Application Security This Week for October 28

A flaw in X.Org is exploitable with a tweet sized attack.

https://lists.x.org/archives/xorg-announce/2018-October/002927.html

https://hacker.house/releasez/expl0itz/openbsd-0day-cve-2018-14665.sh

 

A malformed IPv6 packet can take over a Linux box. Thanks, SystemD.

https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/

 

Twelve malicious Python libraries were found and removed from PyPi.

https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

 

And that's the news!

 

Application Security this week for October 21

The "Man that was a hell of a flu bug" edition. Stay healthy, everyone.

 

SSH bypass by ... wait for it ... telling the server your request is granted.  These are not the vulnerabilities you are looking for.  They can go on their way.

https://www.libssh.org/security/advisories/CVE-2018-10933.txt

 

PHP 5.6 support is ending.  That's a whole lot of websites.

https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/

 

RCE in URL handling in Edge.  Positive security model, people.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8495

 

Oracle released 300 patches, most of them critical or high.  Not sure if this is good or bad.

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

 

jQuery File Upload has a serious bug that has been being exploited for three years.  Go update those old applications.

https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/

 

Here's a new SSL testing contender.  I haven't tried it yet but I will tomorrow.  Let me know what you think if you use it.

https://testssl.sh/

 

And that's the news.

Application Security This Week for October 7

Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges.  Obscure finding, but neat bug.

https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

 

EIGHTY FIVE findings in latest Adobe Reader patch.

https://www.theregister.co.uk/AMP/2018/10/02/adobe_acrobat_reader_patch/

 

It looks like we might be getting a foothold on the war against malware.

https://www.infosecurity-magazine.com/news/malware-less-common-in-q2-still/

 

And that's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList