Yearly Archives: 2023
Smashing Security podcast #344: What’s cooking at Booking.com? And a podcast built by AI
How hunting for an aubergine could be all it takes for you to hand your credit card details over to a scammer, and just how good is a podcast entirely built by AI?
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Multiple Vulnerabilities in ChromeOS Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in ChromeOS, the most severe of which could allow for arbitrary code execution. ChromeOS is a Linux-based operating system developed and designed by Google. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
USN-6435-1: OpenSSL vulnerabilities
It was discovered that OpenSSL incorrectly handled excessively large Diffie-Hellman parameters. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-3446)

Bernd Edlinger discovered that OpenSSL incorrectly handled excessively large Diffie-Hellman parameters. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-3817)
Timely Patching Reduces System Compromises
Timely patching is one of the most important cybersecurity controls preventing system compromise – especially amid growing cyber threats.
FEDORA-2023-acbee8f31a
Packages in this update:
cachelib-17^20231016-1.fc40
fb303-2023.10.16.00-1.fc40
fbthrift-2023.10.16.00-1.fc40
fizz-2023.10.16.00-1.fc40
folly-2023.10.16.00-1.fc40
mcrouter-0.41.0.20231016-1.fc40
mvfst-2023.10.16.00-1.fc40
proxygen-2023.10.16.00-1.fc40
wangle-2023.10.16.00-1.fc40
watchman-2021.05.10.00-24.fc40
wdt-1.32.1910230^20230711git3b52ef5-2.fc40
Update description:
Update Folly stack to the latest 2023.10.16.00 tag
proxygen: Security fix for CVE-2023-44487
Google Play Protect Bolsters Security Against Malicious Apps
New real-time scanning feature conducts analyses of an app’s code during the installation process
AI Adoption Surges But Security Awareness Lags Behind
Plastic surgeries warned by the FBI that they are being targeted by cybercriminals
Plastic surgeries have been warned that they are being targeted by cybercriminals plotting to steal sensitive data – including patients’ medical records and photographs – that will be later used for extortion.
Read more in my article on the Tripwire State of Security blog.
USN-6437-1: VIPS vulnerabilities
Ziqiang Gu discovered that VIPS could be made to dereference a NULL pointer. If a user or automated system were tricked into processing a specially crafted input image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-7998)

It was discovered that VIPS did not properly handle uninitialized memory locations when processing corrupted input image data. An attacker could possibly use this issue to generate output images that expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-6976)

It was discovered that VIPS did not properly manage memory due to an uninitialized variable. If a user or automated system were tricked into processing a specially crafted output file, an attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-20739)

It was discovered that VIPS could be made to divide by zero in multiple functions. If a user or automated system were tricked into processing a specially crafted image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-27847)

It was discovered that VIPS did not properly handle certain input files that contained malformed UTF-8 characters. If a user or automated system were tricked into processing a specially crafted SVG image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-40032)