Flaw in Atlassian Companion for macOS Let Attacker Execute Remote Code

Flaw in Atlassian Companion for macOS Let Attacker Execute Remote Code

When Atlassian Companion is installed on macOS, a vulnerability has been detected that enables remote code execution on users’ computers when they click the Edit button on a Confluence page.

With the Atlassian Companion app, users can edit Confluence files in their chosen desktop app and have the changes instantly saved back to Confluence.

Read moreBuilding cyber skills and roles from CyBOK foundations

The Atlassian Companion software, which must be installed on each user’s computer, manages the download and re-upload of files.

An attacker can remotely execute malicious code on a computer via remote code execution (RCE) assaults. An RCE vulnerability can result in malware execution or an attacker acquiring complete control of a vulnerable system.

Read moreAccessibility as a cyber security priority

This flaw was discovered by blogger and app security expert WOJCIECH REGUA.

Remote Code Execution On MacOS Machine

The security expert says that documents saved in Confluence may be edited on macOS using the Atlassian Companion App. When the user presses the Edit button, the following happens:

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

The file is downloaded locally on the computer.

The app validates extensions

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

The app opens the downloaded document

When the document is updated, it is posted back to Confluence.

Read moreS3 Ep135: Sysadmin by day, extortionist by night

The issue here is that Atlassian was aware that some of the extensions needed to be disabled. A blocklist may be found in the app’s sources.

Blocklist present in the app’s sources

He mentions that the class extension is only on the windowsDangerous blocklist in this case; therefore, it is an allowed extension on macOS.

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

The researcher created a malicious Hello.java file when the researcher’s Hello.class file gets uploaded to Confluence and then clicks edit, the code is performed, and the Calculator is launched.

Malicious Hello.java file created

Finally, the mentioned. class file extension is now also blocked on macOS. Reports say Atlassian received the issue report in 2021, fixed the flaw in 90 days, and awarded a reward.

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

The post Flaw in Atlassian Companion for macOS Let Attacker Execute Remote Code appeared first on Cyber Security News.

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

   Read More 

Cyber Security News 

Related Posts

GenAI Bots Can Be Tricked by Anyone To Leak Company Secrets

GenAI Bots Can Be Tricked by Anyone To Leak Company Secrets

The introduction and widespread use of generative AI technologies such as ChatGPT has shown a new era for the world but comes with some unexplored cybersecurity risks.

Prompt injection attacks are one form of manipulation that can happen with LLMs, wherein threat actors can manipulate bots into giving away sensitive data, generating offensive content, or generally disrupting computer systems. 

Such threats will rise as more GenAIs are adopted before fully understanding their cyber-security.

If nothing is done about it, widespread exploitation similar to botnets could occur, just as what happened with IoT default password exploitation, leading to new attack types. 

Cybersecurity researchers at Immersive Labs recently discovered that anyone can trick GenAI bots into leaking company secrets.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

GenAI Bots Leak Company Secrets

The research was based on anonymized, aggregated data from an interactive experience where users attempted prompt injection attacks to trick a GenAI bot into disclosing passwords through 10 progressively difficult levels. 

This challenge tested the ability to outwit the AI system by exploiting vulnerabilities through carefully crafted prompts.

Levels (Source – Immersive Labs)

The interactive prompt injection challenge, which lasted from June to September 2023, saw a total of 316,637 submissions by 34,555 participants.  

Researchers used descriptive statistics on prompt counts and duration, sentiment analysis across difficulty levels, manual content analysis coding on 10% for technique identification, and vector embeddings with KNN on the full dataset using ChatGPT4 to analyze prompting techniques comprehensively. 

Shockingly, as many as 88% manipulated the GenAI bot to expose at least one level of sensitive information, implying how manipulative the system is in various skills among the generations.

Level 1 had no restrictions. Level 2 saw 88% bypass the simple “not reveal password” instruction. 

Level 3 added system commands denying password knowledge, but 83% still tricked the bot. After introducing Data Loss Prevention (DLP) checks in Level 4, 71% could bypass. 

Levels 5-10 showed linear performance drops as difficulty increased with multiple DLP checks – 51% succeeded at Level 5, reducing to 17% by the most difficult Level 10.

Commonly Used Prompt Techniques

Here below, we have mentioned all the commonly used prompt techniques:-

Ask for a hint

Use emojis

Ask for the password directly

Query or request to change GenAI instructions

Ask the bot to write the password backwards

Encourage the bot to use the password as part of a sentence, story, or poem

Query details about the password itself

Ask about the password context

Encode the password

Leverage role play

Prompt the bot to add or replace characters

Obfuscate with linguistics

Users try to be creative in making the GenAI bots do things differently by persistently changing tactics through questioning, storytelling, and obfuscation.

Again, there are still signs of “Theory of mind” as users comprehend AI’s capabilities and manipulate responses strategically to convey specific information. 

Even though people can psychologically manipulate bots, the worrying concern is whether they will eventually learn to manipulate humans.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

The post GenAI Bots Can Be Tricked by Anyone To Leak Company Secrets appeared first on Cyber Security News.

 Read More 

 

Google Chrome Patches Six High-Severity Vulnerabilities

Google Chrome Patches Six High-Severity Vulnerabilities

Google has released a critical security update for its Chrome browser, addressing six high-severity vulnerabilities that could potentially lead to browser crashes and other serious security issues.

The update, version 126.0.6478.114/115 for Windows and Mac and 126.0.6478.114 for Linux is part of Google’s ongoing efforts to enhance the security of its widely-used web browser.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Details of the Vulnerabilities

The six vulnerabilities patched in this update include:

CVE-2024-6100: Type Confusion in V8

Severity: High

Reported by: Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure’s TyphoonPWN 2024 on June 4, 2024

Reward: $20,000

Description: This vulnerability involves type confusion in the V8 JavaScript engine, which could allow attackers to execute arbitrary code within the browser’s sandbox.

CVE-2024-6101: Inappropriate Implementation in WebAssembly

Severity: High

Reported by: @ginggilBesel on May 31, 2024

Reward: $7,000

Description: This flaw is due to inappropriate implementation in WebAssembly, potentially leading to unexpected behavior or crashes.

CVE-2024-6102: Out of Bounds Memory Access in Dawn

Severity: High

Reported by: wgslfuzz on May 7, 2024

Reward: TBD

Description: This vulnerability involves out-of-bounds memory access in Dawn, a web graphics library, which could be exploited to cause crashes or execute arbitrary code.

CVE-2024-6103: Use After Free in Dawn

Severity: High

Reported by: wgslfuzz on June 4, 2024

Reward: TBD

Description: This issue is a use-after-free vulnerability in Dawn, which could allow attackers to execute arbitrary code or cause the browser to crash.

Google has emphasized the importance of applying this update as soon as possible to mitigate the risks associated with these vulnerabilities.

The company has credited several external researchers for their contributions to identifying and reporting these issues, highlighting the collaborative nature of cybersecurity efforts.

How to Update Chrome

Users can update their Chrome browser by following these steps:

Open Google Chrome.

Click the three vertical dots in the top right corner of the window.

Select “Settings.”

Scroll down and click on “About Chrome.”

Chrome will automatically check for updates. If an update is available, it will be downloaded and installed automatically.

After the update is installed, restart your Chrome browser to apply the changes.

This latest update is part of Google’s regular security maintenance schedule, which aims to address vulnerabilities promptly and keep users safe from potential threats.

By following these steps, users can ensure that their Chrome browser is up to date, which is crucial for maintaining security and accessing the latest features.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

The post Google Chrome Patches Six High-Severity Vulnerabilities appeared first on Cyber Security News.

 Read More