Security Vulnerabilities Content on InfoQ
-
GitHub Improves Vulnerability Workflows and Becomes CVE Numbering Authority
Along with the Semmle acquisition, GitHub has disclosed a number of improvements aimed at making it easier for maintainers and developers to fix and protect against vulnerabilities. These include the ability to create a security advisory and assign it a CVE number directly from the GitHub UI.
-
GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection
With the acquisition of startup Semmle, GitHub aims to make continuous vulnerability detection part of their continuous integration/continuous deployment service.
-
Five 0-Day iOS Vulnerability Chains Have Been Exploited for Years
A collection of fourteen vulnerabilities affecting almost every iOS version from iOS 10 to iOS 12 enabled a number of hacked websites to gain control of their visitors' devices and steal a wealth of private data over at least two years, Google Threat Analysis Group (TAG) engineer Ian Beer wrote. These vulnerabilities are not new. What is new is the discovery of their active exploitation in the wild.
-
Robot Social Engineering: Brittany Postnikoff at QCon New York
At QCon New York, Brittany Postnikoff presented “Robot Social Engineering: Social Engineering Using Physical Robots”. Quoting findings from academic research literature, she demonstrated that humans can often be manipulated via robots. A core message of the talk was the need for security and privacy to be part of any robot's fundamental design.
-
GitHub Adds Dependabot Automated Security PRs and More Security-Related Features
GitHub has announced a number of new features aimed to help developers secure their code, including the ability to create PRs for any dependencies needing an update to include security fixes, integration with WhiteSource data for better vulnerability assessment, dependency insights, and more.
-
Critical Remotely Exploitable Vulnerability Discovered in Oracle WebLogic Server
Security researchers have discovered a new remotely exploitable vulnerability in Oracle WebLogic Server (WLS). CVE-2019-2725 is remotely exploitable without user authentication and has an overall CVSS score of 9.3 out of 10, making it a critical vulnerability. Oracle released a security alert noting that the server versions affected by this flaw include 10.3.6.0 and 12.1.3.0.
-
Security Landscape of the Docker Ecosystem and Best Practices
As part of its annual State of Open Source Security Report, security firm Snyk issued a specific report focusing on Docker security that shows vulnerabilities in container images are widespread. InfoQ has spoken with Liran Tal, Snyk developer advocate.
-
Design and Security in Agile: QCon London Q&A
Reviews of design diagrams by domain experts can detect potential security breaches not found by vulnerability scans or security automation. Such reviews should focus on critical functions like issuing and managing access tokens, transferring data to external services, and running untrusted code, said Kevin Gilpin, enterprise software engineer and co-founder of AppLand, at QCon London 2019.
-
Making Security More Intelligent, Microsoft Releases Azure Sentinel
In a recent blog post, Microsoft announced further investments in its intelligent security offerings in the form of a Security Information and Event Management (SIEM) product called Azure Sentinel. SIEMs are used by security professionals as a data store capable of aggregating security events from logs across a variety of systems, including servers, firewalls, routers and switches.
-
RunC Bug Enables Malicious Containers to Gain Root Access on Hosts
Security researchers have discovered a critical bug in runC - a lightweight CLI tool for spawning containers according to the OCI specification - which allows attackers to escape the container and gain administrative privileges on the host.
-
Amazon Adds Three New Threat Detections to Its GuardDuty Service in AWS
Amazon has added another set of new threat detections to its GuardDuty service in AWS. The three new threat detections are two new penetration testing detections and one policy violation detection.
-
A Conversation about ZipSlip, NodeJS Security, and BBS Hacking
Earlier this year, the popular Bower package manager was found vulnerable to an archive extraction flaw, allowing attackers to write arbitrary files on a user's disk. As it turns out, the attack vectors used by this exploit have been known since the early days of BBS. InfoQ has taken the chance to speak with Liran Tal to learn more about software security, and NodeJS security in particular.
-
Dependabot Automatically Creates GitHub PRs to Fix Your Vulnerabilities
Leveraging the GitHub Security Advisory API, Dependabot aims to help developers track their dependencies, monitor the security of their programs, and make sure any potential vulnerabilities are removed as easily as possible by automatically creating PRs to resolve them.
-
Microsoft Patches Active Internet Explorer Zero Day Exploit
Microsoft has issued an out-of-band update for a critical vulnerability in the Internet Explorer (IE) scripting engine that could lead to remote code execution. The vulnerability is actively exploited in the wild, according to Tenable research engineer Satnam Narang, and users should update their systems as soon as possible.
-
PortSmash is the Latest Side-Channel Attack Affecting Intel CPUs
Researchers have devised a new kind of timing attack to steal information from a different process running on the same core with SMT/hyper-threading enabled. By carefully measuring port contention delays when sending instructions to a shared core, the researchers could recover a private key from a different process. Intel CPUs are probably not the only ones affected.