Preface: The Android Neural Networks API (NNAPI) is an Android C API designed for running computationally intensive operations for machine learning on Android devices. NNAPI is designed to provide a base layer of functionality for higher-level machine learning frameworks, such as TensorFlow Lite and Caffe2, that build and train neural networks. The API is available on all Android devices running Android 8.1 (API level 27) or higher.

Background: The Android and Linux version of the Mali GPUs Device Driver provide low-level access to the Mali GPUs that are part of the Valhall family. What is Mali driver? This driver enables support for Mali Bifrost and Midgard GPUs in Android NNAPI. The files are provided under an MIT software license.
The Android Neural Networks API (NNAPI) is an Android C API designed for performing computationally intensive tasks on Android devices for machine learning. Pickle is a useful Python tool that allows you to save your ML models, to minimize lengthy re-training and allows you to share, commit, and re-load pre-trained machine learning models.
Furthermore, Midgard architecture Mali GPUs are typically used in a mobile or embedded environment to accelerate 2D graphics, 3D graphics, and computations.

Vulnerability details: CVE-2022-46394 – An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. The vulnerability is identified as CVE-2022-46394 and requires local access to exploit. Please refer to the url for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Observation:A shared pointer makes it almost impossible to track the owner of objects. If this is the way, it give a way for attacker gain access to already freed memory.

Impact:This affects Valhall r39p0 through r41p0 before r42p0, and Avalon r41p0 before r42p0.

Preface: Google Chrome employ a feature, Async DNS. The objective is avoid traditional way using public DNS function. When google (Chrome) running, all the resolving domain name activities will be point to google DNS server.In Security point of view, it is good. At least it reduced unknown trap intend to hunting victim. It benefits to chrome reduce attack by threata actors detect the vulnerabilities. This is true, statistic shown that cyber attack require compromised or black list domain server.
It can be enabled or disabled (see below):
Open “chrome://flags/#enable-async-dns” Change option to “Disabled” Click “Relaunch Now” at the bottom of the page. After relaunch open “chrome://net-internals/#dns”

Background:For some asynchronous DNS requests, Node.js uses a C library called c-ares. It is exposed through the DNS module in JavaScript as the resolve() family of functions. The lookup() function, which is what the rest of core uses, makes use of threaded getaddrinfo(3) calls in libuv.
c-ares is a C library for asynchronous DNS requests (including name resolves)

Vulnerability details: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Official details: Please refer to the url for details – https://www.tenable.com/cve/CVE-2022-4904

Additional: It is a stack overflow, however the risk level (whether it is severity), it depends on the design structure of product when it use. Therefore it is better to follow the recommendation by the product which involves this vulnerability.

Preface:
HTTP/1.1 – The current resource must finish downloading before making another request; each has a delay of one round-trip-time (RTT).
HTTP/2 solves the HOL Blocking problem with multiplexing that uses streams which can be prioritized.

Background: Curl attempts to provide a unified model through which applications belonging to different platforms and languages can communicate. The simple content layout uses HTML tags, the scripting features of JavaScript and the object oriented features of C, C++ and Java, which are merged in a common framework defined by Curl.
Case Study: Assumptions
Whether your programming development will involve curl.
One situation occurs when an application server communicates with other peers. Adjacent peer web servers are vulnerable to CSRF. An attacker impersonates a malicious site to exploit the curl vulnerability. Exploit the CSRF weakness on adjacent web server and then redirects the connection to the malicious site. Finally, it causes a denial of service on web servers where curl is installed. Just like the vulnerability description, similar to malloc bombs.

Vulnerability details: An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the “chained” HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable “links” in this “decompression chain” was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a “malloc bomb”, making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Official announcement: Please refer to the url for details – https://nvd.nist.gov/vuln/detail/CVE-2023-23916

Preface: In Android 11, its automatically resetting permissions for apps you haven’t used for an extended period of time.
In Android 13, app makers can go above and beyond in removing permissions even more proactively on behalf of their users.
How do I stop Android from removing app permissions? Go into your system settings, go to app settings, find the app, go to permissions. There should be a toggle option named “Remove permissions if app isn’t used”. Turn that option off.
The above function is one of the preventive controls in Android. Vulnerabilities occur because outdated applications may have design flaws.

Background: Which component of an Android application allows users to interact with the app?
Broadcast Receivers – They handle communication between Android OS and applications.
A broadcast receiver is typically only a gateway to other components that perform minimal work.
public abstract class BroadcastReceiver
extends Object
java.lang.Object
↳ android.content.BroadcastReceiver
Apart from system-generated events, an application can also generate custom broadcast intents for which a receiver can be registered. If the developer does not enforce restrictions . For example, if the receiver receives broadcasts from untrustworthy sources, the system may be at risk.

Vulnerability details: The most severe of the CVE-2023-20951 and CVE-2023-20954 issues is a critical vulnerability in a system component that could lead to remote code execution without additional execution privileges. Development requires no user interaction. As the supplier does not provide details! Therefore, it should be patched according to the vendor instructions.

Official details: For more information on this topic, see url – https://source.android.com/docs/security/bulletin/2023-03-01

Preface: Windows 10’s market share jumped from 68.86% in January 2023 to 73.31% in February 2023. Windows 11’s market share increased as well, but only by 1.01% to 19.13% in February 2023, said ghacks[.]net.
Remark: Windows 10 continues to be supported by Microsoft until October 2025.

Background: Some said, Intel microprocessors use direct I/O. Yes, Direct IO is talking about Data Direct I/O Technology. With Intel DDIO, Intel Ethernet Server Adapters and controllers talk directly to the processor cache without a detour via system memory. Intel DDIO makes the processor cache the primary destination and source of I/O data rather than the main memory. Traditionally, inbound PCIe transactions target the main memory, and data movement from the I/O device to the consuming core requires multiple DRAM accesses. For I/O-intensive use cases, such as software data planes, this scheme becomes inapplicable. But the design weakness is not another matter than above.
Below vulnerability is focusing to the following concept. The default thing is to have a device driver in the OS that does the actual I/O reads and writes while running with kernel privileges. User programs ask for I/O by doing system calls. The driver is trusted to check the calls for validity.
The Memory Mapped design objective. It stores program instructions and data that are used repeatedly in the operation of programs or information that the CPU is likely to need next. The computer processor can access this information more quickly from the cache than from the main memory.

Vulnerability details: Processor MMIO Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities that can expose data. When a processor core reads or writes MMIO, the transaction is normally done with uncacheable or write-combining memory types and is routed through the uncore, which is a section of logic in the CPU that is shared by physical processor cores and provides several common services. Malicious actors may use uncore buffers and mapped registers to leak information from different hardware threads within the same physical core or across cores.

Related vulnerabilities: CVE-2022-21166, CVE-2022-21127), CVE-2022-21123 & CVE-2022-21125

Official announcement: KB5019180: Security vulnerabilities exist in Memory Mapped I/O for some Intel processors for Windows 10. The related official article and advisory can be found in follow link – https://support.microsoft.com/en-us/topic/kb5019180-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-10-version-20h2-21h2-and-22h2-march-2-2023-f8c174f1-ce5c-469f-9eac-21f8af66b8ea

Preface: It’s always easy to forget things. Forget even your girlfriend’s birthday. So, whatever security alerts, after more than a year, become worthless. It seems nothing. Maybe not for you. But I totally agree.

Background: If Android phone OS taken unofficial modified (ROOTED) . Users can install and run applications that can only be done with special permissions. Perhaps you will say, if such procedure taken. It is hard to garantee is there any malware implanted. So, run any mobile apps on top will be in risk. As a result. What is the actual meanings wriiten by VMware described in their security advisory?
Do you remember the following news?
The four security vulnerabilities discovered by Microsoft in 2021 affect programs developed by telecommunications companies such as AT&T using the mce Systems framework, as well as other Android and iOS programs that use the mce Systems framework, and affect many Android programs. mce Systems and telecommunications companies have completed patching.

Vulnerability details: A malicious actor, with access to a users rooted device, may be able to bypass the VMware Workspace ONE Content passcode.
For official information, see url – https://www.vmware.com/security/advisories/VMSA-2023-0006.html

Preface: A NUMA system is a computer platform that comprises multiple components or assemblies each of which may contain 0 or more CPUs, local memory, and/or IO buses.

Background: On new design Systems servers running Linux, a set of the PCIe slots support a unique feature called 64-bit direct memory access (DMA). DMA improves I/O operations, and, therefore, system performance.
The DMA engine is a generic kernel framework for developing a DMA controller driver. The main goal of DMA is offloading the CPU when it comes to copy memory. A pointer variable whose value is under kernel control and guaranteed by the kernel to always point into the kernel’s memory space, and hence is trustworthy. User pointers should always be verified to refer to user-level memory before being dereferenced.

Vulnerability details: In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
alloc_memory_type() returns error pointers on error instead of NULL. Use IS_ERR() to check the return value to fix this.

Official details: For details, see the link for reference – https://nvd.nist.gov/vuln/detail/CVE-2023-23005

Preface: Top Programming Languages for Android App Development in 2023 · Most Popular Programming Languages for Android · Kotlin · Java · C# · C++/C · Python. What is C language use-after-free. Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Background: The Trusty OS runs on the same processor as the Android OS, but Trusty is isolated from the rest of the system by both hardware and software.Trusty provides APIs for developing two classes of applications/services: Trusted applications or services that run on the TEE processor.
Android uses the concept of user-authentication-gated cryptographic keys that requires cryptographic key storage and service provider and user authenticators. Android 9 and higher includes Protected Confirmation, which gives users a way to formally confirm critical transactions, such as payments.

Vulnerability details: In several functions of the Android Linux kernel, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Observation: A pointer in C is a variable that points to a memory location that stores a value as opposed to a variable that stores a value in memory. This distinction is important in C programming as developers can change a value in memory for a specific variable even if that variable is out of scope.
I predicted above matter caused the problem happen in shared memory environment.

Official details: See url links for details – https://nvd.nist.gov/vuln/detail/CVE-2023-20937

Preface: Sandbox evasion techniques. Common evasion techniques include the use of specific assembly instructions, and looking for specific registry keys or file names.

Background: iOS and iPadOS help ensure runtime security by using a “sandbox,” declared entitlements, and Address Space Layout Randomization (ASLR).
All third-party apps are “sandboxed,” so they are restricted from accessing files stored by other apps or from making changes to the device. Sandboxing is designed to prevent apps from gathering or modifying information stored by other apps. Each app has a unique home directory for its files, which is randomly assigned when the app is installed. If a third-party app needs to access information other than its own, it does so only by using services explicitly provided by iOS and iPadOS.
System files and resources are also shielded from the users’ apps. Most iOS and iPadOS system files and resources run as the nonprivileged user “mobile,” as do all third-party apps. The entire operating system partition is mounted as read-only. Unnecessary tools, such as remote login services, aren’t included in the system software, and APIs don’t allow apps to escalate their own privileges to modify other apps or iOS and iPadOS.

Vulnerability details: The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Official announcement: For details, please refer to the url for reference – https://support.apple.com/en-us/HT213605