Security Vulnerabilities Content on InfoQ
-
Amazon Adds Three New Threat Detections to Its GuardDuty Service in AWS
Amazon has added another set of new threat detections to its GuardDuty service in AWS. The three new threat detections are two new penetration testing detections and one policy violation detection.
-
A Conversation about ZipSlip, NodeJS Security, and BBS Hacking
Earlier this year, the popular Bower package manager was found vulnerable to an archive extraction flaw that allowed attackers to write arbitrary files on a user's disk. As it turns out, the attack vectors used by this exploit have been known since the early days of BBS. InfoQ has taken the chance to speak with Liran Tal to learn more about software security, and NodeJS security in particular.
-
Dependabot Automatically Creates GitHub PRs to Fix Your Vulnerabilities
Leveraging the GitHub Security Advisory API, Dependabot aims to help developers track their dependencies, monitor the security of their programs, and make sure any potential vulnerabilities are removed as easily as possible by automatically creating PRs to resolve them.
-
Microsoft Patches Active Internet Explorer Zero Day Exploit
Microsoft has issued an out-of-band update for a critical vulnerability in the Internet Explorer (IE) scripting engine that could lead to remote code execution. The vulnerability is actively exploited in the wild, according to Tenable research engineer Satnam Narang, and users should update their systems as soon as possible.
-
GPUs Found Vulnerable to Side-Channel Attacks
Since Spectre and Meltdown were demonstrated at the beginning of 2018, researchers have been discovering many variants of side-channel vulnerabilities affecting both Intel and AMD CPUs. GPUs seemed instead to be immune to such attacks. Until now, that is.
-
PortSmash is the Latest Side-Channel Attack Affecting Intel CPUs
Researchers have devised a new kind of timing attack to steal information from a different process running on the same core with SMT/hyper-threading enabled. By carefully measuring port contention delays when sending instructions to a shared core, the researchers could recover a private key from a different process. Intel CPUs are probably not the only ones affected.
-
MIT Researchers Propose DAWG Defense against Spectre and Meltdown
Security researchers from MIT claim to have devised a hardware solution to prevent cache timing attacks based on speculative execution, such as Spectre and Meltdown. Their approach, named Dynamically Allocated Way Guard (DAWG), splits the processor cache into variably-sized partitions to make it impossible for processes to snoop on other processes’ cache partitions.
-
GitHub Release Developer Workflow Tools: Actions, Suggested Changes & Security Alerts for .NET/Java
At GitHub Universe in San Francisco, GitHub announced a number of new tools to help developers make their workflows more effective, including Actions, Suggested Changes, Security Alerts for .NET and Java, and more.
-
New Git Submodule Vulnerability Patched
The Git community has disclosed a security vulnerability affecting the clone and submodule commands that could enable remote code execution when vulnerable machines access malicious repositories. The vulnerability, which has been assigned CVE-2018-17456 by Mitre, has been fixed in Git 2.19.1.
-
Checked C Extends LLVM to Bring Spatial Memory Safety to C
Checked C is an open, collaborative project led by Microsoft Research that aims to extend the C language so programmers can write more reliable programs free of errors such as buffer overruns, out-of-bounds memory accesses, and incorrect type casts. Checked C code can coexist with code written in standard C to ease porting.
-
Intel Discloses New Speculative Execution Vulnerability L1 Terminal Fault
Intel has disclosed a new speculative execution side channel vulnerability, dubbed L1 Terminal Fault, that could potentially leak information residing in the processor L1 data cache. Mitigations are already available, according to Intel, based on its latest Microcode Updates and corresponding updates to operating systems and hypervisor stacks.
-
WhiteSource Launches Free Open Source Vulnerability Checking
WhiteSource, an open source security and license compliance management solution provider, has launched Vulnerability Checker, a new, free and standalone CLI tool that provides alerts on critical open source vulnerabilities.
-
NetBSD 8.0 Brings Spectre V2/V4, Meltdown, and Lazy FPU Mitigations, and More
NetBSD 8.0, a major release of the BSD-based OS providing portability across many architectures, brings mitigations for the Spectre V2/V4, Meltdown, and Lazy FPU vulnerabilities, along with many new features and bug fixes.
-
Spectre 1.1 and 1.2 Vulnerabilities Disclosed
Two new vulnerabilities exploiting flaws in CPU speculative execution have recently been disclosed. Dubbed Spectre 1.1 and 1.2, both are variants of the original Spectre (Spectre-v1) vulnerability and leverage speculative stores to create speculative buffer overflows which can escape Spectre-v1 mitigations.
-
DevSecOps Grows Up and Finds Itself a Community
On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.