Exchange RCE, Patching at Scale, DORA Metrics, USENIX Best Papers, Passkeys – ASW #214

An SSRF and RCE (which requires an authenticated user) were disclosed before Microsoft had a chance to prepare fixes. These are familiar classes of bugs and apparently related to the prior ProxyShell vuln, although details have yet to be shared. The broader appsec angle here is the choice of software -- running your own Exchange server -- and what tools you have to mitigate vulns when patches aren't available. Additional resources: - https://www.darkreading.com/application-security/microsoft-confirms-exchange-zero-days-no-patch - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

https://cloud.google.com/devops/state-of-devops/

https://therecord.media/log4j-senators-introduce-bill-centered-on-cisa-open-source-security-efforts/

Highlights - "Attacks on Deidentification's Defenses" -- https://www.usenix.org/conference/usenixsecurity22/presentation/cohen - "Dos and Don'ts of Machine Learning in Computer Security" -- https://www.usenix.org/conference/usenixsecurity22/presentation/arp - "Provably-Safe Multilingual Software Sandboxing using WebAssembly" -- https://www.usenix.org/conference/usenixsecurity22/presentation/bosamiya - "Let’s Hash: Helping Developers with Password Security" -- https://www.usenix.org/conference/soups2022/presentation/geierhaas

Here's an article about implementing Passkeys that seemed like a good educational exercise. At the very least, it's a helpful way to understand the protocol through the text explanation and supplemental JavaScript and Python3 code. And, while it wouldn't be the recommended approach for a complete implementation for a production system, it'd be a good way to talk about a protocol, implement it, then conduct threat models on both the protocol's design and, importantly, it's implementation.

Picking up this talk from DEF CON and BSides Las Vegas about generating pull requests at scale to address vulns. In spirit, this feels like a more constructive and successful approach to dealing with vulns. After all, offering an applicable, mergable solution is a lot more helpful and efficient than adding to a chorus of, "You should fix this." It's a great version of "show, don't tell" in the vein of tools like Dependabot.

It's an unhelpful tautology to say secrets are supposed to be secret. Services often need to present secrets like API keys or service tokens to prove their identity. The challenge is in storing secrets so that access is restricted to only the service that needs it, which becomes difficult in complex systems. The advisory is at https://github.com/advisories/GHSA-g7j7-h4q8-8w2f

Typescript 4.9 introduces a satisfies operator to ensure an object has the type that a developer is expecting