Security Leftovers
-
Tidelift GC: Paid open source can stave off another Log4j [Ed: Tidelift helps the FUD machine; Log4Shell is very old news (one year).]
If the industry wants to thwart software supply chain attacks and prevent another Log4Shell, the way forward is to pay open source maintainers, Tidelift GC Luis Villa says.
-
Vice Society ransomware 'persistent threat' to education sector [Ed: This is a Microsoft Windows problem]
-
Microsoft December 2022 Patch Tuesday, (Tue, Dec 13th) [Ed: The latest NSA bug doors are ready to install]
In the last Patch Tuesday of 2022, we got patches for 74 vulnerabilities. Of these, 7 are critical, 1 was previously disclosed, and 1 is already being exploited, according to Microsoft.
The exploited vulnerability is a Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698). When you download a file from the internet, Windows adds the zone identifier, or Mark of the Web, as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks whether there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3, which means that the file was downloaded from the internet, SmartScreen does a reputation check. Exploiting this vulnerability, an attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses. The CVSS for this vulnerability is 5.4.
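To make the Zone.Identifier mechanism concrete, here is an added example (not code from the ISC diary, from Microsoft, or from the original page) that parses the INI-style contents of a Zone.Identifier stream and models the decision described above: a reputation check happens only when the stream is present and marks the file as coming from the Internet zone. The sample streams are constructed for the example, the `smartscreen_would_check` logic is a simplified model rather than SmartScreen's real implementation, and treating ZoneId 4 (Restricted Sites) the same as ZoneId 3 is an assumption.

```python
"""Parse the Zone.Identifier alternate data stream (the "Mark of the Web")
and model the SmartScreen decision described in the diary excerpt.

Added example, not the ISC diary's or Microsoft's code. The zone names are
the documented URLZONE values; the decision logic is a simplified model.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Windows URL security zone ids (URLZONE enum). ZoneId=3 is what a browser
# writes for a file downloaded from the internet.
ZONE_NAMES: Dict[int, str] = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(stream: str) -> Optional[ZoneIdentifier]:
    """Parse the text of a Zone.Identifier stream.

    The stream is a small INI file with a [ZoneTransfer] section holding
    ZoneId and, for browser downloads, ReferrerUrl and HostUrl. Returns None
    when no usable ZoneId is present (no MOTW as far as this model is concerned).
    """
    section = None
    values: Dict[str, str] = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if "zoneid" not in values:
        return None
    try:
        zone_id = int(values["zoneid"])
    except ValueError:
        return None
    return ZoneIdentifier(zone_id, values.get("referrerurl"), values.get("hosturl"))


def smartscreen_would_check(stream: Optional[str]) -> bool:
    """Model of the check in the text: a reputation check only happens when a
    Zone.Identifier stream exists and marks the file as Internet-sourced.

    Assumption: ZoneId 4 (Restricted Sites) is treated like ZoneId 3.
    A missing or malformed stream means no MOTW, hence no check; that is
    exactly the gap an MOTW bypass exploits.
    """
    if stream is None:
        return False
    zi = parse_zone_identifier(stream)
    return zi is not None and zi.zone_id >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS via the NTFS ``file:stream`` syntax.

    Only meaningful on Windows/NTFS; elsewhere (or when the file carries no
    such stream) it simply returns None.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample streams (what a browser download typically writes).
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.com/\r\n"
    "HostUrl=https://example.com/tool.exe\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
SAMPLE_MALFORMED = "[ZoneTransfer]\r\n"  # section present, ZoneId missing


if __name__ == "__main__":
    for name, sample in [("internet", SAMPLE_INTERNET),
                         ("intranet", SAMPLE_INTRANET),
                         ("malformed", SAMPLE_MALFORMED),
                         ("no stream", None)]:
        zi = parse_zone_identifier(sample) if sample is not None else None
        zone = ZONE_NAMES.get(zi.zone_id, "unknown") if zi else "none"
        print(f"{name:10s} zone={zone:16s} reputation check: {smartscreen_would_check(sample)}")
```

On a Windows box, `read_zone_identifier(r"C:\Users\me\Downloads\tool.exe")` returns the real stream text (equivalent to `Get-Content -Stream Zone.Identifier`), which you can feed to `smartscreen_would_check`; on other platforms only the constructed samples are meaningful.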
-
Let's Encrypt now supports ACME-CAA: closing the DV loophole
The CA industry has largely settled on a model of charging money based on the degree of verification performed. The cheapest kind of certificate is a “Domain Validation” (DV) certificate, free in the case of Let's Encrypt. (While there are more expensive certificates such as “Extended Validation” (EV), these are basically pointless because even if you go through the process of paying a lot more money for an EV certificate, browsers will still accept a DV certificate, so a MitM attacker still only needs to obtain a DV certificate to pull off a MitM attack successfully.)