Application Security This Week for September 29

The big news of the week is that every iPhone from 1 to X is apparently vulnerable to a bootROM flaw, and it is a hardware problem so Apple can't patch it.  Now, this won't help malware writers fortunately, but it will make it easier to jailbreak your phone, and there are some more sinister uses as well.  Several articles:

https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/

https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/

https://github.com/axi0mX/alloc8

https://github.com/axi0mX/ipwndfu

 

McAfee published a conglomeration of their studies on Cloud security, and as I am sure you can imaging the news isn't good.

https://www.theregister.co.uk/2019/09/24/mcafee_cloud_leak_study/

 

And there was a vulnerability discovered in Cold Fusion, so make sure you patch ... wait people still use Cold Fusion?

https://helpx.adobe.com/security/products/coldfusion/apsb19-47.html

Application Security This Week for September 15

Here's a neat Android reverse engineering game.

https://0x00sec.org/t/reversing-hackex-an-android-game/16243

 

A tool to edit images to have payloads.  Use it t o test and see if your imagine processing components have vulnerabilities!

https://github.com/chinarulezzz/pixload

 

I have been running into HTTP Request Smuggling a lot recently after the new research by PortSwigger.  Here is an interesting writeup.

https://medium.com/@memn0ps/http-request-smuggling-cl-te-7c40e246021c

 

That's the news, folks.

Application Security Weekly for September 8

Only Rails 6.x and 5.2.x are getting security updates.  Plan your development accordingly.

https://rubyonrails.org/security/

Jason Karns was kind enough to pass along this awesome upgrade helper for Rails:

https://blog.testdouble.com/posts/2019-09-03-3-keys-to-upgrading-rails

 

I regularly write apps up for failure to disable autofill, and this article is a good explainer.

https://www.social-engineer.com/disable-autofill-browsers/

 

Bruce has a really good set of reasoning on why there is no difference between "commercial" encryption and "consumer" encryption.

https://www.schneier.com/blog/archives/2019/08/the_myth_of_con.html

 

iOS doesn't get a lot of malware love because it's only 12% of the phone market, but the bad guys realized that 12% has a lot of money, so here are a BOATload of exploits that Google found them.

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1

 

I also write folks up for clickjacking a lot, and it is making a comeback.  It's just a header people, add it.

https://nakedsecurity.sophos.com/2019/08/29/web-clickjacking-fraud-makes-a-comeback-thanks-to-javascript-tricks/

 

Some RCE flaws discovered in PHP. Update if you can, mitigate if you can't.

https://thehackernews.com/2019/09/php-programming-language.html?m=1

 

That's the news.  Stay safe.

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList