Application Security Weekly for July 15

npm is a dumpster fire.  Yet another malicious package discovered that it automagically brought into many projects thanks to dependencies.  In other news, I learned about snyk, which is a pretty cool tool.

https://snyk.io/vuln/npm:eslint-scope

 

In dev news, the #1 development GUI of all time is being updated.  Notepad!

https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update

 

Apple wrote some code to appease the Chinese government and it was kind of a mess.

https://objective-see.com/blog/blog_0x34.html

 

Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.

http://seclists.org/fulldisclosure/2018/Jul/44

 

Remember when I said "Spectre is not exploitable"?  Yeah, I was wrong.  Again, and again, and again...

https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/

 

New variation of my favorite Weblogic vuln - CVE-2017-10271.

https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/

I wrote the tests for this vulnerability for Nikto.

https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac

 

And that's the news.

Add comment

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

PageList

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList