Security Leftovers
-
Security updates for Tuesday
Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).
-
A remote code execution vulnerability in GNOME [Ed: Microsoft is badmouthing GNU/Linux security again while Microsoft put back doors in everything for the NSA. See the comments.]
The GitHub blog describes a vulnerability in the libcue library (which is used by the GNOME desktop) that can be exploited by a remote attacker to run code on a desktop system if the target can be convinced to click on a malicious link.
-
Carlos Garnacho: On CVE-2023-43641
As you might have read about already, there was a vulnerability in libcue that took a side gig demonstrating a sandbox escape in tracker-miners.
The good news first so you can skip the rest: this is fixed in the tracker-miners 3.6.1/3.5.3/3.4.5/3.3.2 versions released on Sept 28th 2023, about a couple of weeks ago. The relevant changes are also in the tracker-miners-3.2 and tracker-miners-3.1 branches, but I didn't wind up doing releases for those. If you didn't update yet, please do so already.
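As an added example (not part of Carlos Garnacho's post or the tracker project), the check below takes an installed tracker-miners version string (for example from your package manager's output) and reports whether it is at or past the fixed release of its branch, using the four fixed versions named above. It assumes that branches newer than 3.6 were released with the fix, and treats the 3.2 and 3.1 branches as unfixed because no release carrying the fix was made for them; the package strings it is run on are constructed sample input.

```python
# Added example: audit tracker-miners version strings against the fixed releases
# named in the post (3.6.1, 3.5.3, 3.4.5, 3.3.2). Not the project's own code.
import re

# Fixed release per branch, from the post. The 3.2/3.1 branches have the fix
# only in git, with no release, so any released 3.2.x/3.1.x is reported unfixed.
FIXED_RELEASES = {
    (3, 6): (3, 6, 1),
    (3, 5): (3, 5, 3),
    (3, 4): (3, 4, 5),
    (3, 3): (3, 3, 2),
}
NEWEST_FIXED_BRANCH = (3, 6)


def parse_version(text):
    """Pull an x.y.z version out of strings like 'tracker-miners-3.5.2-1.fc38'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_fixed(version_text):
    """True if the version is at/after the fixed release of its branch."""
    v = parse_version(version_text)
    branch = (v[0], v[1])
    # Assumption: branches after 3.6 (3.7, 4.x, ...) were cut after the fix landed.
    if branch > NEWEST_FIXED_BRANCH:
        return True
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return False  # 3.2, 3.1 and older: no fixed release exists
    return v >= fixed


def audit(package_lines):
    """Map each package string to 'fixed' / 'UNFIXED' for a quick report."""
    return {line: ("fixed" if is_fixed(line) else "UNFIXED") for line in package_lines}


if __name__ == "__main__":
    # Constructed sample package strings, not real inventory data.
    sample = [
        "tracker-miners-3.6.1-1.fc39",
        "tracker-miners-3.5.2-2.el9",
        "tracker-miners 3.4.5-1ubuntu1",
        "tracker-miners-3.2.3",
    ]
    for pkg, verdict in audit(sample).items():
        print(f"{verdict:8s} {pkg}")
```

Run it against the output of your package manager (`rpm -q tracker-miners`, `dpkg -s tracker-miners`, or the distro equivalent) rather than the constructed list.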
-
QSB-095: Missing IOMMU TLB flushing on x86 AMD systems
We have published Qubes Security Bulletin 095: Missing IOMMU TLB flushing on x86 AMD systems. The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.
-
XSAs released on 2023-10-10
-
Google to start prompting users to set up passkeys by default
A year after first making passkeys available for developers in Android and on Chrome, Google LLC announced today that it's now giving all users the ability to set up their own passkeys by default.
-
October 2023 Microsoft Patch Tuesday Summary, (Tue, Oct 10th)
For October, Microsoft released patches for 105 different vulnerabilities. This count includes one Chromium vulnerability that was patched earlier this month.
-
Patch Tuesday, October 2023 Edition
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
-
Microsoft Fixes Exploited Zero-Days in WordPad, Skype for Business
Microsoft patches more than 100 vulnerabilities across the Windows ecosystem and warned that three are already being exploited in the wild.
-
Patch Tuesday: Code Execution Flaws in Adobe Commerce, Photoshop
Adobe Commerce customers exposed to code execution, privilege escalation, arbitrary file system read, and security feature bypass attacks.
-
Microsoft reveals 105 flaws, three zero-days on Patch Tuesday
Microsoft has detailed 105 vulnerabilities in its products on October's Patch Tuesday, including three zero-days and 12 critical flaws that could be exploited for remote code execution.
-
Microsoft Blames Nation-State Threat Actor for Confluence Zero-Day Attacks [Ed: Microsoft is the culprit, not the authority, and it puts back doors in things]
Microsoft says an APT group tracked as Storm-0062 has been hacking Confluence installations since mid-September, three weeks before Atlassian’s disclosure.
-
Largest-ever DDoS leverages zero-day vulnerability
A new zero-day led to the largest distributed denial of service attack ever seen on the internet, according to a group of tech companies.
-
Mirai Variant IZ1H9 Adds 13 Exploits to Arsenal [Ed: Windows TCO]
A Mirai botnet variant tracked as IZ1H9 has updated its arsenal with 13 exploits targeting various routers, IP cameras, and other IoT devices.
-
SAP Releases 7 New Notes on October 2023 Patch Day
SAP has released seven new notes as part of its October 2023 Security Patch Day, all rated ‘medium severity’.
-
New ‘Grayling’ APT Targeting Organizations in Taiwan, US
A previously unknown APT group is targeting organizations in biomedical, IT, and manufacturing sectors in Taiwan.
-
Model Extraction Attack on Neural Networks
Adi Shamir et al. have a new model extraction attack on neural networks:
Polynomial Time Cryptanalytic Extraction of Neural Network Models
Abstract: Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations. Many versions of this problem have been studied over the last 30 years, and the best current attack on ReLU-based deep neural networks was presented at Crypto’20 by Carlini, Jagielski, and Mironov. It resembles a differential chosen plaintext attack on a cryptosystem, which has a secret key embedded in its black-box implementation and requires a polynomial number of queries but an exponential amount of time (as a function of the number of neurons)...
-
‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History
A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.
-
How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack
A number of Google services and Cloud customers have been targeted with a novel HTTP/2-based DDoS attack which peaked in August. These attacks were significantly larger than any previously-reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second.
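The excerpt above does not spell out the mechanism, so as an added illustration (not Google's code or data): HTTP/2 lets a client cancel a stream at any time with RST_STREAM, and Rapid Reset sends a HEADERS frame and immediately resets the stream, over and over, so the server starts work on every request while the number of concurrently open streams never approaches the advertised SETTINGS_MAX_CONCURRENT_STREAMS limit. The simulation below models that per-connection bookkeeping and a reset-count mitigation; the limit of 100 streams, the reset threshold of 50, and all frame sequences are constructed for the example.

```python
# Added example: a toy per-connection HTTP/2 stream tracker showing why Rapid
# Reset evades the concurrent-stream limit and how a reset-rate limit flags it.
# Not production code; frame events are constructed, not captured traffic.
from collections import defaultdict

MAX_CONCURRENT_STREAMS = 100  # assumed value advertised by the server
RST_LIMIT = 50                # assumed mitigation threshold for client resets


class ConnectionState:
    def __init__(self):
        self.open_streams = set()
        self.requests_started = 0
        self.client_resets = 0
        self.peak_concurrency = 0


def process(events):
    """events: iterable of (conn_id, frame_type, stream_id).

    Returns {conn_id: (peak_concurrency, requests_started, client_resets, abusive)}.
    """
    conns = defaultdict(ConnectionState)
    for conn_id, frame, sid in events:
        st = conns[conn_id]
        if frame == "HEADERS":
            # A real server would answer with REFUSED_STREAM past the limit.
            if len(st.open_streams) >= MAX_CONCURRENT_STREAMS:
                continue
            st.open_streams.add(sid)
            st.requests_started += 1  # server-side work begins here
            st.peak_concurrency = max(st.peak_concurrency, len(st.open_streams))
        elif frame == "RST_STREAM" and sid in st.open_streams:
            # Client cancels: the stream slot frees up instantly,
            # but the request already consumed server resources.
            st.open_streams.discard(sid)
            st.client_resets += 1
        elif frame == "RESPONSE_DONE":
            # Server finished the response normally.
            st.open_streams.discard(sid)
    return {
        cid: (st.peak_concurrency, st.requests_started, st.client_resets,
              st.client_resets > RST_LIMIT)
        for cid, st in conns.items()
    }


def rapid_reset_events(conn_id, n):
    """Constructed attack pattern: every HEADERS is immediately reset."""
    out = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd identifiers
        out.append((conn_id, "HEADERS", sid))
        out.append((conn_id, "RST_STREAM", sid))
    return out


def flood_without_reset(conn_id, n):
    """Constructed naive flood: HEADERS only, so the stream limit bites."""
    return [(conn_id, "HEADERS", 2 * i + 1) for i in range(n)]


def normal_events(conn_id, n):
    """Constructed benign client: each request is answered by the server."""
    out = []
    for i in range(n):
        sid = 2 * i + 1
        out.append((conn_id, "HEADERS", sid))
        out.append((conn_id, "RESPONSE_DONE", sid))
    return out


if __name__ == "__main__":
    report = process(rapid_reset_events("attacker", 1000)
                     + flood_without_reset("naive", 1000)
                     + normal_events("client", 20))
    for cid, (peak, started, resets, abusive) in report.items():
        print(f"{cid:9s} peak={peak:3d} started={started:4d} "
              f"resets={resets:4d} abusive={abusive}")
```

The naive flood is capped at 100 requests by the stream limit, while the reset pattern starts all 1000 requests with a peak concurrency of one; counting client-initiated RST_STREAM frames per connection is what separates it from the benign client.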
-
Distributed denial-of-service attacks are growing bigger and more lethal
A sad and scary new record was set this past week, with the latest and biggest distributed denial-of-service attack. The network security provider Cloudflare Inc. posted on its blog today that it had observed and repelled the attack in August. The previous volumetric record was set in February; the August attack was three times as large.
-
IoT Secure Development Guide
Introduction: This guide deals with threat modelling and early stages of development so that security issues and controls are identified before committing to manufacturing.
Update
A couple more:
-
Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws
-
Researcher bags two-for-one deal on Linux bugs while probing GNOME component [Ed: "Researcher" = Microsoft shill who knew nothing about it, merely stumbled upon it by accident]
The issue is thought to affect all GNOME-based distros, including RHEL, SUSE, and Debian, but has only been proven to work on the latest versions of Ubuntu and Fedora so far.
A user just has to download a file and have it stored in a commonly scanned directory, such as the downloads, music, or videos folders, and the attacker can achieve RCE on their machine.