Category Archives: Security

Gamified Learning: Using Capture the Flag Challenges to Supplement Cybersecurity Training [Guest Diary], (Sun, Mar 17th)

This post was originally published on this site

[This is a Guest Diary by Joshua Woodward, an ISC intern as part of the SANS.edu BACS program]

Just listening to a lecture is boring. Is there a better way?

I recently had the opportunity to engage in conversation with Jonathan, a lead analyst at Rapid7, where our discussion led to the internal technical training that he gives to their new analysts. He saw a notable ineffectiveness in the training sessions and was "dissatisfied with the new analysts' ability to remember and apply the knowledge when it was time to use it." The new analysts struggled to recall and apply the knowledge from the classroom training and often "had to be retaught live," resulting in inefficiencies and frustration. After reflecting on the root cause of this issue, Jonathan suspected that the traditional approach to learning, such as classroom lectures and workshops, was at the heart of the problem. These more passive learning approaches failed to engage the participants, leading to disinterest in the training and lower knowledge retention. Drawing inspiration from a method that was effective for him, Jonathan decided to adopt a more active and engaging approach: Capture the Flag (CTF) competitions.

Capture the Flag (CTF) Competitions

Capture the Flag competitions can offer exposure to a wide range of cybersecurity concepts or drill into a particular skill set through carefully crafted puzzles. CTFs foster an active learning environment by encouraging participants to apply their critical thinking skills and knowledge in a practical context. The gamified nature of CTFs leads to more excitement and motivation to participate, and active engagement and problem-solving allows a deeper understanding and retention of cybersecurity concepts.

Considerations

Traditional training excels at comprehensively covering topics in a structured matter, while CTFs offer a better environment to apply skills practically and can be built to mimic real-world scenarios. However, the nature of CTFs may not be suitable for teaching specific skills in a predetermined manner, as participants may creatively approach challenges from various angles. Participants will only learn what is needed to solve the challenge. Carefully crafted challenges can offset this disadvantage to some extent, but they may not fully address this drawback. Despite the limitations, CTFs shine at getting participants to retain knowledge because they foster active learning. Participants are effectively teaching themselves in a hands-on manner that will help them remember and gain experience in the topic.

How puzzles are designed greatly influences the effectiveness of CTFs. Developing good challenges is a very time-consuming process. A senior analyst can teach a lecture in an ad-hoc matter, but all CTFs require a large preparation time. Jonathan mentioned that there are "a lot of competing requirements that are hard to balance" when designing a new challenge. The puzzle must be balanced and give participants a good starting point and prompt to prevent a knowledge blockade or feel overwhelming, but it still must be challenging and teach a specific skill set. Jonathan stated that when designing a challenge to target specific knowledge, a common trap is that it can easily start feeling like a trivia game rather than something fun, and "then you just have a quiz rather than a CTF." Well-designed challenges are the make-or-break linchpin for the successful implementation of CTFs in technical training.

Effectiveness

After introducing CTFs into his training plan, Jonathan noted that he witnessed a significant improvement in the analysts' ability to recall and apply the new knowledge. Being able to use the skills practically in an engaging and rewarding context seemed to give the participants a deeper understanding of the concepts and how to employ them when problem-solving.

I was able to interview an individual who had taken both types of training methods, and they noted that "CTF challenges were far more enjoyable and memorable" when compared to their original training. In terms of retaining and applying learning objectives, they found "CTF challenges to be significantly more effective." They were able to remember bits and pieces better from the CTF than from classroom training, which allowed them to have a starting place to research when solving situations in their work.

Jonathan comments that debating why the traditional classroom training failed is a discussion unto itself and has merit in researching it further. However, he did ultimately find that CTFs provided a workable alternative that helped fix the retention issue he was facing.

Integrating Capture the Flag challenges into internal training can give tangible improvements to participants' ability to retain and apply the knowledge being covered in training sessions. Combining CTFs with traditional training methods can help cover the drawbacks of either methodology at the cost of more preparation time.


* This article was written with the assistance of AI tools, including ChatGPT.
* Permission has been given by the interviewed sources to use their names and answers in this article. Full names have been redacted for privacy.

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Obfuscated Hexadecimal Payload, (Sat, Mar 16th)

This post was originally published on this site

This PE file contains an obfuscated hexadecimal-encoded payload. When I analyze it with base64dump.py searching for all supported encodings, a very long payload is detected:

It's 2834443 characters long, and matches base85 encoding (b85), but this is likely a false positive, as base85 uses 85 unique characters (as its name suggests), but in this particular encoded content, only 23 unique characters are used (out of 85).

Analyzing the PE file with my strings.py tool (calculating statistics with option -a) reveals it does indeed contain one very long string:

Verbose mode (-V) gives statistics for the 10 longests strings. We see that 2 characters (# and %) appear very often in this string, more than 75% of this long string is made up of these 2 characters:

These 2 characters are likely inserted for obfuscation. Let's use base64dump.py and let it ignore these 2 characters (-i #%"):

Now we have a hex encoded payload that decodes to a PE file (MZ), and most likely a Cobalt Strike beacon (MZARUH).

 

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

5Ghoul Revisited: Three Months Later, (Fri, Mar 15th)

This post was originally published on this site

About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary [1]. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.

Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th)

This post was originally published on this site

Credential-stealing phishing is constantly evolving, nevertheless, some aspects of it – by necessity – stay the same. One thing, which is constant, is the need for a credential gathering mechanism, and although threat actors have come up with a number of alternatives to simply hosting a fake login page somewhere (e.g., using a third-party “forms” service[1] or attaching an entire phishing page to an e-mail[2]), the old approach of placing a phishing page on an internet-connected server and linking to it from e-mail messages is commonly used to this day.

Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th)

This post was originally published on this site

Today, most of the malicious scripts in the wild are heavily obfuscated. Obfuscation is key to slow down the security analyst's job and to bypass simple security controls. They are many techniques available. Most of the time, your trained eyes can spot them in a few seconds but it remains a pain to process manually. How to handle them? For soe of them, you have tools like numbers-to-strings.py[1], developed by Didier, to convert classic encodings back to strings. Sometimes, you can write your own script (time consuming) or use a Cyberchef recipe. To speed up the analysis, why not ask some help to AI tools? Let's see a practical example with ChatGPT.

What happens when you accidentally leak your AWS API keys? [Guest Diary], (Sun, Mar 10th)

This post was originally published on this site

[This is a Guest Diary by Noah Pack, an ISC intern as part of the SANS.edu BACS program]

As a college freshman taking my first computer science class, I wanted to create a personal project that would test my abilities and maybe have some sort of return. I saw a video online of someone who created a python script that emailed colleges asking for free swag to be shipped to him. I liked the idea and adapted it. I created a script that emailed companies and asked for free swag, knowing that most conferences that year had been canceled due to the COVID-19 pandemic. I wrote my script, made a new email account for the script to use, created a list of ten companies it would email, and it worked flawlessly. To celebrate my achievement, I uploaded my code to GitHub. The next thing I knew, I was getting login attempts to the email address I set up for my script to use. I had hardcoded the email address and password into my code, and my computer science class didn’t teach us safe programming practices.

My situation had no ill consequences, but it could have if I had used my actual email for the script or if my project was bigger and I had used AWS or another cloud provider and hardcoded those credentials. In a later class I did learn how to safely pass credentials to my scripts without fear of leaking them on GitHub, but leaked credentials remained on my mind. This led me to the question “What happens when you leak your AWS API keys?”
In this article, I will share some research, resources, and real-world data related to leaked AWS API keys. I won’t get into scenarios where credentials are stored properly but stolen via a vulnerability, only where a developer or other AWS user hardcodes their credentials into a GitHub repository or a website.

Canary Tokens 

To collect data, I used Canary Tokens. Canary Tokens are honeypots that, when opened or used, send an alert to their owner informing them of a breach. Canary Tokens can be a word document, QR code, AWS API key, or many other file types to suit various needs. The AWS API key token is a file that looks like this:

(This is an actual Canary Token)

It looks exactly the same as how a developer would store this information and contains everything needed to make a successful connection to the AWS API. Nothing beyond that works to prevent an attacker from actually abusing these keys. 

I left a Canary Token on a decently trafficked e-commerce website I help maintain, hardcoded into the website’s source. I also posted one on my GitHub account in an obvious repository with a name that any researcher would recognize as a test.  

All the Canary Tokens I created were used.

Research

The token I added to the source code of a website took three days before an attacker tested it, generating this alert:

The traffic came from a Proton VPN user. It is likely that they were using a crawler to scan websites for credentials or vulnerabilities but could have been testing the collected credentials manually. This was the only time this canary was tested. Because the person who tested it was using a VPN, it would be nearly impossible to find exactly where this attacker is from. The IP used to test this key has been seen doing other attacks, but because of the anonymity associated with a shared VPN IP address, it would not be possible to tie this to any other reported incidents involving this IP.

The user-agent information that the Canary Token includes is very interesting. We know that the attacker is using a Python script to check if the credentials are valid with the Boto3 library. We also know the script is running on the Windows Subsystem for Linux. This information helped me to create a script [2] that tests AWS API keys to see if they are valid.

My data is not large enough to say definitively that if you hardcode credentials into your decently trafficked e-commerce website you will have a couple days to fix them before they are used. In this case too, a crawler may have picked up the keys much earlier, and they were not tested until days later. 

The AWS API keys I posted to GitHub were tested much sooner. Within minutes, I was receiving email alerts like the one pictured below:

I soon became overwhelmed with alerts and turned them off to preserve my email inbox. The interesting difference with these attempts to use my canary was that they were almost all coming from what turned out to be one company. 

Clearly, if you post your AWS credentials, they will be picked up and used by someone, whether it is a security company, researcher, or attacker. So, what can you do to resolve this problem if you find yourself in it? The first thing you should do is generate new AWS API keys and deactivate the ones you leaked. There is no way to undo posting credentials when things like the wayback machine exist. The best solution is to prevent this from happening in the first place.

Luckily, there are tools like GitGuardian [3], GitLeaks, TruffleHog [4], and RepoSupervisor that can be integrated into your Continuous Integration and Continuous Deployment (CICD) pipeline and scan for hardcoded credentials before the code goes into production. Some of those tools require subscriptions, like GitGuardian, while others, like truffleHog, are free and open source. I created a script that can verify if an AWS API key works; you can find it at the end of this article in my GitHub account. My reasoning for creating my own script was that many of these tools include features that would not be useful if your goal is only to verify whether the keys work, while some tools that can do this are made for exploiting that access. I wanted to create a simple script that anyone in IT could look at and understand so QA, junior developers, interns, and new analysts who find an AWS API key can quickly verify it without putting it into a tool they do not fully understand. 

Why does this matter?

Hardcoding credentials happen more often than you might think. There are lots of new developers, and in my experience, secure coding practices are not taught to university students until the upper-level classes. Even then, experienced developers make mistakes, unintended files get committed, and code left in place to test can sometimes make its way to production. There is a reason that entire companies exist to scan for these credentials. 

Conclusion

If you are writing code, do your best not to hardcode credentials; someone will find them. The allure of free swag may distract you, but remediation is more time-consuming than doing it the right way in the first place. Implementing tools in your CICD pipeline to scan for these mistakes is a great preventative measure, but it is not perfect. Use IAM permissions in AWS to limit each API key to only the permissions it needs.

[1] Canary Tokens: https://docs.canarytokens.org/guide/
[2] My Script: https://github.com/npackt/Simple-AWS-API-Key-tester
[3] Git guardian: https://www.gitguardian.com/
[4] TruffleHog: https://trufflesecurity.com/trufflehog
[5] More on AWS API keys: https://aws.amazon.com/what-is/api-key/
[6] https://www.sans.edu/cyber-security-programs/bachelors-degree/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

MacOS Patches (and Safari, TVOS, VisionOS, WatchOS), (Fri, Mar 8th)

This post was originally published on this site

 

After patching iOS and iPadOS a few days ago, Apple patched the rest of its lineup today, most notably macOS. These updates include the two 0-days patched for iOS. Interestingly, we also see three vulnerabilities addressed specifically for VisionOS, Apple's latest operating system. One of the VisionOS vulnerabilities affects Personas, a feature only available in VisionOS.

NOTE: Apple amended its list of vulnerabilities for iOS/iPadOS. Many of the vulnerabilities below also affect iOS. The initial release only noted four different vulnerabilities.

Apple security bulletin URL: https://support.apple.com/en-us/HT201222

Safari 17.4 macOS Sonoma 14.4 macOS Ventura 13.6.5 macOS Monterey 12.7.4 watchOS 10.4 tvOS 17.4 visionOS 1.1
CVE-2024-23273 [moderate] Safari Private Browsing
This issue was addressed through improved state management.
Private Browsing tabs may be accessed without authentication
x x          
CVE-2024-23252 [moderate] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to a denial-of-service
x x          
CVE-2024-23254 [moderate] WebKit
The issue was addressed with improved UI handling.
A malicious website may exfiltrate audio data cross-origin
x x     x x x
CVE-2024-23263 [other] WebKit
A logic issue was addressed with improved validation.
Processing maliciously crafted web content may prevent Content Security Policy from being enforced
x x     x x x
CVE-2024-23280 [moderate] WebKit
An injection issue was addressed with improved validation.
A maliciously crafted webpage may be able to fingerprint the user
x x     x x  
CVE-2024-23284 [other] WebKit
A logic issue was addressed with improved state management.
Processing maliciously crafted web content may prevent Content Security Policy from being enforced
x x     x x x
CVE-2024-23291 [moderate] Accessibility
A privacy issue was addressed with improved private data redaction for log entries.
A malicious app may be able to observe user data in log entries related to accessibility notifications
  x     x x  
CVE-2024-23276 [moderate] Admin Framework
A logic issue was addressed with improved checks.
An app may be able to elevate privileges
  x x x      
CVE-2024-23227 [important] Airport
This issue was addressed with improved redaction of sensitive information.
An app may be able to read sensitive location information
  x x x      
CVE-2024-23233 [moderate] AppleMobileFileIntegrity
This issue was addressed with improved checks.
Entitlements and privacy permissions granted to this app may be used by a malicious app
  x          
CVE-2024-23269 [important] AppleMobileFileIntegrity
A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
An app may be able to modify protected parts of the file system
  x x x      
CVE-2024-23288 [moderate] AppleMobileFileIntegrity
This issue was addressed by removing the vulnerable code.
An app may be able to elevate privileges
  x     x x  
CVE-2024-23277 [moderate] Bluetooth
The issue was addressed with improved checks.
An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard
  x          
CVE-2024-23247 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to unexpected app termination or arbitrary code execution
  x x x      
CVE-2024-23248 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x          
CVE-2024-23249 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x          
CVE-2024-23250 [moderate] CoreBluetooth – LE
An access issue was addressed with improved access restrictions.
An app may be able to access Bluetooth-connected microphones without user permission
  x     x x  
CVE-2024-23244 [moderate] Dock
A logic issue was addressed with improved restrictions.
An app from a standard user account may be able to escalate privilege after admin user login
  x x x      
CVE-2024-23205 [moderate] ExtensionKit
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access sensitive user data
  x          
CVE-2022-48554 [moderate] file
This issue was addressed with improved checks.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x     x x  
CVE-2024-23253 [moderate] Image Capture
A permissions issue was addressed with additional restrictions.
An app may be able to access a user's Photos Library
  x          
CVE-2024-23270 [important] Image Processing
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
  x x x   x  
CVE-2024-23257 [important] ImageIO
The issue was addressed with improved memory handling.
Processing an image may result in disclosure of process memory
  x x x     x
CVE-2024-23258 [critical] ImageIO
An out-of-bounds read was addressed with improved input validation.
Processing an image may lead to arbitrary code execution
  x         x
CVE-2024-23286 [critical] ImageIO
A buffer overflow issue was addressed with improved memory handling.
Processing an image may lead to arbitrary code execution
  x x x x x x
CVE-2024-23234 [important] Intel Graphics Driver
An out-of-bounds write issue was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges
  x x x      
CVE-2024-23266 [important] Kerberos v5 PAM module
The issue was addressed with improved checks.
An app may be able to modify protected parts of the file system
  x x x      
CVE-2024-23235 [important] Kernel
A race condition was addressed with additional validation.
An app may be able to access user-sensitive data
  x     x x x
CVE-2024-23265 [important] Kernel
A memory corruption vulnerability was addressed with improved locking.
An app may be able to cause unexpected system termination or write kernel memory
  x x x x x x
CVE-2024-23225 [moderate] *** EXPLOITED *** Kernel
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
  x x x x x x
CVE-2024-23278 [important] libxpc
The issue was addressed with improved checks.
An app may be able to break out of its sandbox
  x     x x  
CVE-2024-0258 [moderate] libxpc
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
  x     x x  
CVE-2024-23279 [important] MediaRemote
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x          
CVE-2024-23287 [important] Messages
A privacy issue was addressed with improved handling of temporary files.
An app may be able to access user-sensitive data
  x     x    
CVE-2024-23264 [important] Metal
A validation issue was addressed with improved input sanitization.
An application may be able to read restricted memory
  x x x   x x
CVE-2024-23285 [moderate] Music
This issue was addressed with improved handling of symlinks.
An app may be able to create symlinks to protected regions of the disk
  x          
CVE-2024-23283 [important] Notes
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x x x      
CVE-2023-48795 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2023-51384 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2023-51385 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2022-42816 [important] PackageKit
A logic issue was addressed with improved state management.
An app may be able to modify protected parts of the file system
  x          
CVE-2024-23216 [moderate] PackageKit
A path handling issue was addressed with improved validation.
An app may be able to overwrite arbitrary files
  x x x      
CVE-2024-23267 [moderate] PackageKit
The issue was addressed with improved checks.
An app may be able to bypass certain Privacy preferences
  x x x      
CVE-2024-23268 [moderate] PackageKit
An injection issue was addressed with improved input validation.
An app may be able to elevate privileges
  x x x      
CVE-2024-23274 [moderate] PackageKit
An injection issue was addressed with improved input validation.
An app may be able to elevate privileges
  x x x      
CVE-2023-42853 [important] PackageKit
A logic issue was addressed with improved checks.
An app may be able to access user-sensitive data
  x          
CVE-2024-23275 [moderate] PackageKit
A race condition was addressed with additional validation.
An app may be able to access protected user data
  x x x      
CVE-2024-23255 [moderate] Photos
An authentication issue was addressed with improved state management.
Photos in the Hidden Photos Album may be viewed without authentication
  x          
CVE-2024-23294 [moderate] QuartzCore
This issue was addressed by removing the vulnerable code.
Processing malicious input may lead to code execution
  x          
CVE-2024-23296 [moderate] *** EXPLOITED *** RTKit
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
  x     x x x
CVE-2024-23259 [moderate] Safari
The issue was addressed with improved checks.
Processing web content may lead to a denial-of-service
  x          
CVE-2024-23238 [moderate] Sandbox
An access issue was addressed with improved access restrictions.
An app may be able to edit NVRAM variables
  x          
CVE-2024-23239 [important] Sandbox
A race condition was addressed with improved state handling.
An app may be able to leak sensitive user information
  x     x x  
CVE-2024-23290 [important] Sandbox
A logic issue was addressed with improved restrictions.
An app may be able to access user-sensitive data
  x     x x  
CVE-2024-23232 [moderate] Screen Capture
A privacy issue was addressed with improved handling of temporary files.
An app may be able to capture a user's screen
  x          
CVE-2024-23231 [important] Share Sheet
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x     x    
CVE-2024-23230 [moderate] SharedFileList
This issue was addressed with improved file handling.
An app may be able to access sensitive user data
  x x x      
CVE-2024-23245 [moderate] Shortcuts
This issue was addressed by adding an additional prompt for user consent.
Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent
  x x x      
CVE-2024-23292 [moderate] Shortcuts
This issue was addressed with improved data protection.
An app may be able to access information about a user's contacts
  x          
CVE-2024-23289 [moderate] Siri
A lock screen issue was addressed with improved state management.
A person with physical access to a device may be able to use Siri to access private calendar information
  x     x    
CVE-2024-23293 [moderate] Siri
This issue was addressed through improved state management.
An attacker with physical access may be able to use Siri to access sensitive user data
  x     x x  
CVE-2024-23241 [important] Spotlight
This issue was addressed through improved state management.
An app may be able to leak sensitive user information
  x       x  
CVE-2024-23272 [moderate] Storage Services
A logic issue was addressed with improved checks.
A user may gain access to protected parts of the file system
  x x x      
CVE-2024-23242 [moderate] Synapse
A privacy issue was addressed by not logging contents of text fields.
An app may be able to view Mail data
  x          
CVE-2024-23281 [moderate] System Settings
This issue was addressed with improved state management.
An app may be able to access sensitive user data
  x          
CVE-2024-23260 [important] TV App
This issue was addressed by removing additional entitlements.
An app may be able to access user-sensitive data
  x          
CVE-2024-23246 [important] UIKit
This issue was addressed by removing the vulnerable code.
An app may be able to break out of its sandbox
  x     x x x
CVE-2024-23226 [critical] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to arbitrary code execution
  x     x x x
CVE-2024-23218 [moderate] CoreCrypto
A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions.
An attacker may be able to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key
    x x      
CVE-2024-23201 [important] libxpc
A permissions issue was addressed with additional restrictions.
An app may be able to cause a denial-of-service
    x x      
CVE-2023-28826 [moderate] MediaRemote
This issue was addressed with improved redaction of sensitive information.
An app may be able to access sensitive user data
    x x      
CVE-2024-23204 [moderate] Shortcuts
The issue was addressed with additional permissions checks.
A shortcut may be able to use sensitive data with certain actions without prompting the user
    x x      
CVE-2024-23297 [moderate] MediaRemote
The issue was addressed with improved checks.
A malicious application may be able to access private information
        x x  
CVE-2024-23262 [moderate] Accessibility
This issue was addressed with additional entitlement checks.
An app may be able to spoof system notifications and UI
            x
CVE-2024-23295 [moderate] Persona
A permissions issue was addressed to help ensure Personas are always protected
An unauthenticated user may be able to use an unprotected Persona
            x
CVE-2024-23220 [moderate] Safari
The issue was addressed with improved handling of caches.
An app may be able to fingerprint the user
            x


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.