Update Now: New Mac Vulnerability Allows Apps to Spy On You

Microsoft is warning Mac users to update to the latest version of MacOS Monterey after it found a vulnerability in Apple’s Transparency, Consent, and Control (TCC) feature.

Exploiting this vulnerability could allow malicious actors to spoof the TCC and plant malware or hijack another app on the computer.

Introduced in 2012 with MacOS Mountain Lion, TCC is designed to help control an app’s access to things such as the camera, microphone, and data. When an app requests access to protected data, the request is compared to existing stored records in a special database. If the records exist, then the app is denied or approved access based on a flag that denotes the level of access.

Otherwise, a prompt is shown to the user to explicitly grant or deny access. Once the user responds, that request is stored in the database and future requests will follow the user’s previous input.

According to Microsoft, its own researchers exploited the “powerdir” vulnerability, tracked as CVE-2021-30970, in two different ways. The first proof-of-concept exploit planted a fake TCC database file and changed the user’s home directory so that the fake database would be consulted instead of the real one.

By doing this, Microsoft was able to change the settings on any application or enable access to the microphone or camera. Microsoft was even cheekily able to give Teams mic and camera access. Microsoft reported these initial findings to Apple in July 2021, though the exploit apparently still worked, despite Apple fixing a similar exploit demonstrated at Black Hat 2021.

The second proof-of-concept exploit came about because a change in MacOS Monterey’s dsimport tool broke the first one. This new exploit uses code injection into a binary called /usr/libexec/configd. This binary is responsible for making system-level configuration changes, including access to the TCC database. This allowed Microsoft to silently change the home directory and carry out the same kind of attack as in the first exploit.

Fortunately, Microsoft again notified Apple of the vulnerability, and it was patched last month. Microsoft is urging macOS users to ensure that their version of MacOS Monterey is updated with the latest patch. The company also took time to promote its own Defender for Endpoint enterprise security solution, which was able to prevent those exploits even before Apple patched them.

There have been previous TCC exploits, including one that utilizes Apple’s built-in Time Machine utility, that have since been patched as well. It’s always highly advised to keep all of your devices updated with the latest patches to prevent possible exploits like this. Feel free to read the details of Microsoft’s TCC exploits on their security blog post.


Repost: Original Source and Author Link


Researchers find new vulnerability with Apple Silicon chips

Researchers have released details of an Apple Silicon vulnerability dubbed “Augury.” However, it doesn’t seem to be a huge issue at the moment.

Jose Rodrigo Sanchez Vicarte from the University of Illinois at Urbana-Champaign and Michael Flanders of the University of Washington published their findings of a flaw within Apple Silicon. The vulnerability itself is due to a flaw in Apple’s implementation of the Data-Memory Dependent Prefetcher (DMP).

In short, a DMP looks at memory to determine what content to “prefetch” for the CPU. The researchers found that Apple’s M1, M1 Max, and A14 chips used an “array of pointers” pattern that loops through an array and dereferences the contents.

This could leak data that the program never actually reads, because the prefetcher dereferences it anyway. Apple’s implementation differs from a traditional prefetcher, as the paper explains.

“Once it has seen *arr[0] … *arr[2] occur (even speculatively!) it will begin prefetching *arr[3] onward. That is, it will first prefetch ahead the contents of arr and then dereference those contents. In contrast, a conventional prefetcher would not perform the second step/dereference operation.”

Because the CPU cores never read the data, defenses that try to track access to the data don’t work against the Augury vulnerability.

David Kohlbrenner, assistant professor at the University of Washington, downplayed the impact of Augury, noting that Apple’s DMP “is about the weakest DMP an attacker can get.”

The good news here is that this is about the weakest DMP an attacker can get. It only prefetches when content is a valid virtual address, and has a number of odd limitations. We show this can be used to leak pointers and break ASLR.

We believe there are better attacks possible.

— David Kohlbrenner (@dkohlbre) April 29, 2022

For now, the researchers say that only pointers can be leaked, and so far only within the sandboxed research environment used to study the vulnerability. Apple was also notified about the vulnerability before the public disclosure, so a patch is likely incoming soon.

Apple issued a March 2022 patch for MacOS Monterey that fixed some nasty Bluetooth and display bugs. It also patched two vulnerabilities that allowed an application to execute code with kernel-level privileges.

Other critical fixes to Apple’s desktop operating system include one that patched a vulnerability that exposed browsing data in the Safari browser.

Finding bugs in Apple’s hardware can sometimes net a pretty profit. A Ph.D. student from Georgia Tech found a major vulnerability that allowed unauthorized access to the webcam. Apple handsomely rewarded him about $100,000 for his efforts.



‘Extremely bad’ vulnerability found in widely used logging system

Security teams at companies large and small are scrambling to patch a previously unknown vulnerability called Log4Shell, which has the potential to let hackers compromise millions of devices across the internet.

If exploited, the vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to import malware that would completely compromise machines.

The vulnerability is found in log4j, an open-source logging library used by apps and services across the internet. Logging is a process where applications keep a running list of activities they have performed which can later be reviewed in case of error. Nearly every network security system runs some kind of logging process, which gives popular libraries like log4j an enormous reach.

Marcus Hutchins, a prominent security researcher best known for halting the global WannaCry malware attack, noted online that millions of applications would be affected. “Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” Hutchins said in a tweet.

The exploit was first seen on sites hosting Minecraft servers, which discovered that attackers could trigger the vulnerability by posting chat messages. A tweet from security analysis company GreyNoise reported that the company has already detected numerous servers searching the internet for machines vulnerable to the exploit.

A blog post from application security company LunaSec claimed that gaming platform Steam and Apple’s iCloud had already been found to be vulnerable. Neither Valve nor Apple immediately responded to a request for comment.

To exploit the vulnerability, an attacker has to cause the application to save a special string of characters in the log. Since applications routinely log a wide range of events — such as messages sent and received by users, or the details of system errors — the vulnerability is unusually easy to exploit and can be triggered in a variety of ways.

“This is a very serious vulnerability because of the widespread use of Java and this package log4j,” Cloudflare CTO John Graham-Cumming told The Verge. “There’s a tremendous amount of Java software connected to the internet and in back-end systems. When I look back over the last 10 years, there are only two other exploits I can think of with a similar severity: Heartbleed, which allowed you to get information from servers that should have been secure, and Shellshock, which allowed you to run code on a remote machine.”

However, the diversity of applications vulnerable to the exploit, and range of possible delivery mechanisms, mean that firewall protection alone does not eliminate risk. Theoretically, the exploit could even be carried out physically by hiding the attack string in a QR code that was scanned by a package delivery company, making its way into the system without having been sent directly over the internet.

An update to the log4j library has already been released to mitigate against the vulnerability, but given the time taken to ensure that all vulnerable machines are updated, Log4Shell remains a pressing threat.



Microsoft Azure cloud vulnerability is the ‘worst you can imagine’

Microsoft has warned thousands of its Azure cloud computing customers, including many Fortune 500 companies, about a vulnerability that left their data completely exposed for the last two years.

A flaw in Microsoft’s Azure Cosmos DB database product left more than 3,300 Azure customers open to complete unrestricted access by attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.

A listing of Azure Cosmos DB clients includes companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to name just a few.

“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

Despite the severity and risk presented, Microsoft hasn’t seen any evidence of the vulnerability leading to illicit data access. “There is no evidence of this technique being exploited by malicious actors,” Microsoft told Bloomberg in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.” Microsoft paid Wiz $40,000 for the discovery, according to Reuters. In an update posted to the Microsoft Security Response Center, the company said its forensic investigation included looking through logs to find any current activity or similar events in the past. “Our investigation shows no unauthorized access other than the researcher activity,” said Microsoft.

In a detailed blog post, Wiz says that the vulnerability introduced by Jupyter Notebook allowed the company’s researchers to gain access to the primary keys that secured the Cosmos DB databases for Microsoft customers. With said keys, Wiz had full read / write / delete access to the data of several thousand Microsoft Azure customers.

Wiz says that it discovered the issue two weeks ago and Microsoft disabled the vulnerability within 48 hours of Wiz reporting it. However, Microsoft can’t change its customers’ primary access keys, which is why the company emailed Cosmos DB customers to manually change their keys in order to mitigate exposure.
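Because Microsoft cannot rotate customers’ keys for them, the step left to each Cosmos DB customer is key regeneration. The following script is an added example, not code from the article, Wiz or Microsoft, showing the two-step rotation that keeps applications running: regenerate the unused secondary key, move applications to it, then regenerate the (possibly exposed) primary key. It assumes the Azure CLI (`az`) is installed and logged in, and that `az cosmosdb keys regenerate` accepts the `--key-kind` values shown; the resource group and account names are placeholders.

```powershell
# Added example (not from the article, Wiz or Microsoft): rotate a Cosmos DB
# account's keys in two steps so that applications keep working throughout.
# Assumes the Azure CLI ("az") is installed and already logged in.
$ResourceGroup = 'my-resource-group'   # placeholder, replace with your own
$AccountName   = 'my-cosmos-account'   # placeholder, replace with your own

function Invoke-CosmosKeyRotation {
    param([string]$Rg, [string]$Account)

    # 1. Regenerate the secondary key first; nothing should be using it yet.
    az cosmosdb keys regenerate --resource-group $Rg --name $Account --key-kind secondary
    if ($LASTEXITCODE -ne 0) { throw "Secondary key regeneration failed" }

    # 2. Point applications at the new secondary key (for example by updating the
    #    secret they read at startup). That step is deployment-specific, so the
    #    script pauses here instead of guessing how your applications load keys.
    Read-Host 'Switch applications to the new secondary key, then press Enter'

    # 3. Regenerate the primary key; this invalidates any copy taken by an attacker.
    az cosmosdb keys regenerate --resource-group $Rg --name $Account --key-kind primary
    if ($LASTEXITCODE -ne 0) { throw "Primary key regeneration failed" }

    # 4. The read-only keys were not mentioned as exposed, but rotating them too
    #    costs little: repeat with --key-kind primaryReadonly and secondaryReadonly.
    Write-Host "Primary and secondary keys for $Account have been regenerated."
}

Invoke-CosmosKeyRotation -Rg $ResourceGroup -Account $AccountName
```

Regenerating a key takes effect immediately, so the order matters: applications must already be on the secondary key before the primary is regenerated, otherwise they lose access mid-rotation.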

Today’s issue is just the latest security nightmare for Microsoft. The company had some of its source code stolen by SolarWinds hackers at the end of December, its Exchange email servers were breached and implicated in ransomware attacks in March, and a recent printer flaw allowed attackers to take over computers with system-level privileges. But with the world’s data increasingly moving to centralized cloud services like Azure, today’s revelation could be the most troubling development yet for Microsoft.

Updated August 27th, 6:49PM ET: Added update from the MSRC.



Microsoft Warns Windows Users of Printing Vulnerability

Microsoft might have patched PrintNightmare in Windows, but for the second time this month, there’s yet another printer-themed vulnerability in the wild.

Just detailed is a new vulnerability in the Windows Print Spooler service that could allow hackers to install programs; view, change, or delete data; and create new accounts on your PC.

Though that might sound scary, it is important to note that to leverage this new vulnerability, hackers will need to execute code on a victim system. Basically, it means that a hacker would need physical access to your PC. Microsoft mentions this in the support guide for the new vulnerability, going by the name of CVE-2021-34481.

There, Microsoft gives the vulnerability a score of 7.8 and an “important” severity rating, meaning it is a high security risk. However, Microsoft also notes that although CVE-2021-34481 has been made public, it hasn’t been exploited, though another note rates exploitation as “more likely.”

Microsoft hasn’t yet mentioned when a patch for this new vulnerability will be released. Instead, the company says it is investigating and “developing a security update.” Importantly, Microsoft points out that this new issue wasn’t caused by the July 2021 security update, which initially patched PrintNightmare.

Still worried? There is a temporary workaround for those who might be concerned. The workaround involves opening PowerShell on Windows and determining if the Print Spooler service is running, then stopping and disabling the service. The downside of this workaround is that stopping and disabling the Print Spooler service disables the ability to print both locally and remotely.

The last time, Microsoft was quick to release a patch for PrintNightmare. It happened within four days of Microsoft first discovering the issue. It’s unknown if a similar patch for this exploit could come at a similar time. Seeing as though the situation is a little less urgent, with hackers needing local access to a PC, it could be a while.

Microsoft credited the security researcher Jacob Baines for discovering this issue and reporting it to Microsoft. Baines notes on his Twitter page that he doesn’t believe this new vulnerability to be a variant of PrintNightmare.



Microsoft issues emergency Windows patch to fix critical ‘PrintNightmare’ vulnerability

Microsoft has started rolling out an emergency Windows patch to address a critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was revealed last week, after security researchers accidentally published proof-of-concept (PoC) exploit code. Microsoft has issued out-of-band security updates to address the flaw, and has rated it as critical as attackers can remotely execute code with system-level privileges on affected machines.

As the Print Spooler service runs by default on Windows, Microsoft has had to issue patches for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and a variety of supported versions of Windows 10. Microsoft has even taken the unusual step of issuing patches for Windows 7, which officially went out of support last year. Microsoft has not yet issued patches for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607, though. Microsoft says “security updates for these versions of Windows will be released soon.”

It took Microsoft a couple of days to issue an alert about a 0-day affecting all supported versions of Windows. The PrintNightmare vulnerability allows attackers to use remote code execution, so bad actors could potentially install programs, modify data, and create new accounts with full admin rights.

“We recommend that you install these updates immediately,” says Microsoft. “The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as ‘PrintNightmare’, documented in CVE-2021-34527.”


Microsoft: Windows PrintNightmare vulnerability is being actively exploited

Microsoft has issued an urgent warning over a Windows vulnerability, known as “PrintNightmare,” which could allow hackers to remotely run code on your PC. The exploit relies on a flaw in the Windows Print Spooler service, and Microsoft says it’s already aware of active exploits taking advantage of it in the wild.

PrintNightmare – or CVE-2021-34527, as Microsoft has assigned it – is still being assessed, with the company describing it as “an evolving situation.” Security researchers at Sangfor had identified the vulnerability, and published a proof of concept exploit, apparently on the assumption that a different patch had addressed the issue.

In fact, Microsoft had actually patched a different vulnerability, which also relied on a bug in printer services, with that similarity seemingly leading to the researchers’ confusion. The security team subsequently pulled down their exploit code, but by then the genie was already out of the bottle.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft explains. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Unfortunately, there’s still no definitive patch to install yet. Instead, Microsoft’s advice is to make sure your system is running the security updates it released on June 8, 2021, and to follow its workaround advice for the time being.

Those workarounds include disabling the Print Spooler service altogether, or disabling inbound remote printing through changes to the system’s Group Policy. Neither is, frankly, an ideal – or long-term – fix. By turning off the Print Spooler service altogether, you’ll unsurprisingly lose the ability to print both locally and remotely; changing the Group Policy to block inbound remote printing will mean local printing still works, but the system no longer functions as a print server.

Still, those headaches may be worth it, given the potential scale of the vulnerability. With full system privileges, hackers could use their access to run code or delete programs, do pretty much whatever they want with data, and create new accounts that also have full user-rights on the system. In the process, they could easily lock out legitimate users.



Microsoft Acknowledges Windows Print Spooler Vulnerability

Microsoft has updated its documentation around the “PrintNightmare” vulnerability that is impacting Windows PCs across the world. The company now says it is aware of the issue, which officially involves cases where the Windows Print Spooler service may perform privileged file operations and allow hackers into your device.

Though it’s not clear if all versions of Windows are impacted by this vulnerability, Microsoft says that the print spooler code that has the vulnerability is in all versions of Windows. The print spooler is what usually handles print jobs in Windows. Specifically, hackers can exploit that code to run arbitrary code with system privileges.

This can then be used to install programs, view, change, or delete data, or create new accounts with full user rights. Microsoft’s documentation makes it clear that the vulnerability has also been actively exploited, which means it is out in the wild and in use by hackers.

As a result, Microsoft is investigating whether all versions of Windows are exploitable. Microsoft urges users who are concerned to stay tuned to a support page for updates. Microsoft also mentions that the vulnerability originated before this month’s June 2021 security update. It’s not clear if the update can patch this vulnerability, but it is still best to install the June 8 security updates just to be safe.

There are some workarounds for this matter, but most are up to system administrators to enable. The first workaround is to disable the Print Spooler service using PowerShell. However, this also disables the ability to print from the PC, both locally and over the network. A second temporary fix involves using Group Policy to disable remote printing, which prevents the remote aspect of the vulnerability by blocking inbound remote printing operations. The U.S. Cybersecurity & Infrastructure Security Agency also recommends following these steps.
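The PowerShell workaround described here and in the two preceding PrintNightmare articles (check whether the Print Spooler is running, stop it, disable it) looks like the following. This is an added example, not code from the articles or from Microsoft; it assumes an elevated PowerShell 5.1 or later session on Windows, where the service’s internal name is `Spooler`, and it includes the reverse steps for when the security update has been installed.

```powershell
# Added example (not from the articles or from Microsoft): apply and later undo the
# "disable the Print Spooler" workaround. Run from an elevated PowerShell session.

function Get-SpoolerState {
    # Report the current status and startup type of the Print Spooler service.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{
        Status    = $svc.Status      # Running / Stopped
        StartType = $svc.StartType   # Automatic / Manual / Disabled
    }
}

function Disable-SpoolerWorkaround {
    # Stop the service if it is running, then prevent it from starting again.
    $before = Get-SpoolerState
    Write-Host "Before: Status=$($before.Status) StartType=$($before.StartType)"

    if ($before.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled

    # Caveat from the articles: local and network printing stop working from here on.
    $after = Get-SpoolerState
    Write-Host "After:  Status=$($after.Status) StartType=$($after.StartType)"
    return $after
}

function Restore-Spooler {
    # Reverse the workaround once the relevant security update is installed.
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-SpoolerState
}

Disable-SpoolerWorkaround
```

The Group Policy alternative mentioned in the articles, for machines that must keep printing locally, is the “Allow Print Spooler to accept client connections” setting under Computer Configuration, Administrative Templates, Printers; setting it to Disabled blocks inbound remote printing while leaving local printing intact. The Spooler service has to be restarted for that change to take effect.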

It’s not uncommon for hackers to target printers and the printing service in Windows. Back in 2018, hackers were able to use old-school printers to invade home networks. PewDiePie supporters also hacked printers at the end of 2018 to send out messages of support for the YouTuber after a battle with another YouTube channel, T-Series.


Dell BIOSConnect vulnerability threatens millions of PCs

Dell is one of the world’s biggest PC vendors and its laptops number in the millions. That means that there are also millions of potential victims ripe for the picking should hackers get hold of a security exploit that affects almost all of them. That opportunity might have finally come up: Dell’s own software, in charge of keeping users safe from the moment a computer boots, is itself vulnerable, opening the door for hackers to get in without being detected.

At the heart of this latest vulnerability report is Dell’s BIOSConnect, a part of its SupportAssist software that’s pre-installed on almost all Dell computers running Windows. BIOSConnect has a single job: to provide remote firmware updates and OS recovery functionality. Given that computers start up at the BIOS level, getting control of this stage of the boot process means getting control of the entire system in the long run.

That’s exactly the case that Bleeping Computer is reporting, where a hacker can intercept BIOSConnect’s communication and trigger overflow exploits. This can happen when users try to use remote OS recovery or when trying to update the Dell computer’s firmware. A compromised BIOS or UEFI firmware could then masquerade as legit software to Dell’s and Windows’ security systems.

Security researchers from Eclypsium who reported the vulnerabilities recommend that Dell users avoid using BIOSConnect entirely. There are multiple ways to update the computer’s BIOS or UEFI firmware and the utility only offers conveniences that may not be worth the security risk. Dell is issuing BIOS/UEFI updates on its website for affected models.

Bleeping Computer notes that this isn’t the first time a part of Dell’s SupportAssist has been revealed to have a critical security flaw. Dell’s pre-installed software has repeatedly been reported to have one vulnerability or another, but such a situation is sadly common among many OEMs’ utilities, even those designed to protect users.



API vulnerability detection firm Salt Security raises $70M


API discovery and vulnerability detection platform Salt Security today raised $70 million in a series C funding round led by Advent International. The Palo Alto, California-based startup says it plans to use the capital to expand its global operations across R&D, sales and marketing, and customer success.

Application programming interfaces (APIs) dictate the interactions between software programs. They define the kinds of calls or requests that can be made, how they’re made, the data formats that should be used, and the conventions to follow. As over 80% of web traffic becomes API traffic, APIs are coming under increasing threat. Gartner predicts that by 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web apps.

Salt’s platform aims to prevent these attacks with a combination of AI and machine learning technologies. It analyzes a copy of the traffic from web, software-as-a-service, mobile, microservice, and internet of things app APIs and uses this process to gain an understanding of each API and create a baseline of normal behavior. From these baselines, Salt identifies anomalies that might be indicators of an attack during reconnaissance, eliminating the need for things like signatures and configurations.

“I’m a former elite cybersecurity unit veteran that led development of high-end security systems to protect the largest network in Israel of the Israel Defense Forces and the government,” cofounder and CEO Roey Eliyahu told VentureBeat via email. “During my service and afterwards in different roles, I consistently found that APIs were surprisingly simple to hack and that existing security technologies could not identify API attacks. I joined forces with my cofounder and COO, Michael Nicosia, to build Salt Security on the premise that we needed to take a fundamentally different approach — to use big data and AI to solve the problem of securing APIs, a problem traditional security tools cannot solve because of their legacy architectures.”

[Image: The web dashboard for the Salt Security platform. Image credit: Salt Security]

Salt leverages dozens of behavioral features to identify anomalies. Its machine learning models are trained to detect when an attacker is probing an API, for instance, because this deviates from typical usage. They analyze the “full communication,” taking into consideration factors like how an API responds to malicious calls. And they correlate attacker activity, enabling Salt to connect probing attempts performed over time to a single attacker, even if the perpetrator attempts to conceal their identity by rotating devices, API tokens, IP addresses, and more.

Confirmed anomalies trigger a single alert to security teams with a timeline of attacker activity.

“APIs connect all of today’s vital data and services. Organizations rely on the Salt Security API Protection Platform to identify API security vulnerabilities ahead of launching them in production,” Eliyahu said. “These remediation insights enable companies to move fast in their application development while still reducing risk by finding security gaps before they can be exploited. The Salt platform provides runtime protection, blocking attacks such as credential stuffing, data exfiltration, account misuse, and fraud. Salt also helps companies meet compliance needs, providing documentation of all APIs as well as where they expose sensitive data.”

Upward trajectory

Salt takes an approach similar — but not identical — to that of Elastic Beam, an API cybersecurity startup that was acquired by Denver, Colorado-based Ping Identity in June 2018. Other rivals include Spherical Defense, which adopts a machine learning-based approach to web application firewalls, and Wallarm, which provides an AI-powered security platform for APIs, as well as websites and microservices.

But Salt is doing brisk business, with customers like Equinix, Finastra, TripActions, Armis, and DeinDeal. The company, which was founded in 2016, claims to have driven 400% growth in revenue, 160% growth in employees (to more than 65), and 380% growth in the API traffic it secures.

“We have high double-digit numbers of enterprise customers in financial, fintech, insurance, retail, software-as-a-service, ecommerce, and other verticals … For most Salt customers, the pandemic accelerated their digital transformation and cloud migration journeys. Digital transformation depends heavily on APIs, so most of our customers were writing APIs at a much more rapid rate,” Eliyahu said. “Our customer, Armis, for example, had to integrate with many more device types in its internet of things security offering to serve its customers, whose employees were now working from home. Instead of having dozens of APIs to write and protect, the company suddenly had hundreds, and manual testing and documentation efforts simply could not scale, so they needed to deploy Salt earlier and more broadly than originally expected. Several Salt customers experienced a similar acceleration, and our revenue grew faster as a result.”

This latest financing round had participation from Alkeon Capital and DFJ Growth along with investors Sequoia Capital, Tenaya Capital, S Capital VC, and Y Combinator. It brings Salt’s total raised to $131 million to date following a $30 million round in December 2020.

