Code injection vulnerability harnessed in attacks on south Asia

John Leyden 26 September 2022 at 14:02 UTC  
Updated: 27 September 2022 at 08:50 UTC

Code injection vulnerability harnessed in attacks on south Asia

A recently resolved vulnerability in Sophos Firewall has been abused by attackers in targeted attacks, the vendor warns.

The critical vulnerability (CVE-2022-3236) poses a remote code execution (RCE) risk.

Sophos Firewall v19.0 MR1 (19.0.1) and older are potentially vulnerable to the security bug in the User Portal and Webadmin of Sophos Firewall.

Catch up on the latest network security news

In a security advisory published on Friday (September 23), Sophos said that it has issued a patch that installs automatically in default installations of its firewall technology.

This is just as well given the vulnerability has already featured in attacks in the wild.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the vendor’s advisory said. “We have informed each of these organizations directly.

“Sophos will provide further details as we continue to investigate,” it added.

Short of applying a patch, the vulnerability might be mitigated by disabling WAN access to the User Portal and Webadmin, Sophos advises.

The Daily Swig asked Sophos to explain in what ways the vulnerability has been exploited and how the problem was discovered.

In response, Sophos said it was alerted about the zero-day vulnerability by one of its customers. The vendor went on to reiterate that few of its customers were affected by the problem – without saying what issues they may have faced:

A customer notified Sophos, at which time Sophos took immediate steps to issue a hotfix, which was already applied last week. This only affected an extremely small subset of organizations.

The vulnerability is noteworthy since it represents a web security flaw in a network security product.

One infosec observer warned that the flaw is of the type that might lend itself to widespread abuse.

“This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related,” said threat researcher Immanuel Chavoya in a post about the vulnerability on Twitter.

YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw

Web security flaw in Sophos Firewall patched

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities.
Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.

Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.

"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis.

TA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox.

The group's exploitation of the Follina flaw was previously highlighted by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.

Also put to use in a spear-phishing attack identified in May 2022 is a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This is achieved by employing a Royal Road RTF weaponizer tool, which is widely shared among Chinese threat actors.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

LOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.

"The group continues to incorporate new capabilities while also relying on tried-and-tested \[tactics, techniques, and procedures," the cybersecurity firm said.

"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iTunes 12.12.3 for Windows, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

Released March 8, 2022

**ImageIO**

Available for: Windows 10 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: Windows 10 and later

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**WebKit**

Available for: Windows 10 and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: Windows 10 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Windows 10 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

Entry added May 25, 2022

**WebKit**

Available for: Windows 10 and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

Entry added May 25, 2022

CVE-2022-22629: About the security content of iTunes 12.12.3 for Windows

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4, tvOS 15.4, Safari 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

Released March 14, 2022

**Accelerate Framework**

Available for: Apple TV 4K and Apple TV HD

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-22633: ryuzaki

Entry added May 25, 2022

**Accelerate Framework**

Available for: Apple TV 4K and Apple TV HD

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: ryuzaki

Entry added May 25, 2022

**AppleAVD**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2022-22634: an anonymous researcher

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22635: an anonymous researcher

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22636: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**IOGPUFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22640: sqrtpwn

**LLVM**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to delete files for which it does not have permission

Description: A race condition was addressed with additional validation.

CVE-2022-21658: Florian Weimer (@fweimer)

Entry added May 25, 2022

**MediaRemote**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to identify what other applications a user has installed

Description: An access issue was addressed with improved access restrictions.

CVE-2022-22670: Brandon Azad

**Preferences**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Sandbox**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani (@sudhakarmuthu04) of Primefort Private Limited, Khiem Tran

Entry updated May 25, 2022

**UIKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

CVE-2022-22624: About the security content of tvOS 15.4

Rockwell Automation ThinManager ThinServer versions 11.0.0 - 13.0.0 is vulnerable to a heap-based buffer overflow. An attacker could send a specifically crafted TFTP or HTTPS request, causing a heap-based buffer overflow that crashes the ThinServer process. If successfully exploited, this could expose the server to arbitrary remote code execution.

Skip Navigation

menu

*   Support Center
*   Get Support Chat & Submit a Question Phone Support Holiday Schedule
*   Training & Webinars
*   Online Forum
*   Customer Care Customer Care Overview Phone Support Holiday Schedule

Sign In

Quickly log in or create an account using an existing service

Yahoo

What will happen: When you click on this button you will be taken to Yahoo. Once you log in, Yahoo will verify you and send you back here where you'll be logged in!

Log In or Create an AccountOpens new dialog

Please log in to continue, Username Password

Email Address \*

Username \*

Password

Re-enter a value for the field 'Password'

Must match Password

First Name \*

Last Name \*

Forgot your username or password?

The page will refresh upon submission. Any pending input will be lost.

03-Feb-2022 - Important product notice regarding Microsoft vulnerability patch (MS KB5004442)

Current product hierarchy

1.  HMI / Communication
2.  Performance and Visualization (HMI)
3.  ThinManager

ID: PN1604 | Access Levels: Everyone

**Search**

Did you mean:

**Published Date**Published Date 09/22/2022

Executive Summary

A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation.  The vulnerability was discovered in the ThinManager® ThinServer™ s...

**Login Required to View Full Answer Content**

Please use the 'Sign In' button above

CVE-2022-38742: ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-Of-Service Attack

Warning added to Python documentation was deemed preferable to a patch

Adam Bannister 22 September 2022 at 15:39 UTC  
Updated: 22 September 2022 at 15:57 UTC

Warning added to Python documentation was deemed preferable to a patch

An estimated 350,000 open source repositories are affected by a 15-year old path traversal vulnerability in Python’s tarfile module, according to security researchers.

Having “stumbled across” the unpatched issue while investigating an unrelated vulnerability, they initially thought the flaw was a new zero-day bug before realizing it actually dated back to 2007.

Originally designated a severity score of CVSS 6.8, CVE-2007-4559 allows attackers to gain code execution from the file-write “in most cases”, said Trellix researcher Kasimir Schulz in a blog post published yesterday (September 21).

Catch up with the latest open source software security news

Schulz explained how Trellix researchers successfully achieved this outcome against wireless protocol analyzer Universal Radio Hacker, IT infrastructure management service Polemarch, and Spyder IDE, an open-source development environment for scientific programming.

**Patching marathon**

In a separate Trellix blog post, Douglas McKee said 61% of a sample of around 300,000 files containing the tarfile module, which makes it possible to read and write tar archives, were vulnerable to the bug.

Trellix has created patches for around 11,000 projects and anticipates that a further 70,000 projects will receive a fix in the coming weeks.

The vulnerability arose “from two or three lines of code using unsanitized or the built-in defaults of ,” explains a third Trellix blog post by Charles McFarland. “Failure to write any safety code to sanitize the members files before calling or results in a directory traversal vulnerability, enabling a bad actor access to the file system.”

If an attacker adds ‘’ with the separator for the operating system (‘’ or ‘’) into the file name, they can escape the directory the file is supposed to be extracted into.

**Just a warning**

However, a Python bug thread from 2007, which has been reopened in recent days, concluded with a maintainer asserting that “tarfile.py does nothing wrong, its behaviour conforms to the pax definition and pathname resolution guidelines in POSIX. There is no known or possible practical exploit”.

The maintainer did add a warning to the Python documentation, which remains in place, that urges developers to “never extract archives from untrusted sources without prior inspection”.

**Corner cases**

Trellix’s McKee acknowledged that there are legitimate use cases for preserving behavior that could be abused for malicious purposes. However, he said, “in this instance I believe the risk outweighs the reward for accommodating a few corner cases”, especially given “most” third party online tutorials seemed to “incorrectly demonstrate the insecure use of the tarfile module”.

Trellix created and open-sourced a tool to aid the research and patching process that automatically detects the vulnerability in source code by leveraging AST intermediate representation.

Called Creosote, the utility provides a means to scan closed source repositories too.

“This vulnerability is incredibly easy to exploit” and prevalent in the wild, making Python’s tarfile module “a massive supply chain issue threatening infrastructure around the world”, concluded Schulz.

YOU MIGHT ALSO LIKE Parse Server fixes brute-forcing bug that put sensitive user data at risk

Tarfile path traversal bug from 2007 still present in 350k open source repos

SANTA CLARA, Calif., Sept. 22, 2022 /PRNewswire/ — Palo Alto Networks (NASDAQ: PANW), a Microsoft Azure private MEC ecosystem partner, today announced availability of VM-Series Virtual Next-Generation Firewall (NGFW) technology on the Azure Marketplace. Delivering end-to-end Zero Trust security at the enterprise edge, VM-Series virtual firewalls can now extend best-in-class NGFW capabilities to help protect Azure private MEC applications, providing centralized defense against cyberattacks.

Azure private MEC combines network functions, applications and edge-optimized Azure services managed from the cloud to deliver high-performance, ultra-low-latency 4G/5G private wireless solutions that address the modern business needs of enterprise customers.

"Our long-standing partner solutions with Azure and our VM-Series virtual firewalls have been protecting customer cloud environments for years," said Prem Iyer, vice president, Ecosystems GSI and CSP, Palo Alto Networks. "The new VM-Series 5G capabilities enable enterprises to secure mission-critical applications in industry verticals like manufacturing, healthcare, utilities and public sector, all of which demand the latest in private wireless network technology."

Mobile 5G networks with multi-access edge compute combine AI and cloud technologies to transform enterprises and industries. Customers choose this next-generation mobile technology for its security and reliability, but increasingly sophisticated networks must be safeguarded against a complex and escalating "threatscape." Palo Alto Networks 5G-Native Security on the VM-Series brings advanced Layer 7 security capabilities to help detect and block known exploits, malware, malicious URLs, spyware, and command and control (C2) to 5G-powered edge computing use cases. The VM-Series Next-Generation Firewall enables enterprises to achieve comprehensive security for end-user application traffic that traverses the Azure Private 5G Core, securing edge infrastructure and helping detect and mitigate malicious activity within the user traffic.

Key benefits of the solution include:

*   Faster time to market with a fully tested and validated solution.
*   Simpler deployment at scale from the Azure marketplace, facilitating a rapid rollout of NGFWs.
*   Predefined configuration templates for comprehensive zero-day security.

The Panorama management solution, integrated with Azure, allows for common management of VM-Series virtual firewalls deployed across all cloud and edge environments from a single console and provides centralized visibility and actionable insights into network traffic, logs and threats.

"We're pleased to add Palo Alto Networks 5G security products to Azure Marketplace and our Azure private MEC ecosystem," said Shriraj Gaglani, general manager, Azure for Operators. "This adds an important option for customers when architecting critical end-to-end security frameworks that underpin Industry 4.0 use-cases built on our Azure private MEC solution."

For more information about Microsoft Azure and Palo Alto Networks.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks 5G-Native Security Now Available on Microsoft Azure Private Multi-Access Edge Compute

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

A 15-year-old flaw in the Python open source programming language has remained unpatched in many places, making its way into hundreds of thousands of both open source and closed source projects worldwide. This is inadvertently creating a broadly vulnerable software supply chain that most affected organizations are unaware of, researchers warned.

That's according to the Trellix Advanced Research Center, whose analysts found that a path traversal-related vulnerability, tracked as CVE-2007-4559, presently remains unpatched in more than 350,000 unique open source repositories, leaving software applications vulnerable to exploit.

In a blog post published Sept. 21, principal engineer and director of vulnerability research Douglas McKee said that the code base in question is present in software that spans a vast number of industries — primarily software development, artificial intelligence/machine learning, and code development, but also including sectors as diverse as security, IT management, and media. 

The Python tarfile module also exists in a default module in any project using Python, and is currently found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as applications used for machine learning, automation, and Docker containerization, researchers said.

While the bug allows attackers to escape the directory that a file is supposed to be extracted to, actors can also exploit the flaw to execute malicious code, researchers said.

"Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," McKee said.

**New Problem, Old Vulnerability**

After finding that Python's tarfile module wasn't properly checking for path traversal vulnerabilities in an enterprise device recently, Trellix researchers thought they had stumbled across a new zero-day Python vulnerability, McKee wrote in the post. However, they soon realized that the flaw was one that had already been discovered.

Further digging and later cooperation from GitHub revealed that there are about 2.87 million open source files that contain Python’s tarfile module in about 588,000 unique repositories. Results of Trellix analysis found that about 61% of those instances are vulnerable, which led researchers to a current estimate of 350,000 vulnerable Python repositories.

**In Open Source, There's No One to Blame**

There are a number of reasons that the flaw has been able to spread throughout software unchecked for so long; however, it would be unfair to put specific blame on the Python project, various maintainers of the project, or any developers using the platform, McKee noted.

"Let's start by being explicitly clear — there is no one party, organization, or person to blame for the current state of CVE-2007-4559, but here we are anyway," he wrote.

Because open source projects like Python are run and maintained by a nebulous group of volunteers and not one federated organization — and in this case, a nonprofit foundation, to boot — it's harder to track and fix even known issues in a timely manner, McKee observed.

Further, "it is not uncommon for libraries or software development kits … to consider the responsibility for securely leveraging their APIs as part of the developer's responsibility," he said.

Indeed, Python has put a warning in its documentation of the tarfile function about the risks of using it, explicitly telling developers never to "extract archives from untrusted sources without prior inspection" due to the directory traversal issue.

While a warning is "a positive step" toward spreading awareness of the issue, it clearly hasn't prevented the vulnerability from being perpetuated, since it's still up to developers leveraging the code base to ensure that the software they build is secure, McKee observed.

He added that exacerbating the problem is the fact that most of the Python tutorials for developers on how to use the platform's modules — including Python's own documentation and popular sites like tutorialspoint, geeksforgeeks, and askpython.com — aren't clear on how to avoid insecure use of the tarfile module, he noted.

This discrepancy has allowed the vulnerability to be programmed into the supply chain, a trend that will likely continue for years to come unless there's broader awareness of the problem, McKee noted.

**'Incredibly Easy' to Exploit the Flaw**

On the technical front, CVE-2007-4559 is a path traversal attack in Python's tarfile module that allows an attacker to overwrite arbitrary files, by adding the ".." sequence to filenames in a TAR archive. 

The actual flaw arises from two or three lines of code using unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall(), noted Trellix vulnerability researcher Charles McFarland in a separate blog post on the problem published Wednesday.

"Failure to write any safety code to sanitize the members' files before calling or tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," he wrote.

For an attacker to take advantage of this vulnerability they need to add ".." with the separator for the operating system ("/" or "\\") into the file name to escape the directory the file is supposed to be extracted to, Schulz detailed. Python's tarfile module lets developers do exactly that, he noted.

Trellix vulnerability research intern Kasimir Schulz — whose research on a separate issue is actually responsible for bringing the extensive Python tarfile bug to light — described in detail in a third separate Trellix blog post he wrote published Wednesday how "incredibly easy" it is to exploit CVE-2007-4559.

Tarfiles in Python contain a collection of multiple different files and metadata that's later used to unarchive the tarfile itself, Schulz explained in his post. The metadata contained within a TAR archive includes but is not limited to information such as the file name, the size and checksum of the file, and information about the owner of the file when the file was archived.

"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the TAR archive," Schulz wrote. This enables attackers to create their exploits with as little as six lines of code, he said.

Schulz goes on in his post to explain in detail how he used the flaw and a custom-built script called Creosote — which searches through directories scanning for and then analyzing Python files — to execute malicious code within Spyder IDE, a free and open source scientific environment written for Python that can be run on Windows and macOS.

**Spotlight on the Supply Chain**

The tarfile issue once again highlights the software supply chain as an attack surface, one that has risen in prominence in recent years due to the broad impact attackers can have by targeting flawed code that's present across multiple platforms and thus enterprise environments. This can serve to expansively widen the impact of malicious campaigns without extra work on the part of threat actors.

There have been numerous examples already of what can happen across the supply chain in these types of attacks, with the now-infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year with multiple attacks across various organizations. The latter saga unfolded in early December 2021 with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool that spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Lately, attackers have begun to see the benefit of going directly after open source code repositories to plant their own malicious code that can be exploited later for supply chain attacks. In fact, the Python project has found itself directly in the crosshairs.

In late August, attackers targeted users of the Python Package Index (PyPI) with their first-ever phishing attack aimed at stealing users' credentials so threat actors could load compromised packages to the repository. Earlier that month, PyPI already had removed 10 malicious code packages from the registry after a security vendor warned that threat actors were embedding malicious code into the package installation script.

15-Year-Old Python Flaw Slithers into Software Worldwide

A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.

This document describes the security content of Safari 16.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16**

Released September 12, 2022

**Safari Extensions**

Available for: macOS Big Sur and macOS Monterey

Impact: A website may be able to track users through Safari web extensions

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 243236  
CVE-2022-32891: @real\_as3617, an anonymous researcher

 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 12, 2022

Tag

#zero_day