news
Security Leftovers
-
Presigned URLs are technically a security vuln
A presigned URL is a replay attack you did on purpose.
Replayable auth tokens are the textbook way to create vulnerable systems, but Tigris ships them as a first-class feature with presigned URLs and so does every other object storage system on the planet. However this isn't an oversight because presigned URLs turn a weakness into a feature.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (389-ds:1.4, buildah, freeipmi, freerdp, gegl, gimp, golang, kernel, libreoffice, maven:3.9, openexr, perl-DBI, plexus-utils, podman, tomcat, tomcat9, xorg-x11-server, and xorg-x11-server-Xwayland), Debian (imagemagick, p7zip, and redis), Fedora (breezy, calibre, and golang-github-openprinting-ipp-usb), Mageia (ffmpeg, gzip, haproxy, libheif, libtiff, libxml2, packages, perl-List-SomeUtils-XS, and perl-Socket), SUSE (alsa, chromedriver, curl, dhcpcd, docker-compose, glibc, haproxy, ImageMagick, jq, kernel, kubernetes, libpng15, libredwg-devel, libslirp, nghttp2, php8, python-Pillow, python313-Django, python313-weasyprint, qemu, rust-keylime, sccache, and systemd), and Ubuntu (cifs-utils, libexif, libreoffice, libssh2, openssh, and pipewire).
-
Citizen Lab ☛ Canada’s Electronic Spy Agency Conducted Cyberattacks on Criminals Brokering Fentanyl Ingredients, Report Says
Research fellow Bill Robinson speaks with The Globe and Mail about CSE spending.
-
Security Week ☛ SAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce Cloud
The flaws could allow attackers to access and modify data, and cause system unavailability and request-response desynchronization.
-
Security Week ☛ Unpatched Claude for Chrome Flaw Lets Extensions Read Gmail, Calendar
A ClaudeBleed-linked vulnerability reportedly persists across eight patches, exposing potentially sensitive data to other extensions.
-
Security Week ☛ 7 Severe Vulnerabilities Patched in VMware Avi Load Balancer
The flaws can be exploited for authentication bypass, remote code execution, privilege escalation, and directory traversal.
-
Security Week ☛ Adobe Patches Critical ColdFusion Vulnerabilities
The ColdFusion security defects could allow attackers to execute arbitrary code or elevate their privileges.
-
Security Week ☛ Synopsys Finds No Evidence of Data Breach Amid Bosch Hack Claims
The D1R cybercrime group claimed to have stolen valuable data from Synopsys and Bosch, threatening to leak it unless a ransom is paid.
-
Federal News Network ☛ Air Force network lockouts hit troops and civilians
Air Force employees are being locked out of their computers as cybersecurity quarantines tied to software updates disrupt work across bases and the Pentagon.
-
Bruce Schneier ☛ Vulnerability in FIFA’s Network
FIFA’s network was vulnerable to anyone with even minimal access.
-
Entrapment (Microsoft GitHub)
-
Security Week ☛ Multiple Jscrambler Packages Impacted by Supply Chain Attack [Ed: NPM = Microsoft TCO]
A threat actor poisoned several Jscrambler NPM package versions to drop a cross-platform credential stealer.
-