New platform features and integrations enable analysts to quickly detect and remediate threats.

**Broomfield, Colo. — January 05, 2023 —** LogRhythm, the company empowering security teams to navigate the ever-changing threat landscape with confidence, today announced a series of expanded capabilities and integrations for its security operations solutions. The updates propel LogRhythm’s ability to be a much-needed force multiplier for overwhelmed security teams who are expected to confidently, effectively, and efficiently defend against cyberattacks.  

Following the October launch of LogRhythm Axon, a groundbreaking, cloud-native security operations platform, the company is introducing new visualizations and powerful analytics that offer seamless visibility into potential security risks. Designed to streamline the experience of security analysts, Axon and its latest updates make it easier for teams to detect, investigate, and report on potential threats, reducing the burden of managing threats and the operating infrastructure.  

“On a daily basis, we strive to empower lean and overburdened security teams with the most intuitive experience and contextual analytics,” said Chris O’Malley, CEO of LogRhythm. “By continuously working to fulfill that mission and deliver innovation that matters to customers every quarter, we are delivering on our promise of helping customers quickly reduce noise and secure their environment so that they can concentrate on safely competing in the digital age where fast beats slow.”  

“Axon has already given our team the tools to effectively analyze our environment and improve our security posture,” said Eric L., Network Engineer at global manufacturing company. “Data collection and correlation to detect threats and respond can be time consuming. Axon gives us an intuitive interface to perform complex searches on data to filter in what really matters. We cannot wait to use the powerful analytics tools that will quickly surface threats.” 

This quarter’s enhancements span LogRhythm’s product portfolio to collectively enable SOC teams to detect and resolve threats more easily, improving analyst productivity and effectiveness. Additional enhancements and integrations with LogRhythm’s Axon, SIEM, NDR, and UEBA solutions released in this quarterly rollout include: 

LogRhythm Axon 

·New custom and out-of-the box analytics rules, including rules for MITRE ATT&CK detections 

·New markdown widget and histogram widget cuts down on time spent searching for data 

·Easily investigate log observations raised by analytics through the Observation Workflow 

LogRhythm SIEM 

·Improved administrative workflow for collection shortens time to configure, deploy, and manage log sources that require Open Collector 

·Enhanced audit logging makes it easier to monitor suspicious activity and track when users make important changes 

·Updated and expanded LogRhythm’s library of supported log sources 

LogRhythm UEBA 

·New detection models for Windows systems to quickly uncover hard to detect threats 

LogRhythm NDR 

·Improved blind spot detection and endpoint visibility through integration with Microsoft EDR  

·Easily ingest data from VirusTotal with new configuration page 

·Improved analyst experience with expanded UI improvements 

“This quarter, we are especially excited about the number of groundbreaking and enhanced capabilities coming to our market-leading solutions,” said Kish Dill, Chief Product and Customer Officer of LogRhythm. “These enhancements and integrations have been curated with the goal of simplifying the lives of security analysts and enabling them to detect threats faster through seamless visibility, enhanced collection, and an intuitive analyst experience.” 

To learn more about LogRhythm’s offerings, please visit: https://logrhythm.com. 

**About LogRhythm** 

LogRhythm helps busy and lean security operations teams save the day — day after day. There’s a lot riding on the shoulders of security professionals — the reputation and success of their company, the safety of citizens and organizations across the globe, the security of critical resources — the weight of protecting the world.   

LogRhythm helps lighten this load. The company is on the frontlines defending against many of the world’s most significant cyberattacks and empowers security teams to navigate an ever-changing threat landscape with confidence. As allies in the fight, LogRhythm combines a comprehensive and flexible security operations platform, technology partnerships, and advisory services to help SOC teams close the gaps. Together, LogRhythm and our customers are ready to defend. Learn more at logrhythm.com.

LogRhythm Enhances Security Analytics With Expanded Security Operations Capabilities

**DALLAS****,** **Jan. 5, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has established CTOne, a new Trend Micro subsidiary focused on advancing 5G network security and beyond. The group's intellectual capital and leadership come from Trend Micro's culture of innovation and is the latest incubation project to launch as a standalone business.

_To learn more about CTOne's private 5G network solutions, please visit:_ https://www.ctone.com

Eva Chen**, CEO of Trend Micro:** "Trend Micro has been at the forefront of network transformations for over three decades. The 5G network technology has enabled new capabilities and applications requiring new cybersecurity infrastructure. With our foresight and over six years of dedicated research into network technology, we are confident that CTOne will safeguard organizations in all 5G network environments."

Organizations need to integrate resources to combat emerging threats in the private 5G networks more effectively. By pre-deploying a security net, CTOne strengthens the digital resilience of vertical application fields and provides security for landing applications in private 5G network environments and achieving comprehensive protection from network to endpoint.

Low latency, large bandwidth, and high-density capabilities have accelerated many organizations to adopt private 5G networks. According to a Grand View Research report\*, the global private 5G network market size was valued at USD 1.38 billion in 2021 and is expected to expand at a compound annual growth rate of 49% in the next year. Private 5G networks are usually considered the most secure wireless communications standard. However, with the widely used Open Radio Access (O-RAN) structure, the proliferation of cloud networks, open-source software, and the variety of IoT devices, the 5G environment faces more cyber threats than ever.

Jason Huang**, CEO of CTOne:** "Safety today doesn't guarantee Safety tomorrow. While the communications technology market is booming, business operations are facing exposure to more complex risks. CTOne enables enterprises to secure private 5G networks against potential cyberattacks and build a high-quality industrial application ecosystem. In the future, we will collaborate with partners to maximize the advantages of private 5G with comprehensive security solutions."

In addition to private 5G network end-to-end security solutions, CTOne is also developing O-RAN and edge computing security solutions to assist enterprises in mitigating cyber risk when deploying related technologies.

\* Private 5G Network Market Size, Share & Trends Analysis Report By Component (Hardware, Software, Services), By Frequency (Sub-6 GHz, mmWave), By Spectrum, By Vertical, By Region, And Segment Forecasts, 2022 – 2030, Grand View Research

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.trendmicro.com.

**About CTOne**

CTOne, a global cybersecurity leader in communication technology, offers enterprise cybersecurity solutions for next-generation wireless networks. A subsidiary of Trend Micro, CTOne enables digital transformation and strengthens the resilience of communication technology. https://www.ctone.com

SOURCE Trend Micro Incorporated

Trend Micro Announces New Subsidiary for 5G Cybersecurity

The notorious information-stealer known as Vidar is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server.
"When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a

The notorious information-stealer known as **Vidar** is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server.

"When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a technical analysis published late last month. "Threat actors write identifying characters and the C2 address in parts of this page."

In other words, the technique relies on actor-controlled throwaway accounts created on social media to retrieve the C2 address.

An advantage to this approach is that should the C2 server be taken down or blocked, the adversary can trivially get around the restrictions by setting up a new server and editing the account pages to allow the previously distributed malware to communicate with the server.

Vidar, first identified in 2018, is a commercial off-the-shelf malware that's capable of harvesting a wide range of information from compromised hosts. It typically relies on delivery mechanisms like phishing emails and cracked software for propagation.

"After information collection is complete, the extorted information is compressed into a ZIP file, encoded in Base64, and transmitted to the C2 server," ASEC researchers said.

What's new in the latest version of the malware (version 56.1) is that the gathered data is encoded prior to exfiltration, a change from the previous variants that have been known to send the compressed file data in plaintext format.

"As Vidar uses famous platforms as the intermediary C2, it has a long lifespan," the researchers said. "A threat actor's account created six months ago is still being maintained and continuously updated."

The development comes amid recent findings that the malware is being distributed using a variety of methods, including malicious Google Ads and a malware loader dubbed Bumblebee, the latter of which is attributed to a threat actor tracked as Exotic Lily and Projector Libra.

Risk consulting firm Kroll, in an analysis published last month, said it discovered an ad for the GIMP open source image editor that, when clicked from the Google search result, redirected the victim to a typosquatted domain hosting the Vidar malware.

If anything, the evolution of malware delivery methods in the threat landscape is in part a response to Microsoft's decision to block macros by default in Office files downloaded from the internet since July 2022.

This has led to an increase in the abuse of alternative file formats like ISO, VHD, SVG, and XLL in email attachments to bypass Mark of the Web (MotW) protections and evade anti-malware scanning measures.

"Disk image files can bypass the MotW feature because when the files inside them are extracted or mounted, MotW is not inherited to the files," ASEC researchers said, detailing a Qakbot campaign that leverages a combination of HTML smuggling and VHD file to launch the malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media

The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.

Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.

"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," Karen O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

CVE-2022-41080 is a bug that Microsoft patched in November. 

An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused "authentication errors" that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft's recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.

Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was employing a new technique to trigger the next-stage ProxyNotShell RCE flaw known as CVE-2022-41082 using CVE-2022-41080. CrowdStrike's post did not name Rackspace at the time, but the company's external advisor tells Dark Reading that the research about Play's mitigation bypass method was the result of CrowdStrike's investigation into the attack on the hosting services provider.

Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.   

Patching is the answer if you can do it," the external advisor says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with risk of taking down its servers. "They evaluated, considered and weighed \[the risk\] they knew about" at that time, the external advisor says. The company still hasn't applied the patch since the servers remain down. 

A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Raspberry Robin Worm Hatches a Highly Complex Upgrade

Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.
"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.
The intrusions, observed against

Post-Exploitation / Malware

Financial and insurance sectors in Europe have been targeted by the **Raspberry Robin** worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.

The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.

Raspberry Robin, also called QNAP worm, is being used by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors.

Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856.

Security Joes' forensic investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim's browser via social engineering and contains an MSI installer file designed to drop multiple modules.

In another instance, a ZIP file is said to have been downloaded by the victim through a fraudulent ad hosted on a domain that's known to distribute adware.

The archive file, stored in a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader that's protected with numerous layers of obfuscation and encryption to evade detection.

The shellcode downloader is primarily engineered to fetch additional executables, but it has also seen significant upgrades that enables it to profile its victims to deliver appropriate payloads, in some cases even resorting to a form of trickery by serving fake malware.

This involves collecting the host's Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes that have elapsed since system startup, along with the hostname and username information that was gathered by older versions of the malware.

The reconnaissance data is then encrypted using a hard-coded key and transmitted to a command-and-control (C2) server, which responds back with a Windows binary that's then executed on the machine.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plaintext username and hostname, now has a robust RC4 encrypted payload," threat researcher Felipe Duarte said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe

In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

Summary

Certain browsers can bypass authentication and redirect to the redirect url provided without any validation (CVE-2022-3614)

Advisory Number

2022-26

Discovery Date

05 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

22 Dec 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Low

CVE ID

CVE-2022-3614

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10863 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a low rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

The versions of Octopus Server affected by this vulnerability are:

*   All 3.x versions after 3.5.1
*   All 4.x versions
*   All 2018.x, 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x and 2022.2.x versions
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8063

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.3.10750
*   2022.4.8063

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10863). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10863):**

If you have feature version...

...then upgrade to this version

3.5 and greater

2022.3.10750 or greater

4.x, 2018.x, 2019.x, 2020.x, 2021.x

2022.3.10750 or greater

2022.1.x, 2022.2.x

2022.3.10750 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8063 or greater

**Mitigation**

There is no known mitigation for CVE-2022-3614, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was reported by an Octopus Deploy customer.

CVE-2022-3614: Security Advisory 2022-26

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

Summary

Certain types of sensitive variables may be displayed as plain text in variable preview (CVE-2022-3460)

Advisory Number

2022-25

Discovery Date

10 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

21 Dec 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-3460

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10863 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

The versions of Octopus Server affected by this vulnerability are:

*   All 2018.x versions after 2018.3
*   All 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x versions
*   All 2022.2.x versions before 2022.2.8552
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8221

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.2.8552
*   2022.3.10750
*   2022.4.8221

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10863). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10863):**

If you have feature version...

...then upgrade to this version

2018.3 and greater

2022.2.8552 or greater

2019.x, 2020.x, 2021.x and 2022.1.x

2022.2.8552 or greater

2022.2.x

2022.2.8552 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8221 or greater

**Mitigation**

There is no known mitigation for CVE-2022-3460, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was reported by an Octopus Deploy customer.

CVE-2022-3460: Security Advisory 2022-25

A vulnerability has been found in trampgeek jobe up to 1.6.4 and classified as problematic. This vulnerability affects the function runs_post of the file application/controllers/Restapi.php. The manipulation of the argument sourcefilename leads to an unknown weakness. Upgrading to version 1.6.5 is able to address this issue. The name of the patch is 694da5013dbecc8d30dd83e2a83e78faadf93771. It is recommended to upgrade the affected component. VDB-217174 is the identifier assigned to this vulnerability.

@@ -149,10 +149,12 @@ public function runs\_post() {

$this\->error('runs\_post: missing or invalid run\_spec parameter', 400);

}

if (!is\_array($run) || !isset($run\['sourcecode'\]) ||

!isset($run\['language\_id'\])

) {

!isset($run\['language\_id'\]) ) {

$this\->error('runs\_post: invalid run specification', 400);

}

if (isset($run\->sourcefilename) && !self::is\_valid\_source\_filename($run\->sourcefilename)) {

$this\->error('runs\_post: invalid sourcefilename');

}

  

// REST\_Controller has called to\_array on the JSON decoded

// object, so we must first turn it back into an object.

@@ -273,6 +275,24 @@ public function languages\_get()

// \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

// Support functions

// \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

  

// Return true unless the given filename looks dangerous, e.g. has '/' or '..'

// substrings. Uses code from https://stackoverflow.com/questions/2021624/string-sanitizer-for-filename

private function is\_valid\_source\_filename($filename) {

$sanitised = preg\_replace(

'~

\[<>:"/\\\\|?\*\]| # file system reserved https://en.wikipedia.org/wiki/Filename#Reserved\_characters\_and\_words

\[\\x00-\\x1F\]| # control characters http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx

\[\\x7F\\xA0\\xAD\]| # non-printing characters DEL, NO-BREAK SPACE, SOFT HYPHEN

\[#\\\[\\\]@!$&\\'()+,;=\]| # URI reserved https://tools.ietf.org/html/rfc3986#section-2.2

\[{}^\\~\`\] # URL unsafe characters https://www.ietf.org/rfc/rfc1738.txt

~x',

'-', $filename);

// Avoid ".", ".." or ".hiddenFiles"

$sanitised = ltrim($sanitised, '.-');

return $sanitised === $filename;

}

  

private function is\_valid\_filespec($file) {

return (count($file) == 2 || count($file) == 3) &&

is\_string($file\[0\]) &&

CVE-2021-4297: Prevent privilege escalation attacks via sourcefilename [issue #46](h… · trampgeek/jobe@694da50

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Tag

#microsoft