
Object Deserialisation Filters Backported from Java 9

by Abraham Marín Pérez on  Mar 28, 2017

JEP 290, which allows filtering of incoming data when deserialising an object, and was initially targeted to Java 9, has been backported to Java 6, 7, and 8. The feature provides a mechanism to filter incoming data in an object input stream as it is being processed, and can help prevent deserialisation vulnerabilities like the one that affected Apache Commons and other libraries a while back.

Study Shows the Web is Crowded with Outdated, Vulnerable JavaScript Libraries

by Sergio De Simone on  Mar 13, 2017

A recent study has found that 37% of Alexa top 75K websites have at least one vulnerability and almost 10% have at least two. Perhaps even more shockingly, 26% of Alexa top 500 websites use vulnerable libraries.

Cloudbleed - Cloudflare Proxies Memory Leak

by Chris Swan on  Feb 26, 2017

A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered by Google Project Zero vulnerability researcher Tavis Ormandy.

Microservices and Security

by Jan Stenberg on  Nov 15, 2016

When it comes to application security, we often include it as an afterthought. We have learnt how to add tests into the development workflow, but with security we often assume someone else will come and fix it later on, Sam Newman claimed in his keynote at this year’s Microservices Conference in London.

Major Windows Vulnerability Disclosed by Google before Patch Available

by Sergio De Simone on  Nov 02, 2016

A major, currently exploited vulnerability in the Microsoft Windows kernel has recently been disclosed by Google’s Threat Analysis Group, before Microsoft made public a patch or any mitigation advice. Microsoft has stated a fully tested patch will be available in a week.

Angular 1.X Usage Banned in Firefox Extensions

by David Iffland on  Oct 24, 2016

A developer found out the hard way that they had built their Firefox browser extension on banned technology. Angular 1.X has been banned for use in Firefox extensions as long as a security vulnerability exists in the way Angular interacts with the extension and the displayed web page.

Docker Security Scanning

by Chris Swan on  May 10, 2016

Docker Inc have announced general availability of Docker Security Scanning, which was previously known as Project Nautilus. The release comes alongside an update to the CIS Docker Security Benchmark to bring it in line with Docker 1.11.0, and an updated Docker Bench tool for checking that host and daemon configuration match security benchmark recommendations.

GitLab Discloses Critical Vulnerability, Provides Patch

by Sergio De Simone on  May 04, 2016

GitLab has just announced a release containing a number of important security fixes, including one for a critical privilege escalation, and strongly recommends that all GitLab installations from version 8.2 onwards be upgraded immediately. InfoQ has spoken with GitLab’s Stan Hu, VP of Engineering.

NPM Worm Vulnerability Disclosed

by Alex Blewitt on  Mar 26, 2016

The NPM project has formally acknowledged a long-standing security vulnerability in which it is possible for malicious packages to run arbitrary code on developers' systems, leading to the first NPM-created worm. With the recent problems with NPM, is it safe to use any more? InfoQ investigates.

Clair Helps Secure Docker Images

by Manuel Pais on  Dec 30, 2015

Clair is an open-source container vulnerability scanner recently released by CoreOS. The tool cross-checks whether a Docker image's operating system or any of its installed packages match known insecure package versions. The vulnerabilities are fetched from OS-specific common vulnerabilities and exposures databases. Currently supported are Red Hat, Ubuntu, and Debian.

Vulnerability Discovered in libpng

by Jeff Martin on  Nov 18, 2015

It has been announced that the popular and widely used libpng library has vulnerabilities that make applications that rely on it for PNG image support vulnerable to exploitation. System administrators and application developers should take heed to update their systems as soon as possible.

Remotely Exploitable Java Zero Day Exploits through Deserialization

by Alex Blewitt on  Nov 07, 2015

A recent security analysis by Foxglove Security suggests that applications using deserialization may be vulnerable to a zero-day exploit. This includes libraries such as OpenJDK, Apache Commons, Spring and Groovy. InfoQ investigates.

Cambridge Study Analyzes State of Android Security

by Sergio De Simone on  Oct 22, 2015

Researchers at the University of Cambridge have carried out extensive research to assess security across Android devices, Android versions, and years. Their findings show 87% of Android devices to be vulnerable on average over the last four years. InfoQ has spoken with Daniel Thomas, lead author of the study.

LinkedIn Releases QARK to Discover Security Holes in Android Apps

by Abel Avram on  Aug 27, 2015

LinkedIn has recently open sourced QARK, a static analysis tool meant to discover potential security vulnerabilities existing in Android applications written in Java.

Critical Flaw Allows Remote Code Execution on Internet Explorer

by Jeff Martin on  Aug 19, 2015

Microsoft has announced the presence of a critical flaw that exists in all versions of Internet Explorer, allowing for remote code execution. This flaw applies to all current Windows systems and should be patched as soon as possible.
