Application Security Weekly for June 17

The Android Debug Bridge (ADB) feature is even less secure than we thought.  Avoid those "recharge stations".

https://doublepulsar.com/root-bridge-how-thousands-of-internet-connected-android-devices-now-have-no-security-and-are-b46a68cb0f20

 

A tale of the disclosure of WebUSB vulns.

https://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html

 

In the "let's be clear" department, Microsoft explains what it will and will not fix.

https://www.theregister.co.uk/AMP/2018/06/13/microsoft_security_servicing_commitments_for_windows_draft/

 

And that's the news.

Application Security Weekly for June 10

Firstly, I have had a MASSIVE chest cold that has kept me down for the count, so I have been reading a lot of news.  Thus, long newsletter.

 

Microsoft bought Github.  This might seem to not be a security issue, but 'tis.  Why did they buy them? Github doesn't make money.  However: 1) Microsoft wants devs on their platform and 2) they are really into machine learning.  So, let's get all of the devs and all of their code and ... profit?

https://www.linuxfoundation.org/blog/microsoft-buys-github-the-linux-foundations-reaction/

 

This is a little older but was new to me - Bruce Schneier writing for Lawfare (recommended reading by the way) about the implications of Efail.

https://www.lawfareblog.com/what-efail-tells-us-about-email-vulnerabilities-and-disclosure

 

A cartoon intro to DNS over HTTPS.  We need more of these.

https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/

 

Building malicious zip files.  Remember, mess with malware in a virtual machine, and NOT on your company network please.

https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/README.md

 

Didier Stevens is oft referenced in these missives, and he had a really productive May.  I'll just link to his own overview.  Lots of great appsec content.

https://blog.didierstevens.com/2018/06/05/overview-of-content-published-in-may-3/

 

XSS on ESPN's site.  Stuff is just everywhere:

http://seclists.org/fulldisclosure/2018/Jun/22

 

Oh man, I forgot about this one.  Remote Code Execution on a voice-based AI.  You know, one of those smart speakers?  Incredible stuff.  Now I wanna go test my Echo.

https://github.com/Nhoya/MycroftAI-RCE

 

And we'll finish up with a breakdown by El Reg of all of the week's data breaches.

https://www.theregister.co.uk/AMP/2018/06/09/what_got_breached_this_week_ticket_portals_dna_sites_and_atlantas_police_cameras/

 

Have a good week, everyone. I'm going back to bed. Oh, and that's the news.

Application Security Weekly for June 3

My good friends at AppSec Consulting tipped me off to this really neat finding.  It's a SAML bypass - they didn't discover it, but they have been using it in tests and it works well.

https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

 

Remember JScript, that attempt by Microsoft to take over ECMAscript?  Yeah, neither does anyone else but it is still in Windows and it has an RCE vulnerability.

https://securityaffairs.co/wordpress/73076/hacking/jscript-component-0day.html

 

Apparently it's the theme today, so I'll point out that an RCE vulnerability was found in the Steam client, and has a good writeup.

https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client

 

In a previous post I mentioned the sheer mass of Redis servers left open on the Internet.  Someone has now written a worm for them, and 75% are infected.

https://www.incapsula.com/blog/report-75-of-open-redis-servers-are-infected.html

 

And that's the news.


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
