Application Security This Week for July 14

A wonderful human being put together a list of resources about hacking mainframe systems, worth a look if your organization is run on the big metal.

https://github.com/samanL33T/Awesome-Mainframe-Hacking/

Apple had a not-good-very-bad week. First, the OpenID Foundation dinged the Mac implementation of "Sign in with Apple".

https://nakedsecurity.sophos.com/2019/07/08/privacy-and-security-risks-as-sign-in-with-apple-tweaks-open-id-protocol/

Then it was discovered that all of the magic of Zoom's conference software is due to a web server installed on MacOS, which you can't remove!  (Heeeey!)

https://www.engadget.com/2019/07/09/zoom-will-remove-server-behind-mac-security-hole/?ncid=txtlnkusaolp00000618

Rhino Security released a new version of CloudGoat, an insecure-by-design cloud deployment tool.

https://rhinosecuritylabs.com/aws/cloudgoat-walkthrough-rce_web_app/

One of my favorite attacks against file uploads that take zip files is the zip bomb. Well, someone made a really nice one.

https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes
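
As a defender-side check for the upload scenario above, an added example (not code from the post or the linked article): it refuses a zip from its central directory before anything is decompressed. The limits, the `check_zip` and `make_zip` names and the two sample archives are assumptions constructed here.

```python
import io
import zipfile

# Policy limits; these values are assumptions for the example, tune per service.
MAX_ENTRIES = 1000
MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024  # 100 MiB of output per upload
MAX_RATIO = 100                             # uncompressed bytes per compressed byte


def check_zip(data: bytes) -> tuple:
    """Decide from the central directory alone whether an uploaded zip may be
    extracted. Returns (ok, reason). Nothing is decompressed here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        return False, f"not a zip: {exc}"
    if len(infos) > MAX_ENTRIES:
        return False, "too many entries"
    if any(i.filename.lower().endswith(".zip") for i in infos):
        # A nested archive hides its own ratio from this single-layer check.
        return False, "nested zip"
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    if uncompressed > MAX_TOTAL_UNCOMPRESSED:
        return False, "declared output too large"
    if compressed > len(data):
        # More compressed bytes claimed than the file holds: entries overlap,
        # which is how the overlapping-file bombs reach extreme ratios.
        return False, "overlapping entries"
    if uncompressed > MAX_RATIO * max(compressed, 1):
        return False, "compression ratio too high"
    return True, "ok"


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a one-entry deflate zip in memory (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary document and a crude single-layer bomb
# (10 MiB of zeros deflates to roughly 10 KiB, a ratio near 1000:1).
NORMAL_UPLOAD = make_zip("report.txt", b"quarterly numbers\n" * 50)
CRUDE_BOMB = make_zip("zeros.bin", b"\0" * (10 * 1024 * 1024))

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_UPLOAD), ("bomb", CRUDE_BOMB)):
        print(label, check_zip(blob))
```

Declared sizes are only a first gate; the extraction step should still count bytes as it writes and stop at the same cap, since a central directory can lie.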

There is a flaw in the Android update system that allows attackers to modify updates on the fly.  Oh, and it is being exploited in the wild.

https://thehackernews.com/2017/12/android-malware-signature.html?m=1

That's the news, folks.  Have a safe week!

Application Security This Week for July 7

Good article on using fuzzers as productivity tools.

https://kripken.github.io/blog/binaryen/2019/06/11/fuzz-reduce-productivity.html

Reminds me of a great talk by the remarkable Craig Stuntz, worth a read.

https://speakerdeck.com/craigstuntz/high-speed-bug-discovery-with-fuzzing

Firefox will automatically trust certificates trusted by your OS.

https://thehackernews.com/2019/07/firefox-https-security.html?m=1

In other Firefox news, the UK is up in arms about Secure DNS breaking the Great British Pornwall

https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/

Next time I ping your site for not using X-FRAME-OPTIONS on a DNS endpoint, well, HAH I TOLD YOU SO NAAA NAA NAA

https://medium.com/intigriti/gotcha-taking-phishing-to-a-whole-new-level-72eda9e30bef

And that's the news, folks.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.