Application Security Weekly for July 15

npm is a dumpster fire.  Yet another malicious package was discovered, and it was automagically pulled into many projects through their dependency trees.  In other news, I learned about snyk, which is a pretty cool tool.

https://snyk.io/vuln/npm:eslint-scope

 

In dev news, the #1 development GUI of all time is being updated.  Notepad!

https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update

 

Apple wrote some code to appease the Chinese government and it was kind of a mess.

https://objective-see.com/blog/blog_0x34.html

 

Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.

http://seclists.org/fulldisclosure/2018/Jul/44

 

Remember when I said "Spectre is not exploitable"?  Yeah, I was wrong.  Again, and again, and again...

https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/

 

New variation of my favorite Weblogic vuln - CVE-2017-10271.

https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/

I wrote the tests for this vulnerability for Nikto.

https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac

 

And that's the news.

Application Security Weekly for July 8

LTE has a bug.  Who knew? One more strike for IoT devices, methinks.

https://arstechnica.com/information-technology/2018/06/lte-wireless-connections-used-by-billions-arent-as-secure-as-we-thought/

 

Cool XXE Vulnerability in WeChat Pay SDK.

http://seclists.org/fulldisclosure/2018/Jul/16

 

UK's National Health Service had a breach due to a currently unspecified coding flaw; keep an eye on the story for more info.

https://www.theregister.co.uk/2018/07/03/confidential_patient_info_nhs_software_share_tpp/

Application Security Weekly for July 1

It's the "Bill accidentally skipped a week" edition.  I didn't even DO anything last Sunday, I just forgot!

 

The IETF calls for formal revocation of the TLS 1.0 and 1.1 standards.  This will effectively cut mobile users on Android 4.4 and earlier off the web.  Guess who this hurts: developing countries. And why?  Because it's possible to decrypt a message BEFORE the heat death of the universe.  We have a priority problem.

https://www.theregister.co.uk/2018/06/19/ietf_calls_for_formal_tls_1_0_1_1_deprecation/

 

Rhino Security put together a good article about privilege escalation on Amazon Web Services, and it is juicy.

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

They have an open source AWS scanning tool too!!

https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools

 

This isn't a security story explicitly, but it is about why security in apps for mobile is so important, and it features Columbus, where I am based.  And it is The Atlantic, one of my favorite papers.

https://www.theatlantic.com/technology/archive/2018/06/shops-arent-for-shopping-anymore/563054/?utm_source=feed

 

There's a 7-month-unpatched vulnerability in Wordpress that allows for unauthorized access.  Considering what Wordpress has grown into I'm kind of shocked by this.

https://thehackernews.com/2018/06/wordpress-hacking.html

 

A breach bigger than Equifax?  SURE WHY NOT.

https://www.wired.com/story/exactis-database-leak-340-million-records/

 

While I am eating up your Wired soft-paywall allowance, they have another good article on how the Mirai botnet was just some kids trying to cheat at Minecraft.  Great long read.  Don't screw with malware, folks!

https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/?mbid=social_twitter

By the way, Wired has great reporting and is worth the $10 a year.  You should subscribe.

 

And that's the news.  Have a great 4th, if you are in the US.  Otherwise, have a great week!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
