Ibm 4863


Pascua Gomer

Aug 4, 2024, 11:14:08 PM
to verstopsechin
Yep, so this is where our recurring coverage is a pretty handy place to start: Recurring vulnerability coverage InsightVM Documentation

For any vendor/software under the recurring coverage that acknowledges and provides remediation for CVE-2023-4863, we would create vulnerability content. There are of course sometimes some exceptions but this mostly holds true.


Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217. Through our investigation, we found that these affect a subset of our products and as of today, we have addressed them in our products as outlined below:


Additional updates will be documented in the MSRC Security Update Guide CVE-2023-4863 and CVE-2023-5217 accordingly. You can register for the security notifications mailer to be alerted when updates are available, and when content changes are made to the CVEs. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.


Merchants who receive a chargeback for a transaction placed with a Mastercard card may encounter reason code 4863, which indicates an improperly authorized transaction that the cardholder does not believe they should be responsible for paying. The actual underlying cause of this chargeback may be true fraud, friendly fraud, or merchant error. Merchants who believe they have received an invalid chargeback under reason code 4863 may be able to represent the transaction and reverse the chargeback with the right compelling evidence.


Mastercard specifies 21 reason codes under the categories of Fraud, Authorization, Point-of-Interaction Error, and Cardholder Disputes. Mastercard uses a four-digit numbering scheme for its chargeback reason codes.


Understanding chargeback reason codes is one of the most essential parts of effective chargeback management. Identifying the chargeback reason code and the evidence required to fight it is the first step in chargeback representment, and analyzing your chargeback reason codes can provide you with insights into what types of disputes are causing you the most trouble. With this information, you can determine the root causes of your chargebacks and take action to prevent them from reoccurring.


On September 6th, 2023 Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto reported a critical vulnerability affecting an image compression library used in Chromium and other software solutions that support WebP images.


WebP is an image format that offers superior lossless and lossy compression for images on the Web. Thanks to WebP, developers and webmasters have the ability to generate more compact, high-quality images, which leads to a significant improvement in the loading speed of web pages.


The CVE-2023-4863 vulnerability can be found in this library, specifically in the BuildHuffmanTable function used to validate the input data. The problem lies in the fact that this function allocates extra memory if the existing table is not large enough for the input data, allowing arbitrary data to be written outside of the bounds set in memory, when processing a malicious WebP image, which can lead to arbitrary code execution.


Most of the affected products have automatic updates enabled by default, so a restart of the application is the only requirement. Otherwise, the patch should be applied manually as soon as possible.


The details of the CVE-2023-4863 vulnerability are complex, so it is recommended to rely on the patch released by the manufacturer that fixes the vulnerability and to verify that our affected applications/browsers have an equal or higher version.


Beyond macOS, iOS, iPadOS, watchOS, and Google Chrome, the vulnerabilities cited here affect every application using a vulnerable version of the open source libwebp library, which encodes and decodes images in the WebP format. Major Linux distros, including Debian, Ubuntu, SUSE, and RedHat have released security fixes for the libwebp and chromium packages.


According to Citizen Lab, CVE-2023-41064 was used by the NSO Group to compromise iPhones without user interaction since at least early-September 2023. In a security bulletin we published on September 8th, we detailed the zero-click exploitation chain (BLASTPASS) for the Apple vulnerability. Although limited details have been made available about exploitation of this vulnerability, it is important to update all products that leverage the library as additional exploitation scenarios could be possible.


We have not identified a public proof of concept (PoC) exploit that allows for code execution; however, we have identified a PoC exploit for a DoS condition. Threat actors could leverage the DoS PoC exploit as a starting point to develop a PoC exploit that leads to arbitrary code execution.


The vulnerability has been patched in the latest version of libwebp; however, the security patch is not automatically applied to software products that use the library under the hood of their code, such as electron-based applications and Chromium-based browsers. Remediating CVE-2023-4863 in third-party software products is only possible by applying the official security updates from vendors as they patch their products.


Arctic Wolf also recommends ensuring that iPhone and iPad devices with company data are updated with their respective updates to iOS 16.6.1 and iPadOS 16.6.1 by going to Settings > General > Software Update.


I understand it is probably more trouble than it is worth, but I am keen on using my 4863 IBM monitor as a second display for my x230. So far I've looked into converting its VGA signal to a CGA output, then using the CGA adapter for the 4863, but not sure how feasible this is as a solution. Any help?


You would first have to capture that VGA signal - how exactly depends on how you want the result to look, but either with a real video ADC or just some comparators to turn analog RGB signals into three RGB on/off bits.


The second problem is that the CGA monitor only shows a 60 Hz signal with 200 active lines at 15 kHz. You likely can't make the modern video adapter output CGA resolutions and timings. So for getting any VGA signal to CGA timings, you need a video processing or a scaling chip.


It is also unclear how this can be useful, as VGA outputs have 16 million colours and the CGA only has 16, so the result would be pretty unusable. Unless you again use video processing magic and use temporal dithering, similarly to how 24-bit (8-bit) colours are converted to 18-bit (6-bit) TFT panels.


At Cloudflare, we're constantly vigilant when it comes to identifying vulnerabilities that could potentially affect the Internet ecosystem. Recently, on September 12, 2023, Google announced a security issue in Google Chrome, titled "Heap buffer overflow in WebP in Google Chrome," which caught our attention. Initially, it seemed like just another bug in the popular web browser. However, what we discovered was far more significant and had implications that extended well beyond Chrome.


The vulnerability, tracked under CVE-2023-4863, was described as a heap buffer overflow in WebP within Google Chrome. While this description might lead one to believe that it's a problem confined solely to Chrome, the reality was quite different. It turned out to be a bug deeply rooted in the libwebp library, which is not only used by Chrome but by virtually every application that handles WebP images.


The vulnerability allows an attacker to create a malformed WebP image file that makes libwebp write data beyond the buffer memory allocated to the image decoder. By writing past the legal bounds of the buffer, it is possible to modify sensitive data in memory, eventually leading to execution of the attacker's code.


WebP, introduced over a decade ago, has gained widespread adoption in various applications, ranging from web browsers to email clients, chat apps, graphics programs, and even operating systems. This ubiquity meant that this vulnerability had far-reaching consequences, affecting a vast array of software and virtually all users of the WebP format.


WebP is a combination of two different image formats: a lossy format similar to JPEG using VP8 codec, and a lossless format using WebP's custom lossless codec. The bug was in the lossless codec's handling of Huffman coding.


Image files contain compact information about the shape of the Huffman tree, which the decoder uses to reconstruct the tree, and build lookup tables for the codes. The bug in libwebp was in the code building the lookup tables. A specially crafted WebP file can contain a very unbalanced Huffman tree that contains codes much longer than any normal WebP file would have, and this made the function generating lookup tables write data beyond the buffer allocated for the lookup tables. Libwebp had checks for validity of the Huffman tree, but it would write the invalid lookup tables before the consistency check.


The buffer for lookup tables is allocated on the heap. Heap is an area of memory where most of the data of the application is stored. Code that writes data past its buffer allows attackers to modify and corrupt data that happens to be adjacent in memory to the buffer. This can be exploited to make the application misbehave, and eventually start executing code supplied by the attacker.


Libwebp is a mature library, maintained by seasoned professionals. But it's written in the C language, which has very few safeguards against programming errors, especially memory use. Despite the care taken in the library's development, a single erroneous assumption led to a critical vulnerability.


Google was initially perplexed about the true source of the problem. They did not release a patched version of libwebp before announcing the vulnerability. We discovered the yet-unreleased patch for libwebp in its repository, and used it to update libwebp in our services. libwebp officially released the patch a day later.
