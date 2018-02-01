Security: Flash, FOSS and More
New Adobe Flash Zero-Day Spotted in the Wild
South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild.
According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player versions 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash release, so every install is affected until Adobe ships a fix.
"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents.
Growth of open source adoption increases number of security vulnerabilities [Ed: No, Equifax was the opposite. It's proof that patches were available but were not being applied.]
The 2017 Equifax breach served as a major PSA of the growing size and scope of security vulnerabilities in open source software components and applications. Despite many of them being "known," these security flaws pose a potentially debilitating risk to enterprise security.
Software Composition Analysis: Identify Risk in Open Source Components
In March of 2017, it was reported that certain versions of the Apache Struts 2 Framework were vulnerable to Remote Code Execution attacks. If you were using a vulnerable version of Apache Struts 2, the recommended remediation was to upgrade to Apache Struts 2.3.32 or 2.5.10.1. The issue was a Remote Code Execution bug in the Jakarta Multipart parser of Apache Struts 2 that could allow an attacker to execute malicious commands on the server when the application handled file uploads through that parser.
Mitigating known security risks in open source libraries
This chapter focuses on all you should know about fixing vulnerable packages, including remediation options, tooling, and various nuances. Note that SCA tools have traditionally focused on finding or preventing vulnerabilities, and most put little emphasis on fixing beyond providing advisory information or logging an issue. Therefore, you may need to implement some of these remediations yourself, at least until more SCA solutions expand to include them.
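The Struts excerpt above gives the only concrete remediation on this page (upgrade to 2.3.32 or 2.5.10.1), and the SCA excerpt notes that the fix step is usually left to you. The script below is an added example, not code from either article or from any SCA product: it reads a Maven pom.xml, resolves `${...}` properties, and reports whether each declared `org.apache.struts:struts2-core` version falls below the fixed release for its branch. The sample pom is constructed for the example; the only page-sourced values are the two fixed versions.

```python
"""Flag Apache Struts 2 dependencies below the fixed releases named in the advisory excerpt.

Added example. Fixed versions (2.3.32 and 2.5.10.1) come from the page; the pom
layout handling, helper names and the sample pom are assumptions for this demo.
"""
import re
import xml.etree.ElementTree as ET

# Upgrade targets per maintained branch, as stated in the excerpt above.
FIXED_VERSIONS = {
    "2.3": (2, 3, 32),
    "2.5": (2, 5, 10, 1),
}

# Constructed sample pom: struts2-core pinned through a property, plus an unrelated dep.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>"""


def _local(tag):
    """Strip the XML namespace so '{ns}version' compares as 'version'."""
    return tag.split("}")[-1]


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); a '-SNAPSHOT' style qualifier is dropped.

    Tuple comparison handles the four-part 2.5.10.1 correctly: (2, 5, 10) < (2, 5, 10, 1).
    """
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version):
    """True if below the branch's fixed release, False if at/above it.

    None means the advisory excerpt does not cover this branch or the version
    could not be parsed (for example an unresolved ${property}), so review it by hand.
    """
    try:
        parsed = parse_version(version)
    except ValueError:
        return None
    if len(parsed) < 2:
        return None
    fixed = FIXED_VERSIONS.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < fixed


def _properties(root):
    """Collect <properties> children so ${name} references can be resolved."""
    props = {}
    for element in root.iter():
        if _local(element.tag) == "properties":
            for prop in element:
                props[_local(prop.tag)] = (prop.text or "").strip()
    return props


def struts_versions_in_pom(pom_xml):
    """Return the declared versions of org.apache.struts:struts2-core, properties resolved."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    found = []
    for element in root.iter():
        if _local(element.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if fields.get("groupId") == "org.apache.struts" and fields.get("artifactId") == "struts2-core":
            raw = fields.get("version", "")
            # Unknown properties are left as-is so is_vulnerable() reports None for them.
            resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
            found.append(resolved)
    return found


def audit_pom(pom_xml):
    """List of (declared_version, verdict) for every struts2-core dependency in the pom."""
    return [(version, is_vulnerable(version)) for version in struts_versions_in_pom(pom_xml)]


if __name__ == "__main__":
    for version, verdict in audit_pom(SAMPLE_POM):
        label = {True: "UPGRADE", False: "ok", None: "review manually"}[verdict]
        print(f"struts2-core {version}: {label}")
```

The verdict is deliberately three-valued: a branch the excerpt does not name (say 2.1.x) or a version that cannot be resolved should surface as "review manually" rather than silently pass, which is the gap the SCA chapter describes when a tool stops at logging an advisory.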
How to eliminate the default route for greater security
