Mudge, Tox P2P Messenger, 8 Year Old Linux Flaws, Dirty Pipe, & Unix Legends – PSW #753
This week in the Security News: Crypto Miners Using Tox P2P Messenger as Command and Control Server, 8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe, Janet Jackson music video given CVE for crashing laptops, & more!
Use code "securityweekly" to save 10% off Hack Red Con tickets at https://www.hackredcon.com/
Founder at Security Weekly
- 1. Microsoft warns that KB5012170 update may cause 0x800f0922 error
- 2. Microsoft Pluton: Security chip doesn’t let Linux on the Lenovo Z13 and Z16
  "this means that given the default firmware configuration, nothing other than windows will boot. it also means that you won't be able to boot from any third-party external peripherals that are plugged in via thunderbolt. there's no security benefit to this."
- 3. Vulnerability wholesaler cuts disclosure times over poor-quality patches
  "For failed patches, ZDI will give vendors 30 days to address the flaw if it's critical, the patch is easily circumvented, and if exploitation is expected. Vendors will have 60 days to address critical and high severity issues if the patch provides some defence and exploitation is possible. They will get 90 days for all other vulnerabilities below these severity ratings and there's no imminent threat of exploitation."
- 4. Janet Jackson music video given CVE for crashing laptops
  "It turns out that the song contained one of the natural resonant frequencies for the model of 5400 RPM laptop hard drives that they and other manufacturers used"
- 5. Intel SA-00086 vulnerability and CPU firmware security: what
- 6. 8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe
  “DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged. Although the concept is simple, it is effective.”
- 7. Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts
- 8. Uncovering a ChromeOS remote memory corruption vulnerability – Microsoft Security Blog
  "As with other modern browsers, exploiting ChromeOS usually requires chaining vulnerabilities together. Due to hardening measures in ChromeOS, discovering vulnerabilities became a specific niche and, therefore, the number of public vulnerabilities is quite low compared to other operating systems."
  Interesting: "The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE. Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code."
- 9. Zoom patches root exploit, patches patch due to root exploit
  Moar patching: "The two holes could be exploited together to, simply put, feed a malicious update to Zoom to install and run, which shouldn't normally be allowed to happen. Wardle gave Zoom credit for issuing quick patches for the flaws, which the biz published individually on August 9 and 13. But look at Zoom's recent security bulletins, and it becomes quickly clear that something went wrong: five days later a third patch was released for the same problem."
- 10. An encrypted ZIP file can have two correct passwords — here’s why
- 11. Vulnerability in Linux containers – investigation and mitigation
- 12. New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data
- 13. Privilege Escalation Flaw Haunts VMware Tools
- 14. Last port of call – The Hacker Factor Blog
Product Security Research and Analysis Director at Finite State
- 1. Crypto Miners Using Tox P2P Messenger as Command and Control Server
- 2. Russian threat group exploiting Microsoft weaknesses to target US entities, says analyst
- 3. Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
- 4. Janet Jackson had the power to crash laptop computers
- 5. Unix legend, who owes us nothing, keeps fixing foundational AWK code
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element
- 1. Hack Red Con
  Announcing a new conference called Hack Red Con this September in Louisville, KY, with the mission of educating, mentoring, and workforce development for the future of the cyber security industry. Conference dates are September 7th-11th 2022. We hope to see you there! Security Weekly listeners get a 10% discount on tickets!