Security: Patches, VPN, Adobe, and Microsoft Cracked
Date: 2020-12-29
-
Security updates for the start of 2021
Security updates have been issued by Debian (libxstream-java and p11-kit), Mageia (curl and minidlna), and openSUSE (groovy).
-
Very Pwnable Network (VPN)
This research starts with a weird series of crashes on Jiska's iPhone. Due to her ongoing paranoia, she decided to use a VPN, and because she had to trust her university's network anyway, she decided to use her university's Cisco VPN service. Obviously, this did not go well, and soon she had crash logs with memory accesses to invalid addresses, because these addresses were representing Strings?! These errors only occurred when she had bad network connectivity and no debugging enabled, so nobody was able to reproduce them. Either way, to start analyzing Cisco AnyConnect security, the more accessible Linux client was the first option. Gerbert did a detailed analysis and documented how this client works, since there was no documentation at all and users basically install a black box on their system. The application is by no means just a VPN client anymore. In addition to VPN connections, the application offers a number of special features like auto updating, file deployment and host assessment. The AnyConnect Linux client is even able to execute arbitrary scripts provided by the server, thus, the user needs to ultimately trust the AnyConnect provider. Even if this trust assumption holds true, the client is so complex that various attack vectors become possible. Gerbert found two vulnerabilities resulting in three attack scenarios. One of the issues was fixed without being assigned a CVE, the other one got CVE-2020-3556. Matthias continued with the iOS client, which is even harder to analyze than the closed-source Linux client. Since many Linux features are not available on iOS and the client has a completely different design, the previously found attacks do not apply. However, he will show the general architecture of this iOS Cisco AnyConnect Network Extension.
-
Adobe Flash Player is now history, top browsers end support
First announced in July 2017, Adobe had said it would stop updating and distributing Flash Player after December 31, 2020, due to the diminished usage of the technology and the availability of better, more secure options such as HTML5, WebGL and WebAssembly.
-
Adobe Flash Player is finally laid to rest
Released in 1996, Flash was once one of the most popular ways for people to stream videos and play games online.
But it was plagued with security problems and failed to transition to the smartphone era.
Adobe will no longer offer security updates for Flash and has urged people to uninstall it.
-
Microsoft says [crackers] were able to see some of its source code
Earlier this month, Microsoft President Brad Smith said the attack was a “moment of reckoning” and warned about its danger. “This is not ‘espionage as usual,’” Smith said. “In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical [sic] infrastructure in order to advance one nation’s intelligence agency.”
-
SolarWinds [attackers] accessed Microsoft source code, the company says
It is not clear how much or what parts of Microsoft’s source code repositories the [attackers] were able to access, but the disclosure suggests that the [crackers] who used software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft products as well.
-
Group Behind Alleged Russia [Crack] Broke Into Microsoft's Internal Systems
But the admission Thursday is the first time Microsoft acknowledged the attackers did more than place a tainted software update on its system: hackers successfully broke into the company's systems and viewed source code, the carefully guarded DNA of the company's software products.
-
Here’s why it’s so dangerous that SolarWinds [crackers] accessed Microsoft’s source code
Some security experts think that even a glance at source code data might provide information that could help with future attacks.
-
