Security Leftovers
-
SANS ☛ Apple Updates Everything, (Mon, Oct 28th)
Today, Fashion Company Apple released updates for all of its operating systems. These updates include new Hey Hi (AI) features. For iOS 18 users, the only upgrade path is iOS 18.1, which includes the Hey Hi (AI) features. Same for users of macOS 15 Sequoia. For older operating system versions (iOS 17, macOS 13, and 14), patches are made available, addressing only the security issues.
-
SANS ☛ Self-contained HTML phishing attachment using Telegram to exfiltrate stolen credentials, (Mon, Oct 28th)
Phishing authors have long ago discovered that adding HTML attachments to the messages they send out can have significant benefits for them....
-
Scoop News Group ☛ Operation Magnus targets Redline, Meta infostealers
Authorities say they've gained "full access" to the hackers' servers.
-
SANS ☛ Two currently (old) exploited Ivanti vulnerabilities, (Sun, Oct 27th)
Ivanti products have given us a rich corpus of vulnerabilities in recent months (years). Of course, we do see occasional scans attempting to exploit them.
-
Wil Clouser: Mozilla Accounts password hashing upgrades
We’ve recently finished two significant changes to how Mozilla Accounts handles password hashes which will improve security and increase flexibility around changing emails. The changes are entirely transparent to end-users and are applied automatically when someone logs in.
Randomizing Salts
If a system is going to store passwords, best practice is to hash the password with a unique salt per row. When accounts was first built we used an account’s email address as the unique salt for password hashing. This saved a column in the database and some bandwidth but overall I think was a poor idea. It meant people couldn’t re-use their email addresses and it leaves PII sitting around unnecessarily.
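The login-time migration described above, as an added example that is not Mozilla's code: a legacy row salted with the email address is verified, then rehashed in place with a random per-row salt. PBKDF2-SHA256 with an assumed iteration count stands in for whatever KDF Mozilla Accounts actually uses.

```python
import hashlib
import hmac
import os

# Assumed cost parameter; not taken from Mozilla's implementation.
PBKDF2_ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Stretch the password with the given salt (constructed stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def legacy_record(email: str, password: str) -> dict:
    """Old scheme: the email doubles as the salt, so no salt column is stored.

    Two rows with the same email and password therefore hash identically,
    and the hash is tied to the email, which is why the address could not
    be reused or changed freely.
    """
    return {"email": email, "salt": None, "hash": derive(password, email.lower().encode())}


def new_record(email: str, password: str) -> dict:
    """New scheme: a random 16-byte salt stored beside the hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": derive(password, salt)}


def login(record: dict, password: str) -> bool:
    """Verify the password; on success, transparently upgrade a legacy row."""
    if record["salt"] is None:
        salt = record["email"].lower().encode()  # legacy: email-derived salt
    else:
        salt = record["salt"]
    # Constant-time comparison so the check does not leak hash prefixes.
    if not hmac.compare_digest(derive(password, salt), record["hash"]):
        return False
    if record["salt"] is None:
        # The plaintext is available only at login, so this is the one
        # moment the row can be rehashed under the new scheme.
        record.update(new_record(record["email"], password))
    return True
```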
-
Bleeping Computer ☛ New backdoored Windows Driver Signature bypass allows kernel rootkit installs
Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems. This is possible by taking control of the Windows Update process to introduce outdated, vulnerable software components on an up-to-date machine without the operating system changing the fully patched status.
-
LWN ☛ Security updates for Monday
Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, python-platformio, python-rpyc, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, suricata, thunderbird, and yarnpkg), Mageia (cpanminus, libgsf, mozjs78, redis, and thunderbird), Oracle (firefox, python3.12, python3.9, and python39:3.9 and python39-devel:3.9), Red Hat (edk2, grafana, httpd, httpd:2.4, and mod_jk), and SUSE (nodejs-electron, python3, python310, and python39).
-
CVE-2024-49761: ReDoS vulnerability in REXML
There is a ReDoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-49761. We strongly recommend upgrading the REXML gem.
This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL in 2025-03.