Application Security This Week for July 14

A wonderful human being put together a list of resources about hacking mainframe systems, worth a look if your organization is run on the big metal.

https://github.com/samanL33T/Awesome-Mainframe-Hacking/


Apple had a not-good-very-bad week.  First, the OpenID Foundation dinged the Mac implementation of "Sign in with Apple".

https://nakedsecurity.sophos.com/2019/07/08/privacy-and-security-risks-as-sign-in-with-apple-tweaks-open-id-protocol/

Then it was discovered that all of the magic of Zoom's conference software is due to a web server installed on macOS, which you can't remove!  (Heeeey!)

https://www.engadget.com/2019/07/09/zoom-will-remove-server-behind-mac-security-hole/?ncid=txtlnkusaolp00000618


Rhino Security released a new version of CloudGoat, an insecure-by-design cloud deployment tool.  

https://rhinosecuritylabs.com/aws/cloudgoat-walkthrough-rce_web_app/


One of my favorite attacks against file uploads that take zip files is the zip bomb.  Well, someone made a really nice one.

https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes
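A defensive check for the upload case described above, added here as an example and not code from the post or the linked article: it rejects an archive whose central-directory sizes, compression ratio or member count exceed a policy, then counts the bytes actually decompressed while streaming as defence in depth. The limits, the helper names and the two sample archives are constructed for this example.

```python
import hashlib
import io
import zipfile

# Policy limits, constructed for this example; tune them per application.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # bytes across the whole archive
MAX_RATIO = 100                              # uncompressed / compressed
MAX_MEMBERS = 1000
CHUNK = 64 * 1024

def rejection_reason(data):
    """Return None if the archive passes the policy, else a short reason."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not a valid zip"
    with zf:
        infos = zf.infolist()
        # Cheap gate first: sizes recorded in the central directory.
        if len(infos) > MAX_MEMBERS:
            return "too many members"
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
        if declared > MAX_TOTAL_UNCOMPRESSED:
            return "declared size exceeds limit"
        if compressed and declared / compressed > MAX_RATIO:
            return "compression ratio too high"
        # Defence in depth: header fields are attacker-controlled, so count the
        # bytes actually produced while streaming and stop at the cap.
        total = 0
        for info in infos:
            with zf.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    total += len(chunk)
                    if total > MAX_TOTAL_UNCOMPRESSED:
                        return "actual output exceeds limit"
    return None

def make_zip(members):
    """Build an in-memory deflated zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed sample inputs: 8 KiB of incompressible bytes vs. 20 MiB of zeros.
BENIGN_ZIP = make_zip({"report.bin": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))})
BOMB_ZIP = make_zip({"bomb.bin": b"\0" * (20 * 1024 * 1024)})
```

The 20 MiB of zeros is under the absolute size cap but deflates at roughly 1000:1, so the ratio check is what catches it; a real upload handler would apply the same policy again to any nested archives it chooses to expand.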


There is a flaw in the Android update system that allows attackers to modify updates on the fly.  Oh, and it is being exploited in the wild.

https://thehackernews.com/2017/12/android-malware-signature.html?m=1


That's the news, folks.  Have a safe week!



Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.



