Category Archives: Potential Risk of CVE

Are the protection controls of Windows 11 22H2 ready for different countries’ cyber laws and cyber security protection mechanisms? (5th Oct 2022)

Preface: By integrating the chip inside future Intel, AMD and Qualcomm central processor units, or CPUs, it makes it far more difficult for hackers with physical access to a computer to launch hardware attacks and extract sensitive data, Microsoft said.
Pluton Security Processor can emulate TPM using APIs, making the integration seamless, thus basically removing the need for TPM. So, for example, encryption keys, user profiles, users’ identities, credentials, etc., can all be secured by Pluton now.

Background: UEFI and BIOS are two different types of motherboard firmware. UEFI replaces the traditional BIOS on PCs. There’s no way to switch from BIOS to UEFI on an existing PC. You need to buy new hardware that supports and includes UEFI, as most new computers do.
Windows 11 22H2 adds the following security features:

  • Pluton Security Processor employs cloud-to-chip technology where Microsoft will have the ability to update the chip.
  • When you try to run an app on Windows, Smart App Control will check to see if our intelligent cloud-powered security service can make a confident prediction about its safety.

Reminder: Disable BitLocker protection before starting the conversion process. With BitLocker protection turned on, Windows cannot convert your drive from Legacy BIOS to UEFI.

  1. Press Win + X.
  2. Go to “Shut down or sign out” and click on the “Restart” button while holding the Shift key.
  3. Go to “Troubleshoot -> Advanced Options” and select the option “Command Prompt.”
  4. Type command: mbr2gpt /validate and press Enter
    If you see the “Validation completed successfully” message, proceed to the next step.
  5. After validating the disk, execute the command: mbr2gpt /convert
  6. Restart your system, launch your motherboard firmware settings screen and change it from legacy BIOS to UEFI.
    Example: Hot keys to access the motherboard firmware.
  • Dell: F2 or F12.
  • HP: ESC or F10.
  • Acer: F2 or Delete.
  • ASUS: F2 or Delete.
  • Lenovo: F1 or F2.
  • MSI: Delete.
  • Toshiba: F2.
  • Samsung: F2.
  • Surface: Press and hold volume up button.

  7. After booting into Windows, the conversion is complete.

About the title – Are the protection controls of Windows 11 22H2 ready for different countries’ cyber laws and cyber security protection mechanisms?

Compared with that hot topic, businesses face privacy laws in every global region. The situation is bigger for cybersecurity service providers than for enterprise companies, since cybersecurity vendors track millions of IoT devices and/or a huge number of computers. In fact, it is equal to one million nodes, and they are located in different areas. As a result, technological gaps are encountered between the cyber laws or data protection regulations of different countries.
Therefore, traditional cloud region distribution may not be effective for classifying data, so this has to rely on an AI architecture. According to technical details provided by Microsoft, the overall operation will be handled by AI mechanisms running on top of its cloud architecture.
Some people, including me, worry that AI will manipulate the world. With the digital age approaching, the use of artificial intelligence technology is inevitable. Maybe this is the reality.

About CVE-2022-41849 : smscufx driver – Fix use-after-free in ufx_ops_open() (2nd Oct 2022)

Preface: Do I need to install drivers in Linux? That’s the vision of Linux — the drivers are open-source and integrated into the kernel and other pieces of software. You don’t have to install them or tweak them — the system automatically detects your hardware and uses the appropriate drivers. If you’ve installed Linux, your hardware should just work.

Background: smscufx[.]c is the framebuffer driver for the SMSC UFX USB controller. This driver has been present in the kernel for a long time.
A lot of USB display output adapters use DisplayLink chipsets. There are Linux drivers for older USB2 chipsets but no support for USB3 chipsets; SMSC-based adapters are less common, or are not explicitly marked as using an SMSC chipset.
To configure 16-bit mode, locate DEFAULT_BPP in smscufx[.]h and set it to 2, and use xorg[.]conf[.]16bit as your xorg[.]conf file; your start-up screen will be green. To configure 32-bit mode, set DEFAULT_BPP in smscufx[.]h to 4 and use xorg[.]conf[.]32bit as your xorg[.]conf file; your start-up screen will be white.

Vulnerability details: The smscufx[.]c driver in the Linux kernel has a race condition and a resultant use-after-free design weakness: if a physically proximate attacker removes the USB device while open() is being called, a race between ufx_ops_open and ufx_usb_disconnect occurs.
Use-after-free refers to an attempt to access memory after it has been freed, which can cause a program to crash or, when the flaw is exploitable, can potentially result in the execution of arbitrary code or even full remote code execution.
However, this design weakness requires a local physical action to trigger the vulnerability, so the risk rating may be stepped down since it becomes a local attack. There is one unknown: the Gembird USB3-to-HDMI adapter is SMSC based and, with the attached X.org drivers, it works on Ubuntu 10.04 LTS. Whether it is impacted by this design weakness is unconfirmed at the moment.

Remedy: Add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions to avoid the race condition on the krefs.

Official announcement – Please refer to the link for details – https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/

About CVE-2022-41828: AWS Redshift JDBC Driver, a secure class loading and verification mechanism is required. (29-09-2022)

Preface: This design weakness was fixed in early June 2022. As we know, there is no mandatory policy on the vendor side about when vulnerability details should be disclosed; it all depends on the vendor's analysis and judgement. So, as users, the only action we can take is patching.

Background: By default, Redshift stores data in a raw, uncompressed format, and you can choose whether to compress data. Each column within a table can use a different type of compression. It is possible to let Redshift automatically select encoding for column compression, or select it manually when creating a table.

Data Warehousing and Analytics Using Amazon Redshift
To access a Redshift data store using the Amazon Redshift JDBC Driver, you need to configure the following:

  • Referencing JDBC Driver Libraries
  • Registering the Driver Class
  • The connection URL for the driver

Vulnerability details: In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.

Remedy: upgrade to 2.1.0.8

Official detail: Please refer to the link for details – https://github.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5

Casual style mining CVE-2022-22074 details (28th Sep 2022)

Foreword: A vulnerability published a few months ago (CVE-2022-22071) intrigued me because of a design flaw in Snapdragon's memory management, so I have written down the information I gathered on the subject.
CVE-2022-22071 – Possible use after free when process shell memory is freed using IOCTL munmap call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music. Perhaps there is no proof of concept showing how to exploit this flaw. As an Android lover, it allowed me to learn and gain understanding.

Background: In Snapdragon SoCs, three components are used to provide access control: Virtual Master ID Mapping Table (VMIDMT), External Protection Unit (XPU), and System Memory Management Unit (SMMU). The SMMU is a hardware component that performs address translation and access control for bus initiators outside of the CPU. An SMMU can perform two stages of address translation.

  1. Stage 1, usually controlled by the CPU OS, maps the virtual addresses visible to applications and the OS kernel to intermediate physical addresses visible to a virtual machine.
  2. Stage 2 maps intermediate physical addresses to physical addresses.

Vulnerability details: Memory Corruption during wma file playback due to integer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
See the diagram for details on my research on such vulnerabilities.

Official announcement: See the link for details – https://www.qualcomm.com/company/product-security/bulletins/september-2022-bulletin

About CVE-2022-22058 – Memory corruption due to processing ION handles (Qualcomm Snapdragon products) 26th Sep 2022

Preface: The vmalloc() function works in a similar fashion to kmalloc(), except it allocates memory that is only virtually contiguous and not necessarily physically contiguous.

Background: In the kernel, ION supports multiple clients, one for each driver that uses the ION functionality. A kernel driver calls the following function to obtain an ION client handle:

struct ion_client *ion_client_create(struct ion_device *dev, unsigned int heap_mask, const char *debug_name)

ION usage on Snapdragon is slightly different from the standard Linux implementation.

Heaps are listed in the order they will be allocated. Do not swap the order unless you know what you are doing, said Qualcomm.

Vulnerability details: Memory corruption due to use after free issue in kernel while processing ION handles in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.

Reference:

  • A use-after-free vulnerability is an issue related to incorrect use of dynamic memory during program operation, according to MITRE.
  • “Heap” memory, also known as “dynamic” memory, is an alternative to local stack memory. Local memory is quite automatic. Local variables are allocated automatically when a function is called, and they are deallocated automatically when the function exits.

Remedy: Waiting for the vendor to provide a solution.

CVE-2022-41340 – A security issue in ECDSA verify (25th Sep 2022)

Preface: The term vanilla script is used to refer to the pure JavaScript (or we can say plain JavaScript) without any type of additional library.

Background: Pure JS implementation of secp256k1 signing, verification, recovery ECDSA. The code works as-is both in browsers and NodeJS, without the need of a bundler. See this link for details – https://github.com/lionello/secp256k1-js

Vulnerability details: The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery. See this link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-41340

Ref: Signature forgery – a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret.

Design defect: The ecverify function does not check for sig[.]r = sig[.]s = 0, which means an attacker can construct a malicious signature (0, 0) that passes arbitrary checks.
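The missing check is the range test that standard ECDSA verification (SEC1 / FIPS 186-4) requires before any curve arithmetic: both r and s must lie in [1, n-1], where n is the secp256k1 group order. The following is an added example written for this post, not code from secp256k1-js or its fix; it validates r and s as 32-byte big-endian scalars against the published order n, and the function and helper names (ecdsa_scalar_in_range, ecdsa_sig_params_ok, scalar_from_u32) are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* secp256k1 group order n (published curve parameter), big-endian. */
static const uint8_t SECP256K1_N[32] = {
    0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFE,
    0xBA,0xAE,0xDC,0xE6, 0xAF,0x48,0xA0,0x3B, 0xBF,0xD2,0x5E,0x8C, 0xD0,0x36,0x41,0x41
};

/* 1 if 1 <= x < n, the range SEC1 requires for both r and s before any
 * verification arithmetic runs. r and s are public values, so an
 * early-exit comparison leaks nothing that matters. */
int ecdsa_scalar_in_range(const uint8_t x[32])
{
    int nonzero = 0;
    int cmp = 0;                       /* first differing byte decides x vs n */
    for (size_t i = 0; i < 32; i++) {
        if (x[i] != 0)
            nonzero = 1;
        if (cmp == 0 && x[i] != SECP256K1_N[i])
            cmp = (x[i] < SECP256K1_N[i]) ? -1 : 1;
    }
    return nonzero && cmp < 0;
}

/* The check the vulnerable ecverify lacked: refuse (r, s) unless both are in
 * range. A verifier does the curve math only after this returns 1. */
int ecdsa_sig_params_ok(const uint8_t r[32], const uint8_t s[32])
{
    return ecdsa_scalar_in_range(r) && ecdsa_scalar_in_range(s);
}

/* Helper: write a small integer as a 32-byte big-endian scalar. */
void scalar_from_u32(uint8_t out[32], uint32_t v)
{
    memset(out, 0, 32);
    out[28] = (uint8_t)(v >> 24);
    out[29] = (uint8_t)(v >> 16);
    out[30] = (uint8_t)(v >> 8);
    out[31] = (uint8_t)v;
}

/* The forged signature described in the advisory: r = s = 0. Returns 1 if refused. */
int demo_zero_signature_refused(void)
{
    uint8_t r[32], s[32];
    scalar_from_u32(r, 0);
    scalar_from_u32(s, 0);
    return ecdsa_sig_params_ok(r, s) == 0;
}

/* Boundary cases: 1 and n-1 are accepted, n and 0 are not. Returns 1 if all hold. */
int demo_boundaries(void)
{
    uint8_t one[32], n_minus_1[32], zero[32];
    scalar_from_u32(one, 1);
    scalar_from_u32(zero, 0);
    memcpy(n_minus_1, SECP256K1_N, 32);
    n_minus_1[31] -= 1;                /* 0x41 -> 0x40, no borrow needed */
    return ecdsa_scalar_in_range(one)
        && ecdsa_scalar_in_range(n_minus_1)
        && !ecdsa_scalar_in_range(SECP256K1_N)
        && !ecdsa_scalar_in_range(zero);
}

int main(void)
{
    printf("(0,0) refused: %d\n", demo_zero_signature_refused());
    printf("boundaries ok: %d\n", demo_boundaries());
    return 0;
}
```

The point of doing the range test first is that the rest of ECDSA verification (inverting s, multiplying by r) silently produces meaningless but "consistent" values when r or s is 0 or a multiple of n, which is exactly how an all-zero signature can satisfy the final comparison in an implementation that skips the check.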

Remedy: Upgrading to version 1.1.0 resolves the issue.

Current possibility of exploitation: No technical details available. The vulnerability is less known than average, and there are no exploits available.

Observation: Can a hacker crack the private key from the public key? Well, the answer is always “No”, unless there is a weakness in the implementation.

CVE-2022-39224: arr-pm versions prior to 0.0.12 are subject to this vulnerability (22nd Sep 2022)

Preface: Companies like SlideShare, Airbnb, CrunchBase, Bloomberg, Dribble, Shopify, and GitHub have trusted Ruby on Rails and used the framework in their applications.

Background: Ruby is an open source, object-oriented language that was developed in the mid-90s. Since it is a scripting language, Ruby doesn't talk to the hardware directly; rather, it is written in a text file and parsed by an interpreter before it can be turned into executable code.
The arr-pm library allows you to read and write RPM packages. It is written in pure Ruby because librpm is not available on all systems.
This programming language is also used in automation, website deployment, and DevOps.

Vulnerability details: Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious “payload compressor” field. This vulnerability impacts the extract and files methods of the RPM::File class of this library.

Additional: The vulnerability may impact fpm only when using the flag -s rpm or --input-type rpm to convert a malicious rpm to another format. It does not impact creating rpms.
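The underlying pattern is a header field from an untrusted file being handed to a shell as part of a decompression command. The added example below is mine, not arr-pm's or fpm's code (which are Ruby); it shows the defensive shape in C: the “payload compressor” value is matched exactly against a fixed allowlist, mapped to a pre-built argv, and executed with fork()+execvp() so no shell ever parses it. The names decompressor_argv and run_decompressor, and the allowlist contents, are my own choices.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decompressors an RPM "payload compressor" header may legitimately name.
 * Each maps to a fixed argv; the header value itself never reaches a shell. */
struct decompressor {
    const char *name;
    const char *argv[3];
};

static const struct decompressor ALLOWED[] = {
    { "gzip",  { "gzip",  "-dc", NULL } },
    { "bzip2", { "bzip2", "-dc", NULL } },
    { "xz",    { "xz",    "-dc", NULL } },
    { "lzma",  { "lzma",  "-dc", NULL } },
    { "zstd",  { "zstd",  "-dc", NULL } },
};

/* Exact-match lookup of the untrusted field. Returns the argv to run, or NULL.
 * Anything that is not a bare allowlisted name (spaces, ';', '|', backticks,
 * "$(", an absolute path, and so on) fails the strcmp and is refused. */
const char *const *decompressor_argv(const char *field)
{
    if (field == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(ALLOWED[i].name, field) == 0)
            return ALLOWED[i].argv;
    return NULL;
}

/* Run the decompressor with stdin/stdout wired to the given descriptors,
 * via fork()+execvp() so no shell interprets anything. Returns the child's
 * exit status, -1 if the field is not allowlisted, -2 on fork/exec failure. */
int run_decompressor(const char *field, int in_fd, int out_fd)
{
    const char *const *argv = decompressor_argv(field);
    if (argv == NULL)
        return -1;                       /* refused before any process is spawned */
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        if (dup2(in_fd, STDIN_FILENO) < 0 || dup2(out_fd, STDOUT_FILENO) < 0)
            _exit(127);
        execvp(argv[0], (char *const *)argv);
        _exit(127);                      /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    /* Constructed header values: one legitimate, one carrying shell syntax. */
    const char *fields[] = { "xz", "gzip; echo injected" };
    for (size_t i = 0; i < 2; i++)
        printf("\"%s\" -> %s\n", fields[i],
               decompressor_argv(fields[i]) ? "allowed" : "refused");
    return 0;
}
```

The lookup deliberately accepts nothing but the literal tool name; a field that is merely "mostly" a known compressor is treated as hostile, and the argv passed to execvp() is a compile-time constant, so even an allowed name cannot smuggle in extra arguments.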

gem is a command provided by the Ruby packaging system called RubyGems. It allows you to install, and later upgrade, fpm.
So when you do the installation: gem install --no-ri --no-rdoc fpm
You can see the installation process fetching arr-pm-0.0.xx[.]gem

This is the problem that arises in this design weakness.

Solution: It is recommended to upgrade your arr-pm to 0.0.12.

09/02/2022 CVE reserved
09/22/2022 +20 days Advisory disclosed

About CVE-2022-41218 – The vendors sharing this technology should fix it immediately. Otherwise, you will have a headache! 21st Sep 2022.

Preface: In 2021, Linux has been one of the most popular software packages for client devices. According to Digital TV Europe, 800 million set-top boxes are powered by this platform worldwide.

Background: The LinuxTV project is an informal group of volunteers who develop software regarding digital television for Linux kernel-based operating systems. The community develops and maintains the Digital Video Broadcasting (DVB) driver subsystem, which has been part of the Linux kernel since version 2.6.x.

Vulnerability details: In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.

Ref: In the computing world, reference counting is a programming technique of storing the number of references, pointers, or handles to a resource, such as an object, a block of memory, disk space, and others.
Furthermore, in garbage collection management, reference counts may be used to deallocate objects that are no longer needed.

Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. A race condition causes the reference counter to be decremented prematurely, leading to the destruction of a still-active object and an invalid pointer dereference.
An invalid pointer dereference occurs when a pointer’s value is dereferenced even though the pointer doesn’t point to a valid block.

My observation:
Reference counting is a programming technique of storing the number of references, pointers, or handles to a resource. Furthermore, in garbage collection management, reference counts may be used to deallocate objects that are no longer needed. This vulnerability is a use-after-free caused by refcount races. Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to attack the program. The driver is located in ring 0 (kernel). If an attacker knows how to trigger this bug from user space, the risk will therefore be significantly higher.
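The three kernel issues above (the smscufx ufx_ops_open/ufx_usb_disconnect race, the ION handle use-after-free, and the dmxdev refcount race) share one shape: a device's last reference is dropped on one path while another path is still about to take a reference. The added example below is a user-space model I wrote for this post, not code from the kernel, the smscufx driver, dmxdev or the ION allocator; struct fake_dev and the dev_* functions are hypothetical. It shows the remedy the smscufx fix describes, a single lock serialising open() against disconnect(), so that an open() that arrives after the device is gone is refused instead of touching a released object.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Hypothetical device object; the kernel drivers hang a struct kref off
 * their private data instead of a plain counter. */
struct fake_dev {
    int refcount;       /* stands in for struct kref */
    int disconnected;   /* set once the USB device is unplugged */
    int freed;          /* demo-only: records that the release path ran */
};

/* Serialises open() against disconnect(); this is what the fixes add. */
static pthread_mutex_t disconnect_lock = PTHREAD_MUTEX_INITIALIZER;

/* Called with disconnect_lock held. Last reference gone => release. */
static void dev_put_locked(struct fake_dev *dev)
{
    if (--dev->refcount == 0)
        dev->freed = 1;     /* a real driver would kfree() here */
}

/* Models probe(): one reference owned by the USB core until disconnect. */
void dev_init(struct fake_dev *dev)
{
    dev->refcount = 1;
    dev->disconnected = 0;
    dev->freed = 0;
}

/* Models ufx_ops_open()/dvb_demux_open(): take a reference only if the
 * device is still present. Returns 0 or -ENODEV. Without the lock, the
 * flag check and the increment could interleave with disconnect(). */
int dev_open(struct fake_dev *dev)
{
    int ret = 0;
    pthread_mutex_lock(&disconnect_lock);
    if (dev->disconnected)
        ret = -ENODEV;
    else
        dev->refcount++;    /* kref_get() */
    pthread_mutex_unlock(&disconnect_lock);
    return ret;
}

/* Models release(): drop the reference taken in dev_open(). */
void dev_close(struct fake_dev *dev)
{
    pthread_mutex_lock(&disconnect_lock);
    dev_put_locked(dev);
    pthread_mutex_unlock(&disconnect_lock);
}

/* Models ufx_usb_disconnect(): mark the device gone and drop the probe-time
 * reference under the same lock, so no open() can slip in between. */
void dev_disconnect(struct fake_dev *dev)
{
    pthread_mutex_lock(&disconnect_lock);
    dev->disconnected = 1;
    dev_put_locked(dev);
    pthread_mutex_unlock(&disconnect_lock);
}

/* Scenario: open, then unplug, then close. Returns 1 if the object survived
 * until its last user released it and was freed exactly then. */
int scenario_open_then_unplug(void)
{
    struct fake_dev dev;
    dev_init(&dev);
    if (dev_open(&dev) != 0)
        return 0;
    dev_disconnect(&dev);          /* refcount 2 -> 1, not freed yet */
    if (dev.freed)
        return 0;
    dev_close(&dev);               /* refcount 1 -> 0, freed now */
    return dev.freed && dev.refcount == 0;
}

/* Scenario: unplug first, then a late open() must be refused rather than
 * resurrecting a released object. */
int scenario_unplug_then_open(void)
{
    struct fake_dev dev;
    dev_init(&dev);
    dev_disconnect(&dev);          /* refcount 1 -> 0, freed */
    return dev_open(&dev) == -ENODEV && dev.refcount == 0;
}

int main(void)
{
    printf("open-then-unplug ok: %d\n", scenario_open_then_unplug());
    printf("unplug-then-open ok: %d\n", scenario_unplug_then_open());
    return 0;
}
```

The model keeps the object's memory alive so the scenarios can inspect it; in the kernel the equivalent of the freed flag is a kfree(), and the second scenario is exactly the window in which the unfixed drivers performed a kref_get() on memory that had already gone back to the allocator.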

Solution and official details: Please refer to this link – https://nvd.nist.gov/vuln/detail/CVE-2022-41218

CVE-2022-32917, CVE-2022-32912 & CVE-2022-32788 – Bounds check design weakness requires improvement in iOS (affecting iOS 16 Beta 9 and previous versions). Apple claims it is fixed now. (20th Sep 2022)

Preface: Bounds checking is a compiler-based technique that adds run-time bounds information for each allocated block of memory and checks all pointers against it at run-time. For C and C++, bounds checking can be performed at pointer calculation time or at dereference time.

Background: The calloc() function allocates memory for an array of nmemb elements of size bytes each and returns a pointer to the allocated memory. The memory is set to zero. If nmemb or size is 0, then calloc() returns either NULL, or a unique pointer value that can later be successfully passed to free().
The difference between malloc and calloc is that calloc allocates the memory and initializes every byte in the allocated memory to 0. In contrast, malloc allocates a memory block of a given size and doesn’t initialize the allocated memory.
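The "improved bounds checks" in the Apple fixes above, and the integer overflow behind the Snapdragon wma playback issue (CVE-2022-22074) earlier on this page, are two halves of the same parser discipline: compute sizes in a way that cannot wrap, and refuse any index or length that exceeds what was actually allocated. The following added example is mine, not Apple's, Qualcomm's or any media library's code; it parses a constructed container format (a big-endian frame count followed by fixed-size frames, names frame_table_load and frame_table_get are hypothetical) and shows the wrapping arithmetic beside the checked version, relying on calloc() to re-check nmemb*size as the Background describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_SIZE 32u   /* hypothetical fixed record size */

/* Hypothetical container: a big-endian 32-bit frame count, then the frames. */
struct frame_table {
    uint32_t count;
    uint8_t *frames;   /* count * FRAME_SIZE bytes, or NULL */
};

/* The arithmetic an integer-overflow bug relies on: a 32-bit product wraps
 * silently, so a huge count yields a tiny (or zero) allocation while the
 * copy loop still trusts the original count. Shown for contrast only. */
uint32_t naive_byte_size(uint32_t count)
{
    return count * FRAME_SIZE;   /* 0x08000000 * 32 wraps to 0 */
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse with explicit checks: the size computation cannot wrap, the input must
 * really contain the declared bytes, and calloc() re-checks nmemb*size itself.
 * Returns 0 on success, -1 on any rejected input. */
int frame_table_load(struct frame_table *t, const uint8_t *data, size_t len)
{
    t->count = 0;
    t->frames = NULL;
    if (len < 4)
        return -1;                                  /* no header */
    uint32_t count = be32(data);
    if (count > SIZE_MAX / FRAME_SIZE)
        return -1;                                  /* would overflow size_t */
    size_t need = (size_t)count * FRAME_SIZE;
    if (need > len - 4)
        return -1;                                  /* declares more than present */
    if (count == 0)
        return 0;
    t->frames = calloc(count, FRAME_SIZE);          /* zeroed, overflow-checked */
    if (t->frames == NULL)
        return -1;
    memcpy(t->frames, data + 4, need);
    t->count = count;
    return 0;
}

/* Bounds-checked accessor: an index at or past count is refused instead of
 * reading whatever lies after the buffer. */
int frame_table_get(const struct frame_table *t, uint32_t idx, uint8_t out[FRAME_SIZE])
{
    if (idx >= t->count)
        return -1;
    memcpy(out, t->frames + (size_t)idx * FRAME_SIZE, FRAME_SIZE);
    return 0;
}

void frame_table_free(struct frame_table *t)
{
    free(t->frames);
    t->frames = NULL;
    t->count = 0;
}

/* Constructed input: two valid frames. Returns 1 if both parse and the
 * out-of-range index 2 is rejected. */
int scenario_valid_input(void)
{
    uint8_t buf[4 + 2 * FRAME_SIZE] = { 0, 0, 0, 2 };
    memset(buf + 4, 0xAB, FRAME_SIZE);
    memset(buf + 4 + FRAME_SIZE, 0xCD, FRAME_SIZE);
    struct frame_table t;
    uint8_t out[FRAME_SIZE];
    int ok = frame_table_load(&t, buf, sizeof buf) == 0
          && frame_table_get(&t, 1, out) == 0 && out[0] == 0xCD
          && frame_table_get(&t, 2, out) == -1;
    frame_table_free(&t);
    return ok;
}

/* Constructed input: a header claiming 0x08000000 frames (the count whose
 * 32-bit byte size wraps to zero) with only four bytes behind it. */
int scenario_overflowing_count(void)
{
    uint8_t buf[8] = { 0x08, 0x00, 0x00, 0x00, 0, 0, 0, 0 };
    struct frame_table t;
    return frame_table_load(&t, buf, sizeof buf) == -1 && t.frames == NULL;
}

int main(void)
{
    printf("naive size for 0x08000000 frames: %u\n", naive_byte_size(0x08000000u));
    printf("valid input ok: %d\n", scenario_valid_input());
    printf("overflowing count rejected: %d\n", scenario_overflowing_count());
    return 0;
}
```

Two details carry the weight: the `count > SIZE_MAX / FRAME_SIZE` test makes the multiplication safe on any pointer width, and the `need > len - 4` test ties the declared length back to the bytes that are actually present, which is the check an out-of-bounds read such as CVE-2022-32912 lacks.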
Mach Kernel Abstractions:
Mach provides a small set of abstractions that have been designed to be both simple and powerful. These are the main kernel abstractions:

  • Tasks. The units of resource ownership; each task consists of a virtual address space, a port right namespace, and one or more threads. (Similar to a process.)
  • Threads. The units of CPU execution within a task.
  • Address space. In conjunction with memory managers, Mach implements the notion of a sparse virtual address space and shared memory.
  • Memory objects. The internal units of memory management. Memory objects include named entries and regions; they are representations of potentially persistent data that may be mapped into address spaces.
  • Ports. Secure, simplex communication channels, accessible only via send and receive capabilities (known as port rights).
  • IPC. Message queues, remote procedure calls, notifications, semaphores, and lock sets.
  • Time. Clocks, timers, and waiting.

Vulnerability details:
CVE-2022-32917 The issue was addressed with improved bounds checks – https://nvd.nist.gov/vuln/detail/CVE-2022-32917
CVE-2022-32912 An out-of-bounds read was addressed with improved bounds checking – https://www.tenable.com/cve/CVE-2022-32912
CVE-2022-32788 A buffer overflow was addressed with improved bounds checking – https://nvd.nist.gov/vuln/detail/CVE-2022-32788

About the September 2022 Trend Micro Critical Security Bulletin (20th Sep 2022)

Quote: A technical discussion on devblogs.microsoft.com – https://devblogs.microsoft.com/oldnewthing/20200113-00/?p=103322
This is not a vulnerability. In Windows, you can put a file in a directory that the user does not have access to, but if the user can produce the name of the file, they can still access it. This works because Windows by default enables “bypass traversal checks”, which means that you can access anything you can name.

Background: Trend Micro Apex One as a Service is a centrally managed anti-malware solution that protects endpoints (servers, desktops, and portable endpoints) from a wide variety of Internet threats.
– CVE-2022-40139: Improper Validation of Rollback Mechanism Components RCE Vulnerability
– CVE-2022-40140: Origin Validation Error Denial-of-Service Vulnerability
– CVE-2022-40141: Information Disclosure Vulnerability
– CVE-2022-40142: Agent Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40143: Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40144: Login Authentication Bypass Vulnerability
In this discussion, I am focusing on CVE-2022-40144. In 2019, a directory traversal vulnerability was discovered in Trend Micro Apex One, OfficeScan and Worry-Free Business Security. The vulnerability details announced by the vendor caught my interest; perhaps there is no official detailed announcement. However, a directory traversal vulnerability might have awakened again in CVE-2022-40144. The design weakness will be in the web console.

Vulnerability details: CVE-2022-40144 – A vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service could allow an attacker to bypass the product’s login authentication by falsifying request parameters on affected installations.

Remark: Trend Micro has released a new Service Pack for Trend Micro Apex One (On Premise) and Critical Patches for Apex One as a Service (SaaS) that resolve multiple vulnerabilities in the product.
Zero-Day-Initiative – CVE-2022-40140, CVE-2022-40142 and CVE-2022-40143

Remedy: To address the multiple vulnerabilities in their product, follow the vendor's recommendations for fixes. For details, please refer to the following link.
https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US