Feb 23, 2024NewsroomData Privacy / iOS Security

Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent.

The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with “additional permissions checks.”

Apple Shortcuts is a scripting application that allows users to create personalized workflows (aka macros) for executing specific tasks on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems.

Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reporting the Shortcuts bug, said it could be weaponized to create a malicious shortcut such that it can bypass Transparency, Consent, and Control (TCC) policies.

TCC is an Apple security framework that’s designed to protect user data from unauthorized access without requesting appropriate permissions in the first place.

Specifically, the flaw is rooted in a shortcut action called “Expand URL,” which is capable of expanding and cleaning up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.

“By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website,” Alnazi Jabin explained.

“The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”

The exfiltrated data is then captured and saved as an image on the attacker’s end using a Flask application, paving the way for follow-on exploitation.

“Shortcuts can be exported and shared among users, a common practice in the Shortcuts community,” the researcher said. “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”

Dec 18, 2023NewsroomEmail Security / Vulnerability

Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction.

“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.

The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –

• CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
• CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT28 (aka Forest Blizzard) has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.

It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of May 2023 security updates.

“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.

CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function that could be exploited by sending an email containing a malicious file or a URL to an Outlook client.

“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.

In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to a zero-click code execution on the victim machine.

CVE-2023-36710 impacts the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that’s used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.

“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”

To mitigate the risks, it’s recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it also advised to either disable NTLM, or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.