Security Roundup - 2018-05-10

RouterSploit 3.0 Released. A security tool for auditing routers has gotten a major upgrade. The biggest new feature tries to address the plague of default credentials by providing a framework for anyone to add the appropriate authentication method for their devices. This seems a pretty important area of research, given stories like:

Other internet connected device flaws. Routers are not the only devices with reported flaws this week:

Office 365 Zero Day Discovered. Overlooked HTML functionality has resulted in an Office 365 zero day that bypasses security checks.

Fun with Passwords. Who better to get password tips from than those who break them? Rapid7 has collected passwords from a number of security engagements and has some tips on how people can do better. Troy Hunt also reminds us all that password selection is horrible: more than 86% of the passwords in a recent breach already appeared in other breaches, making brute-force attempts that much easier.

Hijacked Accounts on Steam. Finally frustrated by scammers on the online gaming community Steam, one security researcher set out to discover how they worked, which led him to find their admin console and alert Steam to the compromised user accounts.

OS Makers Misread Docs, Build in Vulnerabilities. The majority of OS providers are releasing patches this week to deal with a misunderstanding of how Intel handles debug exceptions, caused by ambiguous documentation. This could allow an attacker with physical access to a machine to gain elevated privileges.

Written on May 10, 2018