Enterprises can now adopt the industry's most comprehensive Zero Trust Network Access 2.0 to secure access to all applications from any device.

**SANTA CLARA, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** In a world where work is now an activity not a place, organizations need to connect a distributed workforce without compromising on security and user experience. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced an expanded partnership that brings together BeyondCorp Enterprise from Google Cloud and Prisma® Access from Palo Alto Networks to provide hybrid users secure and seamless access to applications - SaaS, cloud or on-premise - from managed or unmanaged devices.

Built on the backbone of the Google Cloud network, this comprehensive cloud-delivered Zero Trust Network Access (ZTNA) 2.0 solution enables all users to work securely from anywhere regardless of device type. With Prisma Access, customers get superior ZTNA 2.0 security for all devices, branch offices and applications. BeyondCorp Enterprise Essentials enables secure access to applications and resources for unmanaged devices. Combined threat intelligence and machine learning (ML) automatically detects and remediates threats to users, applications or enterprise data; all powered by the superior performance, planetary reach, and low-latency connections of Google Cloud.

"Legacy VPN and Zero Trust Network Access (ZTNA) 1.0 solutions provide access to users that is too broad and lacks continuous security inspection, putting cloud-first and hybrid organizations at risk," said Kumar Ramchandran, SVP, Products for Palo Alto Networks. "ZTNA 2.0 by Palo Alto Networks secures the modern hybrid enterprise. This partnership will allow organizations to benefit from the performance, scale, and reliability offered by Google Cloud's global network, coupled with the security expertise of Palo Alto Networks" 

"Together with Prisma Access and BeyondCorp, customers will now have seamless access to a Zero Trust security solution built for today's workforce, powered by Google Cloud's innovation, scale, and trusted cloud infrastructure," said Sunil Potti, VP/GM, Cloud Security at Google Cloud. "At Google Cloud, we continue to deliver opinionated solutions with our customers' needs in mind, bringing together innovations from across Google and its ecosystem of partners in easy-to-consume offerings that are backed by Google's unique scale and deep experience."

Palo Alto Networks Prisma Access platform helps transform networking and security to deliver a true Zero Trust that supports both managed and unmanaged devices while delivering consistent protections across the entire enterprise. The industry's only ZTNA 2.0 solution provides deep and ongoing inspection of all application traffic, even for allowed connections to prevent all threats, including zero-day threats, providing secure access for data centers, branch offices and mobile users. Prisma Access is purpose-built on Google's global backbone to secure enterprises at cloud scale.

BeyondCorp Enterprise is based on Google's years of experience with zero trust and provides organizations with a seamless and secure experience for anyone who needs to access applications, cloud resources, and private data hosted on Google Cloud, in third-party clouds, or on-premises. BeyondCorp Enterprise leverages Chrome to provide a secure enterprise browsing solution where agents cannot be installed on devices, providing a simple, yet secure zero trust approach for unmanaged devices.

**About Palo Alto Networks**

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Google Cloud and Palo Alto Networks Team to Protect the Modern Workforce

WithSecure DeepGuard 6 allows attackers to affect confidentiality, availability, and/or integrity.

**WithSecure™ Client Security**

Proven business protection and security for computers

1.  Home
2.  Solutions
3.  Software and services
4.  Business Suite
5.  Client Security

**Secure your business with the best in endpoint protection.**

**Client Security is much more than anti-malware – it offers next-gen protection elements such as threat intelligence, behavioral analysis and proactive protection against all the latest threats.**

Client Security is a business security product that offers you the best security for your business endpoints – continuously, year after year.

**Why WithSecure™ Client Security?**

Windows

**Award-winning**

Get award-winning, multi-layered security for desktops and laptops

**Protection engine**

Stay safe against zero-day vulnerabilities with DeepGuard, our proactive on-host protection engine

**Automatic patches**

Get centrally managed, automatic patches to your software to protect it against known vulnerabilities

**Performance**

Enjoy complete protection with minimal impact on system performance

**Automatically Augmented Security**

Enjoy automatically augmented security for online banking and other business-critical transactions

**Protection technologies**

Benefit from protection technologies powered by next-generation threat intelligence, advanced machine learning techniques, and highly skilled cyber security experts

Mac

**WithSecure Security Cloud**

Global protection against emerging threats within 60 seconds of initial detection

**Advanced anti-malware**

Anti-malware with real-time reputation checks for the latest threats

**Banking protection**

Provides added security for online banking

**Browsing protection**

Allows users to safely work and browse online without limiting them

**Firewall**

Utilizes Mac's own firewall to control incoming connections

“By achieving nearly 100% protection in all certification tests AV-Test performed in 2016, Client Security has proven to be a leader in protection of businesses.”

_Maik Morgenstern, CTO, AV-TEST GmbH_

**Your benefits**

Don't compromise on business security.

Client Security provides the best continuous protection available for Windows desktops and laptops. It is uniquely able to provide impenetrable protection against all online threats while minimizing the impact on system performance.

Endpoint protection is at the core of cyber security, and this is the best of the best. Complete endpoint protection is just the beginning. Client Security also saves you time with automatic patch management and boosts employee productivity with web browsing controls.

**1****No business downtimes**

No business downtime with the best, uncompromising, consistent security for desktops and laptops

**2****Application Control**

Avoid unsecure applications that put your business at risk with Application Control

**3****Web Content Control**

Work securely and productively with Web Content Control

**4****Connection Control**

Superior security for your business-critical work through automated Connection Control

**5****Software Updater**

Less opportunities for attackers with automated, up-to-date security with Software Updater

**Product features**

Standard

**Deepguard 6**

Behavior-based protection to keep your business safe against new and emerging threats

**Multi-engine Anti-malware**

Get unmatched protection against viruses, Trojans, rootkits, and other malware

**WithSecure Security Cloud**

Gain immediate protection against emerging threats discovered worldwide

**Browsing protection**

Ensure safe and efficient online work

**Advanced firewall**

Guard against malicious network activities

**Device control**

Prevent malware infections via USB

**Advanced protection**

Gain advanced protection against selected file types from unknown sites

**Botnet blocker**

Stop external control of compromised assets

Premium

**Connection control**

Prevent confidential information from being compromised

**Web content control**

Avoid legal risks and exposure to malicious content

**Patch management**

Automatic patch management for Windows operating system and third-party software

**Dataguard**

Provides additional protection against ransomware, and prevents the destruction and tampering of data

**Application control**

Blocks execution of applications and scripts according to rules created by our penetration testers, or as defined by the administrator

**Looking for product support?**

Find latest articles, instructions and other important support materials.

**Product details**

Malware and Spyware Protection

**Superior malware protection**

Our computer security component utilizes our multi-engine security platform to detect and prevent malware. It offers superior protection to traditional signature-based technologies:

*   Detects a broader range of malicious features, patterns and trends, enabling more reliable and accurate detections, even for previously unseen malware variants
*   By using real-time look-ups from the WithSecure Security Cloud, it can react faster to new and emerging threats in addition to ensuring a small footprint
*   Emulation enables detection of malware that utilize obfuscation techniques, and offers another layer of security before a file is run

DeepGuard 6

**Heuristic & behavior analysis**

DeepGuard combines some of our most advanced security technologies. It's the final and most critical layer of defense against new threats—even those that target previously unknown vulnerabilities.

DeepGuard observes application behavior and proactively intercepts any potentially harmful action on-the-fly before it causes damage. By switching the focus from signature characteristics to malicious behavior patterns, DeepGuard can identify and block malware even before a sample has been acquired and examined.

When an unknown or suspicious program is first launched, DeepGuard temporarily delays its execution in order to perform a file reputation and prevalence rate check, runs it in a sandbox environment, then finally executes it for behavioral analysis and exploit interception.

For more information about Deep Guard functions and benefits, consult our technical whitepaper.

**Compare the versions**

Choose the right version for your needs

Feature

Commad line endition

Full edition

Web-based GUI

 

X

Central control

 

X

Real-time scanning

 

X

Manual Scanning

X

X

Scheduled Scanning

X

X

Operated from the command line

X

 

Managed Firewall

**Better security and compatibility**

The new WithSecure firewall uses the default Windows rule engine to execute firewall rules. This greatly increases compatibility with other applications and appliances. The WithSecure expert ruleset, which contains advanced rules that counter risks such as propagating ransomware and lateral movement, is added on top of the standard Windows ruleset.

The administrator can extend the WithSecure rulesets with rules to tackle company and context-specific threats. Additionally, auto-selection rules allow administrators to define profiles adapted to the security needs of various networks.

Web Traffic Scanning

**Block malicious web content**

Web Traffic Protection prevents the exploitation of active content such as Java and Flash, which are used in the vast majority of online attacks. These components are automatically blocked on unknown and suspicious sites based on their reputation data. Administrators can make exceptions to this by adding sites to a trusted sites list, for example company intranet sites for which WithSecure does not have any reputation data.

Web Traffic Protection scans HTTP web traffic in real-time with multiple complementary anti-malware scanning engines and reputation checks. This ensures that malware and exploits are found and blocked at the traffic stage, before data is written to the hard disk. This provides additional protection against more advanced malware—for example the memory-only variety.

Browsing Protection

**Safe and efficient online work**

Browsing Protection ensures that employees can work safely and efficiently online without worries.

*   Proactively prevents employees from accessing harmful sites, links, and content
*   Eliminates human error and proactively minimizes exposure
*   Works with all major browsers

Botnet Blocker

**Repel botnets effectively**

Botnet Blocker stops criminals aiming to control compromised assets by preventing communication to Command & Control domains.

*   Administrators can prevent network activity relating to known botnets
*   Blocks Domain Name Server (DNS) queries on the host level
*   Can effectively stop most attacks, including ransomware and advanced persistent threats
*   Administrators can filter out queries based on domain reputation with the option of whitelisting them

Connection Control

**Elevated security for vital websites (Premium)**

Connection Control is a security layer that greatly increases protection for business-critical web activity like the use of intranets or sensitive cloud services like CRMs.

As soon as an employee accesses a website that requires additional security, Connection Control automatically elevates the security level for that session. During this period, Connection Control closes network connections to all unknown sites from the endpoint. Users can continue to use sites that are verified safe by WithSecure so as not to reduce employee productivity.

By blocking untrusted connections, banking trojans and other malware cannot send criminals confidential business information such as user credentials and cloud-based information. Security returns to normal when the specified browser process finishes or the user ends the session.

Patch Management

**Automatic patch management (Premium)**

Over 80% of cyber-attacks occur as a result of outdated software. Software Updater automatically keeps your third-party software and Windows up to date and patched against known vulnerabilities. Since it's integrated, you can easily avoid attacks based on known vulnerabilities.

*   Software Updater fully integrated in the solution, no infrastructure needed
*   Automatically patches OS and third-party, non-Microsoft applications
*   Automatically downloads and installs security patches, with a manual setting if needed

Learn more 

DataGuard

**WithSecure DataGuard (Premium)**

WithSecure DataGuard subjects selected high-risk and value-critical folders to advanced monitoring and additional detection logic. It makes them significantly more fortified against ransomware, and prevents malicious and unknown applications from destroying or tampering with the data that they contain. The high-risk and value-critical folders include, for example, the Downloads folder (web downloads), document folders, temp files (email attachments), and data repositories.

The feature's complementary detection logic significantly increases detection accuracy and aggressiveness against ransomware and their encryption processes. The Data Access module ensures that the data in these folders is not destroyed, tampered with, or encrypted by malicious or unknown applications, such as ransomware. Among other benefits, the Data Access module enables the recovery of data in the event of a successful ransomware attack, as it cannot encrypt the data located in those folders.

Application Control

**Prevent applications from executing (Premium)**

Application Control prevents threats from executing and running scripts, even if they bypass other security layers to get onto your device. This mitigates the risks posed by malicious, illegal, and unauthorized software in the corporate environment.

With Application Control you can:

*   Identify and control which applications are allowed to run in your environment
*   Identify trusted, authorized software automatically
*   Prevent all other applications, whether malicious, untrusted, or simply unwanted from running 
*   Eliminate unknown and unwanted applications in your environment to reduce complexity and risk
*   Monitor all applications running within the endpoint environment

Finally, you can use it to block applications from running scripts, for example:

*   Prevent all Microsoft Office applications from running PowerShell scripts
*   Prevent all Microsoft Office applications from running Batch scripts

Application control works based on rules created by our penetration testers that cover attack vectors used to breach into corporate environments. Alternatively, the administrator can define the rules based on various criteria, such as the application name or version.

**Compare the versions**

Choose the right version for your needs

Feature

Standard

Premium

Malware and Spyware Protection

X

X

DeepGuard 6

X

X

Managed Firewall

X

X

Web Traffic Scanning

X

X

Browsing Protection

X

X

Botnet Blocker

X

X

Web Content Control

 

X

Connection Control

 

X

Patch Management

 

X

DataGuard

 

X

Application Control

 

X

**Find an authorized reseller**

We partner with selected resellers to offer our security solutions.

Request a trial

**Request a trial**

Fill in the form and one of our dedicated security expert will reach out to help you get started with your trial.

Contact sales

CVE-2022-45871: Business Suite Virtual Security

Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.

Security researchers and hackers demonstrated 63 zero-day vulnerabilities in popular devices at the latest Pwn2Own, exploiting printers from Canon, HP, and Lexmark, and routers and network-attached storage device from Synology and Netgear.

According to Trend Micro's Zero Day Initiative (ZDI), which organized the competition last week, the collection of vulnerabilities earned $989,750 for the offensive cybersecurity specialists competing in the contest. While some attacks chained together a series of exploits to take control of the remote devices, including one that used five vulnerabilities, others found a single security weakness to target, such as the Pentest Limited team, which found a reliable single-click exploit in the Samsung Galaxy S22 mobile phone that required less than a minute to attack.

The Samsung exploit highlighted that significant vulnerabilities are out there to find, says Dustin Child, head of threat awareness at Trend Micro's Zero Day Initiative.

"Just click a link on an affected device and you get owned," he says. "It's a very reliable bug, too. Very impressive research and quite the effective demonstration of why clicking unknown links can be dangerous."

**Focusing on IoT and Mobile**

Pwn2Own started in 2007 as an annual contest connected with the annual CanSecWest conference, but has since branched out into two contests: one focused on computer operating systems and applications, and the other — which includes the latest contest — focused on devices and the Internet of Things.

Over the four days of the contest, offensive cybersecurity specialists discovered a significant number of vulnerabilities in printers and routers from major brands, but also targeted Bluetooth speakers and network-attached storage, ZDI stated in a summary of the contest results.

Because many of the devices are commonly used by small and medium-sized businesses (SMBs), companies should take the results of the competition as a warning, Child says.

"If anything, SMBs should understand that, while they may feel they aren't large enough to be a target, their devices can and will be targeted by threat actors," he says. "At \[this\] time, the attackers are just looking to add nodes to their botnet, but regardless of intent, the devices we rely on for business can be compromised if left undefended."

**Buffer Overflows Continue to Creep In**

Unfortunately, one of the classes of vulnerabilities that continues to represent a fertile field of exploitation for attackers is memory safety vulnerabilities, such as buffer overflows. While major software companies have begun using memory-safe programming languages to prevent memory-related issues, many device-makers are still behind the curve.

Many of the vulnerabilities discovered during the contest were buffer overflows, Child says.

"This form of memory corruption has been known for some time, so we were a bit surprised to see it still prevalent in multiple devices," he says.

Among the most targeted devices were printers, with Lexmark, HP, and Canon printers among those favored by participants. While routers also made up a significant share of targeted devices, they would have seen more abuse this year, except that last-minute patches from Netgear and TP-Link eliminated targeted weaknesses, forcing competitors to withdraw from the competition, Child says.

**Playing the Mario Theme on a Lexmark**

Some of the printer exploits showed additional creativity. In the past, hackers would settle for exploiting a system and forcing it to run Microsoft Paint or call up a calculator application as a demonstration of their potential to run arbitrary code. In the latest Pwn2Own, however, successful hackers displayed Pokemon or another anime character on the small printer control display. 

Perhaps most impressively, the Horizon3 AI team used the system alert sound on a Lexmark printer to play the theme from Mario, even though the device does not have that functionality.

"Since the printer doesn't have a speaker, we didn’t expect it to play a song, but they modulated the frequency of the beep to add the musical function," Child says.

Data management providers Synology and online giant Google both co-sponsored the contest.

Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest

By Habiba Rashid
The Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023.
This is a post from HackRead.com Read the original post: Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Previously **we reported** on the results from Pwn2Own Toronto for Day 1 and Day 2 and today we will be talking about the proceedings of the last two days of the contest. Without further ado, let’s get right into it.

**Pwn2Own Day 3**

On December 08, 2022, the first success of the day went to Team Viettel which earned $20,000 for their execution of an OS Command Injection attack against the WD My Cloud PRO SERIES PR4 100 in the NAS category. 

A newcomer Chi Tran of team Bun Bo Ong Chi executed their stack-based buffer overflow attack against the Canon image CLASS MF74Cdw in the Printer category and was rewarded $10,000 for their hack.

Team DEVCORE on the other hand, used one unique and one previously used bug against the Sonos One Speaker in the Smart Speaker category, earning $22,500. 

NCC Group’s representative team earned $50,000 for hacking a Ubiquiti router and a Lexmark printer in the SOHO Smashup category. The Star Labs team earned $25,000 for an attack targeting a Synology router and a Canon printer. Team Viettel was awarded $37,500 for a hack involving a Cisco router and a Canon printer.

For only the Samsung Galaxy S22 exploits throughout the event, the contestants earned a total of $125,000. Google and Apple phones were not targeted. 

By the end of the third day of the competition, a total of $934,750 had been awarded to the contestants for their successful hacks.

**Watch as Hackers Hack at Pwn2Own**

**Pwn2Own Day 4**

On December 09, 2022, on the fourth day, ZDI, the organization behind Pwn2Own, awarded another $55,000, bringing the total contest prize money to $989,750. 63 unique zero days were purchased during the four-day contest. 

The Master of Pwn title was awarded to the DEVCORE team for their winnings of $142,500 and 18.5 points. Team Viettel and NCC Group followed close behind with 16.5 and 15.5 points respectively. 

Out of the 11 attempts scheduled for the last day of the contest, targeting printers and routers, only 3 were successful since the others either failed or used bugs previously reported in the event. 

The first victory went to Chris Anastasion who used a heap-based buffer overflow to exploit the Lexmark printer, earning $10,000. This was followed by ANHTUD Information Security Department earning $10,000 by using another heap-based overflow to exploit the Canon printer. 

The last successful hack of the Pwn2Own Toronto contest was carried out by the namnp team which won $10,000 for their unique bug against the Canon printer.

**Watch as Hackers Hack at Pwn2Own**

With this, the hacking competition came to an end, marking yet another successful Pwn2Own iteration. However, the Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023. It will be an ICS/SCADA-themed event.

1.  **Google Launches Bug Bounty Prog for Open-Source Software**
2.  **Multichain hack: Hacker returns $1m, keeps $150k as bug bounty**
3.  **Xiaomi, Amazon Echo, & Samsung Smart TVs pwned at Pwn2Own**
4.  **Hack the US Army for good with ‘Hack The Army’ bug bounty prog**
5.  **Pwn2Own: Microsoft Exchange server, Teams, Zoom, Chrome pwned**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers.
"This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs

Endpoint Detection / Data Security

High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers.

"This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs researcher Or Yair said. "It does all that without implementing code that touches the target files, making it fully undetectable."

EDR software, by design, are capable of continually scanning a machine for potentially suspicious and malicious files, and taking appropriate action, such as deleting or quarantining them.

The idea, in a nutshell, is to trick vulnerable security products into deleting legitimate files and directories on the system and render the machine inoperable by making use of specially crafted paths.

This is achieved by taking advantage of what's called a junction point (aka soft link), where a directory serves as an alias to another directory on the computer.

Put differently, between the window the EDR software identifies a file as malicious and attempts to delete the file from the system, the attacker uses a junction to point the software towards a different path, like C:\\ drive.

The approach, however, didn't result in a wipe as EDRs prevented further access to a file after it was flagged as malicious. What's more, should the rogue file be deleted by the user, the software was clever enough to detect the deletion and stop itself from acting on it.

The ultimate solution arrived in the form of a wiper tool, dubbed Aikido, that triggers the privileged delete by creating a malicious file at a decoy directory and not granting it any permission, causing the EDRs to postpone the delete until next reboot.

Given this new attack interval, all an adversary has to do is delete the directory containing the rogue file, create a junction to point to the target directory to be deleted, and reboot the system.

Successful weaponization of the technique could result in the deletion of system files like drivers, preventing the operating system from booting. It can also be abused to remove all files from administrator user directories.

Out of 11 security products that were tested, six were found vulnerable to the zero-day wiper exploit, prompting the vendors to release updates to address the shortcoming -

*   **CVE-2022-37971** (CVSS score: 7.1) - Microsoft Defender and Defender for Endpoint
*   **CVE-2022-45797** (CVSS score: N/A) - Trend Micro Apex One
*   **CVE-2022-4173** (CVSS score: 8.8) - Avast and AVG Antivirus

"The wiper executes its malicious actions using the most trusted entity on the system — the EDR or AV," Yair said. "EDRs and AVs do not prevent themselves from deleting files."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Demonstrate How EDR and Antivirus Can Be Weaponized Against Users

Catch up on the highlights of last week’s cybersecurity conference

Catch up on the highlights of last week’s cybersecurity conference

Alongside the release of hacking tools and a thought-provoking keynote, there was plenty on offer for web security professionals among the briefings at Black Hat Europe last week.

Vulnerability researchers often leave out the gnarly bits in talks that focus on their success in finding vulnerabilities, but a pair of hackers from Trellix gave a talk on how to learn from missteps and failures along the way.

Apparent failures can offer salutary lessons and – mixed with no little grit and persistence –eventually result in significant discoveries, researchers Douglas McKee and Philippe Laulheret told Black Hat delegates.

The session – ‘Fail Harder: Finding Critical 0-Days in Spite of Ourselves’ – took a “deep dive into all the things that didn’t work, along with the many challenges that preceded the findings of critical zero-day bugs across multiple projects”.

Among other things, the researchers explained how “failing harder” requires “lots of time spent researching systems before they can be hacked”.

**Ethics in social engineering**

In another talk, Ragnhild ‘Bridget’ Sageng of Orange Cyberdefence explored the ethics of using social engineering in penetration tests.

Such tests attempt to raise employee awareness about phishing attacks, but if not well thought through they can be counterproductive – especially if workers are left feeling duped or blamed for failures. Playing the blame game runs counter to fostering a productive learning experience, Sageng argued.

After all, the results of such tests have shown that even security professionals can fall victim to phishing lures, hence the need to increase focus on the (often neglected) post-engagement process.

**Wif WAF**

Back in the arena of finding vulnerabilities in technology, researcher Noam Moshe from Claroty’s Team82 explained how they discovered that a range of web application firewalls (WAFs) could be rendered blind to SQL injection payloads.

The issue – which stemmed from a failure to support JSON syntax in the SQL injection inspection process – affected technology from five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. All five fixed the problem after Claroty highlighted the issue, as explained in more depth by The Daily Swig last week.

**Delivering Parcels**

Deserialization flaws have yielded a steady stream of issues for traditional apps over recent years. The hacking technique has also proven a problem for Android-based mobile systems.

During a presentation at Black Hat Europe, a team of engineers from Google outlined the evolution of Android Parcels, a technology designed to manage cross-process interaction and clamp down on bugs that arise from deserialization.

**Bohemian hack story**

Active defense has been discussed as an approach to thwart cyber-attacks orchestrated by nation states for several years. The details of how such an approach might work in practice have been shrouded in secrecy, but a talk by two threat intel experts from the state treasury of the Czech Republic showed how a combination of threat intelligence and active defense was used to thwart a series of attacks blamed on Russia.

The analysts explained that it was only by continuously improving their threat model and fine tuning their approach that they were able to make improvements in making critical information infrastructure more resilient.

**Binded by the light**

Web security researchers and bug hunters were offered insights into how it might be possible to hack web-based frameworks by abusing DataBinding.

DataBinding is used to bind request parameters to a domain object.

The approach is supported by a variety of programming frameworks, including Java, JavaScript, Groovy, Python, and Ruby.

However, implementation flaws in databinding have spawned a number of flaws in platforms including Spring, Struts, Grails, and Ruby on Rails.

Haowen Mu and Biao He from Ant Security FG Lab explained how the insecurity of the DataBinding mechanism itself spawned the infamous Spring4Shell, among other flaws, during their presentation at Black Hat.

YOU MAY ALSO LIKE Black Hat Europe 2022: Hacking tools showcased at annual security conference

Black Hat Europe redux: The top web hacking talks for 2022

Certain HP Print products and Digital Sending products may be vulnerable to potential remote code execution and buffer overflow with use of Link-Local Multicast Name Resolution or LLMNR.

CVE-2021-3942: Certain HP Print Products, Digital Sending Products - Potential remote code execution and buffer overflow

An Out-of-bounds read vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to disclose sensitive information on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is similar to, but not the same as CVE-2022-44647.

November 21st, 2022

**Trend Micro Apex One Out-Of-Bounds Read Information Disclosure Vulnerability****ZDI-22-1618  
ZDI-CAN-16566**

CVE ID

CVE-2022-44648

CVSS SCORE

4.4, (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Apex One  

VULNERABILITY DETAILS

This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the User Mode Hooking Monitor Engine. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://success.trendmicro.com/solution/000291770  

DISCLOSURE TIMELINE

*   2022-02-16 - Vulnerability reported to vendor
*   2022-11-21 - Coordinated public release of advisory

CREDIT

Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative  

BACK TO ADVISORIES

CVE-2022-44648: ZDI-22-1618

An out-of-bounds access vulnerability in the Unauthorized Change Prevention service of Trend Micro Apex One and Apex One as a Service could allow a local attacker to elevate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

November 21st, 2022

**Trend Micro Apex One Unauthorized Change Prevention Service Out-Of-Bounds Access Local Privilege Escalation Vulnerability****ZDI-22-1619  
ZDI-CAN-17387**

CVE ID

CVE-2022-44649

CVSS SCORE

7.0, (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Apex One  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Unauthorized Change Prevention Service. A crafted request can trigger a write past the end of an allocated data structure. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://success.trendmicro.com/solution/000291770  

DISCLOSURE TIMELINE

*   2022-05-10 - Vulnerability reported to vendor
*   2022-11-21 - Coordinated public release of advisory

CREDIT

Simon Zuckerbraun - Trend Micro Zero Day Initiative  

BACK TO ADVISORIES

CVE-2022-44649: ZDI-22-1619

An Out-of-bounds read vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to disclose sensitive information on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is similar to, but not the same as CVE-2022-44648.

November 21st, 2022

**Trend Micro Apex One Out-Of-Bounds Read Information Disclosure Vulnerability****ZDI-22-1617  
ZDI-CAN-16565**

CVE ID

CVE-2022-44647

CVSS SCORE

4.4, (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Apex One  

VULNERABILITY DETAILS

This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the User Mode Hooking Monitor Engine. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://success.trendmicro.com/solution/000291770  

DISCLOSURE TIMELINE

*   2022-02-16 - Vulnerability reported to vendor
*   2022-11-21 - Coordinated public release of advisory
*   2022-11-21 - Advisory Updated

CREDIT

Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative  

BACK TO ADVISORIES

Tag

#zero_day