A not-so-common and stupid privilege escalation. PoC to demonstrate the vulnerability here.

All those enterprise Java apps still on Java 8 are safe. "If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU)." A Java rewrite of a C++ cryptographic library introduced this flaw in Java 15. CVE-2022-21449: Psychic Signatures in Java.

Memory scanners can pose a problem for red team tooling, but there are clever (if not new) tricks to keep memory encrypted until it is needed. Bypassing PESieve and Moneta (The "easy" way?).

Perhaps it will take a large add-on compromise for the industry to wake up? No one seems to be publicizing the power add-ons have now that every app is a web app. Browser add-ons continue to be a silent killer. Adobe Acrobat hollowing out same-origin policy.

This is a good post for anyone interested in IoT devices, as it contains some nice gotchas and workarounds. No Hardware, No Problem: Emulation and Exploitation.

Microsoft's unwillingness to break backward compatibility has caused many a vulnerability; perhaps the tide is turning? You can still enable SMBv1, but soon even the binaries will be gone, available only as a separate unsupported install. SMB1 now disabled by default for Windows 11 Home Insiders builds.

TL;DR: always take more base salary over options. Infosec Salaries - the myth and the reality.

Minor updates include a new user-defined size limit for execute-assembly and a unified "arsenal kit." The bigger updates are the "security" (anti-piracy) features, which may make it harder for criminals to use Cobalt Strike. Cobalt Strike 4.6: The Line In The Sand.

"When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities." Keep looking for adjacent vulnerabilities! The More You Know, The More You Know You Don't Know: A Year in Review of 0-days Used In-the-Wild in 2021.

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week.
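To make the Psychic Signatures item above concrete: the publicly documented root cause of CVE-2022-21449 is that the JDK 15+ ECDSA verifier never checked that r and s lie in the range 1..n-1, so the all-zero signature (r, s) = (0, 0) verified against any message and any public key. The block below is an added example, not code from the advisory or from OpenJDK: a textbook P-256 ECDSA in pure Python with a verifier that omits the range check (the helper names `_lenient_inv` and `_x_of` are this example's own way of modelling the buggy implementation, in which inverting 0 silently yields 0 and the point at infinity encodes with x = 0) beside the corrected verifier. The arithmetic is affine, not constant time, and for illustration only.

```python
# Added example (not code from the CVE-2022-21449 write-up or OpenJDK): a textbook
# ECDSA verifier over P-256 that omits the r, s range check, beside the fixed one.
# Pure-Python affine arithmetic; not constant time and not for production use.
import hashlib
import secrets

# NIST P-256 domain parameters (y^2 = x^3 + ax + b over GF(p), base point G of order n)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity (group identity)


def _add(p1, p2):
    """Affine point addition; INF (None) is the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p1 == -p2
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication; _mul(0, pt) is INF."""
    acc = INF
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def sign(d, msg):
    e = _hash_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:                     # a real signer never emits r == 0 or s == 0
            return r, s


def _lenient_inv(x):
    """Assumed model of the buggy verifier: inverting 0 yields 0 instead of failing."""
    return 0 if x % N == 0 else pow(x, -1, N)


def _x_of(pt):
    """Assumed model of an implementation whose encoding of infinity has x == 0."""
    return 0 if pt is INF else pt[0]


def verify_vulnerable(pub, msg, sig):
    """ECDSA verification without the 1 <= r, s < n check (the CVE-2022-21449 shape)."""
    r, s = sig
    w = _lenient_inv(s)
    u1, u2 = _hash_int(msg) * w % N, r * w % N
    rr = _add(_mul(u1, G), _mul(u2, pub))
    return _x_of(rr) % N == r % N       # with (0, 0): u1 = u2 = 0, rr = INF, 0 == 0


def verify_fixed(pub, msg, sig):
    """Same computation with the range check the standard requires."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1, u2 = _hash_int(msg) * w % N, r * w % N
    rr = _add(_mul(u1, G), _mul(u2, pub))
    return rr is not INF and rr[0] % N == r


PSYCHIC_SIGNATURE = (0, 0)   # accepted for every message and key by verify_vulnerable

if __name__ == "__main__":
    d, pub = keygen()
    msg = b"constructed sample message"
    good = sign(d, msg)
    print(verify_vulnerable(pub, msg, good), verify_fixed(pub, msg, good))   # True True
    print(verify_vulnerable(pub, b"anything", PSYCHIC_SIGNATURE),            # True
          verify_fixed(pub, b"anything", PSYCHIC_SIGNATURE))                 # False
```

The practical check is the one `verify_fixed` adds: reject r or s outside 1..n-1 before doing any curve arithmetic, and never let a modular inverse of zero succeed silently. If an application cannot patch the JDK, it can apply the same range check to the DER-decoded r and s before handing a signature to `Signature.verify`.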