Preface: Perhaps this isn’t the first time this year we’ve heard of Safari and iOS having design flaws. Since both elements are close to each other. It is inevitable that it may have an impact. In addition, Safari includes open source code. So when a design flaw is discovered, sometimes the results look similar. The reason is that it happens in the same component, but that component is composed of other open source software.
In accordance with Apple’s Vulnerability Management Policy. Due to commercial reasons, technical details are not disclosed. But if anyone is interested in what happened. Increases the difficulty of analysis. But no harm. Bold assumptions and careful verification are the definition of science.
Background: On iOS and related software operating system products (macOS and iPadOS), Safari is built into the operating system (OS). Furthermore, it uses Apple’s open source browser engine WebKit, which is derived from KHTML. WebKit is a browser engine developed by Apple and primarily used in its Safari web browser, as well as all web browsers on iOS and iPadOS. Removing Safari is not recommended as it may damage the operating system and cause your Apple device to malfunction. Technically, If you don’t use Safari, it doesn’t accumulate caches or other service files.
Vulnerability details: The issue was addressed with improved checks. This issue is fixed in Safari 16.6.1, macOS Ventura 13.6, OS 17.0.1 and iPadOS 17.0.1, iOS 16.7 and iPadOS 16.7. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
My observation: Vendor not disclose the details, do you think point b will be trigger similar design weakness (processing web content may lead to arbitrary code execution)!
Universal links let users open your app when they tap links to your website within WKWebView and UIWebView views and Safari pages. The UIWebView uses UIKit framework while WKWebView uses WebKit. framework. in addition to links that result in a call to openURL:, such as those that occur in Mail, Messages, and other apps.
How to Creating and Uploading the Association File?
a.To create a secure connection between your website and your app, you establish a trust relationship between them. You establish this relationship in two parts:
i.An apple-app-site-association file that you add to your website
ii.A com.apple.developer.associated-domains entitlement that you add to your app
b.If your app runs in iOS 9 or later and you use HTTPS to serve the apple-app-site-association file, you can create a plain text file that uses the application/json MIME type and you don’t need to sign it.
Official announcement: Please refer to the following link for details –
Preface: The Unbreakable Enterprise Kernel (UEK) is a Linux kernel built by Oracle and supported through Oracle Linux support. Reliable Datagram Sockets (RDS) is a high-performance, low-latency, reliable, connectionless protocol for delivering datagrams. It is developed by Oracle Corporation. It was included in the Linux kernel 2.6.30 which was released on 9th of June, 2009.
Background: Based on TCP handshake definition: SYN > SYN/ACK > ACK: When the SYN is sent, the remote peer sends back a SYN/ACK. In traditional RDS module, syn-ack at this point would end up marking the conn as RDS_CONN_UP, and would again permit rds_send_xmi() threads through, so ideally we would synchronize on RDS_CONN_UP after lock_sock(), but cannot do that.
Because waiting on !RDS_IN_XMIT after lock_sock() may end up deadlocking with tcp_sendmsg(), and the RDS_IN_XMIT would not get set.
As a result, we set c_state to RDS_CONN_RESETTTING, to ensure that rds_tcp_state_change cannot mark rds_conn_path_up() in the window before lock_sock().
Vulnerability details: In the Unbreakable Enterprise Kernel (UEK), the RDS module in UEK has two setsockopt(2) options, RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. A malicious local user with CAP_NET_ADMIN can use this to crash the kernel.
Preface: A Subject Alternate Name (or SAN) certificate is a digital security certificate which allows multiple hostnames to be protected by a single certificate. A SAN certificate may also be called a Unified Communication Certificate (or UCC), a multi-domain certificate, or an Exchange certificate.
A Subject Alternative Name (SAN) certificate is capable of supporting multiple domains and multiple host names with domains. SANS certificates are more flexible than Wildcard certificates since they are not limited to a single domain.
Vulnerability Description: An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers’ apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.
Ref: An issue was found in K3s where an attacker with network access to K3s servers’ apiserver/supervisor port (TCP 6443) can force the TLS server to add entries to the certificate’s Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an excessive message size error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the apiserver/supervisor port (TCP 6443).
Preface: This vulnerability published on September 12, 2023. It had CVSS V3 base score 5.3. But based on the vulnerability details described, it seems it is unknown causes. But why does it happen?
Background: The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.
The Name Service Switch (NSS) configuration file, /etc/nsswitch[.]conf, is used by the GNU C Library to determine the sources from which to obtain name-service information in a range of categories, and in what order.
Vulnerability details: A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash.
This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook.
The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
Therefore, it triggers a use-after-free vulnerability.
What I added during my observation: When malloc hooks is enabled, then the hook pointers are set to the current default allocation functions. It is expected that if an app does intercept the allocation/free calls, it will eventually call the original hook function to do allocations.
Software developers have figured out why: For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free.
Preface: What is the difference between WebP and JPEG files? Both file types compress the image, making it easier to share and store. However, WebP files are typically much smaller than traditional JPEGs.
Background: Microsoft Edge (Chromium), it was first released in 2015 as the successor to Internet Explorer and is based on Google’s Chromium. If the Chromium version of Edge isn’t available through Windows Update, you can install it manually using these steps: 1. Open Microsoft Edge download website. 2. Click the Download button. 3. Double-click the file to launch the wizard and install Microsoft Edge Chromium.
The following two components have a functional relationship required by Microsoft Edge.
WebP codec is a library to encode and decode images in WebP format. This package contains the library that can be used in other programs to add WebP support, as well as the command line tools ‘cwebp’ and ‘dwebp’ to compress and decompress images respectively.
What is WebView Windows 11? A web view control embeds a view into your app that renders web content using the Microsoft Edge Legacy rendering engine. Hyperlinks can also appear and function in a web view control. The WebView2 control is available as part of the Windows UI Library 3 (WinUI3).
Vulnerability details: Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Such design weakness was caused by a WebP code library (libwebp) heap buffer overflow weakness whose impact ranges from crashes to arbitrary code execution.
Remedy: The Stable and Extended stable channels has been updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows
Official announcement: Please refer to the link for details of Microsoft announcement –
Preface: Any matters would have two different angle (positive and negative). If you stand on negative side, even facts in front of you. Perhaps you still questioning. On Sep 2023, there is other new round of aliens corpses discover news. But this time look special, it goes during Mexico’s congress meeting, politicians held their first ever hearing on UFOs.
Ref: The two remains were discovered by workers at a diatom mine in Cusco, Peru.
What if this Alien corpses is not a counterfeit. However, how do we know what they are? And where they belong. The truth is we have no information traceability. Perhaps we only relies so called myth or oral information passed down through the ages.
Background: Juan Diez de Betanzos wrote one of the most important sources on the conquest of the Inca civilization, Narrative of the Incas. Mainstream archeologists think this is myth. According to his description, Viracocha rose from Lake Titicaca (sometimes the cave of Paqariq Tampu) to bring light during dark times. He created the sun, moon and stars. He created humans by blowing air into stones, but his first creations were mindless giants, much to his displeasure. Viracocha is the god of Incan. Similarly to Jesus Christ in our modern religious.
Remark: This scenario of this descriptions look similar Bible, ancient myth from China and Babylonian cuneiform tablets.
Is it a god or an advanced civilization?
Ancient civilizations did not have the basic concept of airplanes. When they see something flying in the sky. They will think it is God.
The above argument can be confirmed by previous European newspaper reports.
In 14th April,1561, an unidentified flying objects (UFO) above Nuremberg, Germany. Above diagram shown a broadsheet news article printed in April 1561. Is it a coincidence? A pillar shape unknown flying object shown on the picture. As we know, in 1903 the Wright brothers had invented the first successful airplane. Talking about three hundred and fifty years ago, human being do not have airplane concept. As a result, when they seen similar shape of UFO. Perhaps they will only draw or use the key word pillar for description.
Who taught the Incas to mine gold?
The Incas were an agricultural society. From some perspectives, this is unbelievable! Besides, the water supply and drainage system setup in Machu Picchu is remarkable. Why did the Inca civilization like gold? Did they saw an advanced civilization come to earth do the gold mining on earth?
Quote: Obsessed with a treasure city, conquistador Francisco Pizarro captured the Inca emperor Atahualpa. To spare his life, the emperor offered up the largest cache of gold the Spanish ever acquired in the Americas, National Geographic Magazine said.
The above set of questions will make you think about whether the mainstream historical information written in books may miss some details. But those missing details may not be something people think about yet.
Travel through mysterious ruins in between Peru and Bolivia
A brief introduction to the mysterious ruins
a. Tiwanaku (Gateway of the sun) – Tiwanaku is a Pre-Columbian archaeological site in western Bolivia, near Lake Titicaca, about 70 kilometers from La Paz, and it is one of the largest sites in South America. Viracocha was actually worshiped by the pre-Incas of Peru before being included in the Inca pantheon. In Inca mythology, the god gave the headdress and battle ax to Manco Capac, the first Inca ruler. The god’s name was also taken by the Inca king Viracocha Inca (died 1438 AD), which may also be when the god officially joined the Inca clan.
b. Lake Titicaca – the beginning of the Inca Empire according to the legend, it was in this place where the Andean world began, when the god Viracocha emerged from the lake and created the sun (Inti), the moon (Mama Killa), the stars and the first people. A team of Belgian and Bolivian archaeologists has found more than 2,000 pieces of ceramic, gems and gold objects at an apparent ceremonial site beneath the waters of Lake Titicaca.
c. Six Monoliths of the Sun Temple – The Wall of the Six Monoliths in the Temple of the Sun, which weigh about 50 tons apiece. The monoliths are notable because they didn’t originate from this hill. Archaeologists are unable to explain how the rocks, which weigh about 50 tons each pieces, was transported up the hillside. Besides, the advance and precises stone cutting technology unavailable at that period of time. And rock to rock connected structure also shocked by scientists.
d. Nazca Lines – Nazca Linesextend over an area of nearly 190 square miles (500 square km). Most of the Nazca Lines were constructed more than 2,000 years ago by the people of the Nazca culture (c. 200 bce–600 ce), though some clearly predate the Nazca and are considered to be the work of the earlier Paracas culture. But only from the air can you tell what the painting is. There were no flying tools at that time. So who is the audience?
e. Mexican UAP experts display 2 alien remains at hearing (Sep 2023) – The two remains were discovered by workers in a diatom mine in Cusco, Peru. DNA identification results show that these remains neither belong to humans nor evolved from any known species on earth. Carbon 14 testing confirmed that these remains contain one-third of unknown DNA and are thousands of years old. history. Mawson also showed X-rays of alien corpses at the meeting. One of the corpses contained three egg-like objects, and another contained rare metals.
Summary: From a technical perspective, there is no knowledge base of historical details, race. It’s hard to tell what the alleged alien corpse is. But so far, ancient ruins belonging to Peru and Bolivia are popular places for people to explore advance civilization mysteries. Perhaps this time, we provide hints and empower Artificial Intelligence to find out the final answer. I am looking forward to hearing from you soon.
Preface: On 13th Sep 2023, There is another new development in the cyberport hacker incident, said wepro180[.]com. The 400GB of stolen data was disclosed on the dark web on Tuesday (12/9), including employee salaries, applicant resumes, credit card information and other sensitive documents. Cyberport said it has directly contacted those who may be affected.
Think about it after you know it
About the Computer Functional Footprint – Business users are storing some data in SharePoint lists. Perhaps enterprise firm operation management need to do report and analytic. So, it is common to select popular solution. ETL processes extract data from different sources, transforms it, and loads it into data warehouse (MSSQL).
By default the CLR is not enabled in SQL Server. When you use SQL server CLR function, you can code stored procedures, triggers, user-defined functions, user-defined aggregates, and user-defined types using Microsoft .NET code; e.g. Visual Basic .NET or C#.
For example: table-value function (TVF) written using the CLR function.
The rise of the ransomware power
In April 2023, Trigona began targeting compromised MSSQL servers by stealing credentials through brute-force methods, according to observations by cybersecurity experts. But the group began operating actively on the Internet around late October 2022.
Trigona’s operators use CLR shell on attacks launched against MS-SQL servers. Perhaps their aim of targeting SQL servers which contains design weakness. All versions of Trigona employ TDCP_rijndael (AES) to encrypt the target files currently.
My comment: Any software and hardware design is to help people improve operating efficiency. In theory we all know about protection, defense and mitigation. However, when dealing with today’s demanding business world and multi-solution environments. Talk about cybersecurity should be accompanied by practical support. However, the market is highly competitive and the establishment of any new project will bring the burden of network security. Sometimes it’s a trade-off on the part of the business owner or management team.
Preface: Ubuntu Server 22.04 ships with NVIDIA BlueField DPUs as commercial-grade Linux distribution with continuous OS and security updates. DOCA software is available on every leading operating system as a standalone package without a bundled OS for Arm® and x86 architectures.
Background: The NVIDIA cloud-native supercomputing platform leverages the NVIDIA BlueField DPU architecture with high-speed, low-latency. The DPU enables native cloud services that let multiple users securely share resources without loss in application performance. HPC and AI communication frameworks and libraries play a critical role in determining application performance. Due to their latency and bandwidth-sensitive nature, offloading the libraries from the host CPU or GPU to the BlueField DPU creates the highest degree of overlap for parallel progression of communication and computation.
Vulnerability details: NVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit contains a vulnerability where a restricted host may cause an incorrect user management error. A successful exploit of this vulnerability may lead to escalation of privileges.
CWE-286 Incorrect User Management
Official announcement: For details, please refer to the link –
Preface: Technicians tend to focus on zero-day vulnerability status. Makes sense. However, the computer world expands from workstations and intranets into the IoT world. The Internet of Things master put the workstation project into the IoT catalog early on. At the same time, software includes operating system platform and programming language design, and is not limited to Microsoft software product platforms. Therefore, any alleged vulnerability will be exploited by cybercriminals against real situations. Today, my focus in this brief topic is not on the severity of design flaws. The case was discovered in March last year. But there are still status updates today.
Background: The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.
The /etc/nsswitch[.] conf file is used to configure which services are to be used to determine information such as hostnames, password files, and group files.
The Name Service Switch (NSS) configuration file, /etc/nsswitch[.]conf, is used by the GNU C Library.
Vulnerability details: A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch[.]conf is configured with SUCCESS=continue or SUCCESS=merge.
Preface: Apple releases new iOS 15.7.9 and 16.6.1update for iPhone. iOS 15.7.9 and 16.6.1 like many of its predecessors, is a point upgrade and it patches up a security issue. But it doesn’t provides bug fixes technical details!
Background: The Core Graphics framework is based on the Quartz advanced drawing engine. It provides low-level, lightweight 2D rendering with unmatched output fidelity. You use this framework to handle path-based drawing, transformations, color management, offscreen rendering, patterns, gradients and shadings, image data management, image creation, and image masking, as well as PDF document creation, display, and parsing.
In macOS, Core Graphics also includes services for working with display hardware, low-level user input events, and the windowing system.
Vulnerability details: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.9, macOS Big Sur 11.7.10, macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, iOS 15.7.9 and iPadOS 15.7.9. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
My speculation about this vulnerability: I observe that design weakness might happens when Quartz handle the CGdata. What is Quartz? The Core Graphics framework is based on the Quartz advanced drawing engine. Quartz handle path-based drawing, antialiased rendering, gradients, images, color management, PDF documents, and more.
When the CGDataProvider is finished using the memory buffer, it will call the routine pointer, giving your application the opportunity to release that buffer. In addition to the routine pointer, CGDataProviderCreateWithData accepts a pointer value that the computer will pass to the routine. If your application does not want to use the routine pointer, you can simply pass NULL for both of these parameters.
However, core services itself have the following guideline. after you’re finished with buffers that have have their own memory allocation, it’s important that you free the memory allocated to them:
sourceBuffer[.]free() destinationBuffer[.]free()
So, whether the weakness happen in this function. Refer to point 5 and 6 in attached diagram? Since the core service (point 6) buffer require define syntax to clear up. If not defined, a buffer overflow issue might occur!
Ref: There are a number of services in the operating system that can return CGImages to your application. The most obvious source is Core Graphics, which offers a number of routines for creating CGImages from various data sources. However, in addition to Quartz, you can obtain CGImages from other operating system services. For example, QuickTime provides the routine GraphicsImportCreateCGImage, which can create a CGImage from a QuickTime Graphics importer.
