Security Leftovers
-
Security Week ☛ Critical Remote Code Execution Vulnerability Patched in Android
Android’s February 2024 security patches resolve 46 vulnerabilities, including a critical remote code execution bug.
-
Security Week ☛ Google Links Over 60 Zero-Days to Commercial Spyware Vendors
More than 60 of the Adobe, Google, Android, Microsoft, Mozilla and Apple zero-days that have come to light since 2016 have been attributed to commercial spyware vendors.
-
Nick Fitzgerald: Garbage Collection Without Unsafe Code
Many people, including myself, have implemented garbage collection (GC) libraries for Rust. Manish Goregaokar wrote up a fantastic survey of this space a few years ago. These libraries aim to provide a safe API for their users to consume: an unsafe-free interface which soundly encapsulates and hides the library's internal unsafe code. The one exception is their mechanism to enumerate the outgoing GC edges of user-defined GC types, since failure to enumerate all edges can lead the collector to believe that an object is unreachable and collect it, despite the fact that the user still has a reference to the reclaimed object, leading to use-after-free bugs.[1] This functionality is generally exposed as an unsafe trait for the user to implement because it is the user's responsibility, not the library's, to uphold this particular critical safety invariant.
-
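To make the invariant in that excerpt concrete, here is an added example (not Nick Fitzgerald's code and not the API of any published GC crate; the names Heap, Trace, Tracer, GcRef, Leaf, Pair and LeakyPair are assumptions chosen for this illustration): a minimal mark-sweep collector over an index arena, with one user type that reports every outgoing edge and one that forgets an edge. The collector is written entirely in safe Rust, so the slot it wrongly frees is simply recycled on the next allocation rather than producing a real dangling pointer, but the stale handle then aliases an unrelated object, which is exactly the failure a pointer-based collector turns into a use-after-free.

```rust
// Added example: why the edge-enumeration trait of a Rust GC must be `unsafe`.
// All names here are assumptions for illustration, not a real crate's API.
use std::collections::HashSet;

/// Handle into the arena. Slots are recycled after a sweep, so a handle whose
/// object was (wrongly) freed may silently alias a newer object.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct GcRef(pub usize);

/// Visitor the collector hands to user types so they can report outgoing edges.
pub struct Tracer {
    worklist: Vec<GcRef>,
}

impl Tracer {
    pub fn edge(&mut self, r: GcRef) {
        self.worklist.push(r);
    }
}

/// Safety contract: an implementor MUST report every GcRef it holds. The
/// library cannot verify this, so the trait is `unsafe` and the burden of the
/// invariant sits with whoever writes `unsafe impl Trace for ...`.
pub unsafe trait Trace {
    fn trace(&self, t: &mut Tracer);
}

/// Arena heap: `None` slots are free and get reused by `alloc`.
pub struct Heap {
    slots: Vec<Option<Box<dyn Trace>>>,
}

impl Heap {
    pub fn new() -> Self {
        Heap { slots: Vec::new() }
    }

    pub fn alloc<T: Trace + 'static>(&mut self, v: T) -> GcRef {
        let boxed: Box<dyn Trace> = Box::new(v);
        if let Some(i) = self.slots.iter().position(|s| s.is_none()) {
            self.slots[i] = Some(boxed); // recycle a freed slot
            GcRef(i)
        } else {
            self.slots.push(Some(boxed));
            GcRef(self.slots.len() - 1)
        }
    }

    pub fn is_live(&self, r: GcRef) -> bool {
        self.slots.get(r.0).map_or(false, |s| s.is_some())
    }

    /// Mark everything reachable from `roots` via `Trace::trace`, then sweep
    /// every unmarked slot. Returns the number of objects freed.
    pub fn collect(&mut self, roots: &[GcRef]) -> usize {
        let mut marked: HashSet<GcRef> = HashSet::new();
        let mut tracer = Tracer { worklist: roots.to_vec() };
        while let Some(r) = tracer.worklist.pop() {
            if !marked.insert(r) {
                continue; // already visited
            }
            if let Some(Some(obj)) = self.slots.get(r.0) {
                obj.trace(&mut tracer); // user code reports this object's edges
            }
        }
        let mut freed = 0;
        for (i, slot) in self.slots.iter_mut().enumerate() {
            if slot.is_some() && !marked.contains(&GcRef(i)) {
                *slot = None;
                freed += 1;
            }
        }
        freed
    }
}

/// Leaf object with no outgoing edges.
pub struct Leaf;
unsafe impl Trace for Leaf {
    fn trace(&self, _t: &mut Tracer) {}
}

/// Correct user type: reports both edges.
pub struct Pair { pub a: GcRef, pub b: GcRef }
unsafe impl Trace for Pair {
    fn trace(&self, t: &mut Tracer) { t.edge(self.a); t.edge(self.b); }
}

/// Buggy user type: forgets `b`. This compiles without complaint; the
/// `unsafe impl` is the only acknowledgement that an invariant is at stake.
pub struct LeakyPair { pub a: GcRef, pub b: GcRef }
unsafe impl Trace for LeakyPair {
    fn trace(&self, t: &mut Tracer) { t.edge(self.a); /* BUG: self.b omitted */ }
}

/// Returns (b live after GC with Pair, b live after GC with LeakyPair,
/// next allocation after the leaky GC reuses b's slot).
pub fn demo() -> (bool, bool, bool) {
    let mut h = Heap::new();
    let (a, b) = (h.alloc(Leaf), h.alloc(Leaf));
    let root = h.alloc(Pair { a, b });
    h.collect(&[root]);
    let b_live_ok = h.is_live(b);

    let mut h = Heap::new();
    let (a, b) = (h.alloc(Leaf), h.alloc(Leaf));
    let root = h.alloc(LeakyPair { a, b });
    h.collect(&[root]); // frees b although root still holds it
    let b_live_leaky = h.is_live(b);
    let c = h.alloc(Leaf); // recycles b's slot: the stale handle now aliases c
    (b_live_ok, b_live_leaky, c == b)
}

fn main() {
    let (ok, leaky, aliased) = demo();
    println!("Pair keeps b: {}; LeakyPair keeps b: {}; stale b aliases new object: {}", ok, leaky, aliased);
}
```

Nothing in the type system stops LeakyPair from compiling; the `unsafe impl` is the sole signal that the author has taken responsibility for listing every edge, which is precisely why the excerpt says this trait cannot be offered as a safe API.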
Federal News Network ☛ CISA could offer stronger ‘top-down’ support to agencies, cyber officials say
Officials at the VA and Treasury say CISA should offer more centralized support to agencies through its cyber services and the Joint Cyber Defense Collaborative.
-
Security Week ☛ Millions of User Records Stolen From 65 Websites via SQL Injection Attacks
The ResumeLooters hackers compromise recruitment and retail websites using SQL injection and XSS attacks.
-
Security Week ☛ A Chicago Children’s Hospital Has Taken Its Networks Offline After a Cyberattack [Ed: Windows Kills Children]
Chicago children’s hospital forced to take networks offline after cyberattack, limiting access to medical records and hampering communication.
-
Security Week ☛ Canon Patches 7 Critical Vulnerabilities in Small Office Printers
Canon announces patches for seven critical-severity remote code execution flaws impacting small office printer models.
-
Security Week ☛ Hacker Conversations: Rob Dyke on Legal Bullying of Good Faith Researchers
SecurityWeek talks to Rob Dyke, discussing corporate legal bullying of good faith researchers.
-
OpenSSF (Linux Foundation) ☛ Time is of the Essence to Mitigate Vulnerabilities like Leaky Vessels
Time is of the essence to mitigate vulnerabilities like the recent Leaky Vessels in order to reduce the chance of the vulnerabilities being exploited by attackers. As noted in Leaky Vessels: Docker and runc container breakout vulnerabilities, “Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four vulnerabilities — dubbed "Leaky Vessels" — in core container infrastructure components that allow container escapes. An attacker could use these container escapes to gain unauthorized access to the underlying host operating system from within the container.”