IT NEWS

Microsoft AI researchers accidentally exposed terabytes of sensitive data

Warnings about including credentials, keys, and tokens when sharing code on publicly accessible repositories shouldn’t be necessary. It should speak for itself that you don’t just hand over the keys to your data. But what if a misconfiguration ends in a supposed internal storage account becoming suddenly accessible to everyone?

That’s how Microsoft managed to leak access to 38 terabytes of data.

Wiz Research found that Microsoft’s AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data — including a disk backup of two employees’ workstations. The backups contained sensitive data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

An Azure feature called Shared Access Signature (SAS) tokens, which allows users to share data from Azure Storage accounts, was the source of the problem.

A SAS token can be used to restrict:

  • What resources a client can access
  • What operations a client can perform (read, write, list, delete)
  • What network a client can access from (HTTPS, IP address)
  • How long a client has access (start time, end time)

Blob storage is a type of cloud storage for unstructured data. A “blob,” which is short for Binary Large Object, is a mass of data in binary form. Azure Storage SAS tokens are essentially strings that allow access to Azure Storage services in a secure manner. They are a type of URI (Uniform Resource Identifier) that offer specific access rights to specified Azure Storage resources, like a blob, or a whole range of blobs.

A Microsoft employee shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly permissive SAS token for an internal storage account.

The URL allowed access to more than just the open-source models. It was configured to grant permissions on the entire storage account, thus exposing the additional sensitive data by mistake.

But exposing sensitive data is not even the worst that could have happened, Wiz explains.

“An attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it.”

After Wiz shared its findings with Microsoft on June 22, 2023, Microsoft revoked the SAS token two days later.

Microsoft stated that:

“The information that was exposed consisted of information unique to two former Microsoft employees and these former employees’ workstations. No customer data was exposed, and no other Microsoft services were put at risk because of this issue. Customers do not need to take any additional action to remain secure.”

Microsoft also said that, as a result of Wiz’s research, it has expanded GitHub’s secret scanning service, which monitors all public open-source code changes for plaintext exposure of credentials and other secrets, to include any SAS token that may have overly permissive expirations or privileges.

Best practices for SAS tokens

Allowing others to learn from their mistakes, Microsoft shared some tips on working with SAS URLs.

  • Apply the principle of least privilege: Scope SAS URLs to the smallest set of resources required by clients (e.g. a single blob), and limit permissions to only those needed by the application (e.g. read-only, write-only).
  • Use short-lived SAS: Always use a near-term expiration time when creating a SAS, and have clients request new SAS URLs when needed. Azure Storage recommends one hour or less for all SAS URLs.
  • Handle SAS tokens carefully: SAS URLs grant access to your data and should be treated as an application secret. Only expose SAS URLs to clients who need access to a storage account.
  • Have a revocation plan: Associate SAS tokens with a stored access policy for fine-grained revocation of a SAS within a container. Be ready to remove the stored access policy or rotate storage account keys if a SAS or shared key is leaked.
  • Monitor and audit your application: Track how requests to your storage account are authorized by enabling Azure Monitor and Azure Storage Logs. Use a SAS Expiration Policy to detect clients using long-lived SAS URLs.

Wiz advises against the external usage of SAS tokens.

“[SAS] tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal. In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”
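The Microsoft tips above (least privilege, short lifetime, stored access policy, monitoring) and Wiz’s advice against account SAS tokens can be turned into a check that a repository or CI pipeline runs over text before it is published, in the spirit of the expanded GitHub secret scanning described earlier. The following Python is an added example, not code from Microsoft, Wiz, GitHub or Malwarebytes. It relies only on the documented SAS query parameters (`ss`, `srt`, `sr`, `sp`, `st`, `se`, `spr`, `si`, `sig`); the sample README text, the storage account name `example-acct`, the signature values and the reference time are all constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)   # the Azure Storage guidance quoted in the article
READ_ONLY = {"r", "l"}              # read and list; any other permission letter can change data
# Matches a URL carrying a SAS signature (sig=...) anywhere in a block of text.
SAS_URL = re.compile(r"https?://[^\s\"'<>()]+\?[^\s\"'<>()]*\bsig=[^\s\"'<>()]+")
NOW = datetime(2023, 9, 18, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def _parse_time(value: str) -> datetime:
    """SAS start/expiry values are ISO 8601, either date-only or with a trailing Z."""
    if len(value) == 10:
        return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_sas(url: str, now: datetime) -> List[str]:
    """Return the list of policy findings for one SAS URL (empty list = compliant)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings: List[str] = []
    # Account SAS (ss/srt present) cannot be tied to a stored access policy and is
    # the kind Wiz advises against for external sharing; service SAS uses sr.
    if "srt" in q or "ss" in q:
        findings.append("account-sas")
        if set(q.get("srt", "")) & {"s", "c"}:
            findings.append("account-scope")      # service- or container-level rights
    elif q.get("sr") in {"c", "d"}:
        findings.append("container-scope")        # wider than a single blob
    if set(q.get("sp", "")) - READ_ONLY:
        findings.append("write-perms")            # write/delete/add/create/update/...
    if "se" not in q:
        findings.append("no-expiry")
    else:
        start = _parse_time(q["st"]) if "st" in q else now
        if _parse_time(q["se"]) - start > MAX_LIFETIME:
            findings.append("long-lived")
    if q.get("spr") != "https":
        findings.append("http-allowed")           # an omitted spr permits plain HTTP
    if "sr" in q and "si" not in q:
        findings.append("no-stored-policy")       # no fine-grained revocation handle
    return findings


def scan_text(text: str, now: datetime) -> Dict[str, List[str]]:
    """Find every SAS URL in a blob of text (README, notebook, CI log) and audit it."""
    return {m.group(0): audit_sas(m.group(0), now) for m in SAS_URL.finditer(text)}


# Constructed sample: an account-wide, long-lived token next to a compliant one.
SAMPLE_README = """
# Model weights (constructed sample, not the real repository)
Download everything with:
https://example-acct.blob.core.windows.net/?sv=2021-08-06&ss=b&srt=sco&sp=rwdlacup&se=2099-12-31T00:00:00Z&sig=CONSTRUCTED_SIGNATURE_1
Single file, read-only, 30-minute link:
https://example-acct.blob.core.windows.net/models/weights.bin?sv=2021-08-06&sr=b&sp=r&st=2023-09-18T12:00:00Z&se=2023-09-18T12:30:00Z&spr=https&sig=CONSTRUCTED_SIGNATURE_2
"""


def run_sample() -> Dict[str, List[str]]:
    return scan_text(SAMPLE_README, NOW)


if __name__ == "__main__":
    for url, findings in run_sample().items():
        print(urlsplit(url).path or "/", "->", ", ".join(findings) or "ok")
```

Run as a pre-commit hook or CI step, the first URL is reported as `account-sas, account-scope, write-perms, long-lived, http-allowed`, which is exactly the combination the article describes, while the second only lacks a stored access policy. The one-hour threshold is the figure quoted from Azure Storage; tighten or loosen it to match your own policy.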


We don’t just report on cloud security.

Cybersecurity risks should never spread beyond a headline. Detect sophisticated threats across Box and other vendors’ cloud repositories by using Malwarebytes Cloud Storage Scanning.

Ransomware group steps up, issues statement over MGM Resorts compromise

The recent attack on MGM Resorts generated lots of speculation with regard to what the cause was. Some folks claimed the culprit was ransomware. Well, confirmation is now forthcoming as an affiliate of the BlackCat/ALPHV ransomware group is said to be the one responsible for the attack and subsequent outage.

The statement is quite long, takes a few digs at MGM Resorts, and seeks to correct what the group feels to be inaccurate statements made by security vendors and others with regard to the attack.

MGM Resorts statement

It begins:

Statement on MGM Resorts International: Setting the record straight

9/14/2023, 7:46:49 PM

We have made multiple attempts to reach out to MGM Resorts International, “MGM”. As reported, MGM shutdown computers inside their network as a response to us. We intend to set the record straight.

No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams. 

MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan. 

On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to “take offline” seemingly important components of their infrastructure on Sunday.

As with so many break ins, this begins with a social engineering attack. There have been claims on social media that this was done by finding an employee on LinkedIn, and calling the helpdesk for what would presumably be a password reset attempt. However, the statement is quite light with regard to the specifics:

We are unable to reveal if PII information has been exfiltrated at this time. If we are unable to reach an agreement with MGM and we are able to establish that there is PII information contained in the exfiltrated data, we will take the first steps of notifying Troy Hunt from HaveIBeenPwned.com. He is free to disclose it in a responsible manner if he so chooses.

The rumors about teenagers from the US and UK breaking into this organization are still just that—rumors. We are waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing solid evidence to support it. Starting to the actors’ identities as they are so well-versed in them.

There are also claims that the attackers still have access to the MGM Resorts network, despite the shutdown and clean up operation taking place:

The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets made the decision to falsely claim that we had claimed responsibility for the attack before we had.

We still continue to have access to some of MGM’s infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us.

We’ve written about BlackCat/ALPHV many times on the Malwarebytes Labs Blog. Their range is large, with high-publicity takedowns ranging from major cosmetics firms and leaked hospital photographs to point of sale outages and video game publishers.

In this specific case, Bleeping Computer describes the alleged group behind the chaos as “Scattered Spider”. This particular group has a fondness for social engineering tactics used to slip into corporate networks. They don’t just use password reset impersonation, but also phishing, SIM swapping (hijacking someone’s mobile number), and even MFA fatigue where your mission is to annoy an employee with so many alerts that they eventually say “yes”.

An interesting development, then. Even so, with so much speculation and claim/counterclaim flying around it’s probably best to keep an open mind on these latest developments. The truth will out one way or another, but the biggest concern has to remain potential data theft and leakage of those making use of MGM Resort facilities.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


ThemeBleed exploit is another reason to patch Windows quickly

Included in the September 2023 Patch Tuesday updates was a fix for a vulnerability which has been dubbed ThemeBleed. A Proof-of-Concept (PoC) exploit has been released by Gabe Kirkpatrick, one of the researchers acknowledged for reporting the vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The ThemeBleed vulnerability was listed as CVE-2023-38146: a Windows Themes Remote Code Execution (RCE) vulnerability.

Microsoft assigned a CVSS score of 8.8 (out of 10) and gave it a severity rating “Important”, saying:

“An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.”

A .theme file is a configuration (.ini) text file that is divided into sections, which specify visual elements that appear on a Windows desktop. Section names are wrapped in brackets ([]) inside the .ini file. A .theme file enables you to change the appearance of certain desktop elements.

A related file format, .themepack, was introduced with Windows 7 to help users share themes. A .themepack must include your .theme file, as well as the background picture, screen saver, and icons files.

Themes can be selected in the Personalization Control Panel only in Windows 7 Home Premium or higher, or on Windows Server 2008 R2 when the Desktop component is installed.

The ThemeBleed exploit is based on a race condition that can be triggered by opening a specially crafted .theme file. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended.

A .theme file contains references to .msstyles files, which should contain no code, only the graphical resources used by the theme. When the .theme file is opened, the .msstyles file it references is loaded as well.

The researcher found that invoking a check of the theme version calls the ReviseVersionIfNecessary function, which does not safely load the signed DLL (_vrf.dll): the file is closed after its signature is verified and then re-opened by the LoadLibrary call that loads it. During that interval the file could be replaced with a malicious version.
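The defect described above is a time-of-check to time-of-use race: the signature is checked on one file handle, that handle is closed, and the library is then loaded through a fresh lookup of the same path. The Python below is an added example, not the researcher’s proof-of-concept or any Microsoft code, and it contains no Windows theme or DLL logic; it shows the two loader patterns side by side on an ordinary file, with a SHA-256 digest standing in for the Authenticode check and a rename over the path standing in for the replacement that happens in the window. The file name `_vrf.dll`, the payload bytes and the simulated window are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Callable, Optional

# Constructed payloads: the bytes a loader expects to find, and the bytes that
# are swapped in during the race window.
TRUSTED = b"trusted payload"
SWAPPED = b"swapped payload"


def digest(data: bytes) -> str:
    """Hypothetical stand-in for the signature check on _vrf.dll."""
    return hashlib.sha256(data).hexdigest()


def read_all(fd: int) -> bytes:
    """Read a whole file through an already-open descriptor."""
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def load_verify_then_reopen(path: str, expected: str,
                            window: Callable[[str], None]) -> Optional[bytes]:
    """The pattern the article describes: verify by path, close, reopen by path."""
    fd = os.open(path, os.O_RDONLY)
    try:
        verified = digest(read_all(fd)) == expected
    finally:
        os.close(fd)                      # handle released: the check is now stale
    if not verified:
        return None
    window(path)                          # anything can happen to the name here
    fd = os.open(path, os.O_RDONLY)       # second lookup may resolve to a different file
    try:
        return read_all(fd)
    finally:
        os.close(fd)


def load_verify_on_handle(path: str, expected: str,
                          window: Callable[[str], None]) -> Optional[bytes]:
    """Hardened pattern: open once; verify and use through the same descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if digest(read_all(fd)) != expected:
            return None
        window(path)                      # a rename over the name cannot change what fd refers to
        return read_all(fd)
    finally:
        os.close(fd)


def swap_via_rename(path: str) -> None:
    """Simulated race window: atomically replace the file behind the name."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(SWAPPED)
    os.replace(tmp, path)


def demo(hardened: bool) -> str:
    """Return which payload the loader ended up using: 'trusted', 'swapped' or 'rejected'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "_vrf.dll")     # name only; the bytes are constructed
        with open(path, "wb") as f:
            f.write(TRUSTED)
        loader = load_verify_on_handle if hardened else load_verify_then_reopen
        data = loader(path, digest(TRUSTED), swap_via_rename)
    if data == TRUSTED:
        return "trusted"
    if data == SWAPPED:
        return "swapped"
    return "rejected"


if __name__ == "__main__":
    print("verify, close, reopen:", demo(False))
    print("verify on open handle:", demo(True))
```

The first loader passes its check and then uses the swapped bytes; the second keeps the verified descriptor and is unaffected by the rename. The rename semantics here are POSIX; on Windows an open handle without a write-sharing mode makes the replacement itself fail, which is the same property expressed differently. Holding the handle does not help if the file can be modified in place, so the simplest robust form is to verify exactly the bytes (or the mapped image) that will be used.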

Another problem lies in the fact that if a user were to download a theme from the web, this triggers the ‘mark-of-the-web’ (MOTW) warning. MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to preventing certain types of files from running. However, this could be bypassed if the attacker wrapped the theme into a .themepack file. When using the .themepack file, the contained .theme opens automatically without serving the MOTW warning.

While Microsoft’s fix has removed the functionality that triggers the theme version check to avoid the race condition, it has not fixed the more fundamental problem in the verification procedure of .msstyles files. Nor has it added MOTW warnings to .themepack files.

The researcher notes that the vulnerability appears to be only present in Windows 11.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Malwarebytes named leader across six endpoint security categories, marking its ease of use, in G2 Fall 2023 results

The peer-to-peer review source G2 has released their Fall 2023 reports, ranking Malwarebytes as a leader across a number of endpoint protection categories. In the most recent results, Malwarebytes is the only vendor to earn the “Easiest to Use” and “Easiest Admin” recognition for its Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR). 

Based on verified customer reviews, Malwarebytes has been ranked #1 over top EDR vendors for endpoint malware and antivirus protection, detection and remediation of web-based threats, product usability, and more. These results continue Malwarebytes’ top ranking by G2, reinforcing Malwarebytes’ leadership in the endpoint security platform market.  

Badges are awarded to products that receive the highest overall ratings among certain categories including most satisfied customers. For example, the Best Usability badge goes to the single product with the highest overall usability score. Also of note is G2’s “Grid” reports, which represent which vendors have the most satisfied customers, largest presence in the market, and other factors. 

How did Malwarebytes perform in G2 Fall 2023?

Malwarebytes EDR is a Leader in the “EDR Grid” overall, and for mid-market.  

  • Real users ranked Malwarebytes as the most usable EDR solution (#1 in the Mid-market usability Grid)
  • Badges: Easiest to Use, Best Usability, Easiest Admin 

In the Endpoint Protection Suites category, Malwarebytes is a Leader in overall and mid-market Grid reports. 

  • #1 overall Usability index, underscoring Malwarebytes’ commitment to building effective solutions that are easy to deploy, use, and manage 
  • Badges: Most Implementable, Easiest Setup, Best Results, Easiest to Use, Easiest Admin, Best Usability 

In the Managed Detection and Response (MDR) category:  

The Malwarebytes MDR solution provides 24×7 threat monitoring and investigations without the expense of building and running a SOC in-house.  

  • Real users awarded Malwarebytes MDR with the Best ROI, Easiest to Use, and Easiest Admin badges 

EDR that’s Easy to Use 

Feedback from real users placed Malwarebytes EDR as the most user-friendly EDR solution available in the Mid-market Usability Index, with a Usability Score that surpasses the average across all vendors by almost 10 percent. 

“If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”

Mauro B. 

“Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.”

Verified User 

“Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.”

Doug C. 

#1 Endpoint Protection that’s Easy to Use and Effective  

Malwarebytes Endpoint Protection proudly holds the #1 spot in the overall Usability index. Our Ease of Use, Ease of Admin, and Meets Requirements subscores for this category outpace the industry average by multiple percentage points. 

“The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.”

Justin N. 

“Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so it’s win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.”

John K. 

MDR with the Best ROI  

Malwarebytes MDR placed on 12 G2 Fall 2023 reports, winning badges for “Easiest to do Business With”, “Best Est. ROI”, “Easiest to Use”, and “Easiest Admin”.

“Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.”

“We wanted to extend our SOC team with MDR services, and that has always been our vision with Malwarebytes since we look at the company as a partner, rather than a vendor. Malwarebytes MDR enables us to meet the need for 24 x7 coverage with professional security experts who work in the industry every day.”

Matthew Verniere, Richards Building Supply

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.”

Dennis Davis, IT Systems Manager, Drummond

Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense 

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation. 

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions. 


Malwarebytes EDR and MDR are recognized as leaders in endpoint security by real, reputable customers. Want to learn more about how we can help protect your business? Get a free trial below.


A week in security (September 11 – September 17)

Last week on Malwarebytes Labs:

Stay safe!

Europol lifts the lid on cybercrime tactics

The European Union Agency for Law Enforcement Cooperation (Europol), has published a report that examines developments in cyberattacks, discussing new methodologies and threats observed by Europol’s operational analysts. The report also discusses the criminal organizations behind cyberattacks and the influence of geopolitical events.

The report follows the Internet Organized Crime Assessment (IOCTA), Europol’s assessment of the cybercrime landscape and how it has changed over the last 24 months.

When it comes to the most deployed tactics, the report holds no big surprises.

“Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing and Virtual Private Network (VPN) vulnerability exploitation are the most common intrusion tactics used by cybercriminals. Legitimate software and tools built into operating systems are then misused to establish persistence and traverse their victims’ networks.”

Cybercriminals usually gain initial access through compromised user credentials or by exploiting vulnerabilities in the targeted infrastructure.

Ransomware is named as the most prominent threat, with a broad reach and a significant financial impact on industry. This is in contrast to an FBI report that stated more money is lost to investment fraud than to ransomware and business email compromise (BEC) combined. But if we look at news coverage, then ransomware is certainly the most prominent one. And we have seen that both the number of ransomware attacks and the size of the ransom demands have gone up.

Affiliate programs remain the most observed form of organization for ransomware groups. The most common service providers for ransomware groups include initial access brokers (IABs), crypter developers, droppers-as-a-service, money laundering, and bullet-proof hosting services.

These groups work closely with other malware-as-a-service groups to compromise high-revenue targets and post huge ransom demands, running into millions of euros. IABs will typically sell the access they have gained to other criminals, who could be inside or outside of the same criminal organization. Compromised organizations can be exposed to several simultaneous or consecutive cyberattacks because the IABs usually do not offer exclusivity of their assets to the buyers.

Another trend flagged in the Europol report is that most ransomware groups are still using the multi-layered extortion method, with indications that the theft of sensitive information might become the core threat. The information theft is also seen to be feeding an ecosystem of criminals dealing in and making use of personal and financial information.

The Russian conflict with Ukraine led to a significant boost in Distributed Denial of Service (DDoS) attacks against EU targets. The most noticeable DDoS attacks were politically motivated and coordinated by pro-Russian hacker groups. Together with Russia’s internal politics, it has uprooted cybercriminals, pushing them to move to other jurisdictions.

Confirming several observations made by researchers, Europol points out that criminals have shifted away from malicious macros in favor of container files after Microsoft blocked macros delivered over the Internet in its applications. Criminals are using SEO techniques and search-engine advertising tools to lure potential victims to web pages masquerading as download sites for popular software programs, which actually deliver malware to the victim’s system.

Other notable facts:

  • Mobile malware campaigns are less prolific after the takedown of Flubot.
  • Cyberattacks are becoming more targeted and continue causing disruptions in all sectors.
  • Crypters have become a key component in malware development operations.
  • Microsoft Exchange Server vulnerabilities are another common intrusion tactic.
  • Ransomware groups sometimes rent separate servers for victim data exfiltration, but are increasingly moving toward using legitimate cloud storage providers.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Watch out, this LastPass email with “Important information about your account” is a phish

The consequences of last year’s LastPass breach continue to be felt, with the latest insult to users coming in the form of a highly convincing phishing email.

Although the “unauthorized party” that compromised LastPass users’ data was able to steal password vaults, it’s likely that they are having a hard time cracking them open. LastPass’s own assessment was that “it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.”

Brute force guessing techniques may be successful for some weak passwords, but it’s an approach that quickly runs out of steam. The frequency with which passwords are uncovered diminishes exponentially, and the cost per password increases in the same way. So while some passwords will be so strong they are effectively uncrackable, many weaker ones are likely to be safe simply because they’re too costly to uncover.

However, there is another, far easier way for criminals to get at LastPass users’ passwords, without cracking them: They can simply ask.

They can do this because, alongside the password vaults that were stolen, criminals also made off with customers’ email addresses, as well as “basic customer account information”, company names, end-user names, billing addresses, telephone numbers, and IP addresses.

Armed with this data, attackers can send targeted phishing emails that attempt to steal the passwords needed to unlock the stolen password vaults.

The LastPass phishing email we received was convincing, familiar, and executed with high production values. However, as convincing as it was, the email could not avoid the two red flags that allow anyone to spot almost any scam: A demand for personal information and an attempt to hurry the victim.

The email lure tells users to verify their personal data or face deactivation of “certain features” on 26 September.

LastPass phishing email

The full email reads:

Verification of your personal data

Warning: Some of your contact information is out of date, it must be verified in order to maintain full access to your LastPass account.

LastPass is based on two fundamentaI principIes: the security and confidentiaIity of your personaI data. For us, data security is paramount. LastPass takes payment security and the trust our customers pIace in us very seriousIy. When you use LastPass , we make every effort to protect your personaI information and that reIated to your payments.

To avoid the deactivation of certain features of your LastPass account, log in before September 26, 2023 to confirm your account information.

Although we spotted quickly that the “From” address of the email was registered in Thailand and didn’t appear to be related to LastPass, we suspect many won’t. Unfortunately, the old advice to watch out for strange addresses, complicated URLs, and to not click on links is being undermined by a vast army of legitimate companies using mailing systems that do all three.

The email’s ‘Confirm my information’ link uses a complicated URL format that likely contains a unique ID, which redirects to the phishing site itself. Like the email, the site is an almost pixel-perfect copy of the real thing. (The only giveaways in the design were ‘Create an account’ and ‘Forgot password’ buttons that don’t do anything.)

Again, while some users might be put off by the Slovakian domain name, it looks neat enough and somewhat official.

LastPass phishing page asks for username and password

Filling in the username and password causes the page to reload, this time with a request for a two-factor authentication (2FA) code—allowing us to remind you once again that while code-based 2FA is a solid defence against all kinds of password attacks, it is no defence against phishing. (For that you need 2FA based on FIDO2, such as hardware keys.)

LastPass phishing page asks for username, password, and 2FA code

Having fed the criminals some useless information, we checked the site’s Slovakian domain name and discovered that it had been created just a few days before on September 2, 2023, via the Russian registrar webnames.ru—a veritable bunting of fluttering red flags.

Whois record for the LastPass phishing site showing the domain was created 2023-09-02

Thankfully, while this phish was convincing and difficult to spot, our standard phishing advice still applies, and would have kept you safe:

  • Block known bad websites. Malwarebytes DNS filtering blocks malicious websites used for phishing attacks, as well as websites used to spread or control malware.
  • Don’t take things at face value. Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Take action. If you receive a phishing attempt at work, report it to your IT or security team. If you fall for a phish, make your data useless: If you entered a password, change it, if you entered credit card details, cancel the card.
  • Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
  • Use a FIDO2 2FA device. Some forms of 2FA can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
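The red flags the article walks through (a sender domain unrelated to the brand, links to a domain the brand does not own, urgency, and a domain registered days earlier) can be scored mechanically before a message reaches a user, and the quoted lure carries one more tell worth catching: capital “I” substituted for lowercase “l” in words like “principIes”, a trick used to slip past word filters. The Python below is an added example, not Malwarebytes code or any mail gateway’s logic. The sender address, link host and 30-day “new domain” threshold are constructed assumptions; the body text and the September 2, 2023 creation date are taken from the article, and `lastpass.com` is used as the brand’s legitimate domain.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# A capital I wedged inside an otherwise lowercase word ("principIes") is the
# letter substitution seen in the quoted lure; English words do not do that.
MID_WORD_CAPITAL_I = re.compile(r"\b[a-z]+I[a-z]*\b")
# Pressure language: a dated deadline, deactivation/suspension threats, short windows.
URGENCY = re.compile(r"\b(deactivat\w*|suspend\w*|before \w+ \d{1,2}\b|within \d+ (?:hours|days))", re.I)
NEW_DOMAIN = timedelta(days=30)          # threshold is an assumption, not from the article


def same_org(host: str, brand_domain: str) -> bool:
    """True when host is the brand domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def triage(from_addr: str, body: str, links: List[str], brand_domain: str,
           now: datetime, link_domain_created: Optional[datetime] = None) -> List[str]:
    """Return the red flags found in one message (empty list = nothing suspicious)."""
    findings: List[str] = []
    sender_host = from_addr.rsplit("@", 1)[-1]
    if not same_org(sender_host, brand_domain):
        findings.append("sender-domain-mismatch")
    for link in links:
        host = urlsplit(link).hostname or ""
        if not same_org(host, brand_domain):
            findings.append("link-domain-mismatch:" + host)
    if MID_WORD_CAPITAL_I.search(body):
        findings.append("letter-substitution")
    if URGENCY.search(body):
        findings.append("urgency")
    if link_domain_created is not None and now - link_domain_created < NEW_DOMAIN:
        findings.append("recently-registered-domain")
    return findings


# Constructed sample message modelled on the lure quoted in the article.
NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)
SAMPLE_FROM = "notice@mailer.example"                 # constructed; real sender not given
SAMPLE_LINKS = ["https://verify.phish-site.example/confirm?id=CONSTRUCTED_ID"]
SAMPLE_CREATED = datetime(2023, 9, 2, tzinfo=timezone.utc)   # creation date reported by the article
SAMPLE_BODY = (
    "Warning: Some of your contact information is out of date, it must be verified "
    "in order to maintain full access to your LastPass account.\n"
    "LastPass is based on two fundamentaI principIes: the security and confidentiaIity "
    "of your personaI data.\n"
    "To avoid the deactivation of certain features of your LastPass account, log in "
    "before September 26, 2023 to confirm your account information."
)


def run_sample() -> List[str]:
    return triage(SAMPLE_FROM, SAMPLE_BODY, SAMPLE_LINKS, "lastpass.com", NOW, SAMPLE_CREATED)


if __name__ == "__main__":
    for flag in run_sample():
        print("flag:", flag)
```

In a real gateway the `from_addr` would come from the parsed header, the links from the HTML body, and the creation date from a WHOIS or RDAP lookup of each link host; everything else is the same. Note that none of these checks look at the display name or the visual design of the message, which is exactly why a pixel-perfect copy still trips them.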

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malwarebytes wins every Q2 MRG Effitas award & scores 100% on new phishing test

MRG Effitas, a world leader in independent IT research, published their anti-malware efficacy assessment results for Q2 2023. Malwarebytes Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware. 

These results mark the eighth time in a row we have received all certification awards, and we are now officially the only vendor to win every single certification & award in 2022 and so far into 2023. 

MRG Effitas assesses a product’s ability to meet today’s most pressing threats, including stopping zero-day malware, ransomware, exploits, and more—and doing so with speedy performance and low false positives. 

In addition to their normal tests, for Q2 2023 MRG Effitas added two new tests to their 360° Assessment & Certification: the ITW Phishing Test and the Phishing Simulator Test.

Malwarebytes blocked 100% of phishing attempts in BOTH the ITW Phishing Test and Phishing Simulator Test. In other words, Malwarebytes was the only vendor in the Q2 2023 MRG test to both receive all 4 award logos AND block 100% of phishing attempts.  

How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of Malwarebytes EP allowed it to detect and block more malware than any other competitor on the Q2 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests. 

Malwarebytes EP is the foundation layer for our EDR and MDR solutions, and these results prove that it provides reliable and comprehensive protection against a wide range of threats.

For the full results and to see how we stack up against competitors, our “Endpoint Security Evaluation Guide” eBook—based on MRG Effitas’ independent lab assessment—is an essential tool for any organization looking to make an informed decision about endpoint security. Download below! 


Let’s dive into where we prevented more than the rest and how we were able to do it. 

100% of phishing attempts blocked 

Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.   

According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.  

Malwarebytes blocked 100% of phishing attempts in BOTH the ITW Phishing Test and Phishing Simulator Test.  

How we were able to do it: Malwarebytes EP, the foundation for Malwarebytes EDR, features a Web protection layer that blocks access to and from known or suspicious Internet addresses. 


100% of ransomware blocked 

Using a blend of signature and signature-less technologies, the anti-ransomware layer of Malwarebytes EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.  

MRG Effitas tested security products for 30 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running Malwarebytes EP also ran three benign programs designed to mimic ransomware behavior. 

Malwarebytes blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.  


Nebula view of detected ransomware activity  

100% of banking malware blocked 

We were one of the few vendors that earned a 360° Online Banking Certification, which means Malwarebytes EP stopped 100% of threats designed to steal financial information and money from victims’ accounts. To outperform the others, our unique detection technology again came into play.

Malwarebytes EP autoblocked 100% of the 25 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.  

100% of zero-day threats blocked 

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.  

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled Malwarebytes EP to detect and autoblock 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.  

100% of exploits blocked 

The anti-exploit feature of Malwarebytes EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.  

But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try to deliver a malicious payload on a device running Malwarebytes EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode. 


Our four layers of exploit protection  


Anti-exploit settings in Nebula 

Consistency is key 

If there is one shining takeaway from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, Malwarebytes EP, and by extension our EDR and MDR, is that solution.  

For organizations that are concerned their current solution may not be up to par, the MRG Effitas assessment has demonstrated that Malwarebytes for Business—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.



iPhone 15 launch: Wonderlust scammers rear their heads

Yesterday, Apple launched its latest iPhone and Watch models at its massive Wonderlust event. As with many high profile launches like this, it attracted not just a mountain of press, but a whole load of scammers too.

One site uses the Apple brand to host a cryptocurrency scam. The hook is a supposed giveaway of “50,000 ETH and 5,000 BTC”, which is $79,885,500 and $130,325,000 respectively. Sadly the site, registered just yesterday, is not giving away this kind of digital cash.

The front page claims:

We believe that Blockchain and BTC coin will make the world more fair. To speed up the process of cryptocurrency mass adoption, we decided to run a 5,000 BTC giveaway.

Fake Apple giveaway site

As to how the scammers claw their ill-gotten gains from the victims, it’s a case of double your money. To get your foot on the ladder, all participants are required to chip in a little cryptocurrency of their own so there’s a large pool of funds for the lucky winner.

The site continues:

To participate you just need to send from 0.1 BTC to 50 BTC to the contribution address and we will immediately send you back 0.2 BTC to 100 BTC (x2) to the address you sent it from.

Fake donate links

To give you an idea of the supposed investment in the prize fund, 0.1 BTC is $2,606. 50 BTC is an eye-watering $1,305,600. Meanwhile, over in ETH land, a donation of 1 ETH would set you back $1,599. The maximum donation amount of 500 ETH is worth $799,975.

This is an incredibly fast path to losing all of your money. An ETH address and a BTC address are provided for the two fake donation options, and anyone sending funds to those addresses will likely not be seeing their money again.

Scrolling down the page shows a very long list of supposed transactions, as a way of encouraging people to hop on the bandwagon. However, sites which track address transactions and other activity display zero funds going in or out of those addresses.

With the event now over, the chances of this particular site hitting a payday will become increasingly remote. The people behind these kinds of sites are hoping that visitors won’t look too closely lest they spot the scam coming apart at the seams.

Even so, this is a common tactic and a popular way for scammers to encourage panic sending with the promise of huge payouts just out of reach. If any site asks you to “donate” cryptocurrency funds claiming you’ll double your money, you can safely ignore it and move on.

This fake donation technique was doing the rounds last year, typically bolted on to Elon Musk scams. Here’s one from last April which used a “guess the planet” competition as bait. That same month, another scam made use of fake Medium blogs to achieve the same end result.

The value of your digital currency may rise or fall, but none of it matters if you’ve handed the lot to a scammer. If ever something had “If it’s too good to be true…” attached, this is most definitely somewhere up at the top.



Update Chrome now! Google patches critical vulnerability being exploited in the wild

Google has released an update for Chrome Desktop which includes one critical security fix. There is an active exploit for the patched vulnerability, according to Google, which means cybercriminals are aware of the vulnerability and are using it.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

up to date Chrome

After the update, the version should be 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows, or later.

The vulnerability

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day patched in this update is listed as:

CVE-2023-4863: a heap buffer overflow in WebP, also described as a vulnerability that resides in the WebP image format which could lead to arbitrary code execution or a crash.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.
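The defect class described above, as an added example that is not from the article and is not libwebp's or the CVE's actual code: a constructed toy image format (header with width and height, then pixel bytes) decoded first by a routine that sizes its heap block from the header alone, then by a hardened routine that checks the header against the payload before allocating. All names (toy_img, toy_decode and friends) are hypothetical.

```c
/* Added example, not code from the article or from libwebp. A toy image
 * format (width u16 LE, height u16 LE, then width*height pixel bytes)
 * illustrates the heap overflow class and the check that prevents it. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint16_t w, h; uint8_t *pix; } toy_img;  /* pix: heap, caller frees */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern, kept only for contrast (never use on untrusted data):
 * the heap block is sized by the header but the copy by the input, so a
 * file declaring a small image with a larger payload writes past the block. */
int toy_decode_unsafe(const uint8_t *buf, size_t len, toy_img *img) {
    if (len < 4) return -1;
    img->w = rd16(buf); img->h = rd16(buf + 2);
    img->pix = malloc((size_t)img->w * img->h);   /* sized by header */
    if (!img->pix) return -1;
    memcpy(img->pix, buf + 4, len - 4);           /* sized by input: overflow */
    return 0;
}

/* Hardened version: header and payload must agree before memory is sized. */
int toy_decode(const uint8_t *buf, size_t len, toy_img *img) {
    if (len < 4) return -1;
    uint16_t w = rd16(buf), h = rd16(buf + 2);
    size_t npix = (size_t)w * h;                  /* u16*u16 fits in size_t */
    if (npix == 0 || len - 4 != npix) return -1;  /* geometry/payload mismatch */
    uint8_t *pix = malloc(npix);
    if (!pix) return -1;
    memcpy(pix, buf + 4, npix);                   /* bounded by both checks */
    img->w = w; img->h = h; img->pix = pix;
    return 0;
}

/* Constructed inputs: a valid 2x2 image, and a file whose header says 2x2
 * but which carries 16 pixel bytes. */
static const uint8_t GOOD[] = {2,0, 2,0, 10,20,30,40};
static const uint8_t LIES[] = {2,0, 2,0, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};

/* Hardened decode; returns the pixel sum on success, -1 if rejected. */
long toy_pixel_sum(const uint8_t *buf, size_t len) {
    toy_img img; long sum = 0;
    if (toy_decode(buf, len, &img) != 0) return -1;
    for (size_t i = 0; i < (size_t)img.w * img.h; i++) sum += img.pix[i];
    free(img.pix);
    return sum;
}
```

Running the unsafe decoder on LIES under AddressSanitizer reports a heap-buffer-overflow write of 12 bytes past a 4-byte block, which is the detection step a fuzzing harness for a real decoder relies on.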

Credit for reporting the vulnerability was given to Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School on 2023-09-06. The fact that this happens to coincide with a report by CitizenLab about two Apple vulnerabilities that were used by the NSO group to drop the Pegasus spyware seems too much to be a coincidence.

Add the fact that both Apple CVE-2023-41064 and Chrome CVE-2023-4863 are based on image processing, and we feel comfortable saying that these two vulnerabilities are very, very likely to be related.

