Security Leftovers
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (cacti), Fedora (aardvark-dns, expat, and firefox), Mageia (ffmpeg, ntfs-3g, and vim), Oracle (emacs, glib2, java-11-openjdk, and qt5-qtbase), Red Hat (emacs, python-setuptools, python3.11, python3.11-setuptools, python3.12-setuptools, python3.9, and python39:3.9), Slackware (netatalk), SUSE (buildah, expat, java-1_8_0-ibm, kanidm, kernel, and postgresql16), and Ubuntu (netty, php7.0, php7.2, tiff, and webkit2gtk).
-
Steinar H Gunderson ☛ GS1900-10HP web session hijack
While fiddling around, I found a (fairly serious) vulnerability in Zyxel's GS1900-10HP and related switches; today Zyxel released an advisory with updated firmware, so I can publish my side of it as well. (Unfortunately there's no Zyxel bounty program, but Zyxel PSIRT has been forthcoming all along, which I guess is all you can hope for.)
-
SANS ☛ Microsoft September 2024 Patch Tuesday, (Tue, Sep 10th)
Today, Abusive Monopolist Microsoft released its scheduled September set of patches. This update addresses 79 different vulnerabilities. Seven of these vulnerabilities are rated critical. Four vulnerabilities are already being exploited and have been made public.
-
Integrity/Availability/Authenticity
-
37signals LLC ☛ Passwords have problems, but passkeys have more
We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out again.
The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access their accounts. Much the same way that two-factor authentication can do, but worse, since you're not even aware of it.
-
CBC ☛ Amazon rejects plea to stop selling taxi roof signs as cab scam spreads across Canada
Kozody concluded that the taxi driver was a fraudster who, during the debit card transaction, recorded her PIN, stole her card and handed her back a fake.
-
Windows TCO
-
Krebs On Security ☛ Bug Left Some Windows PCs Dangerously Unpatched
Satnam Narang, senior staff research engineer at Tenable, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears labeled this way with CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously known to be exploited.
-