Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (libpam-radius-auth, pillow, ppp, proftpd-dfsg, and python-pysaml2), Fedora (firefox, glib2, hiredis, http-parser, libuv, mingw-openjpeg2, nghttp2, nodejs, openjpeg2, python-pillow, skopeo, and webkit2gtk3), Mageia (patch, postgresql, and systemd), Red Hat (ksh, nodejs:10, openjpeg2, python-pillow, systemd, and thunderbird), and SUSE (java-1_7_1-ibm, libsolv, libzypp, zypper, pdsh, slurm_18_08, and php53).

  • U.S. Government Says Update Chrome 80 As High-Rated Security Flaws Found

    Are you a Google Chrome user? High-rated security vulnerabilities have already been discovered in version 80 of Google Chrome. The Cybersecurity and Infrastructure Security Agency is encouraging Google users to update again just weeks after the Chrome 80 release. Here’s what you need to know.

  • OpenBSD Pwned, Patched Again: Bug is Remotely Exploitable [Ed: Misleading. This is about OpenSMTPD.]

    There’s a fresh remote code execution (RCE) vulnerability in OpenSMTPD, and by extension in OpenBSD. Yes, it feels like déjà vu all over again.

    The severity of the vulnerability, CVE-2020-8794, means that anyone running a public-facing OpenSMTPD deployments should update as soon as possible.

    OpenBSD’s developers describe the issue as a “an out of bounds read in smtpd [that] allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.”

  • Kali Linux explained: A pentester’s toolkit

    Kali Linux is the world's most popular offensive-security-optimized Linux distro. Maintained and managed by the fine folks at Offensive Security, Kali was born in 2006 as BackTrack Linux, but after a major refactoring in 2013 got the name Kali. What does the name mean? Well, we'll get to that.

  • Police to get right to use spyware in serious crime investigations

    The new bill, that will allow the police to use trojans or virus programmes to tap into the chats, is expected to be voted through parliament on Thursday. Home Affairs Minister Mikael Damberg says he is convinced it will lead to more convictions.

  • McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges

    A while back I wrote about a bunch of vulnerabilities in McAfee WebAdvisor, a component of McAfee antivirus products which is also available as a stand-alone application. Part of the fix was adding a bunch of pages to the extension which were previously hosted on siteadvisor.com, generally a good move. However, when I looked closely I noticed a Cross-Site Scripting (XSS) vulnerability in one of these pages (CVE-2019-3670).

    Now an XSS vulnerability in a browser extension is usually very hard to exploit thanks to security mechanisms like Content Security Policy and sandboxing. These mechanisms were intact for McAfee WebAdvisor and I didn’t manage to circumvent them. Yet I still ended up with a proof of concept that demonstrated how attackers could gain local administrator privileges through this vulnerability, something that came as a huge surprise to me as well.

More in Tux Machines

Another look at the open source bootable USB tool Ventoy

We looked at the open source bootable USB tool Ventoy back in April 2020 when it first came out. The developer has been very active in the meantime; reason enough to take another look at the application to find out what has changed and improved. Ventoy creates bootable USB devices using ISO images. That sounds an awful lot like what established programs such as Rufus do at first, but when you realize that it puts the ISO images on the drive and does not extract them, it becomes interesting. Even better, it is possible to place multiple ISO images on the USB device after it has been prepared by Ventoy; this allows you to boot into different Linux systems or install different versions of Windows straight from a single USB device. Read more

Open source software for open infrastructure

Implementing infrastructure using open-source software significantly reduces the total cost of ownership (TOC) of your infrastructure. Over the last few years, we’ve seen more and more companies moving to open source. These include Netflix, Uber, Visa, eBay, Wikipedia and AT&T. And this trend will only continue to grow. The migration is driven by better economics, improved flexibility, better integration capabilities and thus, the higher business value provided by the open source software. Together with Dell, we hosted a webinar describing all of those benefits in detail. We also demonstrated our joint reference architecture for open infrastructure implementation. In this blog, I expand on the building blocks behind the open infrastructure and explain the role they play in the stack. Read more

Android Leftovers

SteamOS-like Linux distribution GamerOS has a new release up

GamerOS, a Linux distribution based originally on Arch with a firm focus on an out of the box experience for gaming on your couch (much like Valve's original idea with SteamOS) has a new release. Sounds like plenty of nice changes if you want a Linux-based system to stick under your big-screen TV. If you've used Steam Big Picture mode and know your way around it, GamerOS should make it quite easy since that's what it's based upon. Plenty of the key components behind it have been upgraded with GamerOS 18 including a newer Linux Kernel at 5.6.15, update Mesa drivers 20.0.7, NVIDIA driver 440.82, plus an updated compositor and other bundled packages like RetroArch 1.8.8. Read more