Application Security This Week for June 7

Another great Server Side Request Forgery find. I found this on a test again in May, folks; it's a real thing. Just because your analyst doesn't have time to write the exploit doesn't mean it isn't real.

https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204


Spoofing attacks on contact tracing. Man, the bad guys will stop at nothing. Insane.

https://www.theregister.com/2020/06/02/contact_tracing_spoofable/


Two MORE remote code execution vulns in Zoom. Now, don't think I am picking on them, but this is why we should be careful up front: you never know when you are gonna go viral! I think the devs at Zoom are doing an AWESOME job fixing these as they show up.

https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html?m=1


The fantastic Google Project Zero wrote a neat instrumentation library that is ACTUALLY lightweight for 32-bit and 64-bit Windows. You can use it to instrument only the modules of interest, and it adds very little overhead. I haven't played with it yet, but I am very excited to (when I have two minutes to rub together).

https://github.com/googleprojectzero/TinyInst/blob/master/README.md


Hope you are all safe. Weird stuff is going on, and those of us in tech are well positioned to make changes in the world. Stop and think before you choose a direction.


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
