CYBERSECURITY NEWS V. September – 15-year-old Python vulnerability, Apple patches, TikTok vulnerability on Android


Apple patches holes in iOS and iPadOS

Apple urgently fixed two zero-day vulnerabilities in the iOS and iPadOS kernel and browser engine that allowed arbitrary code to run on the target device. Both are zero-days in the sense that the vendor learned of them only after active exploitation had begun, and attackers are known to be exploiting them already.

Vulnerability CVE-2022-32893 was present in the WebKit component (browser engine) and allowed arbitrary code to run when processing specially crafted web content. In other words, the victim had to be lured to a specially created website.

The second vulnerability, CVE-2022-32894, was found in the kernel of Apple's operating systems and also allowed arbitrary code to run on the system. Exploiting it required creating a malicious application and getting the victim to install it on their device. Probably, the idea was to attack smartphones that had already been jailbroken, which opens up the possibility of installing applications from sources other than the App Store.

15-year-old Python vulnerability affects 350,000 projects

A vulnerability in the Python tarfile module, identified in 2007 as CVE-2007-4559, turns out to affect more than 350,000 open source projects today. The flaw lies in the extract and extractall functions of the tarfile module and allows a path traversal attack: by adding the sequence '..' to filenames in a tar archive, an attacker can overwrite arbitrary files.

Simply put, an attacker could exploit the vulnerability by supplying a tarball crafted so that extraction moves out of the directory where the files are meant to be extracted, and then execute arbitrary code and take control of the victim's device.
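A defensive extraction wrapper for the tarfile issue described above, added here as an example (not code from the original article or from CPython). The names safe_extractall, build_archive and try_extract are hypothetical, and the policy is deliberately stricter than the bug requires: it refuses links and special files as well as absolute or '..' paths.

```python
import io
import os
import tarfile
import tempfile


class UnsafeMember(Exception):
    """An archive entry that must not be extracted."""


def safe_extractall(tar, dest):
    """Check every member before writing anything; refuse the whole archive on a violation."""
    base = os.path.realpath(dest)
    for m in tar.getmembers():
        if os.path.isabs(m.name) or ".." in m.name.replace("\\", "/").split("/"):
            raise UnsafeMember(f"path traversal in name: {m.name!r}")
        # Also catches a destination that already contains symlinks pointing elsewhere.
        target = os.path.realpath(os.path.join(base, m.name))
        if os.path.commonpath([base, target]) != base:
            raise UnsafeMember(f"resolves outside destination: {m.name!r}")
        if not (m.isfile() or m.isdir()):
            raise UnsafeMember(f"link or special file refused: {m.name!r}")
    # Python builds with extraction filters (3.12+ and security backports) also get "data".
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(base, **extra)


def build_archive(names):
    """Constructed sample input: an in-memory tar holding one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"demo\n"))
    return io.BytesIO(buf.getvalue())


def try_extract(names):
    """Return (accepted, entries in destination, entries in its parent directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        try:
            with tarfile.open(fileobj=build_archive(names)) as tar:
                safe_extractall(tar, dest)
            accepted = True
        except UnsafeMember:
            accepted = False
        return accepted, sorted(os.listdir(dest)), sorted(os.listdir(tmp))
```

Because all members are validated before extraction starts, an archive with one bad entry leaves nothing on disk, including its harmless entries.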

Microsoft fixes 63 vulnerabilities as part of September Patch Tuesday

Of the 63 vulnerabilities, five are rated critical: they allow remote code execution. By category, the vulnerabilities break down as follows:

18 elevation of privilege vulnerabilities

1 security feature bypass vulnerability

30 remote code execution vulnerabilities

7 bugs that allow disclosure of information

7 DoS problems

16 vulnerabilities in the Chromium version of the Microsoft Edge browser

In addition, two zero-day vulnerabilities were fixed, one of which is actively exploited in the wild: CVE-2022-37969, which allows an attacker to obtain the highest privileges. It stands on its own and is not used as part of a chain of attacks.

The other 0-day is being tracked as CVE-2022-23960 and bypasses existing hardware speculative execution protections in modern Intel, AMD, and Arm computer processors.

Google has released an emergency patch for a dangerous vulnerability in the Chrome browser

On September 2, 2022, Google released an emergency security update for the Chrome browser. The update fixes a high-risk vulnerability (CVE-2022-3075) that is exploited in real attacks. The vulnerability is related to "Insufficient Data Validation" in Mojo, a collection of libraries used by the Chromium engine. Other details were not disclosed for security reasons.

Chrome users need to restart the browser for the automatic update to version 105.0.5195.102 to take effect.

TikTok vulnerability on Android could give access to user accounts

The exploit required chaining several vulnerabilities, all of which have already been fixed. There is no evidence of its use in practice. Potentially, hackers could gain access to other people's accounts without their owners noticing.

The vulnerabilities allowed bypassing the application's deep link check by forcing an arbitrary URL to be loaded into the application's web view. This allowed access to connected JavaScript bridges.

Vulnerability in browsers allows websites to overwrite clipboard content

Google Chrome 104 contains a bug that allows websites to write data to the clipboard without the user's permission. The problem is not limited to Google's browser: the bug also affects Safari and Firefox. Google developers acknowledged the flaw, but a fix has not yet been prepared. The bug is present in both the desktop and the mobile version of the browser.

Such a vulnerability could cause a malicious site to get from one site to another. This can lead to the theft of personal information and similar unpleasant consequences. Another vulnerability gives attackers the opportunity to replace copied cryptocurrency wallet addresses with the addresses of other wallets, which leads to loss of money. If you do not notice the substitution and send the cryptocurrency to the wrong address, it is usually impossible to reverse the transfer.
