Security Leftovers
-
Security updates for Monday [LWN.net]
Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, gnutls, go-bindata, goaltdns, gobuster, godep, godoctor, godotenv, gojq, golist, goloris, gomtree, google-guest-agent, gotags, gotun, grafana, gron, grpcurl, hakrevdns, hcloud, htmltest, httprobe, hulk, ignition, jid, kata-containers, kiln, kompose, kubernetes, libldb, manifest-tool, mass3, meg, meshbird, micro, mingw-harfbuzz, mingw-poppler, moby-engine, mqttcli, nats-server, nebula, netscanner, oci-seccomp-bpf-hook, ohmybackup, onionscan, open-policy-agent, origin, osbuild-composer, podman-tui, popub, powerline-go, reposurgeon, restic, runc, samba, shellz, shhgit, skopeo, snapd, snowcrash, source-to-image, subfinder, syncthing, sysutil, terrier, thunderbird, tiedot, toolbox, vgrep, vultr, vultr-cli, webanalyze, webkit2gtk3, weldr-client, wgctrl, xe-guest-utilities-latest, xen, xq, yggdrasil, yubihsm-connector, and a vast number of golang packages), Mageia (chromium-browser-stable, firefox, gdk-pixbuf2.0, python-ujson, and webmin), Red Hat (firefox and thunderbird), Slackware (gnutls), and SUSE (chromium, firefox, mozilla-nss, rubygem-tzinfo, samba, and xen).
-
UEFI – Terra Firma for Attackers
In today’s computing environment, firmware can mean several things, ranging from an entire operating system in embedded devices to a small flash program in a hardware component that tells your operating system (OS) about that hardware’s capabilities. In this blog post, we will focus on the vulnerabilities in the latter type of firmware, popularized by the Unified Extensible Firmware Interface (UEFI). I will explore how these vulnerabilities are a lucrative target for high-profile attackers, such as nation-states that are seeking vulnerabilities in the less-visible portions of today’s computing environment.
First, to get our footing, it is important to understand what UEFI really is. UEFI replaces the legacy Basic Input/Output System (BIOS), interfacing hardware to the OS and providing an extensible intersection between hardware and the OS itself. The UEFI standard also defines reliable ways to update this firmware from the OS. In essence, in today’s computers, there is another layer of software that helps the OS understand and use available hardware. Of course, this essential layer of software faces all the challenges of today’s software: bugs, security issues, patching, and maintenance. It also lacks visibility, making it hard for defenders to protect this part of their computing environments from ever-increasing threats.
-
Is Linux secure? | Ubuntu
Meet Pal. Pal is a senior developer working at PalBank. For the next 6 months, Pal will be responsible for leading the development of the bank’s web application client, which will be used daily by millions of customers.
Pal invests considerable effort into designing and implementing the most secure app reasonably achievable: tightly controlled and secure development, build and deployment pipelines, static code analysis, pentesting by external parties, multi-factor authentication to access the app and encrypting data at rest. And the list goes on!
Pal’s the best, isn’t he? Unfortunately, while such efforts are essential, they are insufficient! And even if we assumed, for the sake of argument and humour, that PalBank’s client web app is completely free of all known and unknown software vulnerabilities, the app’s security guarantees are bound to be threatened once consumers run it on their endpoint devices. They will be threatened by the millions of lines of code which comprise the platform’s privileged system software, if it becomes either malicious or compromised. Within this context, system software includes the operating system, the virtual machine manager and all the platform’s embedded firmware.
To put it differently, it matters little if a user chooses a perfectly strong unique password, when their operating system is infected with a keylogger leaking it to malicious third-parties. Similarly, it matters little if your code has no buffer overflows, if your operating system is backdoored and simply decides to leak all your customers’ data to malicious third parties.
So why does the security of user-level applications depend on the security of their underlying system software? The reason is the hierarchical architecture of commodity devices: privileged system software gets unrestricted access to all the resources of unprivileged user-level applications, because it controls their execution, memory, and access to the underlying hardware. Indeed, it’s a feature, not a bug!
-
Best Practices for PHP Security
Following these best practices will help you secure your PHP applications and protect them from attack. Remember to always keep your software up to date, properly configure your web server and PHP installation, and be sure to perform regular security audits to identify any vulnerabilities that may have slipped through the cracks. We hope you found this article useful and we hope you check out our other articles that may help in keeping your systems secure!