Apple Zero Day Vulnerabilities

Summary: Apple released two patches addressing security vulnerabilities in iOS, iPadOS, and macOS. Both issues were reported by an anonymous researcher and were assigned CVE-2022-22675 and CVE-2022-22674. Apple describes the former, in the AppleAVD media decoder, as “an out-of-bounds write issue was addressed with improved bounds checking”; its impact is that an application may be able to execute arbitrary code with kernel privileges. It describes the latter, in the Intel Graphics Driver, as “an out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation.” In both advisories Apple states it is aware of a report that the issue may have been actively exploited, which is what makes these zero days.

CVE-2022-22675 is fixed in iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1; any iPhone, iPad, or Mac on an earlier version remains vulnerable. CVE-2022-22674 affects only macOS and is fixed in Monterey 12.3.1.

Why it matters: Security has to be built into every layer of a system, including the kernel that every application relies on. These two CVEs expose the device to disclosure of kernel memory (the out-of-bounds read) and to memory corruption that can lead to code execution with kernel privileges (the out-of-bounds write). In general, an out-of-bounds read that leaks kernel addresses is exactly the primitive used to defeat kernel address-space randomization, which makes a subsequent out-of-bounds write far easier to turn into full control of the device.

The OWASP Top 10 is a list of the ten most critical security risks for applications. Measured against it, devices still running the old versions fall under “Vulnerable and Outdated Components,” since fixes have now been released. The root cause itself, “Memory Management Errors,” is one of the categories OWASP lists just outside the Top 10. All Apple device owners should update to the latest version to close these issues.

Google Chrome Zero Day Update

Summary: A bug in V8, the JavaScript engine used by Chrome and other Chromium-based browsers, is present in the browser’s stable channel. The bug is a type confusion: the engine operates on an object as if it were of a different type, so the wrong code runs against the wrong memory layout, a condition that is commonly turned into memory corruption and arbitrary code execution in the renderer. Google reports that the vulnerability is being actively exploited; it has been assigned CVE-2022-1096.

To address the problem, Google has pushed version 99.0.4844.84 to Chrome’s stable channel for Windows, Mac, and Linux. Other Chromium-based browsers, such as Microsoft Edge, ship the same V8 fix in their own updates and need to be updated separately.

Why it matters: Google Chrome is one of the most widely used web browsers in the world, so this vulnerability exposes a very large population. Against the OWASP Top 10, the bug is closest to Insecure Design: improper type checking in the engine is a flaw in how the code was designed rather than a misconfiguration. Google released this fix as a standalone update instead of bundling it into its usual batch of patches, a sign that it considers the issue severe. Details of the bug are being withheld until most users have received the fix. For now, update to the newest version, and note that Chrome only applies an update after the browser is restarted, so a downloaded update is not protection until you relaunch.


Android Spyware

Summary: Researchers at Lab52 have discovered a new Android spyware. The samples use the same shared-hosting infrastructure previously used by the Russian APT group known as Turla. It is not yet known whether the same group is behind the current campaign or whether the infrastructure has simply changed hands.

The spyware, known as Process Manager, records audio, tracks location, and more; it requests a total of 18 permissions. The distribution vector is not known at this time. Once installed, the app presents itself as a system utility with a gear icon and removes its icon from the app drawer, so the victim goes on using the phone normally while the app collects information in the background. The sample’s hash has been submitted to VirusTotal, where it is flagged as malicious.

Why it matters: Spyware exists to leak sensitive information. Once the app is installed and running, personal data and device features, including the camera, microphone, and location, all become sources of information for the attacker. On a phone that is also used for work, the exposure extends to business data, contacts, and credentials.

Of the OWASP Top 10 categories, this case most closely fits Security Logging and Monitoring Failures: the spyware obtained 18 permissions and operated on victims’ devices without being noticed, and its distribution channel has still not been identified. Check your device for this app and for any app you do not recognise, and remove them; review which apps hold the microphone, camera, location, and SMS permissions and revoke any that have no business need for them. If you suspect a device is compromised, factory reset it and reinstall only known apps from trusted sources.


New Malware Exploits Windows Bug to Create Hidden Scheduled Tasks

Summary: The China-based threat actor HAFNIUM has been observed using a new malware, named “Tarrask” by Microsoft, that creates and then hides scheduled tasks on compromised Windows systems to establish persistence. Tarrask abuses a Windows bug: deleting the Security Descriptor (SD) registry value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task name> makes the task disappear from “schtasks /query” and from the Task Scheduler GUI while the task continues to run.

The scheduled task re-establishes the connection to command-and-control infrastructure on every boot, so access survives reboots. The attackers could have erased all registry traces of the task, but that would also have removed their persistence across restarts, so they deleted only the SD value and left the task definition in place. Reports indicate the task was named “WinUpdate” to avoid suspicion.

Why it matters: With the ability to create hidden scheduled tasks, an attacker keeps a foothold for future activity long after the initial intrusion, and the persistence that “Tarrask” establishes should not be taken lightly. Once the malware has embedded itself in the Windows Registry and hidden the task, it is hard to detect with the normal tooling, but detection is not impossible: the task definition still exists under TaskCache\Tasks, so it can be found manually or with tools that read the registry directly rather than asking the Task Scheduler service. A list of Indicators of Compromise is published in Microsoft’s Tarrask report.
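The registry check described above, written out as an added example; it is not code from the original article or from Microsoft’s report. It assumes the documented layout of the Task Scheduler cache: one key per task under TaskCache\Tree carrying Id, Index and SD values, and a matching TaskCache\Tasks\{GUID} key holding the task definition. It must run in an elevated PowerShell session, because the TaskCache keys are not readable by standard users.

```powershell
# Added example (not from the original article or Microsoft's report).
# Flags scheduled tasks whose Tree registry key has no 'SD' (security descriptor)
# value, which is the state Tarrask leaves behind and the reason schtasks /query
# and the Task Scheduler UI no longer show the task. Run elevated.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTask {
    [CmdletBinding()]
    param(
        [string]$TreePath  = $TreeRoot,
        [string]$TasksPath = $TasksRoot
    )

    # Tree mirrors the task folder hierarchy: folders and tasks are both keys.
    # Recurse so a task hidden inside \Microsoft\Windows\... is covered as well.
    Get-ChildItem -Path $TreePath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $treeKey = $_
        $id = $treeKey.GetValue('Id')
        if (-not $id) { return }                      # no Id value: a folder container, not a task

        # A real task also has Tasks\{GUID}; that key keeps Path, Actions and Triggers
        # even after the SD value on the Tree side has been deleted.
        $taskKeyPath = Join-Path -Path $TasksPath -ChildPath $id
        if (-not (Test-Path -LiteralPath $taskKeyPath)) { return }

        if ($null -ne $treeKey.GetValue('SD')) { return }   # SD present: normal, visible task

        $task = Get-ItemProperty -LiteralPath $taskKeyPath -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            TaskName = $treeKey.PSChildName     # e.g. WinUpdate, the name Tarrask used
            TaskId   = $id
            Path     = $task.Path               # task path as the scheduler stores it
            Author   = $task.Author
            Created  = $task.Date
            TreeKey  = $treeKey.Name
            TasksKey = $taskKeyPath
        }
    }
}

# Usage: report anything without a security descriptor.
$hidden = @(Get-HiddenScheduledTask)
if ($hidden.Count -gt 0) {
    Write-Warning ("{0} scheduled task(s) have no SD value and are invisible to schtasks /query" -f $hidden.Count)
    $hidden | Format-Table TaskName, Path, Author, Created -AutoSize
} else {
    Write-Output 'No scheduled tasks without an SD value were found.'
}
```

Because the hidden task is invisible to the scheduler’s own tooling, removing it means deleting both the Tree\<task name> key and the Tasks\{GUID} key it points to, not just running schtasks /delete. For detection going forward, enable auditing of “Other Object Access Events” so task creation is written to the Security log as event 4698, and make sure the Microsoft-Windows-TaskScheduler/Operational log is enabled and collected.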

Security Tip of the Month

Summary: Most people think of cyber defense in terms of technical controls. Low-technology attacks exist as well, and they exploit the human factor rather than the software. One such attack is shoulder surfing: reading a screen, keypad, or document over someone’s shoulder.

Shoulder surfing threatens every device with a screen, because the attack requires nothing more than a line of sight to it. One protection is a privacy screen: a filter placed over the display that narrows the viewing angle so that only someone directly in front of the screen can read it.

Why it matters: Devices are used for both personal and business purposes, so they carry sensitive information about the user and about the company that issued them. Applying a privacy screen helps protect that data by reducing the angle from which an onlooker can read the display; it works best paired with a short auto-lock timeout and the habit of locking the screen before stepping away. Since threats can come from inside an organization as well as from outside, applying privacy screens to work devices strengthens the security posture of the whole company.