Application Security This Week for October 20

Here is a good writeup on the overflow error found in libssh2

https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/

Speaking of bugs in old software, here's one in sudo.

https://www.openwall.com/lists/oss-security/2019/10/14/1

Using data analysis to further research into malware sources, with PDB paths. Pretty neat!

https://www.fireeye.com/blog/threat-research/2019/10/definitive-dossier-of-devilish-debug-details-part-deux.html

And in IoT security news, the Catholic church's eRosary (no, I'm not kidding) has a number of significant flaws.

https://www.msn.com/en-us/news/technology/vatican-s-wearable-rosary-gets-fix-for-app-flaw-allowing-easy-hacks/ar-AAIZICz?ocid=ARWLCHR

https://www.theregister.co.uk/2019/10/18/vatican_erosary_insecure/

That's the news, folks!

Application Security This Week for December 23

SplashData has their 100 worst passwords out again this year.  Remember: at the very least, block these passwords in your sign-in flow.

https://www.prweb.com/releases/bad_password_habits_die_hard_shows_splashdata_s_8th_annual_worst_passwords_list/prweb15987071.htm

Really good breakdown of finding hidden files and directories and using them for information gathering on web applications.

https://medium.com/@_bl4de/hidden-directories-and-files-as-a-source-of-sensitive-information-about-web-application-84e5c534e5ad

Microsoft has come out with Windows Sandbox - might be a good platform for analyzing malware, but the jury is still out.

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849

Gah, bug in Ghostscript.  Lots of vectors in the ImageMagick/PostScript space these days, watch yourselves.

https://www.rapid7.com/db/modules/exploit/multi/fileformat/ghostscript_failed_restore

And this is why I write up folks that have third party hosted JavaScript.

https://shkspr.mobi/blog/2018/11/major-sites-running-unauthenticated-javascript-on-their-payment-pages/
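The standard defense for the problem in that post is Subresource Integrity: the page pins the exact script it reviewed by publishing a hash in the `integrity` attribute, and the browser refuses to run anything the CDN serves that does not match. The following is an added example, not code from the original post or from shkspr.mobi; it computes the SRI value for a script body, emits the `<script>` tag, and re-checks a fetched copy the way a browser would (including the SRI rule that only tokens using the strongest listed algorithm count). The two script bodies and the CDN URL are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample: the third-party script body exactly as it was reviewed.
REVIEWED_SCRIPT = b"window.checkout = function (cart) { return cart.total; };\n"

# Constructed sample: the same file after someone changed a single byte on the CDN.
TAMPERED_SCRIPT = REVIEWED_SCRIPT.replace(b"cart.total", b"cart.totaI")

# Constructed URL; any third-party host would do.
CDN_URL = "https://cdn.example.invalid/checkout.js"

# Algorithms SRI permits, ordered by strength (the spec ignores anything else).
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(script: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI integrity token for a script body, e.g. 'sha384-<base64>'."""
    if algorithm not in _STRENGTH:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, script).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, script: bytes) -> str:
    """Build the tag a payment page should use to load a reviewed third-party script.

    crossorigin="anonymous" is required: without CORS the browser cannot read the
    response body and therefore cannot check the hash.
    """
    return (f'<script src="{src}" integrity="{sri_hash(script)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(script: bytes, integrity: str) -> bool:
    """Re-check a fetched script body against an integrity attribute value.

    Mirrors the browser rule: among the tokens whose algorithm is the strongest
    one present, the script passes if it matches any of them. Unknown
    algorithms are ignored, so a value with no usable token fails closed.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in _STRENGTH]
    if not tokens:
        return False
    strongest = max(_STRENGTH[t.partition("-")[0]] for t in tokens)
    candidates = [t for t in tokens if _STRENGTH[t.partition("-")[0]] == strongest]
    return any(
        hmac.compare_digest(sri_hash(script, t.partition("-")[0]), t)
        for t in candidates
    )


if __name__ == "__main__":
    tag = script_tag(CDN_URL, REVIEWED_SCRIPT)
    pinned = sri_hash(REVIEWED_SCRIPT)
    print(tag)
    print("reviewed copy loads:", verify_sri(REVIEWED_SCRIPT, pinned))
    print("tampered copy loads:", verify_sri(TAMPERED_SCRIPT, pinned))
```

The trade-off is that SRI pins one exact file: when the vendor legitimately ships a new version, the hash no longer matches and the script stops loading until you review the new copy and republish the tag. That is the point on a payment page, since it turns a silent change on someone else's server into a visible failure you get to look at first.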

That's the news folks.  Stay safe, and have a good holiday.

Application Security Weekly for July 15

npm is a dumpster fire.  Yet another malicious package was discovered, and it was automagically pulled into many projects through their dependency trees.  In other news, I learned about snyk, which is a pretty cool tool.

https://snyk.io/vuln/npm:eslint-scope

In dev news, the #1 development GUI of all time is being updated.  Notepad!

https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update

Apple wrote some code to appease the Chinese government and it was kind of a mess.

https://objective-see.com/blog/blog_0x34.html

Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.

http://seclists.org/fulldisclosure/2018/Jul/44

Remember when I said "Spectre is not exploitable"?  Yeah, I was wrong.  Again, and again, and again...

https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/

New variation of my favorite Weblogic vuln - CVE-2017-10271.

https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/

I wrote the tests for this vulnerability for Nikto.

https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac

And that's the news.

Application Security Weekly for April 1

Chinese cell phone manufacturer OnePlus (incidentally my daily carry) plans on including cryptocurrency mining baked into their next release of Oxygen in the OnePlus 6, sparking security concerns.

https://youtu.be/Lj9DcBeer14

The IETF floated a new analog protocol for internet traffic in an attempt to get some more security in the system.

https://tools.ietf.org/html/rfc1149

I don't often talk biotech here, but Razer (the gaming hardware maker) is creating a nanobot-infused energy drink for gamers.  I am sure that will go well.

https://www.razer.com/campaigns/project-venom-v2

Finally some good news - plans to add a security parameter in response headers.  Should be a good move toward better browser-level decision making.

https://tools.ietf.org/html/rfc3514

And that's been your week in application security.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
