Security Roundup - 2018-05-18

Incorrect handling of HTML leads to security problems. eFail is the latest named vulnerability going around. Initially hyped as a PGP failure, what actually is happening is that systems interpreting HTML can be abused to exfiltrate data. If you combine this with automatic decryption of PGP data in your email client, you potentially have your client decrypt the text and then handily send it to an external source. The EFF has an extensive FAQ.

Remote code injection in DHCP client. RedHat Linux and variants have released patches for a bug that caused the dhcp client to parse responses like commands allowing for remote code execution. The PoC exploit fit into a tweet.

Rowhammer in the wild. Several Rowhammer attacks have been demonstrated in the wild, including one triggered by sending packets over a network and another that used the GPU on phones.

When your desktop apps have XSS. Electron, a framework for creating cross platform desktop apps using html, css and javascript had a remote code execution exploit disclosed this week, due to an incorrect handling of defaults. This potentially means that a number of Electron apps are exposed to cross site scripting attacks. Related, the secure messaging app Signal had two XSS vulnerabilities found in their desktop app.

Active zero day for Internet Explorer. Discovered by two seperate security companies investigating attacks, make sure you upgrade and/or move to more modern browsers.

IBM bans thumb drives. IBM has recently reviewed their security standards and has decided that thumb drives are no longer to be used. Given their history as an attack vector, as well as a common method to lose/leak data this seems like a smart (though perhaps hard to enforce/implement) strategy.

Subliminal IoT. Students at UC Berkley have demonstrated that voice assistants can be controlled by subliminal messages.

This photocopier contains secrets. Getting rid of old photocopiers/scanners at work? Make sure they aren’t storing secrets, like maybe social security numbers, contracts, or medical records.

People Don’t Patch. I actually talked to members at Sonatype about this, where they see thousands of organizations downloading vulnerable software packages, like the Struts vulnerability that resulted in huge news stories when it was the cause of the Equifax breach.

Written on May 18, 2018