Posts posted by 1PW
Hello @-JustAguy- and
:
Thank you for the attachments.
Let us get the information to get the process started. Be aware it will take many steps and scans to fully remove malware.
Please respond to all future instructions from your helper in a timely manner.
Let us go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.
Then, sequentially follow each step in the order provided. Unless otherwise asked, please attach all logs.
Please make the following system changes: Please pay close attention to the instructions in all the following links.
- If you have not done so already, Enable System Protection and create a NEW System Restore Point.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup.
- Show-Hidden-Folders-Files-Extensions.
Please run the following scans: Please pay close attention to the instructions in all the following links.
- Click the following link and run a Scan with AdwCleaner. Alternative AdwCleaner download.
- Click the following link and run a Scan with Malwarebytes. Alternative MB5 download. Please check for application and Update Package updates.
  RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool.
  Example image of where to click to attach the 5 files when posting your reply
-
Home | Downloads, Hashes, and Release Notes | Introduction to PowerToys Video | What's Happening |
Microsoft PowerToys v0.84.0 has been released as of 03-September-2024.
Quote
Highlights
- New utility: PowerToys Workspaces - this utility can launch a set of applications to a custom layout and configuration on the desktop. App arrangements can be saved as a workspace and then relaunched with one click from the Workspaces Editor or from a desktop shortcut. In the editor, app configuration can be customized using CLI arguments and "launch as admin" modifiers, and app window sizes and positions can be updated as desired. This is our first public version of Workspaces and we are excited for you to try it out for yourself! Make sure to file issues you encounter on our GitHub so the team can continue to improve the utility.
  Known issues - the team is actively working on fixing these:
  - Apps that launch as admin are unable to be repositioned to the desired layout.
  - Border of "Remove" / "Add Back" app button in editor is not clearly visible on light themes.
- Added Awake --use-parent-pid CLI argument to attach to parent process. Thanks @dend!
- Added custom actions - user-specified pre-defined prompts for the AI model. Additionally, actions (both standard and custom) are now searchable from prompt box and Ctrl + number in-app shortcuts are now applicable for first 9 search results.
- Ported all C++/CX code to C++/WinRT as part of a refactor and upgrade series aimed at enabling AOT (Ahead of Time) compilation for enhanced performance and reduced disk footprint.
General
- Added DSC support for ImageResizer resize sizes property.
Advanced Paste
- Added custom actions - user-specified pre-defined prompts for the AI model. Additionally, actions (both standard and custom) are now searchable from prompt box and Ctrl + number in-app shortcuts are now applicable for first 9 search results.
Awake
- Added --use-parent-pid CLI argument to attach to parent process and fixed issue causing tray icon to disappear. Thanks @dend!
Hosts File Editor
- Fixed save failure when the hosts file is hidden. Thanks @davidegiacometti!
File Explorer add-ons
- Fixed multiple preview form positioning issues causing floating, detached windows, CoreWebView2 related exception and process leak. Thanks @davidegiacometti!
Keyboard Manager
- Convert RemapBufferRow to a struct with descriptive field names. Thanks @masaru-iritani!
- Fixed issue causing stuck Ctrl key when shortcuts contain AltGr key.
Peek
- Added long paths support. Thanks @davidegiacometti!
Quick Accent
- Moved number superscripts and subscripts from Portuguese to all languages definition. Thanks @octastylos-pseudodipteros!
PowerRename
- Updated the tooltip text of the replace box info button. Thanks @Agnibaan!
PowerToys Run
- Fixed window positioning on start-up introduced in 0.83.
- Improved default web browser detection. Thanks @davidegiacometti!
- Fixed volume ounces conversion to support both imperial and metric. Thanks @GhostVaibhav!
- Fixed thread-safety issue causing results not to be shown on first launch.
Screen Ruler
- Added multiple measurements support for all measuring tools.
Settings
- Improved disabled animations InfoBar in Find My Mouse page. Thanks @davidegiacometti!
Workspaces
- New utility: PowerToys Workspaces - this utility can launch a set of applications to a custom layout and configuration on the desktop. App arrangements can be saved as a workspace and then relaunched with one click from the Workspaces Editor or from a desktop shortcut. In the editor, app configuration can be customized using CLI arguments and "launch as admin" modifiers, and app window sizes and positions can be updated as desired. This is our first public version of Workspaces and we are excited for you to try it out for yourself! Make sure to file issues you encounter on our GitHub so the team can continue to improve the utility.
Documentation
- Added ChatGPTPowerToys plugin mention to thirdPartyRunPlugins.md. Thanks @ferraridavide!
Development
- Ported all C++/CX code to C++/WinRT.
- Moved Version.props import to Directory.Build.props.
- Extracted self-containment related .csproj properties to src/Common.SelfContained.props.
- Unused and obsolete dependencies cleanup. Thanks @davidegiacometti!
- Extracted CSWinRT related .csproj properties to src/Common.Dotnet.CsWinRT.props.
- Upgraded Microsoft.Windows.CsWinRT to 2.0.8 and updated verifyDepsJsonLibraryVersions.ps1 to unblock PRs.
- Explicitly Set NuGet Audit Mode to Direct in Directory.Build.props to revert changes made with VS 17.12 update. Thanks @snickler!
- Upgraded UnitsNet to 5.56.0.
-
The updated Bitwarden Password Manager v2024.8.2 has been released. (05-September-2024)
Release notes & downloads for all editions
Quote
Disable cipher key encryption
-
Hello @Keesdejongens and
:
Thank you for the valuable diagnostic attachments. However, your helper will require the following be carefully followed and run with the important specified options.
Let us get the information to get the process started. Be aware it will take many steps and scans to fully remove malware.
Please respond to all future instructions from your helper in a timely manner.
Let us go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.
Then, sequentially follow each step in the order provided. Unless otherwise asked, please attach all logs.
Please make the following system changes: Please pay close attention to the instructions in all the following links.
- If you have not done so already, Enable System Protection and create a NEW System Restore Point.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup.
- Show-Hidden-Folders-Files-Extensions.
Please run the following scans: Please pay close attention to the instructions in all the following links.
- Click the following link and run a Scan with AdwCleaner. Alternative AdwCleaner download.
- Click the following link and run a Scan with Malwarebytes. Alternative MB5 download. Please check for application and Update Package updates.
  RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool.
  Example image of where to click to attach the 5 files when posting your reply
Thank you.
-
Mullvad Browser 13.5.3 extended support release has been made. (05-September-2024)
Mullvad Browser Homepage | Autoupdate or Downloads | Repository | GPG Verifying | Mullvad Blog | Release Notes | Help/FAQ
Quote
Mullvad Browser 13.5.3 Latest
All Platforms
- Updated Firefox to 115.15.0esr
- Updated NoScript to 11.4.35
- Bug 332: Rebase Mullvad Browser Stable onto 115.15.0esr [mullvad-browser]
- Bug 40056: Ensure that the lazy loading attribute is ignored on script-disabled documents [tor-browser]
- Bug 42686: Backport Mozilla 1885101 [tor-browser]
- Bug 42829: Prevent CSS-based scriptless interaction tracking [tor-browser]
- Bug 43100: Backport security fixes from Firefox 130 [tor-browser]
Linux
- Bug 43064: Make copy/paste and drag/drop file filtering more specific [tor-browser]
Build System
All Platforms
- Bug 41218: Use new Tor Browser gpg subkey for signing stable releases [tor-browser-build]
- Bug 41222: link_old_mar_filenames still referenced in torbrowser-incrementals-{release,alpha}-unsigned [tor-browser-build]
-
Wiki | 1Password | Downloads | Support | Release Notes | Blog | Newsletter | Password Generator | Username Generator |
1Password 8.10.44-34 for Windows has been released. (03-September-2024)
Quote
September 3, 2024
1Password for Windows 8.10.44
We’re excited to share that we’ve updated the release number formatting for the 1Password browser extension! This change aligns our browser extension with the 1Password apps, so you’ll now see the same release number across all platforms. Plus, both the extension and apps will be released on the same date, for a consistent and streamlined experience.
- We’ve enhanced search capabilities to help you find items faster than ever.
- You can now search within a list of items, such as a vault or category.
- We’ve made improvements to the item sharing experience.
- We’ve updated the preview image you see when you receive a shared item link.
- Pending invitations are now included in the invite count shown by the Invite People banner.
- You’ll now see a message in Settings > Security if your app’s auto-lock settings are managed by an account administrator.
- We now save fields more reliably for credit cards and identity items.
- The “Grant access to your account” message will now display the device name instead of the operating system when enrolling a trusted device.
- If you’re a Guest user, you’ll no longer see the banner in the sidebar that prompts you to import your passwords or migrate data.
- You can now import login items with encrypted URLs from LastPass.
- We’ve made visual improvements to the Autofill Behavior options.
- We’ve made accessibility improvements to the found accounts list on the Sign in modal.
- We’ve made accessibility improvements to the contrast of the close button for the Sign-In page.
- You’ll now see the correct message on the unlock screen when you’ve been locked out after multiple failed biometric sign-in attempts.
- We’ve fixed an issue that prevented shared items from loading if there was content in the Notes field.
- We’ve fixed a visual issue when you opened shared items, where elements on the page were spaced too far apart.
- We’ve fixed an issue in the search results where you’d see a dash in an item’s subtitle.
- We’ve fixed an issue that prevented certain proxy types from connecting in 1Password.
-
The Tor Browser 13.5.3 (All Platforms) has been released. (04-September-2024)
Tor Browser 13.5.3 is now available from the Tor Browser download page and also from our distribution directory.
Blog/Announcement | Full Changelog |
Quote
Full changelog
The full changelog since Tor Browser 13.5.2 is:
- All Platforms
  - Updated NoScript to 11.4.35
  - Bug tor-browser#40056: Ensure that the lazy loading attribute is ignored on script-disabled documents
  - Bug tor-browser#42686: Backport Mozilla 1885101
  - Bug tor-browser#42829: Prevent CSS-based scriptless interaction tracking
  - Bug tor-browser#43084: Rebase Tor Browser Stable onto 115.15.0esr
  - Bug tor-browser#43100: Backport security fixes from Firefox 130
  - Bug tor-browser-build#41207: Upgrade lyrebird to 0.3.0
- Windows + macOS + Linux
  - Updated Firefox to 115.15.0esr
  - Bug tor-browser#42596: Several console errors: Console.maxLogLevelPref used with a non-existing pref:
  - Bug tor-browser#42622: Offline state is unreachable in about:torconnect (first bootstrap attempt)
  - Bug tor-browser#42642: Downloads button warning no longer announced on Orca
  - Bug tor-browser#42661: Re-run update_emojis.py and update locales
  - Bug tor-browser#42691: Simplified bridge cards prevent censored users from modifying built-in bridges
  - Bug tor-browser#42696: Update `mail` icon used in "Find more bridges"
  - Bug tor-browser#42697: Remove padding to left of `tor-bridges-provider-list` under "Find more bridges"
  - Bug tor-browser#43059: Drag and Drop issue in new update 13.5.2
  - Bug tor-browser#43066: about:torconnect no longer changes the title icon on errors
- Linux
  - Bug tor-browser#43064: Make copy/paste and drag/drop file filtering more specific
- Android
  - Updated GeckoView to 115.15.0esr
- Build System
  - All Platforms
    - Updated Go to 1.21.13
    - Bug tor-browser-build#41213: Update the update_manual.py script to notify when no changes needed
    - Bug tor-browser-build#41218: Use new Tor Browser gpg subkey for signing stable releases
    - Bug tor-browser-build#41222: link_old_mar_filenames still referenced in torbrowser-incrementals-{release,alpha}-unsigned
  - Android
    - Bug tor-browser-build#41206: GeckoView ignores the number of processors
-
CVE-2024-45678
If the author's well-written paper is substantiated by respected peer review, this is a remarkable discovery.
In the case of enterprise/personal computers, I hope something like an effective YARA ruleset can be applied for at least partial protection.
Thank you.
-
Version 130.0, first offered to Release channel users on September 3, 2024
Quote
New
- Firefox now allows translating selected text portions to different languages after a full-page translation.
- Firefox now offers an easy way to try experimental features with a new Firefox Labs page in Settings.
  - AI Chatbot feature lets you add the chatbot of your choice to the sidebar, for quick access as you browse.
  - Picture-in-Picture auto-open experiment enables PiP on active videos when switching tabs.
- Overscroll animations are now enabled as the default behavior for scrollable areas on Linux.
Fixed
- Various security fixes.
- Fixed an issue where Copy and Paste context menu items intermittently were not enabled when expected.
Changed
- The following languages are now supported by Firefox translation:
  - Catalan
  - Croatian
  - Czech
  - Danish
  - Indonesian
  - Latvian
  - Lithuanian
  - Romanian
  - Serbian
  - Slovak
  - Vietnamese
Mozilla Foundation Security Advisory 2024-39
Quote
Security Vulnerabilities fixed in Firefox 130
- Announced: September 3, 2024
- Impact: high
- Products: Firefox
- Fixed in: Firefox 130
CVE-2024-8385: WASM type confusion involving ArrayTypes
- Reporter: Seunghyun Lee
- Impact: high
Description
A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability.
References
CVE-2024-8381: Type confusion when looking up a property name in a "with" block
- Reporter: Nils Bars
- Impact: high
Description
A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment.
References
CVE-2024-8388: Fullscreen notice on Android could be hidden under various panels and OS prompts
- Reporter: Shaheen Fazim, Raphael Saniyazov, Rifa'i Rejal Maynando, James Lee, P Umar Farooq, Hafiizh
- Impact: moderate
Description
Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. This could lead to spoofing the browser UI if the sudden appearance of the prompt distracted the user from noticing the visual transition happening behind the prompt. These notifications now use the Android Toast feature.
This bug only affects Firefox on Android. Other operating systems are unaffected.
References
CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
- Reporter: Gregory Pappas
- Impact: moderate
Description
Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console.
References
CVE-2024-8383: Firefox did not ask before opening news: links in an external application
- Reporter: D7
- Impact: moderate
Description
Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will.
References
CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions
- Reporter: the Mozilla Fuzzing Team
- Impact: moderate
Description
The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption.
References
CVE-2024-8386: SelectElements could be shown over another site if popups are allowed
- Reporter: Shaheen Fazim, Hafiizh
- Impact: low
Description
If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack.
References
CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
- Reporter: Yury Delendik, the Mozilla Fuzzing Team
- Impact: high
Description
Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
CVE-2024-8389: Memory safety bugs fixed in Firefox 130
- Reporter: the Mozilla Fuzzing Team, Andrew McCreight
- Impact: high
Description
Memory safety bugs present in Firefox 129. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
Hello @nikhil_ and
:
Thank you for the valuable attachments. However, your helper will require you run a specific set of diagnostics, in the order given and with specific options.
Let us get the information to get the process started. Be aware it will take many steps and scans to fully remove malware.
Please respond to all future instructions from your helper in a timely manner.
Let us go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.
Then, sequentially follow each step in the order provided. Unless otherwise asked, please attach all logs.
Please make the following system changes: Please pay close attention to the instructions in all the following links.
- If you have not done so already, Enable System Protection and create a NEW System Restore Point.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup.
- Show-Hidden-Folders-Files-Extensions.
Please run the following scans: Please pay close attention to the instructions in all the following links.
- Click the following link and run a Scan with AdwCleaner. Alternative AdwCleaner download.
- Click the following link and run a Scan with Malwarebytes. Alternative MB5 download. Please check for application and Update Package updates.
  RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool.
  Example image of where to click to attach the 5 files when posting your reply
Thank you.
-
Wireshark Announcement / News stable version 4.4.0 has been released. (28-August-2024)
Autoupdate or Download | Release Notes |
Quote
What's New
Wireshark 4.4.0 Released
August 28, 2024
What’s New
Many improvements and fixes to the graphing dialogs, including I/O Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.
Wireshark now supports automatic profile switching. You can associate a display filter with a configuration profile, and when you open a capture file that matches the filter, Wireshark will automatically switch to that profile.
Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1 and 5.2 has been removed. The Windows and macOS installers now ship with Lua 5.4.6.
Improved display filter support for value strings (optional string representations for numeric fields).
Display filter functions can be implemented as plugins, similar to protocol dissectors and file parsers.
Display filters can be translated to pcap filters using Edit › Copy › Display filter as pcap filter if each display filter field has a corresponding pcap filter equivalent.
Custom columns can be defined using any valid field expression, such as display filter functions, packet slices, arithmetic calculations, logical tests, raw byte addressing, and protocol layer modifiers.
Custom output fields for `tshark -e` can also be defined using any valid field expression.
Wireshark can be built with the zlib-ng instead of zlib for compressed file support. Zlib-ng is substantially faster than zlib. The official Windows and macOS packages include this feature.
Many other improvements have been made. See the “New and Updated Features” section below for more details.
New and Updated Features
The following features are either new or have been significantly updated since version 4.2.0:
- The Windows installers now ship with Npcap 1.79. They previously shipped with Npcap 1.78.
- Improvements to the "I/O Graphs" dialog:
  - A number of crasher bugs have been fixed.
  - The protocol tree context menu can open a I/O graph of the currently selected field. Issue 11362
  - Smaller intervals can be used, down to 1 microsecond. Issue 13682
  - A larger number of I/O Graph item buckets can be used, up to 2^25 (33 million) items. Issue 8460
  - The size of individual graph items has been reduced, which reduces memory utilization.
  - When the Y field or Y axis changes, the graph displays the new graph correctly, retapping if necessary, instead of displaying information based on stale data.
  - The graph is smarter about choosing whether to retap (expensive), recalculate (moderately intensive), or replot (cheap) in order to display the newly chosen options correctly with the least amount of calculations. For instance, a graph that has previously been plotted and is disabled and then reenabled without any other changes will not require a new retap. Issue 15822
  - LOAD graphs are graphed properly again. Issue 18450
  - Y axes have human readable units with SI prefixes. Issue 12827
  - Bar widths are scaled to the size of the interval.
  - Bar border colors are a slightly darker color than that of the graph itself, instead of always black. Issue 17422
  - Time values have the correct width when axes are automatically reset.
  - The precision of the interval time shown in the hint message depends on the interval.
  - The tracer follows the currently selected row on the table of graphs, and does not appear on an invisible graph.
  - The tracer moves to the frame selected in the main window. Issue 12909
  - Pending graph changes are saved when changing profiles when the I/O Graphs dialog is open.
  - I/O Graph dialog windows for closed capture files are no longer affected by changing the list of graphs (either in that dialogs or in other dialogs for the currently open file.)
  - Newly created temporary graphs, which will not be saved unless the configuration has changed, are more clearly marked with italics.
  - When "Time of Day" is selected for a graph, the absolute time will be saved to CSV exports instead of the relative time. Issue 13717
  - Graphs can be reordered by dragging and dropping their list entries. Issue 13855
  - The graph layer order and legend order always matches the order in the graph list. Legends also appear properly. Issue 13854
  - The legend can be moved to other corners of the graph by right-clicking on it and selecting its new location from a menu.
  - For purposes of displaying zero values, graphs with both lines and data point symbols are treated as line graphs, not scatter plots.
  - Logarithmic ticks are used when the Y axis is logarithmic.
  - The graph crosshairs context menu option works.
  - You can resize the graph list columns to their contents by right clicking on the list header. Issue 18102
  - The graph is more responsive to mouse movement, especially on Linux Wayland.
- Improvements to the Sequence Diagram (Flow Graphs and VoIP Calls):
  - When exporting the graph as an image, the entire graph is shown with up to 1000 items instead of only what was visible on-screen. This value can be increased in the preferences. Issue 13504
  - Endpoints that share the same address now have two distinct nodes with a line between them. Issue 12038
  - The "Comment" column can be resized by selecting the axis between the "Comment" column and the graph and dragging, and auto-resized by double-clicking the column. Issue 4972
  - Tooltips are shown for elided comments.
  - The scroll direction via keyboard is no longer reversed. Issue 12932
  - The column widths are fixed instead of resizing slightly depending on the visible entries. Issue 12931
  - The Y axis labels stay in the correct position without having to click the Reset button.
  - The progress bar appears correctly in the Flow Graph (non VoIP Calls).
  - The behavior of the "Any" and "Network" combobox is corrected. Issue 19818
  - "Limit to Display Filter" is checked if a display filter is applied when the Flow Graph is opened, per the documentation.
- TCP Stream Graphs:
  - A better decision is made about which side is the server and thus the initially chosen direction in the graph.
  - The "Window Scaling" graph axis labels are corrected and show both graphs.
  - The graph crosshairs context menu option works.
  - Switching between relative and absolute sequence numbers works again.
- The "Follow Stream" dialog can now show delta times between turns and all packets and events.
- A number of graphs using the QCustomPlot widget ("I/O Graphs", "Flow Graph", "TCP Stream Graphs", and "RTP Player") are more responsive to mouse movement, especially on Linux when Wayland is used.
- The "Find Packet" dialog can search backwards and find additional occurrences of a string, hex value, or regular expression in a single frame.
- When using "Go To Packet" with an undisplayed frame, the window goes to nearest displayed frame by number. Issue 2988
- Display filter syntax enhancements:
  - Better handling of comparisons with value strings. Now the display filter engine can correctly handle cases where multiple different numeric values map to the same value string, including but not limited to range-type value strings.
  - Fields with value strings now support regular expression matching.
  - Date and time values now support arithmetic, with some restrictions: the multiplier/divisor must be an integer or floating point number and appear on the right-hand side of the operator.
  - The keyword "bitand" can be used as an alternative syntax for the bitwise-and operator.
  - Functions alone can now be used as an entire logical expression. The result of the expression is the truthiness of the function return value (or of all values if more than one). This is useful for example to write "len(something)" instead of "len(something) != 0". Even more so if a function returns itself a boolean value, it is now possible to write "bool_test(some.field)" instead of having to write "bool_test(some.field) == True". Both forms are now valid.
  - Display filter references can be written without curly braces. It is now possible to write `$frame.number` instead of `${frame.number}` for example.
  - There are new display filter functions which test various IP address properties. Check the wireshark-filter(5) man page for more information.
  - There are new display filter functions which convert unsigned integer types to decimal or hexadecimal, and convert fields with value strings into the associated string for their value, which can be used to produce results similar to custom columns. Check the wireshark-filter(5) man page for more information.
  - Display filter macros can be written with a semicolon after the macro name before the argument list, e.g. `${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`. The version with semicolons works better with pop-up suggestions when editing the display filter, so the version with the colon might be removed in the future.
  - Display filter macros can be written using a function-like notation. The macro `${mymacro:arg1;…;argN}` can be written `$mymacro(arg1,…,argN)`.
  - AX.25 addresses are now filtered using the "CALLSIGN-SSID" string syntax. Filtering based on the raw bytes values is still possible, like other field types, with the `@` operator. Issue 17973
- Display filter functions can be implemented as libwireshark plugins. Plugins are loaded during startup from the usual binary plugin configuration directories. See the `ipaddr.c` source file in the distribution for an example of a display filter C plugin and the doc/plugins.example folder for generic instructions how to build a plugin.
- Display filter autocompletions now also include display filter functions.
- The display filter macro configuration file has changed format. It now uses the same format as the "dfilters" file and has been renamed accordingly to "dmacros". Internally it no longer uses the UAT API and the display filter macro GUI dialog has been updated. There is some basic migration logic implemented but it is advisable to check that the "dfilter_macros" (old) and "dmacros" (new) files in the profile directory are consistent.
- Custom columns can be defined using any valid field expression:
  - Display filter functions, like `len(tcp.payload)`, including nested functions like `min(len(tcp.payload), len(udp.payload))` and newly defined functions using the plugin system mentioned above. Issue 15990 Issue 16181
  - Arithmetic calculations, like `ip.len * 8` or `tcp.srcport + tcp.dstport`. Issue 7752
  - Slices, like `tcp.payload[4:4]`. Issue 10154
  - The layer operator, like `ip.proto#1`, which will return the protocol field in the first IPv4 layer if there is tunneling. Issue 18588
  - Raw byte addressing, like `@ip`, which will return the bytes of protocol or FT_NONE fields, among others. Issue 19076
  - Logical tests, like `tcp.port == 443`, which produce a check mark if the test matches (similar to protocol and FT_NONE fields without `@`.) This works with all logical operators, including e.g. regular expression matching (`matches` or `~`.)
  - Defined display filter macros.
  - Any combination of the above also works.
  - Multifield columns are still available. For backwards compatibility, `X or Y` is interpreted as a multifield column as before. To represent a logical test for the presence of multiple fields instead of concatenating values, use parenthesis, e.g. `(tcp.options.timestamp or tcp.options.nop)`.
  - Field references are not implemented because there’s no sense of a currently selected frame. "Resolved" column values (such as host name resolution or value string lookup) are not supported for any of the new expressions yet.
-
Custom output fields for
tshark -e <field>can also be defined using any valid field expression as above.-
For custom output fields,
X or Yis the usual logical test; to output multiple fields use multiple-eterms as before. -
The various
-Eoptions, including-E occurrence, all work as expected.
-
-
When selecting "Manage Interfaces" from "Capture Options", Wireshark only attempts to reconnect to rpcap hosts that were active in the last session, instead of every remote host that the current profile has ever connected to. Issue 17484
-
The "Resolved Addresses" dialog only shows what addresses and ports are present in the file (not including information from static files), and selected rows or the entire table can be saved or copied to the clipboard in several formats. Issue 16419
-
Dumpcap and Wireshark support the
-Foption when capturing a file on the command line. Issue 18009 -
When capturing on the command line dumpcap accepts a
-Qoption that is quieter than-qand prints only errors to standard error, similar to tshark. Issue 14491 -
When capturing a file and requesting the
pcapformat, nanosecond resolution time stamps will be written if the device and version of libpcap supports it. -
When capturing using a file size autostop or ring buffer condition, the maximum value is now 2 TB, up from 2GiB. Note that you may have problems when the number of packets gets larger than 231 or 232, though that is also true when no limit is set.
-
When capturing files in multiple file mode, a pattern that places the date and time before the index number can be used (e.g., foo_20240714110102_00001.pcap instead of foo_00001_20240714110102.pcap). This makes file names sortable in chronological order across file sets from different captures. The "File Set" dialog has been updated to handle the new pattern, which has been capable of being produced by tshark since version 3.6.0.
-
Adding interfaces at startup is about twice as fast, and has many fewer UAC pop-ups when Npcap is installed with access restricted to Administrators on Windows.
-
The Lua version included with the Windows and macOS installers has been updated to 5.4. While we have tried to help with backward compatibility by including lua_bitop library with Lua 5.3 and 5.4 in addition to the native Lua support for bit operations present in those versions, different versions of Lua are not guaranteed to be compatible. If a Lua dissector has issues, check the manuals for Lua 5.4, Lua 5.3, and Lua 5.2 for incompatibilities and suggested workarounds. Note that features marked as deprecated in one version are removed in the subsequent version without additional notice, so it can be worth checking the manual for previous versions.
-
Lua scripts in the plugins directories are now initially loaded via the same internal Lua methods as
require(). This avoids errors from loading plugins twice, once by scanning the directory initially, and once byrequire(), and also results in globals defined in plugins entering the global namespace. Previously globals defined in plugins only entered the global namespace when placed in the global plugins directory, but not the personal plugins directory. Using globals in plugins remains deprecated style (both by Wireshark and in Lua generally), that should be avoided via using other methods. Issue 18589 -
Lua functions have been added to decompress and decode TvbRanges with other compression types besides zlib, such as Brotli, Snappy, Zstd, and others, matching the support in the C API. tvbrange:uncompress() has been deprecated in favor of tvbrange:uncompress_zlib().
-
Lua Dumper now defaults to the pcapng file type, and to per-packet encapsulation (creating interfaces on demand as necessary) when writing pcapng Issue 16403
-
Editcap has an
--extract-secretsoption to extract embedded decryption secrets from a capture file. Issue 18197 -
Global profiles can be used in tshark by using
--global-profileoption. -
Capture files can be saved with LZ4 compression. LZ4 has an emphasis on speed and may be particularly useful for large files.
-
Fast random access is supported with LZ4 compressed files when compressed with independent blocks, which is the default. This provides much more responsive GUI performance when jumping to different packets. Fast random access has been supported with gzip compressed files since version 1.8.0, but this is not supported for Zstd compressed files.
-
Mergecap, Editcap, TShark and Text2pcap have an
--compressoption to compress output to different formats. For now, it supports the gzip and LZ4 compression formats. When the option is not given, the desired compression format can also be deduced from the output filename extension, e.g. gzip for .gz. -
Wireshark’s Git repostory tags are now signed using SSH. See the Developer’s Guide for more details.
Removed Features and Support
- The tshark -G option with no argument is deprecated and will be removed in a future version. Use tshark -G fields to produce the same report.
Removed Dissectors
The Parlay dissector has been removed.
New Protocol Support
Allied Telesis Resiliency Link (AT RL), ATN Security Label, Bit Index Explicit Replication (BIER), Bus Mirroring Protocol, EGNOS Message Server (EMS) file format, Galileo E1-B I/NAV navigation messages, IBM i RDMA Endpoint (iRDMA-EDP), IWBEMSERVICES, MAC NR Framed (mac-nr-framed), Matter Bluetooth Transport Protocol (MatterBTP), MiWi P2P Star, Monero, NMEA 0183, PLDM, RDP authentication redirection virtual channel protocol (rdpear), RF4CE Network Layer (RF4CE), RF4CE Profile (RF4CE Profile), RK512, SAP Remote Function Call (SAPRFC), SBAS L1 Navigation Message, Scanner Access Now Easy (SANE), TREL, WMIO, and ZeroMQ Message Transport Protocol (ZMTP)
Updated Protocol Support
IPv6: The "show address detail" preference is now enabled by default. The address details provided have been extended to include more special purpose address block properties (forwardable, globally-routable, etc).
Too many other protocol updates have been made to list them all here.
New and Updated Capture File Support
EGNOS Message Server (EMS) files
New and Updated Capture Interfaces support
u-blox GNSS receivers
Major API Changes
- The entire code base has been updated to use C99 types instead of GLib types. This includes changing occurrences of gboolean, which is an integer, to C99’s native bool type in many places. See issue 19116 for more details.
- The tvb_get_guintX and tvb_get_gintX functions in the tvbuff API have been renamed to tvb_get_uintX and tvb_get_intX (the GLib-style "g" has been removed). You can still use the old-style names, but they have been deprecated.
- Plugins should provide a plugin_describe() function that returns an ORed list of flags consisting of the plugin types used. See wsutil/plugins.h for details.
-
Hello @pondus and all:
Some browsers have already been fixed. For those browsers still waiting for their fixes, the following is optionally available:
If the computer's browser in question has the v1.59.0 (or higher) optional extension release of uBlock Origin (uBO), please:
- Open the browser's uBO GUI.
- Select the “Open the dashboard” icon near the lower right-hand corner of the GUI.
- Select the “Filter lists” tab.
- Go to, and open, the “Privacy” category and if the “Block Outsider Intrusion into LAN” line is not already ticked, do so.
- That browser is/was protected. Repeat for other uBO protected browsers as required.
- For further confirmation, open that Privacy category by selecting the view content “eye” icon.
- If the line “||0.0.0.0^$3p,domain=~localhost|~127.0.0.1|~[::1]|~0.0.0.0|~[::]|~local” is present at (or near) line 40, that is additional confirmation.
The above uBO filter rule means: block all third-party requests to 0.0.0.0 from any domain except (various forms of) localhost and 0.0.0.0.
Thank you and HTH
Reference: https://www.linuxquestions.org/questions/showthread.php?p=6519422-
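The filter rule quoted in the post above, run through a simplified model, as an added example that is not part of the original post and is not uBlock Origin's own code. The helper names (parseRule, blocks, siteOf) and the page/request URLs are constructed for illustration, and the two-label site comparison is an assumed stand-in for a Public Suffix List lookup.

```javascript
// Simplified model of how a "||host^$3p,domain=..." network filter is evaluated.
// Assumption: this is not uBlock Origin's engine, only the three tests the rule names.
const RULE = "||0.0.0.0^$3p,domain=~localhost|~127.0.0.1|~[::1]|~0.0.0.0|~[::]|~local";

// Split "||host^$opt1,opt2" into the hostname anchor and its options.
function parseRule(rule) {
  const cut = rule.lastIndexOf("$");
  const pattern = rule.slice(0, cut);
  if (cut < 0 || !pattern.startsWith("||") || !pattern.endsWith("^")) {
    throw new Error("only ||host^$options rules are modelled here");
  }
  const parsed = { host: pattern.slice(2, -1), thirdParty: false, allowFrom: [], onlyFrom: [] };
  for (const opt of rule.slice(cut + 1).split(",")) {
    if (opt === "3p" || opt === "third-party") {
      parsed.thirdParty = true;
    } else if (opt.startsWith("domain=")) {
      for (const entry of opt.slice("domain=".length).split("|")) {
        // "~name" exempts pages on that host; a bare name restricts the rule to it.
        if (entry.startsWith("~")) parsed.allowFrom.push(entry.slice(1));
        else parsed.onlyFrom.push(entry);
      }
    } else {
      throw new Error("option not modelled: " + opt);
    }
  }
  return parsed;
}

const hostOf = (url) => new URL(url).hostname.toLowerCase();
const isIp = (host) => host.startsWith("[") || /^\d+(\.\d+){3}$/.test(host);
// Rough "site" of a host: IP literals and single labels stand alone, else last two labels.
const siteOf = (host) => (isIp(host) ? host : host.split(".").slice(-2).join("."));
// In this model an entry covers the named host and anything beneath it.
const covers = (entry, host) => host === entry || host.endsWith("." + entry);

// True when the rule would block a request made by the page at pageUrl.
function blocks(rule, pageUrl, requestUrl) {
  const page = hostOf(pageUrl);
  const target = hostOf(requestUrl);
  if (!covers(rule.host, target)) return false; // ||host^ anchor
  if (rule.thirdParty && siteOf(page) === siteOf(target)) return false; // $3p
  if (rule.allowFrom.some((e) => covers(e, page))) return false; // ~exceptions
  if (rule.onlyFrom.length && !rule.onlyFrom.some((e) => covers(e, page))) return false;
  return true;
}

// Constructed (page, request) pairs, not captured traffic.
function demo() {
  const rule = parseRule(RULE);
  const cases = [
    ["https://example.com/", "http://0.0.0.0:8080/api"], // public page probing 0.0.0.0
    ["http://localhost:3000/", "http://0.0.0.0:8080/api"], // local dev page, exempt
    ["http://[::1]:3000/", "http://0.0.0.0:8080/api"], // IPv6 loopback page, exempt
    ["http://printer.local/", "http://0.0.0.0/"], // .local page, exempt
    ["https://example.com/", "http://127.0.0.1:8080/"], // rule only anchors 0.0.0.0
  ];
  return cases.map(([page, request]) => blocks(rule, page, request));
}

console.log(demo());
```

The last case returns false because this one rule anchors only 0.0.0.0; requests to other loopback or LAN addresses depend on the remaining rules in the same filter list.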
-
NoScript | Homepage | Changelog | Download | Usage | Community | FAQ | Forum | Versions |
NoScript stable 11.4.35 has been released. (28-August-2024)
Autoupdate or Download
Quote
v 11.4.35
============================================================
x Improved lazy_load capability (optimization and notification)
x [nscl] Slight optimization of NOSCRIPT element emulation loop
x Automatically add extra capabilities to policyTypesMap
x Gracefully handle new capabilities still unknown to the settings host (e.g. Tor/Mullvad browser), if any
x Configurable "lazy_load" capability (see https://github.com/whatwg/html/issues/5250)
x Prefetch all CSS subresources (1st party included) in private contexts where both unchecked_css and scripting capabilities are disabled
x Forcibly neutralize lazy loading attributes when scripting is disabled
x [nscl] Restored SyncMessage compatibility with Firefox 78 and below
x Lock nscl version on stable releases
x [L10n] Updated de, fr, tr, ru, uk, zh_CN
-
The updated Bitwarden Password Manager v2024.8.1 has been released. (27-August-2024)
Release notes & downloads for all editions
Quote
- Bug fixes
-
Hello @chaminar:
Please reply to this topic and let the forum know if you are still with us.
Thank you.
-
Hello @lone and
:
Please know that the valuable attachments are greatly appreciated but your helper can best analyze the computer when the following procedures are carefully executed in sequence:
Let us get the information to get the process started. Be aware it will take many steps and scans to fully remove malware.
Please respond to all future instructions from your helper in a timely manner.
Let us go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.
Then, sequentially follow each step in the order provided. Unless otherwise asked, please attach all logs.
Please make the following system changes: Please pay close attention to the instructions in all the following links.
- If you have not done so already, Enable System Protection and create a NEW System Restore Point.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup.
- Show-Hidden-Folders-Files-Extensions.
Please run the following scans: Please pay close attention to the instructions in all the following links.
- Click the following link and run a Scan with AdwCleaner Alternative AdwCleaner download.
- Click the following link and run a Scan with Malwarebytes Alternative MB5 download. Please check for application and Update Package updates.
  RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool.
Example image of where to click to attach the 5 files when posting your reply
Thank you.
-
Hello @Used_barracuda and
:
Let us get the information to get the process started. Be aware it will take many steps and scans to fully remove malware.
Please respond to all future instructions from your helper in a timely manner.
Let us go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.
Then, sequentially follow each step in the order provided. Unless otherwise asked, please attach all logs.
Please make the following system changes: Please pay close attention to the instructions in all the following links.
- If you have not done so already, Enable System Protection and create a NEW System Restore Point.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup.
- Show-Hidden-Folders-Files-Extensions.
Please run the following scans: Please pay close attention to the instructions in all the following links.
- Click the following link and run a Scan with AdwCleaner Alternative AdwCleaner download.
- Click the following link and run a Scan with Malwarebytes Alternative MB5 download. Please check for application and Update Package updates.
  RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool.
Example image of where to click to attach the 5 files when posting your reply
Thank you.
-
Hello @Turtleton and
:
The valuable attachments are greatly appreciated and result in the best results when run with the greatest care using the exact procedures that follow.
Let us get the information to get the process started. Be aware it will take many steps and scans to fully remove malware.
Please respond to all future instructions from your helper in a timely manner.
Let us go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.
Then, sequentially follow each step in the order provided. Unless otherwise asked, please attach all logs.
Please make the following system changes: Please pay close attention to the instructions in all the following links.
- If you have not done so already, Enable System Protection and create a NEW System Restore Point.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup.
- Show-Hidden-Folders-Files-Extensions.
Please run the following scans: Please pay close attention to the instructions in all the following links.
- Click the following link and run a Scan with AdwCleaner Alternative AdwCleaner download.
- Click the following link and run a Scan with Malwarebytes Alternative MB5 download. Please check for application and Update Package updates.
  RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool.
Example image of where to click to attach the 5 files when posting your reply
Thank you.
-
Quote
The purpose of this memorandum is to advise you of concerns that we identified during an ongoing audit of a Federal Bureau of Investigation (FBI) contract. During this contract audit, we identified significant weaknesses related to the FBI’s inventory management and disposition procedures for its electronic storage media containing sensitive but unclassified (SBU) information, such as law enforcement sensitive information, as well as classified national security information (NSI). We also identified concerns regarding the physical security over these items at an FBI-controlled facility where the media destruction takes place (Facility). While these concerns are outside the objectives of our ongoing contract audit, we believe they are significant enough to warrant the FBI’s immediate attention and action to better safeguard electronic storage media containing SBU or classified NSI.
-
Hello @jee75:
If the Mac device in question has an OCLP update such that Malwarebytes 5 for Mac is v5.4.1 or greater, the pull-down menu bar icon is now populated with a Start scan choice.
Reference: https://forums.malwarebytes.com/topic/314912-malwarebytes-for-mac-v541/
HTH
-
Hello @robains:
For currently blocked URLs you want permitted, you may open the GUI for Malwarebytes Browser Guard (MBG), select the 3 vertical dots in the upper-right corner and select the Allow List where a blocked URL of your choice may be permitted.
Reference: https://support.malwarebytes.com/hc/en-us/articles/360039021953-Add-websites-to-the-Allow-list-in-Browser-Guard
HTH
-
Quote
Executive Summary
Web browser extensions have grown from being just a niche piece of software into a full-on sub-economy of the Internet industry. Extensions are supported on most browsers, including Microsoft Edge and Google Chrome - both offer hundreds of thousands of extensions in the Chrome Web Store and Microsoft Edge Add-ons. With the rise in the popularity of extensions has come a rise in malicious extensions built by bad actors who have pinpointed this relatively new malware attack vector. This research article intends to highlight a specific ongoing threat and the larger issue: malicious web extensions.
-
Error updating Browser Guard
in Chrome
Posted · Edited by 1PW
I was only able to capture a single screenshot that seems to indicate an issue from the CloudFront CDN's direction; the episode seems to have passed. I apologize for not being fast enough to secure an MBG log.
Both Chrome & Edge v3.0.8 MBG extensions seem okay as of this posting.
Chrome version displayed is 128.0.6613.120.
Please confirm and update this thread.
Thank you.
@gatortail