Security: Proprietary Software Holes and More
-
It's the end of the 20-teens, and your Windows PC can still be pwned by nothing more than a simple bad font
With the year winding to a close and the holiday parties set to kick off, admins will want to check out the December Patch Tuesday load from Microsoft, Adobe, Intel, and SAP and get them installed before downing the first of many egg nogs.
[...]
Also of note is CVE-2019-1471, a critical hypervisor escape bug that would allow an attacker running on a guest VM to execute code on the host box.
The bulk of this month's critical fixes were for a series of five remote code execution flaws in Git for Visual Studio. In each of the flaws, said to be caused by improper handling of command-line input, an attacker would launch the exploit by convincing the target to clone a malicious repo.
The remaining critical patch is for CVE-2019-1468, a play on the tried-and-true font-parsing vulnerability. In the wild, an attacker would embed the poisoned font file in a webpage and attack any system that visits.
-
Exploring Legacy Unix Security Issues
The operating system SGI IRIX 6.5.22 was declared end of life in 2003, so it has limited use as a production system. I decided I could relive the good old days by looking for new vulnerabilities on an old system in my spare time. It was also an excuse to write some C code, and refresh my memory.
One of my favorite vulnerabilities is the Insecure Temporary File (CWE-377). This involves manipulating files created in /tmp in an insecure manner. A file is created in /tmp by a piece of software that doesn’t check if the file exists before creating it. Allowing a malicious local user to symlink that file to a critical system file and overwriting it with the contents of what is written to the file in /tmp.
So I started looking under the /usr/sbin directory for binaries to target. I did a quick examination of binaries and scripts in using the find command to give myself a starting point.
-
Private Internet Access updates Linux desktop client to prevent against [CVE-2019-14899]
The Breakpointing Bad team at the University of New Mexico recently reported a VPN vulnerability that affects Linux, MacOS, iOS, Android, and more. The vulnerability allows malicious actors to not only see your VPN IP address, but also identify sites you are visiting and inject data into connections. The team consists of William J. Tolley, Beau Kujath, and Jedidiah R. Crandall and the public was notified on December 4th, 2019. Designated [CVE-2019-14899], the vulnerability shook the VPN industry due to the breadth of affected systems. [CVE-2019-14899] affects many different types of VPN protocols including OpenVPN, WireGuard, and IKEv2/IPSec.
Private Internet Access has released an update to its Linux client that mitigates [CVE-2019-14899] from being used to infer any information about our users’ VPN connections. To our knowledge, Private Internet Access is the first commercial VPN to release a new client that prevents this ongoing security vulnerability.
-
Chrome now warns you when your password has been stolen
Google is rolling out Chrome version 79 today, and it includes a number of password protection improvements. The biggest addition is that Chrome will now warn you when your password has been stolen as part of a data breach. Google has been warning about reused passwords in a separate browser extension or in its password checkup tool, but the company is now baking this directly into Chrome to provide warnings as you log in to sites on the web.
- Login or register to post comments
- Printer-friendly version
- 4843 reads
- PDF version
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
digiKam 7.7.0 is releasedAfter three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. |
Dilution and Misuse of the "Linux" Brand
|
Samsung, Red Hat to Work on Linux Drivers for Future TechThe metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. |
today's howtos
|
Google Chrome Will Now Alert You...
Google Chrome Will Now Alert You If Your Passwords Have Been Hacked