By Deeba Ahmed
The vulnerabilities stem from the way Jenkins handles user-supplied data.
This is a post from HackRead.com Read the original post: Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024.

Sonar’s Vulnerability Research Team has discovered security vulnerabilities in Jenkins, an open-source CI/CD software. These vulnerabilities, which the company refers to as ‘Excessive Expansion,’ allow unauthorized attackers to read and execute arbitrary code on the server, potentially escalating privileges to admins.

For your information, Jenkins is a popular automation server used to automate the software development lifecycle, with a market share of 44% in 2023. The potential impact of security vulnerabilities on end-users is, therefore, significant.

Two vulnerabilities were identified in Jenkins software tracked as CVE-2024-23897 and CVE-2024-23898. The first leverages the “expandAtFiles” functionality to allow arbitrary file reading and code execution, and the second allows arbitrary command execution by manipulating users to visit malicious links.

The vulnerabilities stem from the way Jenkins handles user-supplied data. CVE-2024-23897 allows unauthorized adversaries with “overall/read” permission to read arbitrary files on the Jenkins controller file system. However, even without these permissions, they can read the first few lines of files due to the built-in command line interface (CLI) that uses the args4j library to parse command arguments and options on the Jenkins controller.

This allows attackers to expand arguments from a file on the Jenkins instance and potentially leak file contents. The default character encoding allows attackers with Overall/Read permission to read entire files, and those without the permission can read the first few lines. Unfortunately, this feature is enabled by default, and disabling it isn’t an option in Jenkins 2.441 and LTS 2.426.2 or earlier versions.

Unauthenticated attackers can access the system with Read permission if they meet certain conditions, including enabling legacy mode authorization, signup feature, and “Allow anonymous read access” configuration. This allows users to access the basic Jenkins API, object APIs, people directory, and agents, while administrators can access everything on a Jenkins instance. Researchers successfully read files without plugins, but couldn’t identify plugins that can increase line count.

CVE-2024-23898 is a high-severity, cross-site WebSocket hijacking (CSWSH) vulnerability, which allows attackers to execute CLI commands by manipulating victims to click on links. Modern web browsers, like Safari and Firefox, have a “lax by default” policy to protect against a vulnerability but it isn’t strictly enforced.

Due to potential bypass techniques and outdated browsers, this vulnerability is assigned a High severity classification. Browsers don’t enforce SOP and CORS policies on WebSockets, as they work over WS(WebSocket) or WSS(WebSocketSecure) protocols. WebSockets can be used by any website to invoke Jenkins-CLI commands with the victim’s identity, similar to CSRF vulnerabilities without Jenkins-crumb or Origin header check.

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024. The vendor fixed CVE-2024-23897 and CVE-2024-23898 by enabling secure configuration and origin verification for WebSocket endpoints, allowing administrators to override the default behaviour. Developers/users must immediately apply patches released in Jenkins versions 2.442 and LTS 2.426.3.

For insights, we reached out to John Gallagher, Vice President of Viakoo Labs at Viakoo who stated that “The urgency behind users patching their Jenkins servers immediately is driven by POC exploits already being published on GitHub, and the severity level is extremely high.”  

“With this CVE, agile development teams using Jenkins are ideal vehicles for introducing and spreading vulnerabilities; that’s the real risk here.  If successful, threat actors could use this exploit to infect many independent software distributions,” John explained.

“As with many open-source projects, patching is difficult because the size of teams using it tends to be small, their time pressure being agile is great, and there may be a false belief that other layers of security will offer protection. Having an accurate application inventory and automated patching solutions will reduce the time that threat actors can exploit this CVE,” he warned.

1.  **Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks**
2.  **Hackers can hijack your Bosch Thermostat and Install Malware**
3.  **Critical “PixieFail” Flaws Expose Millions of Devices to Cyberattacks**
4.  **TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware**
5.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**

Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

Apple Security Advisory 01-22-2024-7 - macOS Monterey 12.7.3 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-7 macOS Monterey 12.7.3

macOS Monterey 12.7.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214057.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23212: Ye Zhang of Baidu Security

curl  
Available for: macOS Monterey  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl version  
8.4.0.  
CVE-2023-38545  
CVE-2023-38039  
CVE-2023-38546  
CVE-2023-42915

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted image may result in disclosure  
of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Mail Search  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and  
Ian de Marcellus

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

macOS Monterey 12.7.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDnUACgkQX+5d1TXa  
Ivqrqw//QZOnZpH5CnbfH10rxFF0CbZFRcHClM3RutihC4AuO5FedR3EDnUGyp53  
eJADLlNz3dTg15scv6P4AuT+hg8k3OFEPi1f2jVgRxlqsW8a15iIXYGti8y4UVwo  
kQgzfxYv33zuY0yWlIlERIP7imIT0jNgwFKn+Gs2ZaBq1xw52xq3I/jf97txAQHX  
Rpe35hnhYS7eGlB8spErKGBgyTuOf+piL7zccb+G/Hw6Y8AwSLsvXg3lSgZavEWE  
UIBoYGLycszT9U7tybuPUJ83jD0lIqFNhGNzHM6BnajYJ8SVdAXqVfid8Km9ixoi  
Sm73F6ZlCrUSLxihjXz92NQnBXJM2AxVI3Z1QqsqxOTS9yrkHYSgFgqUxxaP7ONt  
voHYw6fuycYca9TbFPmu6aStW1UBNwMLWYgjxbuTqqs+OEI8DKGcHIihGPQ184jW  
VF1bYNK8bvRMM+n/kaIHNo9/AyPnnSjmEOzr946ypg90FvTy3Wu1HhUm1MslzjNC  
LG5j6/hh0H7MXii8o5UL4ayabnPyZbWJrhRntvwx86xTLV9DPwmuwvxeVWm87Wu0  
EYC/XRAbtspHXMn5ItTNgqGbf0lKlrluXrAW79EFQdvPyD/Fzyljb+W9o2w1IA/9  
O8oXMVxqM4W+iRokcDbcbNQI3J2xGaP8FNwG6EEBB+bKkNWZ0m0=  
=zFhG  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-7

Apple Security Advisory 01-22-2024-6 - macOS Ventura 13.6.4 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-6 macOS Ventura 13.6.4

macOS Ventura 13.6.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214058.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23212: Ye Zhang of Baidu Security

Accessibility  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Core Data  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-40528: Kirin (@Pwnrin) of NorthSea

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl version  
8.4.0.  
CVE-2023-38545  
CVE-2023-38039  
CVE-2023-38546  
CVE-2023-42915

Finder  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2024-23224: Brian McNulty

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted image may result in disclosure  
of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

LoginWindow  
Available for: macOS Ventura  
Impact: A local attacker may be able to view the previous logged in  
user’s desktop from the fast user switching screen  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42935

Mail Search  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and  
Ian de Marcellus

NSOpenPanel  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2023-42887: Ron Masas of BreakPoint.sh

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

macOS Ventura 13.6.4 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDk0ACgkQX+5d1TXa  
IvrWTw/8DbDE/5ejAyR2F08VphoiOnJD5URY5WINPWVWps0w9svMI83Ig+MLlbVY  
APek5kQlSVJJoI7RXrSxgRCs3gcWVWVo08iVIM6woBbsd5JPaTYXe9/yUdRzWBX4  
zgOxvCh5wL4czXUV0ym4OMlDE5BZ3N+hEpyAIOJmNV7jkNnMshMWfeN6puFZgwt/  
FYt1BrU+MJ4PRA/A3B01ic3VQFnHifCE1jF/ebfb7DwZafK6EO2Hf91MNgAic5Td  
Q4TvwnHOqAq1N0cZa+SKNsStVx5Yk4J0ovNeecdQA2xNVfnd7jLaU1Y57SHjxNi9  
wbsENC3bTpZed+lMhDiBaRIj//Ej6KMeQKUNbcvPH5HCHP5YN68QFwkoA+QJdX66  
SH7jvDI6xgjlvVoNjqZ6bYHDr+CK5AB7fLDXhEGWBIssjce8AeaNPPA7JHMsVCen  
o7WXri4Bb7W4BwfpicTPlumkF+vva+nKYWvuAfob7v2yayeCa8vPKgrEPHXbCnWa  
8r1lqyQVqKL1wqS5RcpsHZEWrV2HF0hoKam4x3ZmLqNDhnVC0t8IipL0vqN+vzaU  
t26QZrpiW8V7CZRiXeCj5rDhv8Z1w+wEiuGLTqp9Z1JD/mCVy7Tmm2Y6RNYZw+jk  
lwpJpwqOpXbsCdx6kU28V8H1elS5cz3RdGCDex55lOlrMXp+KOs=  
=VoRh  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-6

A list of topics we covered in the week of January 22 to January 28 of 2024

January 25, 2024 - Chinese speaking users looking for Telegram, or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware.

January 25, 2024 - ThreatDown has earned 37/37 awards over nine consecutive quarters.

January 24, 2024 - 2023 was the worst ransomware year on record for Education.

January 24, 2024 - Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

January 24, 2024 - Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

 A week in security (January 22 &#8211; January 28) 

By Deeba Ahmed
Vendors have 90 days to release security patches before Trend Micro publicly discloses it.
This is a post from HackRead.com Read the original post: Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

Pwn2Own Automotive 2024 took place in Tokyo, Japan, from January 24 to 26.

Pwn2Own Automotive 2024, a three-day contest organized by Trend Micro’s Zero Day Initiative, saw competitors earn $1,323,750 for hacking Tesla twice and discovering 49 zero-day bugs in EV systems.

Synacktiv Team won the contest, earning $450,000 in cash for hacking a Tesla car twice, gaining root permissions, and demonstrating a sandbox escape in the Tesla infotainment system. They also demonstrated two-bug chains against Ubiquiti Connect and JuiceBox 40 Smart EV Stations. Second on the list was fuzzware.io for received $177,500. In third place were Midnight Blue/PHP Hooligans with $80,000 in rewards.

Participants earned over $700,000 on the first day, including $60,000 for EV charger hacks and $40,000 for infotainment system and Tesla modem hacks. The second day saw the Automotive Grade Linux exploit earning the biggest reward of $35,000, while EV charger exploits earned teams $30,000. On the third day, researchers received $60,000 for an Emporia EV charger exploit and $30,000 each for other exploits, resulting in payouts ranging from $20,000 to $26,000.

Here, are the prominent happenings and results from all three days of the contest.

On the first day, researchers discovered vulnerabilities in Tesla’s modem, Sony’s infotainment systems, and Alpine’s car audio players, collectively earning $722,500 in awards for identifying three bug collisions and 24 zero-day exploits.

The NCC Group EDG team won $70,000 for exploiting zero-day bugs to hack Pioneer DMH-WT7600NEX and Phoenix Contact CHARX SEC-3100 EV chargers. Sina Kheirkhah, Tobias Scharnowski, and Felix Buchmann attacked ChargePoint Home Flex and Sony XAV-AX5500, earning $60,000 and $40,000, respectively.

Synacktiv Team successfully exploited Tesla Modem and JuiceBox 40 Smart EV charging stations, while the PCAutomotive Team exploited Alpine Halo9 iLX-F509.

On Day 2, Team Tortuga successfully exploited a known bug in a 2-bug chain against the ChargePoint Home Flex, earning $5,000 and 3 Master of Pwn Points. The Midnight Blue / PHP Hooligans team also used a known bug in a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100, earning $30,000 and 6 Master of Pwn Points.

PCAutomotive couldn’t exploit the JuiceBox 40 Smart EV Charging Station whereas Katsuhiko Sato successfully attacked the Sony XAV-AX5500, earning $10,000 and 2 Master of Pwn Points.

Computest Sector 7 successfully targeted the JuiceBox 40 Smart EV Charging Station for a known bug, earning $15,000 and 3 Master of Pwn Points. Sina Kheirkhah failed to exploit the Autel MaxiCharger AC Wallbox Commercial, while Synacktiv and NCC Group EDG successfully exploited the Tesla Infotainment System and Alpine Halo9 iLX-F509, using a 2-bug chain, earning $100,000 and $20,000, respectively.

Synacktiv earned $35,000 and 5 Master of Pwn Points using a 3-bug chain, while Le Tran Hai Tung earned $20,000 and 4 Master of Pwn Points using a 2-bug chain. Sina Kheirkhah and Alex Olson failed to get their exploits working, while fuzzware.io earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow. RET2 Systems also earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow.

Day 3 saw Computest Sector 7 exploiting the ChargePoint Home Flex and earning $30,000 and 6 Master of Pwn Points using a 2-bug chain. Synacktiv successfully exploited the Sony XAV-AX5500, earning $20,000 and 4 Master of Pwn Points. Katsuhiko Sato failed to exploit the Pioneer DMH-WT7600NEX.

Sina Kheirkhah attacked the Ubiquiti Connect EV, earning $30,000 and 6 Master of Pwn Points. fuzzware.io exploited the Phoenix Contact CHARX SEC-3100, earning $22,500 and 4.5 Master of Pwn Points.

Nettitude’s Connor Ford exploited the JuiceBox 40 Smart EV Charging Station, using a stack-based buffer overflow, earning $30,000 and 6 Master of Pwn Points. Team Cluck exploited the Phoenix Contact CHARX SEC-3100, earning $26,250 and 5.25 Master of Pwn Points.

Vendors have 90 days to release security patches before Trend Micro publicly discloses it.

****_RELATED ARTICLES_****

1.  6 of the Best Crypto Bug Bounty Programs
2.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
3.  Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu Pwned

Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

Apple Security Advisory 01-22-2024-3 - iOS 16.7.5 and iPadOS 16.7.5 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-3 iOS 16.7.5 and iPadOS 16.7.5iOS 16.7.5 and iPadOS 16.7.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214063.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccessibilityAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Apple Neural EngineAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23212: Ye Zhang of Baidu SecuritycurlAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Multiple issues in curlDescription: Multiple issues were addressed by updating to curl version8.4.0.CVE-2023-38545CVE-2023-38039CVE-2023-38546CVE-2023-42915ImageIOAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing a maliciously crafted image may result in disclosureof process memoryDescription: The issue was addressed with improved checks.CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero DayInitiativeSafariAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: A user's private browsing activity may be visible in SettingsDescription: A privacy issue was addressed with improved handling ofuser preferences.CVE-2024-23211: Mark BowersWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 266619CVE-2024-23213: Wangtaiyu of Zhongfu infoWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing maliciously crafted web content may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressed withimproved memory handling.WebKit Bugzilla: 265129CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 VulnerabilityResearch InstituteWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: A maliciously crafted webpage may be able to fingerprint theuserDescription: An access issue was addressed with improved accessrestrictions.WebKit Bugzilla: 262699CVE-2024-23206: an anonymous researcherWebKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenexploited.Description: A type confusion issue was addressed with improved checks.WebKit Bugzilla: 267134CVE-2024-23222This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.5 and iPadOS 16.7.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDacACgkQX+5d1TXaIvpgXxAAvQ8KvvppTOQ/4HsWUyKkJyubBU+8sgfM/tKBbk/Lb2ABMGhzb/Ln68Bg2GB23kOI5y0X6Gy9IZqAl8TY71baaxrgZQrz0uXMfdgzA1Gcf3mAP/mGyDYcKy2pBMwnuJQbO0dzZCcm0P069WDBW6jDwBJwzZ3f50LUCH8CgqNgdZ+ey+hMLfDEbamTtySwDXxL3ORgFoDY1X4ysxUlPGRqZhQ0vwWQ0cvcDFJyrP+Xy76V5XhP8/zEiAUmlzf6jVWjJq3DkkTKw1CamM5tvyc5Jm7tagOFZPaLi2k5no8YtjU7kKxXjTpsg+itT0p5yNJeCtKP6fZdRryT+t9tGUk0QjFjin8WUO0otqn3v+MI/ezn4YM8ioCzL5YcN6rvm+9ta4Q5C5h9UoVF1KsM9Zs/e6f8nfF8aWRcrMTCR83TUhBoviSuWyvfxo5iDbNDws+ijuBKqEYHRrBnGMZSyyzFzfl5Nlf9HeEyslpJ0Jt0ta1i9IyYNlDotKo3wDcvDQc3lIM4oeW/A3qt0lDqwfhz1M5Kf6I5LqY6YE5fCGg8YOBqSVtvH39BwDzT2yVmJHeX6CpFEkR4tsGYN4HTKoo50SVQeAtPh4iaG4qLes2T5b/T18hEjaSfVsJOL4vHPIQiU1DqfQa5Fjn/HVUljPZPL5A+OsjYcs8z9nPbySIlWyE==9qeR-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-3

ThreatDown has earned 37/37 awards over nine consecutive quarters.

ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research.

These results mark the ninth time in a row ThreatDown has received all certification awards, and is now officially the only vendor to win every single certification and award from Q3 2021 through Q3 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats in-the-wild, such as stopping zero-day malware, ransomware, and exploits—and doing so with speedy performance and low false positives.

After unveiling their new phishing assessment in Q2 2023, MRG Effitas in Q3 2023 began awarding a full-on 360° Phishing Certification to vendors who could take down phishing threats.

ThreatDown blocked 100% of phishing attempts in the In-the-Wild (ITW) Phishing Test. In other words, ThreatDown is the only vendor to consistently receive all 4 award logos and block 100% of phishing attempts.

How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of ThreatDown EP allowed it to detect and autoblock more malware than any other competitor on the Q3 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.

As an integral foundation layer for ThreatDown Bundles, these results prove that ThreatDown provides reliable and comprehensive protection against a wide range of threats.

Let’s dive into where we prevented more than the rest and how we were able to do it.

**100% of phishing attempts blocked **

Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.

According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.

**ThreatDown blocked 100% of phishing attempts in the ITW Phishing Test and was only one of two vendors to score 80% or above in the Phishing Simulator Test.**

How we were able to do it: ThreatDown EP, the foundation for ThreatDown Bundles, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.

**100% of ransomware blocked **

Using a blend of signature and signature-less technologies, the anti-ransomware layer of ThreatDown EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products against 65 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running ThreatDown EP also ran three benign programs designed to mimic ransomware behavior.

ThreatDown blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.

**100% of banking malware blocked **

In 2021, 37% of banking malware attacks targeted corporate users. 

We were one of the few vendors who earned a 360° Online Banking Certification, which means ThreatDown EP stopped 100% of threats designed to steal financial information and money from victim’s accounts. To outperform the others, our unique detection technology again came into play.

ThreatDown EP blocked 100% of the 16 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.

**100% of zero-day threats blocked **

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.  

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled ThreatDown EP to detect and block 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

**100% of exploits blocked **

The anti-exploit feature of ThreatDown EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.  

But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running ThreatDown EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.  

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode. 

**Consistency is key **

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, ThreatDown EP, and by extension our ThreatDown Bundles, is that solution.

For organizations that are concerned their current solution may not be up-to-par, the MRG Effitas assessment has demonstrated that ThreatDown—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.

 Malwarebytes wins every MRG Effitas award for 2 years in a row 

The NCSC issued a report that warns about the growth and impact of malware, especially ransomware, due to the availability of AI.

The British National Cyber Security Centre (NCSC) says it expects Artificial Intelligence (AI) to heighten the global ransomware threat.

In a report, the NCSC makes the assessment that AI will almost certainly increase the volume and heighten the impact of cyberattacks over the next two years. We’re already seeing that cybercriminals of all trades are using AI in the initial stages of attacks to increase their effectiveness. The NCSC confirmed, saying:

> “All types of cyber threat actor – state and non-state, skilled and less skilled – are already using AI, to varying degrees.”

The NCSC expects the volume and the impact of cyberattacks to grow over the next two years.

The volume is expected to grow because AI lowers the barrier for entry-level cybercriminals to carry out effective access and information gathering operations.

The impact is expected to grow for several reasons:

*   AI already helps cybercriminals to compose more effective phishing emails.
*   AI will help to improve existing tactics, techniques, and procedures (TTPs).
*   Reconnaissance and social engineering are specific fields where AI can be deployed.
*   Stolen data can be analyzed by AI-driven tools and used for even more effective attacks.
*   More advanced threat actors, like state sponsored groups will be on the forefront of more sophisticated methods to utilize AI and others will follow.

Generative AI (GenAI) can already be used to create and entertain a convincing interaction with victims, including the creation of lure documents, without the translation, spelling, and grammatical errors that used to reveal phishing.

The NCSC expects that by 2025, GenAI and large language models (LLMs) will make it difficult for everyone, regardless of their cybersecurity posture, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing, or other social engineering attempts.

Currently only state sponsored groups, professional spyware vendors, and the large criminal operations have access to, and know how to use advanced AI tools to increase the effectivity of their attacks. But that availability will undoubtedly grow.

In how far new moves on the front of a United Nations Cybercrime Treaty will have a short-term effect on the behavior of state-sponsored groups is very hard to predict. I’m inclined to say that international legislation has never stopped any hacktivist before, they were just more careful about revealing their location and their principals.

Professional spyware vendors have deep enough pockets to invest in new tools, training, and development. We can expect them to use AI to find new zero-day vulnerabilities and new exploits for largely unpatched vulnerabilities.

As we at Malwarebytes Labs have tested ourselves, ChatGPT can be used to write ransomware. While this may draw new players to the field, they are not expected to have an immediate impact on the threat level. But the NCSC does expect AI to play a larger role in the near future when it comes to the development of malware and exploits.

Since ransomware is the most profitable form of malware at the moment, and this is expected to stay that way, this threat is likely to see the largest increase in volume. Which means that for the visible part of cybercrime, the landscape is not likely to change dramatically. The numbers may increase and the sophistication of the attacks is likely to grow, but the type of malware is probably the same.

To sum up the conclusion of the report, NCSC chief executive Lindy Cameron said:

> “The emergent use of AI in cyberattacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.”

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 AI likely to boost ransomware, warns government body 

By Deeba Ahmed
Bug Bounty Bonanza: Hackers Rake in Big Bucks as Connected Cars Show Security Cracks.
This is a post from HackRead.com Read the original post: Pwn2Own Automotive: Tesla, Sony, Alpine Players Breached on Day One

Pwn2Own Automotive 2024 takes place in Tokyo, Japan, from January 24 to 26.

The Pwn2Own Automotive 2024 hacking contest, taking place in Tokyo, Japan from January 24 to January 26, focuses on loopholes in automotive technologies. Tesla is the contest’s sponsor with VicOne and Trend Micro’s Zero Day Initiative as co-hosts.

During the context, they will demonstrate zero-day exploits targeting Model 3/Y or Model S/X systems, including the infotainment, modem, tuner, wireless, and autopilot systems. The top prize for zero-day exploits will be $200,000 and a Tesla car.

On its first day, many vulnerabilities were highlighted, including weaknesses in Tesla’s modem, Sony’s infotainment systems, and Alpine’s car audio players, raising concerns about the security of connected vehicles.

Security researchers hacked multiple fully patched EV charging stations and infotainment systems. The NCC Group EDG team won $70,000 for hacking the Pioneer DMH-WT7600NEX infotainment system and the Phoenix Contact CHARX SEC-3100 EV charger exploiting zero days.  

Sina Kheirkhah successfully attacked ChargePoint Home Flex, earning $60,000 and six Master of Pwn Points. Tobias Scharnowski and Felix Buchmann attacked Sony XAV-AX5500 for $40,000 and four Master of Pwn Points. Gary Li Wang exploited the Sony XAV-AX5500 using a stack-based buffer overflow.

Security researchers successfully hacked a Tesla Modem and earned $722,500 in total in awards for identifying three bug collisions and 24 unique zero-day exploits. Synacktiv Team completed a 3-bug chain against Tesla Modem and JuiceBox 40 Smart EV Charging Station, earning $100,000 and $60,000 along with 10 and 6 Master of Pwn Points, respectively.

This means, the team chained three zero-day bugs to gain root permissions on a Tesla Modem. The Synacktiv Team also successfully attacked the Ubiquiti Connect EV Station, earning six Master of Pwn Points and $60,000.

A third exploit chain targeted the ChargePoint Home Flex EV charger, which earned security researchers $16,000 in cash and $295,000 in prizes.

The PCAutomotive Team successfully targeted the Alpine Halo9 iLX-F509 using a UAF exploit, earning $40,000 and 4 Master of Pwn Points. They discovered a vulnerability in Alpine’s car audio player, allowing arbitrary code execution. This could potentially give attackers control over the audio system, allowing them to play loud noises or inject malicious code into other connected systems.

RET2 Systems also achieved 6 Master of Pwn Points and $60,000 for exploiting a 2-bug chain against the Phoenix Contact CHARX SEC-3100. The PHP Hooligans / Midnight Blue team successfully targeted a Sony XAV-AX5500, earning $20,000.

For additional insights on Pwn2Own Automotive’s day 1 results, check out Zero Day Initiative’s blog.

The Pwn2Own exploits highlight the growing vulnerability of cars to cyberattacks due to the increasing integration of technology in vehicles. While researchers disclose their findings to help manufacturers fix vulnerabilities, car owners must remain vigilant.

****_RELATED ARTICLES_****

1.  6 of the Best Crypto Bug Bounty Programs
2.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
3.  Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu Pwned

Pwn2Own Automotive: Tesla, Sony, Alpine Players Breached on Day One

Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Apple has released new security updates for several products, including a patch for a zero-day vulnerability that could impact iPhones, iPad, Macs, and Apple TVs.

Apple says it’s aware of a report that the bug may have been exploited already. Further details about the nature of the vulnerability were not disclosed to give users enough time to install the updates.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check you’re on the latest version.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Updates are available for:

Safari 17.3

macOS Monterey and macOS Ventura

iOS 17.3 and iPadOS 17.3

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

iOS 15.8.1 and iPadOS 15.8.1

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Sonoma 14.3

macOS Sonoma

macOS Ventura 13.6.4

macOS Ventura

macOS Monterey 12.7.3

macOS Monterey

watchOS 10.3

Apple Watch Series 4 and later

tvOS 17.3

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The zero-day vulnerability is listed as CVE-2024-23222: a type confusion issue in WebKit that was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Type confusion can occur in interpreted languages such as JavaScript and PHP, which use dynamic typing. In dynamic typing, the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language. A type confusion vulnerability means an attacker has the opportunity to change the type of a given variable in order to trigger unintended behavior.

Several other vulnerabilities in WebKit, which is the browser engine that powers Safari and other apps, were patched as well.

**CISA**

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by February 13, 2024 in order to protect their devices against active threats.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#zero_day