Application Security This Week for February 17

A maintainer of the underlying runtime for Docker and Kubernetes reported a vulnerability.

https://seclists.org/oss-sec/2019/q1/119

Here is a PoC codebase for the above.  Well written too.

https://github.com/Frichetten/CVE-2019-5736-PoC

Hashcat can now crack any eight character Windows password in two hours.

https://www.theregister.co.uk/2019/02/14/password_length/

Interested in Bug Bounties?  Think they are all taken?  Facebook CSRF finding nets $25,000.

https://ysamm.com/?p=185

And that's the news.

Application Security This Week for February 10

Ullaakut on Reddit posted this toolset: Gorsair, a tool to remotely access the exposed Docker API of vulnerable Docker containers.  Works, too.

https://github.com/Ullaakut/Gorsair

Someone already pwned TLS 1.3, for crying out loud.

https://eprint.iacr.org/2018/1173

Cool attack on CORS configuration in mobile devices.

https://research.digitalinterruption.com/2019/01/31/multiple-vulnerabilities-found-in-mobile-device-management-software/

RCE in Libreoffice.  Not so free NOW areya?

https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html

And that's the news. Stay warm.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.