Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th)

This post was originally published on this site

Credential-stealing phishing is constantly evolving; nevertheless, some aspects of it, by necessity, stay the same. One constant is the need for a credential-gathering mechanism, and although threat actors have come up with a number of alternatives to simply hosting a fake login page somewhere (e.g., using a third-party “forms” service[1] or attaching an entire phishing page to an e-mail[2]), the old approach of placing a phishing page on an internet-connected server and linking to it from e-mail messages is commonly used to this day.

Anthropic’s Claude 3 Haiku model is now available on Amazon Bedrock

Last week, Anthropic announced their Claude 3 foundation model family. The family includes three models: Claude 3 Haiku, the fastest and most compact model for near-instant responsiveness; Claude 3 Sonnet, the ideal balanced model between skills and speed; and Claude 3 Opus, the most intelligent offering for top-level performance on highly complex tasks. AWS also announced the general availability of Claude 3 Sonnet in Amazon Bedrock.

Today, we are announcing the availability of Claude 3 Haiku on Amazon Bedrock. The Claude 3 Haiku foundation model is the fastest and most compact model of the Claude 3 family, designed for near-instant responsiveness and seamless generative artificial intelligence (AI) experiences that mimic human interactions. For example, it can read a data-dense research paper on arXiv (~10k tokens) with charts and graphs in less than three seconds.

With Claude 3 Haiku’s availability on Amazon Bedrock, you can build near-instant responsive generative AI applications for enterprises that need quick and accurate targeted performance. Like Sonnet and Opus, Haiku has image-to-text vision capabilities, can understand multiple languages besides English, and boasts increased steerability in a 200k context window.

Claude 3 Haiku use cases
Claude 3 Haiku is smarter, faster, and more affordable than other models in its intelligence category. It answers simple queries and requests with unmatched speed. With its fast speed and increased steerability, you can create AI experiences that seamlessly imitate human interactions.

Here are some use cases for using Claude 3 Haiku:

  • Customer interactions: quick and accurate support in live interactions, translations
  • Content moderation: catch risky behavior or customer requests
  • Cost-saving tasks: optimized logistics, inventory management, fast knowledge extraction from unstructured data

To learn more about Claude 3 Haiku’s features and capabilities, visit Anthropic’s Claude on Amazon Bedrock and Anthropic Claude models in the AWS documentation.

Claude 3 Haiku in action
If you are new to using Anthropic models, go to the Amazon Bedrock console and choose Model access on the bottom left pane. Request access separately for Claude 3 Haiku.

To test Claude 3 Haiku in the console, choose Text or Chat under Playgrounds in the left menu pane. Then choose Select model and select Anthropic as the category and Claude 3 Haiku as the model.

To test more Claude prompt examples, choose Load examples. You can view and run examples specific to Claude 3 Haiku, such as advanced Q&A with citations, crafting a design brief, and non-English content generation.

Using Compare mode, you can also compare the speed and intelligence between Claude 3 Haiku and the Claude 2.1 model using a sample prompt to generate personalized email responses to address customer questions.

By choosing View API request, you can also access the model using code examples in the AWS Command Line Interface (AWS CLI) and AWS SDKs. Here is a sample of the AWS CLI command:

aws bedrock-runtime invoke-model \
     --model-id anthropic.claude-3-haiku-20240307-v1:0 \
     --body '{"messages":[{"role":"user","content":[{"type":"text","text":"Write the test case for uploading the image to Amazon S3 bucket"}]}],"anthropic_version":"bedrock-2023-05-31","max_tokens":2000}' \
     --cli-binary-format raw-in-base64-out \
     --region us-west-2 \
     invoke-model-output.txt

To make an API request with Claude 3, use the new Anthropic Claude Messages API format, which allows for more complex interactions such as image processing. If you are still using the Anthropic Claude Text Completions API, you should migrate to the Messages API.

Here is sample Python code to send a Message API request describing the image file:

import json

import boto3

# Bedrock runtime client. Claude 3 Haiku launched in US West (Oregon).
bedrock_runtime = boto3.client("bedrock-runtime", region_name="us-west-2")


def call_claude_haiku(base64_string):
    """Send a base64-encoded PNG to Claude 3 Haiku through the Messages API
    and return the caption text from the first content block."""

    prompt_config = {
        "anthropic_version": "bedrock-2023-05-31",
        "max_tokens": 4096,
        "messages": [
            {
                "role": "user",
                "content": [
                    {
                        "type": "image",
                        "source": {
                            "type": "base64",
                            # media_type must match the actual image encoding
                            "media_type": "image/png",
                            "data": base64_string,
                        },
                    },
                    {"type": "text", "text": "Provide a caption for this image"},
                ],
            }
        ],
    }

    body = json.dumps(prompt_config)

    modelId = "anthropic.claude-3-haiku-20240307-v1:0"
    accept = "application/json"
    contentType = "application/json"

    response = bedrock_runtime.invoke_model(
        body=body, modelId=modelId, accept=accept, contentType=contentType
    )
    response_body = json.loads(response.get("body").read())

    # The Messages API returns a list of content blocks; the caption is the text of the first one
    results = response_body.get("content")[0].get("text")
    return results

To learn more sample codes with Claude 3, see Get Started with Claude 3 on Amazon Bedrock, Diagrams to CDK/Terraform using Claude 3 on Amazon Bedrock, and Cricket Match Winner Prediction with Amazon Bedrock’s Anthropic Claude 3 Sonnet in the Community.aws.

Now available
Claude 3 Haiku is available now in the US West (Oregon) Region with more Regions coming soon; check the full Region list for future updates.

Claude 3 Haiku is the most cost-effective choice. For example, it costs up to 68 percent less per 1,000 input/output tokens than Claude Instant, while offering a higher level of intelligence. To learn more, see Amazon Bedrock Pricing.

Give Claude 3 Haiku a try in the Amazon Bedrock console today and send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS Support contacts.

Channy

Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th)

Today, most of the malicious scripts in the wild are heavily obfuscated. Obfuscation is key to slowing down the security analyst's job and to bypassing simple security controls. There are many techniques available. Most of the time, your trained eyes can spot them in a few seconds, but they remain a pain to process manually. How to handle them? For some of them, you have tools like numbers-to-strings.py[1], developed by Didier, to convert classic encodings back to strings. Sometimes, you can write your own script (time-consuming) or use a CyberChef recipe. To speed up the analysis, why not ask AI tools for help? Let's see a practical example with ChatGPT.

AWS Weekly Roundup — Claude 3 Sonnet support in Bedrock, new instances, and more — March 11, 2024

Last Friday was International Women’s Day (IWD), and I want to take a moment to appreciate the amazing ladies in the cloud computing space who are breaking the glass ceiling by reaching technical leadership positions and inspiring others to go and build, as our CTO Werner Vogels says.

Last week’s launches
Here are some launches that got my attention during the previous week.

Amazon Bedrock – Now supports Anthropic’s Claude 3 Sonnet foundation model. Claude 3 Sonnet is two times faster and has the same level of intelligence as Anthropic’s highest-performing models, Claude 2 and Claude 2.1. My favorite characteristic is that Sonnet is better at producing JSON outputs, making it simpler for developers to build applications. It also offers vision capabilities. You can learn more about this foundation model (FM) in the post that Channy wrote early last week.

AWS re:Post Live – Launched last week! AWS re:Post Live is a weekly Twitch livestream show that provides a way for the community to reach out to experts, ask questions, and improve their skills. The show livestreams every Monday at 11 AM PT.

Amazon CloudWatch – Now streams daily metrics on CloudWatch metric streams. You can use metric streams to send a stream of near real-time metrics to a destination of your choice.

Amazon Elastic Compute Cloud (Amazon EC2) – Announced the general availability of new metal instances, C7gd, M7gd, and R7gd. These instances have up to 3.8 TB of local NVMe-based SSD block-level storage and are built on top of the AWS Nitro System.

AWS WAF – Now supports configurable evaluation time windows for request aggregation with rate-based rules. Previously, AWS WAF was fixed to a 5-minute window when aggregating and evaluating the rules. Now you can select windows of 1, 2, 5, or 10 minutes, depending on your application use case.

AWS Partners – Last week, we announced the AWS Generative AI Competency Partners. This new specialization features AWS Partners that have shown technical proficiency and a track record of successful projects with generative artificial intelligence (AI) powered by AWS.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

Other AWS news
Some other updates and news that you may have missed:

One of the articles that caught my attention recently compares different design approaches for building serverless microservices. This article, written by Luca Mezzalira and Matt Diamond, compares the three most common designs for serverless workloads and explains the benefits and challenges of using one over the other.

And if you are interested in the serverless space, you shouldn’t miss the Serverless Office Hours, which airs live every Tuesday at 10 AM PT. Join the AWS Serverless Developer Advocates for a weekly chat on the latest from the serverless space.

The Official AWS Podcast – Listen each week for updates on the latest AWS news and deep dives into exciting use cases. There are also official AWS podcasts in several languages. Check out the ones in French, German, Italian, and Spanish.

AWS Open Source News and Updates – This is a newsletter curated by my colleague Ricardo to bring you the latest open source projects, posts, events, and more.

Upcoming AWS events
Check your calendars and sign up for these AWS events:

AWS Summit season is about to start. The first ones are Paris (April 3), Amsterdam (April 9), and London (April 24). AWS Summits are free events that you can attend in person and learn about the latest in AWS technology.

GOTO x AWS EDA Day London 2024 – On May 14, AWS partners with GOTO bring to you the event-driven architecture (EDA) day conference. At this conference, you will get to meet experts in the EDA space and listen to very interesting talks from customers, experts, and AWS.

You can browse all upcoming in-person and virtual events here.

That’s all for this week. Check back next Monday for another Week in Review!

— Marcia

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

What happens when you accidentally leak your AWS API keys? [Guest Diary], (Sun, Mar 10th)

[This is a Guest Diary by Noah Pack, an ISC intern as part of the SANS.edu BACS program]

As a college freshman taking my first computer science class, I wanted to create a personal project that would test my abilities and maybe have some sort of return. I saw a video online of someone who created a python script that emailed colleges asking for free swag to be shipped to him. I liked the idea and adapted it. I created a script that emailed companies and asked for free swag, knowing that most conferences that year had been canceled due to the COVID-19 pandemic. I wrote my script, made a new email account for the script to use, created a list of ten companies it would email, and it worked flawlessly. To celebrate my achievement, I uploaded my code to GitHub. The next thing I knew, I was getting login attempts to the email address I set up for my script to use. I had hardcoded the email address and password into my code, and my computer science class didn’t teach us safe programming practices.

My situation had no ill consequences, but it could have if I had used my actual email for the script or if my project was bigger and I had used AWS or another cloud provider and hardcoded those credentials. In a later class I did learn how to safely pass credentials to my scripts without fear of leaking them on GitHub, but leaked credentials remained on my mind. This led me to the question “What happens when you leak your AWS API keys?”
In this article, I will share some research, resources, and real-world data related to leaked AWS API keys. I won’t get into scenarios where credentials are stored properly but stolen via a vulnerability, only where a developer or other AWS user hardcodes their credentials into a GitHub repository or a website.

Canary Tokens 

To collect data, I used Canary Tokens [1]. Canary Tokens are honeypots that, when opened or used, send an alert to their owner informing them of a breach. A Canary Token can be a Word document, a QR code, an AWS API key, or one of many other file types to suit various needs. The AWS API key token is a credentials file that looks like this:

(This is an actual Canary Token)

It looks exactly the same as a developer's own credentials file and contains everything needed to authenticate to the AWS API. The key has no permissions attached, however, so nothing beyond that first authenticated call works, which prevents an attacker from actually abusing it.

I left a Canary Token on a decently trafficked e-commerce website I help maintain, hardcoded into the website’s source. I also posted one on my GitHub account in an obvious repository with a name that any researcher would recognize as a test.  

All the Canary Tokens I created were used.

Research

The token I added to the source code of a website took three days before an attacker tested it, generating this alert:

The traffic came from a Proton VPN user. It is likely that they were using a crawler to scan websites for credentials or vulnerabilities but could have been testing the collected credentials manually. This was the only time this canary was tested. Because the person who tested it was using a VPN, it would be nearly impossible to find exactly where this attacker is from. The IP used to test this key has been seen doing other attacks, but because of the anonymity associated with a shared VPN IP address, it would not be possible to tie this to any other reported incidents involving this IP.

The user-agent information that the Canary Token includes is very interesting. We know that the attacker is using a Python script to check if the credentials are valid with the Boto3 library. We also know the script is running on the Windows Subsystem for Linux. This information helped me to create a script [2] that tests AWS API keys to see if they are valid.

My data is not large enough to say definitively that if you hardcode credentials into your decently trafficked e-commerce website you will have a couple of days to fix them before they are used. Even in this case, a crawler may have picked up the keys much earlier and only tested them days later.

The AWS API keys I posted to GitHub were tested much sooner. Within minutes, I was receiving email alerts like the one pictured below:

I soon became overwhelmed with alerts and turned them off to preserve my email inbox. The interesting difference with these attempts to use my canary was that they were almost all coming from what turned out to be one company. 

Clearly, if you post your AWS credentials, they will be picked up and used by someone, whether a security company, a researcher, or an attacker. So, what can you do if you find yourself in this situation? The first thing you should do is deactivate the leaked access key, generate a new one, and review CloudTrail for any API calls made with the leaked key while it was exposed. There is no way to undo posting credentials when things like the Wayback Machine exist; rewriting Git history does not remove copies that have already been scraped. The best solution is to prevent this from happening in the first place.

Luckily, there are tools like GitGuardian [3], Gitleaks, TruffleHog [4], and RepoSupervisor that can be integrated into your continuous integration and continuous deployment (CI/CD) pipeline to scan for hardcoded credentials before the code goes into production. Some of those tools, like GitGuardian, require subscriptions, while others, like TruffleHog, are free and open source. I created a script that can verify whether an AWS API key works; you can find it at the end of this article in my GitHub account [2]. My reasoning for creating my own script was that many of these tools include features that are not useful if your goal is only to verify whether the keys work, while some tools that can do this are made for exploiting that access. I wanted a simple script that anyone in IT could read and understand, so QA staff, junior developers, interns, and new analysts who find an AWS API key can quickly verify it without pasting it into a tool they do not fully understand.
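As an added example (not from the diary and not the author's script), the following Python shows the two pieces discussed above: a scanner for AWS credential shapes that a CI/CD step or pre-commit hook could run over a repository, and the kind of STS get-caller-identity check a key-verification script performs. The sample source text, the key values in it (the placeholder keys from the AWS documentation, not live or canary keys), and all function names are constructed for this example. Note the caveat the diary's own data illustrates: verifying a found key with STS is an authenticated API call, so it lands in the key owner's CloudTrail and trips a canary token. Scan offline first, and verify only with the owner's knowledge.

```python
import re
from dataclasses import dataclass
from typing import List

# Access key IDs are 20 characters: a 4-character prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")

# Secret access keys are 40 base64-alphabet characters with no fixed prefix,
# so a bare 40-character match would flag every SHA-1 hex digest in a repo.
# Require a "secret" keyword on the same line, as keyword-context scanners do.
SECRET_KEY_RE = re.compile(
    r'''(?i)secret[_a-z]*\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])'''
)

# Constructed sample of a file a developer might commit by accident. The key
# values are the placeholders from the AWS documentation, not live or canary keys.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
# 40 hex characters, but a git commit hash, not a key
BUILD_ID = "f3a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3"
"""


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned text
    kind: str       # "aws_access_key_id" or "aws_secret_access_key"
    redacted: str   # enough of the value to locate it, never the whole secret


def redact(value: str) -> str:
    """Keep the first and last four characters, mask everything between."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(text: str) -> List[Finding]:
    """Return one Finding per credential-shaped token, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def has_key_pair(findings: List[Finding]) -> bool:
    """True when both halves of a credential are present, the case that lets an
    attacker authenticate; a lone access key ID cannot sign a request by itself."""
    kinds = {f.kind for f in findings}
    return {"aws_access_key_id", "aws_secret_access_key"} <= kinds


def verify_key(access_key_id: str, secret_access_key: str, region: str = "us-east-1") -> dict:
    """Live check: ask STS which principal a key pair belongs to.

    This is the same call the diary's attacker made against the canary, so it
    is logged in the key owner's CloudTrail and fires a canary token alert.
    Needs boto3 and network access; not exercised by the offline scan above.
    """
    import boto3  # imported here so the scanner runs without boto3 installed

    sts = boto3.client(
        "sts",
        region_name=region,
        aws_access_key_id=access_key_id,
        aws_secret_access_key=secret_access_key,
    )
    identity = sts.get_caller_identity()
    return {"account": identity["Account"], "arn": identity["Arn"]}


if __name__ == "__main__":
    found = scan(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line}: {f.kind} {f.redacted}")
    if has_key_pair(found):
        print("complete key pair found: rotate it, then check CloudTrail for its use")
```

Wired into a pre-commit hook or a CI job, `scan()` over the staged diff catches the pattern the diary describes before the push; `has_key_pair()` is what distinguishes a finding that needs an immediate rotation from a stray access key ID in a log line.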

Why does this matter?

Hardcoding credentials happens more often than you might think. There are lots of new developers, and in my experience, secure coding practices are not taught to university students until the upper-level classes. Even then, experienced developers make mistakes, unintended files get committed, and code left in place for testing can sometimes make its way to production. There is a reason that entire companies exist to scan for these credentials.

Conclusion

If you are writing code, do your best not to hardcode credentials; someone will find them. The allure of free swag may distract you, but remediation is more time-consuming than doing it the right way in the first place. Implementing tools in your CI/CD pipeline to scan for these mistakes is a great preventative measure, but it is not perfect. Use IAM permissions in AWS to limit each API key to only the permissions it needs, and prefer short-lived credentials from IAM roles over long-lived access keys wherever the workload allows it.

[1] Canary Tokens: https://docs.canarytokens.org/guide/
[2] My script (Simple AWS API Key tester): https://github.com/npackt/Simple-AWS-API-Key-tester
[3] GitGuardian: https://www.gitguardian.com/
[4] TruffleHog: https://trufflesecurity.com/trufflehog
[5] More on AWS API keys: https://aws.amazon.com/what-is/api-key/
[6] SANS.edu BACS program: https://www.sans.edu/cyber-security-programs/bachelors-degree/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

MacOS Patches (and Safari, TVOS, VisionOS, WatchOS), (Fri, Mar 8th)

After patching iOS and iPadOS a few days ago, Apple patched the rest of its lineup today, most notably macOS. These updates include the two 0-days patched for iOS. Interestingly, we also see three vulnerabilities addressed specifically for VisionOS, Apple's latest operating system. One of the VisionOS vulnerabilities affects Personas, a feature only available in VisionOS.

NOTE: Apple amended its list of vulnerabilities for iOS/iPadOS. Many of the vulnerabilities below also affect iOS. The initial release only noted four different vulnerabilities.

Apple security bulletin URL: https://support.apple.com/en-us/HT201222

Safari 17.4 macOS Sonoma 14.4 macOS Ventura 13.6.5 macOS Monterey 12.7.4 watchOS 10.4 tvOS 17.4 visionOS 1.1
CVE-2024-23273 [moderate] Safari Private Browsing
This issue was addressed through improved state management.
Private Browsing tabs may be accessed without authentication
x x          
CVE-2024-23252 [moderate] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to a denial-of-service
x x          
CVE-2024-23254 [moderate] WebKit
The issue was addressed with improved UI handling.
A malicious website may exfiltrate audio data cross-origin
x x     x x x
CVE-2024-23263 [other] WebKit
A logic issue was addressed with improved validation.
Processing maliciously crafted web content may prevent Content Security Policy from being enforced
x x     x x x
CVE-2024-23280 [moderate] WebKit
An injection issue was addressed with improved validation.
A maliciously crafted webpage may be able to fingerprint the user
x x     x x  
CVE-2024-23284 [other] WebKit
A logic issue was addressed with improved state management.
Processing maliciously crafted web content may prevent Content Security Policy from being enforced
x x     x x x
CVE-2024-23291 [moderate] Accessibility
A privacy issue was addressed with improved private data redaction for log entries.
A malicious app may be able to observe user data in log entries related to accessibility notifications
  x     x x  
CVE-2024-23276 [moderate] Admin Framework
A logic issue was addressed with improved checks.
An app may be able to elevate privileges
  x x x      
CVE-2024-23227 [important] Airport
This issue was addressed with improved redaction of sensitive information.
An app may be able to read sensitive location information
  x x x      
CVE-2024-23233 [moderate] AppleMobileFileIntegrity
This issue was addressed with improved checks.
Entitlements and privacy permissions granted to this app may be used by a malicious app
  x          
CVE-2024-23269 [important] AppleMobileFileIntegrity
A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
An app may be able to modify protected parts of the file system
  x x x      
CVE-2024-23288 [moderate] AppleMobileFileIntegrity
This issue was addressed by removing the vulnerable code.
An app may be able to elevate privileges
  x     x x  
CVE-2024-23277 [moderate] Bluetooth
The issue was addressed with improved checks.
An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard
  x          
CVE-2024-23247 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to unexpected app termination or arbitrary code execution
  x x x      
CVE-2024-23248 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x          
CVE-2024-23249 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x          
CVE-2024-23250 [moderate] CoreBluetooth – LE
An access issue was addressed with improved access restrictions.
An app may be able to access Bluetooth-connected microphones without user permission
  x     x x  
CVE-2024-23244 [moderate] Dock
A logic issue was addressed with improved restrictions.
An app from a standard user account may be able to escalate privilege after admin user login
  x x x      
CVE-2024-23205 [moderate] ExtensionKit
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access sensitive user data
  x          
CVE-2022-48554 [moderate] file
This issue was addressed with improved checks.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x     x x  
CVE-2024-23253 [moderate] Image Capture
A permissions issue was addressed with additional restrictions.
An app may be able to access a user's Photos Library
  x          
CVE-2024-23270 [important] Image Processing
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
  x x x   x  
CVE-2024-23257 [important] ImageIO
The issue was addressed with improved memory handling.
Processing an image may result in disclosure of process memory
  x x x     x
CVE-2024-23258 [critical] ImageIO
An out-of-bounds read was addressed with improved input validation.
Processing an image may lead to arbitrary code execution
  x         x
CVE-2024-23286 [critical] ImageIO
A buffer overflow issue was addressed with improved memory handling.
Processing an image may lead to arbitrary code execution
  x x x x x x
CVE-2024-23234 [important] Intel Graphics Driver
An out-of-bounds write issue was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges
  x x x      
CVE-2024-23266 [important] Kerberos v5 PAM module
The issue was addressed with improved checks.
An app may be able to modify protected parts of the file system
  x x x      
CVE-2024-23235 [important] Kernel
A race condition was addressed with additional validation.
An app may be able to access user-sensitive data
  x     x x x
CVE-2024-23265 [important] Kernel
A memory corruption vulnerability was addressed with improved locking.
An app may be able to cause unexpected system termination or write kernel memory
  x x x x x x
CVE-2024-23225 [moderate] *** EXPLOITED *** Kernel
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
  x x x x x x
CVE-2024-23278 [important] libxpc
The issue was addressed with improved checks.
An app may be able to break out of its sandbox
  x     x x  
CVE-2024-0258 [moderate] libxpc
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
  x     x x  
CVE-2024-23279 [important] MediaRemote
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x          
CVE-2024-23287 [important] Messages
A privacy issue was addressed with improved handling of temporary files.
An app may be able to access user-sensitive data
  x     x    
CVE-2024-23264 [important] Metal
A validation issue was addressed with improved input sanitization.
An application may be able to read restricted memory
  x x x   x x
CVE-2024-23285 [moderate] Music
This issue was addressed with improved handling of symlinks.
An app may be able to create symlinks to protected regions of the disk
  x          
CVE-2024-23283 [important] Notes
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x x x      
CVE-2023-48795 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2023-51384 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2023-51385 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2022-42816 [important] PackageKit
A logic issue was addressed with improved state management.
An app may be able to modify protected parts of the file system
  x          
CVE-2024-23216 [moderate] PackageKit
A path handling issue was addressed with improved validation.
An app may be able to overwrite arbitrary files
  x x x      
CVE-2024-23267 [moderate] PackageKit
The issue was addressed with improved checks.
An app may be able to bypass certain Privacy preferences
  x x x      
CVE-2024-23268 [moderate] PackageKit
An injection issue was addressed with improved input validation.
An app may be able to elevate privileges
  x x x      
CVE-2024-23274 [moderate] PackageKit
An injection issue was addressed with improved input validation.
An app may be able to elevate privileges
  x x x      
CVE-2023-42853 [important] PackageKit
A logic issue was addressed with improved checks.
An app may be able to access user-sensitive data
  x          
CVE-2024-23275 [moderate] PackageKit
A race condition was addressed with additional validation.
An app may be able to access protected user data
  x x x      
CVE-2024-23255 [moderate] Photos
An authentication issue was addressed with improved state management.
Photos in the Hidden Photos Album may be viewed without authentication
  x          
CVE-2024-23294 [moderate] QuartzCore
This issue was addressed by removing the vulnerable code.
Processing malicious input may lead to code execution
  x          
CVE-2024-23296 [moderate] *** EXPLOITED *** RTKit
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
  x     x x x
CVE-2024-23259 [moderate] Safari
The issue was addressed with improved checks.
Processing web content may lead to a denial-of-service
  x          
CVE-2024-23238 [moderate] Sandbox
An access issue was addressed with improved access restrictions.
An app may be able to edit NVRAM variables
  x          
CVE-2024-23239 [important] Sandbox
A race condition was addressed with improved state handling.
An app may be able to leak sensitive user information
  x     x x  
CVE-2024-23290 [important] Sandbox
A logic issue was addressed with improved restrictions.
An app may be able to access user-sensitive data
  x     x x  
CVE-2024-23232 [moderate] Screen Capture
A privacy issue was addressed with improved handling of temporary files.
An app may be able to capture a user's screen
  x          
CVE-2024-23231 [important] Share Sheet
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x     x    
CVE-2024-23230 [moderate] SharedFileList
This issue was addressed with improved file handling.
An app may be able to access sensitive user data
  x x x      
CVE-2024-23245 [moderate] Shortcuts
This issue was addressed by adding an additional prompt for user consent.
Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent
  x x x      
CVE-2024-23292 [moderate] Shortcuts
This issue was addressed with improved data protection.
An app may be able to access information about a user's contacts
  x          
CVE-2024-23289 [moderate] Siri
A lock screen issue was addressed with improved state management.
A person with physical access to a device may be able to use Siri to access private calendar information
  x     x    
CVE-2024-23293 [moderate] Siri
This issue was addressed through improved state management.
An attacker with physical access may be able to use Siri to access sensitive user data
  x     x x  
CVE-2024-23241 [important] Spotlight
This issue was addressed through improved state management.
An app may be able to leak sensitive user information
  x       x  
CVE-2024-23272 [moderate] Storage Services
A logic issue was addressed with improved checks.
A user may gain access to protected parts of the file system
  x x x      
CVE-2024-23242 [moderate] Synapse
A privacy issue was addressed by not logging contents of text fields.
An app may be able to view Mail data
  x          
CVE-2024-23281 [moderate] System Settings
This issue was addressed with improved state management.
An app may be able to access sensitive user data
  x          
CVE-2024-23260 [important] TV App
This issue was addressed by removing additional entitlements.
An app may be able to access user-sensitive data
  x          
CVE-2024-23246 [important] UIKit
This issue was addressed by removing the vulnerable code.
An app may be able to break out of its sandbox
  x     x x x
CVE-2024-23226 [critical] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to arbitrary code execution
  x     x x x
CVE-2024-23218 [moderate] CoreCrypto
A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions.
An attacker may be able to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key
    x x      
CVE-2024-23201 [important] libxpc
A permissions issue was addressed with additional restrictions.
An app may be able to cause a denial-of-service
    x x      
CVE-2023-28826 [moderate] MediaRemote
This issue was addressed with improved redaction of sensitive information.
An app may be able to access sensitive user data
    x x      
CVE-2024-23204 [moderate] Shortcuts
The issue was addressed with additional permissions checks.
A shortcut may be able to use sensitive data with certain actions without prompting the user
    x x      
CVE-2024-23297 [moderate] MediaRemote
The issue was addressed with improved checks.
A malicious application may be able to access private information
        x x  
CVE-2024-23262 [moderate] Accessibility
This issue was addressed with additional entitlement checks.
An app may be able to spoof system notifications and UI
            x
CVE-2024-23295 [moderate] Persona
A permissions issue was addressed to help ensure Personas are always protected.
An unauthenticated user may be able to use an unprotected Persona
            x
CVE-2024-23220 [moderate] Safari
The issue was addressed with improved handling of caches.
An app may be able to fingerprint the user
            x


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Amazon RDS now supports io2 Block Express volumes for mission-critical database workloads


Today, I am pleased to announce the availability of Provisioned IOPS (PIOPS) io2 Block Express storage volumes for all database engines in Amazon Relational Database Service (Amazon RDS). Amazon RDS provides you the flexibility to choose between different storage types depending on the performance requirements of your database workload. io2 Block Express volumes are designed for critical database workloads that require high performance and high throughput at low latency.

Lower latency and higher availability for I/O intensive workloads
With io2 Block Express volumes, your database workloads benefit from consistent sub-millisecond latency, durability raised to 99.999 percent (up from io1 volumes), and up to 20x more IOPS per unit of provisioned storage (up to 1,000 IOPS per GB) at the same price as io1. You can upgrade from io1 volumes to io2 Block Express volumes without any downtime, significantly improving the performance and reliability of your applications without increasing storage cost.

“We migrated all of our primary Amazon RDS instances to io2 Block Express within 2 weeks,” said Samir Goel, Director of Engineering at Figma, a leading platform for teams that design and build digital products. “Io2 Block Express has had a profound impact on the availability of the database layer at Figma. We have deeply appreciated the consistency of performance with io2 Block Express — in our observations, the latency variability has been under 0.1ms.”

io2 Block Express volumes support up to 64 TiB of storage, up to 256,000 Provisioned IOPS, and a maximum throughput of 4,000 MiB/s. The throughput of io2 Block Express volumes varies based on the amount of provisioned IOPS and volume storage size. Here is the range for each database engine and storage size:

Database engine                     | Storage size               | Provisioned IOPS   | Maximum throughput
Db2, MariaDB, MySQL, and PostgreSQL | Between 100 and 65,536 GiB | 1,000–256,000 IOPS | 4,000 MiB/s
Oracle                              | Between 100 and 199 GiB    | 1,000–199,000 IOPS | 4,000 MiB/s
Oracle                              | Between 200 and 65,536 GiB | 1,000–256,000 IOPS | 4,000 MiB/s
SQL Server                          | Between 20 and 16,384 GiB  | 1,000–64,000 IOPS  | 4,000 MiB/s

Getting started with io2 Block Express in Amazon RDS
You can use the Amazon RDS console to create a new RDS instance configured with an io2 Block Express volume or modify an existing instance with io1, gp2, or gp3 volumes.

Here’s how you would create an Amazon RDS for PostgreSQL instance with an io2 Block Express volume.

Start with the basic information such as engine and version. Then, choose Provisioned IOPS SSD (io2) from the Storage type options:

Use the following AWS CLI command to create a new RDS instance with an io2 Block Express volume:

aws rds create-db-instance --storage-type io2 --db-instance-identifier new-db-instance --db-instance-class db.t4g.large --engine mysql --master-username masteruser --master-user-password <enter password> --allocated-storage 400 --iops 3000

Similarly, to modify an existing RDS instance to use an io2 Block Express volume:

aws rds modify-db-instance --db-instance-identifier existing-db-instance --storage-type io2 --allocated-storage 500 --iops 3000 --apply-immediately

Things to know

  • io2 Block Express volumes are available on all RDS databases using AWS Nitro System instances.
  • io2 Block Express volumes support an IOPS to allocated storage ratio of 1000:1. As an example, with an RDS for PostgreSQL instance, the maximum IOPS can be provisioned with volumes of 256 GiB and larger (1,000 IOPS × 256 GiB = 256,000 IOPS).
  • For DB instances not based on the AWS Nitro System, the ratio of IOPS to allocated storage is 500:1. In this case, the maximum IOPS can be achieved with a 512 GiB volume (500 IOPS × 512 GiB = 256,000 IOPS).
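The ratio and engine limits above decide whether a create or modify call will be accepted, so it is worth checking a requested IOPS value before the CLI call rather than discovering the rejection in the API response. The following pre-flight check is an added example and is not code from the AWS post or from the RDS CLI; it encodes the engine table and the 1000:1 (Nitro) / 500:1 (non-Nitro) ratios from this post, and the function names and short engine labels (postgres, sqlserver, and so on) are this example's own choices.

```shell
# Pre-flight validation of io2 Block Express IOPS requests (added example, not AWS code).
# Engine limits and the 1000:1 / 500:1 ratios are taken from the post; the short engine
# labels and function names below are assumptions made for this example.

# Print "<engine IOPS ceiling> <min GiB> <max GiB>" for an engine at a given volume size.
# Usage: rds_io2_engine_limits <engine> <storage_gib>
rds_io2_engine_limits() {
    engine=$1; gib=$2
    case "$engine" in
        db2|mariadb|mysql|postgres) echo "256000 100 65536" ;;
        oracle)
            # Oracle has two rows in the table: below 200 GiB the ceiling is 199,000 IOPS.
            if [ "$gib" -le 199 ]; then echo "199000 100 199"; else echo "256000 200 65536"; fi ;;
        sqlserver) echo "64000 20 16384" ;;
        *) echo "unknown engine: $engine" >&2; return 1 ;;
    esac
}

# Largest IOPS value RDS will accept for engine/size/instance family.
# Usage: rds_io2_max_iops <engine> <storage_gib> [nitro|non-nitro]   (default: nitro)
rds_io2_max_iops() {
    engine=$1; gib=$2; family=${3:-nitro}
    limits=$(rds_io2_engine_limits "$engine" "$gib") || return 1
    set -- $limits
    cap=$1; min_gib=$2; max_gib=$3
    if [ "$gib" -lt "$min_gib" ] || [ "$gib" -gt "$max_gib" ]; then
        echo "storage $gib GiB is outside $min_gib-$max_gib GiB for $engine" >&2
        return 1
    fi
    case "$family" in
        nitro) ratio=1000 ;;       # AWS Nitro System instances: 1000:1
        non-nitro) ratio=500 ;;    # other instance classes: 500:1
        *) echo "unknown instance family: $family" >&2; return 1 ;;
    esac
    by_ratio=$((gib * ratio))
    # The binding limit is whichever is smaller: the ratio or the engine ceiling.
    if [ "$by_ratio" -lt "$cap" ]; then echo "$by_ratio"; else echo "$cap"; fi
}

# Return 0 when the requested IOPS is within the limits, 1 (with a reason on stderr) otherwise.
# Usage: rds_io2_check <engine> <storage_gib> <iops> [nitro|non-nitro]
rds_io2_check() {
    engine=$1; gib=$2; iops=$3; family=${4:-nitro}
    max=$(rds_io2_max_iops "$engine" "$gib" "$family") || return 1
    if [ "$iops" -lt 1000 ]; then
        echo "io2 requires at least 1,000 provisioned IOPS (requested $iops)" >&2
        return 1
    fi
    if [ "$iops" -gt "$max" ]; then
        echo "requested $iops IOPS exceeds the $max IOPS allowed for $gib GiB $engine ($family)" >&2
        return 1
    fi
    return 0
}

# Gate the modify call from the post on the check; the aws CLI only runs if it passes
# (needs credentials and network, so it is not exercised offline).
# Example: rds_io2_modify existing-db-instance postgres 500 3000
rds_io2_modify() {
    instance=$1; engine=$2; gib=$3; iops=$4; family=${5:-nitro}
    rds_io2_check "$engine" "$gib" "$iops" "$family" || return 1
    aws rds modify-db-instance --db-instance-identifier "$instance" \
        --storage-type io2 --allocated-storage "$gib" --iops "$iops" --apply-immediately
}
```

Running `rds_io2_max_iops postgres 256` prints 256000 and `rds_io2_max_iops sqlserver 100` prints 64000, since SQL Server's 64,000 IOPS ceiling binds before the 1000:1 ratio does; pass `non-nitro` as the third argument for instance classes outside the Nitro System, where 512 GiB is needed to reach 256,000 IOPS.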

Available now
Amazon RDS io2 Block Express storage volumes are supported for all RDS database engines and are available in US East (Ohio, N. Virginia), US West (N. California, Oregon), Asia Pacific (Hong Kong, Mumbai, Osaka, Seoul, Singapore, Sydney, Tokyo), Canada (Central), Europe (Frankfurt, Ireland, London, Stockholm), and Middle East (Bahrain) Regions.

In terms of pricing and billing, io1 volumes and io2 Block Express storage volumes are billed at the same rate. For more information, see the Amazon RDS pricing page.

Learn more by reading about Provisioned IOPS SSD storage in the Amazon RDS User Guide.

Abhishek