Security Leftovers
-
Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’
Printer exploit chain could be weaponized to fully compromise more than 100 models
-
Happy SHA1 Rejection Day
Today is the day Sequoia's StandardPolicy starts rejecting SHA1-based signatures by default. This change will affect existing programs based on Sequoia, as the SHA1 deprecation was committed to and baked into the code three years ago. Therefore, all programs using sequoia-openpgp version 0.15 and up will now reject SHA1-based signatures by default.
-
VMware Releases Security Update for VMware vRealize Operations
Original release date: February 1, 2023
VMware released a security update that addresses a cross-site request forgery bypass vulnerability affecting VMware vRealize Operations. A malicious user could exploit this vulnerability to take control of an affected system.
-
Vulnerabilities could let hackers remotely shut down EV chargers, steal electricity
The emerging market’s uneven response to fix the flaws suggests cybersecurity could be a growing concern in electric car charging networks.
-
GitHub revokes code signing certificates stolen in repo hack
GitHub says unknown attackers have stolen encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories.
So far, GitHub has found no evidence that the password-protected certificates (one Apple Developer ID certificate and two Digicert code signing certificates used for Windows apps) were used for malicious purposes.
"On December 6, 2022, repositories from our atom, desktop, and other deprecated Github-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account," GitHub said.
"Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data."
-
Detecting (Malicious) OneNote Files, (Wed, Feb 1st) [Ed: Everything Microsoft touches becomes a security problem]
-
Passwords Are Terrible (Surprising No One)
This is the result of a security audit:
[...] In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts...