So last night my daughter texted me, Hey, Dad, can you call me a taxi at seven am?

And I said sure.

So this morning at seven am, a texted, or you're a taxi?

Ah?

The dead jokes keeper.

Up.

All right, Well, welcome back to Security this week.

I'm Carl Franklin.

That's Dwayne Laflotte and Patrick Hines.

Hey guys, Yey, how you doing?

Not bad considering all the bad news that we're about to smack down here.

That's not all bad news.

I know, this is all great.

Yeah, it's awesome, right, yeah, this one actually is awesome.

Microsoft patches fifty seven vulnerabilities, including three zero days.

I like that.

I mean that's just a Tuesday Yeah, right now, it is just a Tuesday rank.

Last week we had talked about Google patching one hundred and seven and Android or something like that.

So it's yeah, it's just just normal now at this point.

Yeah.

So we do have a story later on that's going to show that this is important and life is changing a little bit.

I mean, all things are important.

So it's yeah.

So it says three of the bugs are zero days, but only one is under active exploitation, and that is cve to twenty five.

Here's what I would like to say, though.

Six two two two one score of seven point eight is described as a use after free issue in the Windows Cloud Files mini filter driver.

Here's what I would like to say.

Okay, you know when they say only one is actively being exploited, that means that means they only know that that one.

They only know.

We've only caught that has been actively exploded.

It's the ones that they don't know about, Yeah, that I would worry about.

Yeah.

Absolutely.

If the attackers are good at their job, they're not showing up on the known vulnerability list, And.

How can they be zero days?

Right?

Well, I guess they can be zero days?

But they were Yeah, they were unpatched, I mean undiscovered, unpatched, unknown in the world.

Yep.

Yeah, And then the vendor got notified and they fixed them, and so there's still a zero day until they patch them.

Yea.

And then microsoftle patch them and the attackers will read the patch and create a new exploit and that's called the one day.

Yeah.

Things you learned by listening to security this week?

All right?

So apatche teak of vulnerability.

Critical vulnerability leads to XXe injection.

What the heck is that.

XXC is actually really kind of cool.

And we've used this to attack sites in many different ways that you might not think about.

And xx is an external entity, so it's exploiting XML.

So XML, all right, let's go back to what is XML?

Car, Yeah, okay, what is xml'?

It's sort of a text description of hierarchical data, complete with schemas and links in all all of that stuff.

And yeah, we used to use that too, oh I don't know, send messages through firewalls and get data back.

And until Doug Crockford discovered Jason, that's what everybody used.

And we still use it for configuration.

Yeah, and it allows the data to carry its formatting with it, just like HTML.

Let's data data or or interface carry its formatting with it.

So what's really neat about XML though, is there's it's very convenient.

There's tons of attributes, right, there's tons of things you can do.

It's not just right, so it's not just like text in a notepad whatever.

It doesn't do anything.

Like Carl had said, there's a hierarchy to it.

And in that.

Hierarchy, each of the tags has the ability to have attribute right and those attributes can be local information.

Hey, this should be considered this type of class, or it can be I need you to go do something right like I need you to go out to the file system and grab this file for me and put whatever's that file in between these tags, right, and you go okay, cool.

I mean that's dangerous in and of itself if you can manipulate the XML.

So a lot of times people will put the XML response to a server in JavaScript, and when you click submit to server or change my preferences, whatever, if you catch that request, you'll see the XML, the raw XML going to the back end server.

And in this particular case, you can go, okay, well, I see this raw XML.

What if instead of you know, this particular attribute, I add an entity which is loading a file off the filesystem.

And in this particular case you can you can just hey, I'm going I'm gonna load of you know, file off the filesystem, which might be sensitive information, environment information, keys, it could be passwords, that sort of stuff.

But the other thing that's that you can do typically is you also have the ability to do what's called an SSRF attack, and a server side request forging attack is an attack where I am going to reach back to the web server, right, So we hit web server A from the outside from the Internet.

But webserver A may have multiple sites on it.

It may have an administrative site that's only accessible locally, like the administrator logs in remote desktop to the web server and opens up this website and it's only accessible locally.

You can't get access to it any other way.

Or there might be an API site on there that adds users and removes users and it's only accessible locally.

So when you go to the website and you do something, it makes a call to itself to another web interface that's only accessible locally.

Well, with an SSRF, I can tell that XML document, Hey, mister web server, can you reach back to yourself and do something for me like add a new user or do whatever.

So they can turn into some pretty powerful attacks that most people don't think about.

So in this case, you go f yourself.

Yeah right, pretty much.

Yeah, I mean the web server thinks that all of this is legit traffic.

I hadn't heard of apatche tika before, and apparently kind of sounds like a little biztalky thing like it's a content detection and analysis framework written in Java and detects and extracts metadata and texts from over a thousand different file types and as well providing a Java library has server and command line editions.

So yeah, it sounds like one of those central or you know, mid level business tools.

Oh, I'm going to ask, is BizTalk still a thing like all of us used to actually implement and teach BizTalk?

Is bistalk still a thing?

Is it?

Yeah?

It is.

Bistok is still a thing.

Wow, damn, that's kind of cool.

But yeah, you're absolutely right, Carl.

I mean, and there's a lot of power in there, right, there's ocr where it can take PDFs and turn them into text.

I mean, there's all sorts of really neat things that it can do.

But what it also can do apparently is give attackers access to your webserver.

So that's nice too, nice.

Yeah, that's nice.

Okay, it's a nice handy feature.

Forew, it's good.

It's a remote control for your web server.

If you lose access, they.

Are just announcing upgrade called massala.

Okay, note of that.

Fava beans, fava beans.

Yeah, all right.

So in the Hacker News Chrome targeted by Active in the wild exploit tied to undisclosed high severity flaw.

Yikes.

Yeah, Google is aware that an exploit for four six six four to four exists in the wild.

Okay, that doesn't really mean anything, but that's actually the issue ID of the chromium issue.

If you were tracking this by issue ID, which only Google is.

Ye, I don't know.

You don't even know why they listened in the article, but it's interesting.

But if we break it down, there are actually two CVEs associated with this.

One is a US after free in the password manager, which is horrifying.

Yeah.

Yeah, and one is an inappropriate implementation in the toolbar.

So the use after free I think we we've talked about this on the show, right use actually support, I'm pretty sure.

It's where you allocate memory and then the program believes that it has deleted that memory, but there's a dangling pointer to it, and I can actually access that pointer and reference the memory even though the application thinks that the memory is gone.

Why does that matter?

Because then I can actually populate that memory space with with attack code, and when I call that dangling pointer, it's going to run that attack code.

And it's just poor memory management, is what it is.

If you can use after free.

So that's that's what they discover.

But the problem that I see is it's in the password manager.

That's probably one of the only places you don't want to have an exploit of some sort.

I mean, let's let's talk about this for a second.

You really, we've the world has moved on.

You know, first we had passwords.

You have to have passwords.

Then we had to have better passwords.

Then we had to have more you know, diverse passwords, and then we got to two factor authentication, and then we got to password management to prevent multi use of passwords or your use of passwords.

Well, now we're in that stage of you need a good password manager, and the browser is a convenient password manager.

Yeah, but it's convenient for you, but it's also convenient for the hackers because if they get you to click on the wrong thing, they own it because all it takes is like you to click on the wrong thing to give them permission, and they have access all the passwords.

So I think this is it's time we finally, you know, start telling people that password management in the browser is flawed, fundamentally flawed in this case, and really isn't the way forward.

You have to have a real password manager.

Yeah.

And one of the things I will tell you though is although this says this is a use after free and the password manager, if you dig through the issue associated that Google has associated here and look through all all of what they're talking about, attackers did not have access to your passwords.

They didn't have access to the encrypted password list that the browser keeps.

They just exploited the manager itself so that they could run code.

So that's why they said, like you may see, oh my god, it's password manager thing, and that's important, right.

A little bit more playing around, maybe they get access to things they shouldn't, but there's there's no evidence that.

I have an idea to make this a little more secure, and that is to use OCR in a Windows app.

So if you have a Windows app sidecar sitting along your browser, right, he knows what page you're on, and it can look at the URL and the bar and then look up and be your password manager.

And it could then look it up and just have a copy button copy the password into the clipboard, and then you completely circumvent all of the browser stuff, you know, for your password manager.

I can think of a couple of ways that we might exploit that.

So it is an arms race.

We are, We're definitely an arms race.

But what I think we really need is like a free password manager that is fully featured.

I think Bitwarden comes the closest is does does one password have a free version?

Oh?

No, one password does not.

They have a free trial.

But that's bitwarden is a dot net based, open source Yeah, password manager.

Didn't Microsoft recall Carl Train do that where they took pictures of your screen?

That's so, Yeah, there's a feature RCRD things.

I'm pretty sure.

If you have a co pilot plus PC I think that's what they call them.

Yeah.

Yeah, with Windows eleven.

We can say, hey, have I ever searched for.

Yeah, but I don't think it's on by default.

I think we.

Should code name that NSA exactly right, that's the NSA feature.

I like that, right, No security anymore?

Yep, that's what it stands for.

That was Christian Weier.

Yes, after the NSA started snooping people's and demanding people's phone numbers and stuff after nine to eleven.

So this one came across my desk and this, well, I'll just read that.

I'll just read it.

UK MP's face rise in phishing attacks on messaging apps.

So it's not just us over here in the United States.

The UK is getting you know, the MPs, the members of Parliament, our Congress and senators basically that they're equivalent, are getting phished and it's working.

And these are state actors right Russia, base actors targeting What's app and Signal accounts, so they're all on these.

Now this is a phish so they're not exploiting code in either of those platforms.

They're exploring the people exactly.

It's a pure social engineering thing.

Yeah.

Now, we just recently created a group in Signal and you had to accept membership to that group.

When you looked at that, did it give you enough information to make a wise choice that we were trustworthy even though we're not.

Well, yeah, it says it was from you and STW Crew is the name of it.

And you told me here in just before starting that you had created this.

So that's why I felt.

Out of Banded communications is the key, it's the ultimate security.

Yes, so sorry, UK MPs, just be careful, don't click on stuff.

What else can I tell you?

Well, Members of legislatures are are known worldwide for their intelligence and their savviness.

Okay, good believe it doesn't take that.

You're not going to let take your.

Tongue out of your cheek right now?

Okay, you man, Holy moly, cease fire.

On that happy note.

Let's take a break and we'll be right back after these very important messages, and we're back at security this week.

I'm Karl, that's Patrick and Dwayne, and uh, this is an interesting one that I'm going to make fun of.

Adobe Acrobat Reader flaws allow code execution, critical updates, urge.

I got an update for you.

Don't use Adobe Acrobat Reader.

Why are you using that?

The browsers show pdf files?

Is there anything that this is going to do that the browser doesn't already do?

Ah, except not that I need.

Yeah, And from what I remember, an Acrobat Reader always tried to install other things that I didn't like.

And you know, things in my and whatever you call that the console control panel, not the what do you call the thing at the toolbar?

Stuff in the toolbar, right, yeah, this stuff in the toolbar, quick control pan.

Well, the quick links Act reader.

Has always been known to be a really trustworthy Oh wait, I'm on the other side.

No, Acrobat.

Since its inception, Acrobat Reader has had one one, seven hundred and seventy two cvees attached to it.

Wow, not security vulnerabilities, actual cvees associated with Acrobat readers.

So yeah, from my side, it's great.

It's like it's like the universal backdoor exactly is a reader, which is nice.

No, I don't use it nice because you know, ever since the browsers started showing PDFs, there's just no need.

I mean, I don't use it either.

I'm sure there's features in there that somebody uses.

I'd love to see it.

If you're on the discord and use Acrobat Reader, by all means, let me know the features that you use that are vital that you can't do in a brown.

And is it worth the risks.

So one of the things that I think is needed is a PDF browser that can be that has Digital Rights Management DRM in it so that I can share like a term sheet.

Let's say I was going to sell a company to Carl and I didn't really want him sharing that further.

If I could put DRM on that document so he can't share it further, that would be handy or you know, and no own good trusted browser so that like if I have if I had a way to read PDFs that I knew was absolutely secure because it was just a reader and it didn't have any active content capabilities, that would be valuable as well, because I get PDFs all the time and I won't open them.

I'm not going to open them unless I have a conversation with the person who sent them.

Right, I know what it is.

So you send me an email that says, hey, check this out.

I don't care if it's Dwayne, Carl, my mother, it doesn't matter.

I'm calling them up and saying, what is this?

Yeah, do you send me this?

Why didn't you explain it to me?

Yeah?

Or I'll hit them up in signal.

But it's always a second channel.

The second channel is the is the key to not getting owned.

Great.

So there are some drms out there for pdf Specifically, you can use Adobe's document Cloud, although that costs money.

Typically, Microsoft Purview is another one, and then there's a couple other smaller ones out there.

But I agree like just just sending these things out willy nilly.

We had it all the time.

Although I will tell you sometimes it's easier to identify if it's an exploit because they might not send it in a PDF.

They might send it as like an archive format like a ZIP or a RAR or an ISO or something along those lines.

Yeah.

True, so our advice don't use.

It, but still risky.

There is one other thing I want to talk about with this story, which is I think that that the AI is starting to bite as far as expanding how many exploits are going after people.

I had a day.

A day earlier this week where they like thirty emails in the same minute.

Many of them proposed to be from discord, you know, with a with a code for me to log in.

They were all the same code.

There's no way that's going to happen.

Yeah, they were word tune dot com logins.

I don't use that.

I don't know what it is.

So I got a ton of messages all in the same minute.

And what I think happened is it might have found an old password and tried to figure out like what kind of sites I might be using, what kind of things I might be doing, and it just spammed me.

And the noise of it was enough to trigger even if I wasn't savvy.

The noise of it was enough to trigger if they had sent me one discord note if you know, if I wasn't savvy enough, I might have clicked on it, but they sent me six with the same code.

Wow.

So yeah, that's pretty amateur hour.

So we don't even need to play the music for that.

But I also had a credit card where I got to notice that a email was a phone number was added to the account.

Well, that means they socially engineered the bank.

They didn't social engine to me, and so I instantly went logged and killed that changed the password.

So you have to be aware that people are out to get you.

You have to be aware.

And so while these MPs are a higher value target, it's coming for all of us because the AI is just gonna some kid or guy is gonna just set up an AI that says just go in the dark web, find some sample passwords, and then just go after these people with their against their email.

See what you get.

And if they get point zero zero one percent, they're still going to get tens of thousands of people.

So, speaking of AI, cyber criminals exploit chat, ChiPT and grock platforms to spread mac os a Moss Steeler via AI driven deception tactics.

I wonder if this is what you got, and they.

Might be maybe maybe.

I mean, it's certainly in that class of you know, it wasn't a person who did this, It was an automated.

System that did this.

Yeah, and then we're going to see a lot more of this.

So what happened here in this story, On.

This next story, this cyber criminals to exploited chat, GPT, and GROCK platforms to spread mac os amos stealer.

This one's actually neat this This is it feels very click fixing, right, And we've talked about clickfix in the past, where it's like, oh, you have a problem, you search for the solution and you get some sort of result.

It looks like it's on stack overfloor, something along those lines, and they say, oh, I know what the problem is.

You need to fix this.

You hit windows are and paste this command in, or sometimes it's you know, hey, verify that you're a human.

Here's a command.

Hit Windows are and paste this command in, and you're downloading the virus for the for the for the hackers.

That's click fix.

This is very similar.

What people are doing is they're going into chat, GPT, You're going into grock creating an article on you know things.

In this particular example, it says like how to clear system data on an iMac, And obviously there's gonna be commands running in there, right, You're gonna be like somebody's gonna say, oh, this is how you clear the memory.

You have to drop to a terminal, you need to run this command, you need this thing and whatever, and you're good to go, right.

So it's it'd be like me going into my chat GPT telling jat chat GPT to create an article for me on how to do it, but injecting bad commands that would you know, people would paste in and I would get access to their computer over this credential stealer.

I might still fix their problem maybe, And then I share that chat.

So when I go to share that chat, it gives me a link a URL that I can share to share it to anybody I want.

Right then I go put out Google ads for that link, saying this is for anybody searching for mac os or macOS system clear or whatever.

And when they go search for it, it looks like this is a legitimate site because it is chat gpt dot com, it is grock dot com.

Right, so they go, Okay, I can trust this site.

It's just an answer off that site, right, and then people click on it and then they infect themselves.

Yeah.

So it's like I said, it's very click fixie.

But it's the attackers are now using the reputation of chat, GPT and grock and other sites that you can share chats on, right, and just putting together Google ads.

I think the big winner here is Google because I'm they have to pay for those.

So yeah, Google, I don't know.

Oh yeah, yeah, so interesting attack.

Just be careful if you're searching for something on Google if it looks like it's a chat, GPT or rock site.

If everyone may be.

But the problem is you may be putting commands in your system.

You should not that.

Actually, this brings me back to a very basic blocking and tackling cybersecurity e thing that I tell people all the time, and I've heard Carl talk about it for developers.

I've heard Patrick talk about it for system you know, system troubleshooting and that sort of stuff.

If you see a command on the Internet, whether somebody says it's fixing a line of code or it's going to fix your system, or it's gonna install it the right driver or whatever it is.

If you don't understand it, don't run it.

It harkens back to Patrick's analogy of you can't walk around in New York and find free gum if you don't know where it came from.

You.

If you don't know where it came from and you don't know what it is, don't put it in your mouth.

Ye.

Yeah, same type of thing.

All nice our lead story.

Now who wants it?

This one's actually really serious?

Like yeah to react?

Yeah, So first thing is first, what's funny about this article?

Let's talk about the article for a second before we get into the technical says.

It says a debate over actual exploitation is muddying response efforts.

Multiple researchers say they've observed working proof of concepts, while others a certain evidence is of a taxes lacking the ladder.

Of those they've provided no examples.

Right, I read the article, Maybe I misread it, Maybe I had a stroke in the middle of it.

I don't know what happened.

I didn't see any reference to people who said no, no, this is overblown, and if they did list those people, they would be wrong.

Well, the headline says attacker hit React defect as researchers quibble overproof.

So you got the quibbling overproof, but we didn't have the big picture there.

So the fundamental stories about a React defect.

React is a JavaScript framework that Facebook built and is very popular among developers, and so what is the supposed defect.

So the defect here is in the React server components.

There's a framework like next dot js where attackers can actually send specifically crafted HTTP requests to that server.

And when they do that, so imagine JavaScript, right, javascrip's running on your browser.

Yeah, and your JavaScript is then when you're typing and doing whatever you're doing on the browser, or you're clicking or you're hovering or whatever, right, that React is actually going back to the server and it's communicating over you know, post commands back to the web server.

Right, so you don't have to refresh the page or do anything.

Word like that.

That JavaScript is handy handling the communications.

So in this particular case, attackers actually found a de serialization bug where if they created an object and sent it back to the server, the server would de serialize it.

The server doesn't understand what it is, so it inspects it and says, hey, what type of object are you?

And it's like, oh, I'm a system object and I'm able to run commands.

But is this a published CVE, the published TV the CVE twenty twenty five five five two.

So shouldn't it be easy to prove?

Uh?

Yeah, absolutely, I think it is.

I think so, yeah, it is legitimate, Like there's a patch for this.

Yeah, I don't.

I don't understand why people are like muddying resipt.

My pipe is there is no quibbling.

No, they basically just showed a bunch of really credible like Unit forty two saying this is definitely a thing.

Absolutely.

I think that the quibbling is not that it's an exploit.

The quibbling is how do we fix it properly?

Okay, that makes sense.

Because imagine the back end framework is very flexible, right and react.

There's a lot of different ways to communication in the back and there's a lot of different objects I can send back that sort of stuff.

So how do you fix that communication without hampering functionality?

I think that's the quibbling, right, Although there are patches out there that will fix this, you do need to go update next JS and there's version numbers in this article and that sort of stuff.

The upgrade will will affect the React dash server, dash dom dash Star, So really anything under that library is going to get affected, which is.

Just about everything it sounds like, which is just a dot star exactly, is all of it.

It's all of it.

But this was huge.

This was like we saw probably ten or fifteen articles about it just day one.

And this was December fifth, right after actually sadly right after we had recorded the last podcast that dropped, so it's been out there for almost a week now.

You definitely want to make sure you go go Pash.

Actually usually I hit discord up and let let the Discord people know early if there's something that's really serious.

Yeah, and I think this one I did remember correctly, so.

So another good reason to be on our discord.

Yeah.

Absolutely, we have those late hitting security breaches, like hey, listen, you guys got to fix this podcast isn't coming out for a couple of days, but this is important.

All right, Well, you guys got plans for the holidays.

Just the same thing.

Fifteen people coming over the house, fifteen probably maybe all the Germans.

We had eighteen last time.

You gonna have some spine hawk and some red cabbage.

No, we we do.

We order in for for Christmas, working on Thanksgiving.

No worsts, no no.

The worst of the worst, the worst you love the worst.

I do, I do, I do well.

We have one more show before things start happening holiday wise, so we'll see you next week on Security.

This week, thanks bye, bye bye goys.

O.

T.