

The screenshot shared by Avast shows the malicious code injected into the compromised website stylishblockcom

Avast malware researcher Jan Vojtěšek stated that it is currently unclear why the attackers targeted people in the Middle East, particularly journalists. However, the company is sure that its primary objective was to spy on them and collect sensitive data and information. Such an attack is a blatant violation of freedom of speech and press freedom.

**How Was Zero-Day Exploited?**

As per the Avast report, the attacker planted the Chrome zero-day exploit on the Lebanese news agency website to collect 50 data points from the target’s browser, which includes timezone, language, screen information, browser plugins, device type, and device memory.

Hence, the attacker ensured their target’s device was fully compromised before delivering the spyware payload, which Avast claims matches a Windows-based malware DevilsTongue and Microsoft uncovered it in a previous attack involving Candiru.

It is worth noting that this is government-grade spyware capable of stealing messages, call logs, and photos from the victim’s phone, as well as tracking their location in real-time. Users must quickly update the Chrome browser to stay protected. Separate patches have been released by Apple Safari and Microsoft Edge as these use WebRTC.

Your Chrome browser is likely one of the most important pieces of software on your computer. It’s where you do all your online work, so keeping it up-to-date is essential for your security and productivity. Here’s how to update Chrome on Windows, Mac, and Linux:

**Windows:** Open Chrome and go to the menu in the top right corner. Click “Help” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Mac:** Open Chrome and go to the menu in the top left corner. Click “Chrome” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Linux:** Open a terminal window and type “sudo apt update && sudo apt upgrade google-chrome-stable.

**More Chrome and Spyware News**

1.  5 Ways to Protect Your Privacy on Google Chrome
2.  Predator Spyware Using Zero-day to Target Android Devices
3.  iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware
4.  Pakistani Android users hit by spyware campaign with malicious apps
5.  ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros by default across Office apps, weeks after temporarily announcing plans to roll back the change.
"Based on our review of customer feedback, we've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios," the company said in an update on July

Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros by default across Office apps, weeks after temporarily announcing plans to roll back the change.

"Based on our review of customer feedback, we've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios," the company said in an update on July 20.

Earlier this February, Microsoft publicized its plans to disable macros by default in Office applications such as Access, Excel, PowerPoint, Visio, and Word as a way to prevent threat actors from abusing the feature to deliver malware.

It's a known fact that a majority of the damaging cyberattacks today leverage email-based phishing lures to spread bogus documents containing malicious macros as a primary vector for initial access.

"Macros can add a lot of functionality to Office, but they are often used by people with bad intentions to distribute malware to unsuspecting victims," the company notes in its documentation.

By disabling the option by default for any Office file downloaded from the internet or received as an email attachment, the idea is to eliminate an entire class of attack vectors and disrupt the activities of malware such as Emotet, IcedID, Qakbot, and Bumblebee.

However, Microsoft backtracked on the change in the first week of July, telling The Hacker News that it's pausing the rollout of the feature to make additional usability improvements. In the interim, the tech giant's decision to block macros has led adversaries to adapt their campaigns to resort to alternative distribution methods such as .LNK and .ISO files.

That said, using malicious macros as an entry point to trigger the infection chain is not limited to Microsoft Office alone.

Last week, HP Wolf Security flagged an "unusually stealthy malware campaign" that makes use of OpenDocument text (.odt) files to distribute malware targeting the hotel industry in Latin America.

The documents, which come attached with fake booking request emails, prompt the recipients to enable macros, doing so, which results in the execution of the AsyncRAT malware payload.

"Detection of malware in OpenDocument files is very poor," security researcher Patrick Schläpfer said. "The structure of OpenDocument files is not as well analyzed by antivirus scanners or as frequently used in malware campaigns."

"Many email gateways would warn about more common file types containing multiple linked documents or macros, but OpenDocument files are not picked up and blocked in this way – meaning that protection and detection is failing at the first stage."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac