Leftovers Leftovers
-
Daniel Stenberg ☛ the Apple curl security incident 12604
tldr: Apple thinks it is fine. I do not.
On December 28 2023, bugreport 12604 was filed in the curl issue tracker. We get a lot issues filed most days so this fact alone was hardly anything out of the ordinary. We read the reports, investigate, ask follow-up questions to see what we can learn and what we need to address.
-
Integrity/Availability/Authenticity
-
The Register UK ☛ Font security 'still a Helvetica of a problem' says Canva
The researchers were able to construct a simple proof of concept in the form of a shell execution that allowed FontForge to open files to which it shouldn't have access – which is bad.
-
-
Confidentiality
-
The Register UK ☛ Germany confirms Russia's military WebEx meeting leak
Senior government officials have also confirmed Russian reports that the call was hosted on and tapped via Cisco's WebEx video conferencing platform rather than any kind of secure, military-grade comms.
-
Politico ☛ Berlin blames Taurus call leak on officer logging in via insecure Singapore hotel line – POLITICO
WebEx, a communications program from U.S.-based Cisco Systems, provides end-to-end encryption which allows for secure communications. However, if a participant dials in via a landline rather than using the app — as apparently happened in the case of the officer in Singapore — then the encryption is not guaranteed.
-