date 2021-06-23

The results are enough to keep sysadmins awake at night, as the researcher demonstrated how desynchronization attacks levied against HTTP/2 systems enabled him to steal secrets from websites running Amazon’s Application Load Balancer, poison every page on Bitbucket, and force Atlassian to sign every single one of its users out of Jira.

Two years after taking to the Black Hat USA stage to document his exploits in the field of HTTP request smuggling, PortSwigger* security researcher James Kettle is back with a fresh perspective on how this attack vector can also impact HTTP/2 infrastructure.

The worst of the awards -- Most Epic Fail -- went to Microsoft for its handling of the PrintNightmare Print Spooler vulnerability, a bug that led to a problematic patch and more questions about potentially vulnerable code.

Despite Microsoft's attempts to make its Office suite more secure and disable many automatic features, and despite the fact that users are warned that suspicious documents should not be opened, malicious Word documents remain a key infection vector today. One of our readers (thanks Joel!) shared a sample that he received and, unfortunately, opened on his computer. The document was delivered to him via a spoofed email (sent by a known contact). The document ("legal paper.08.04.2021.doc") was delivered in a protected ZIP archive and has a VT score of 11/58[1]. This remains a very low score for a simple Word document. Its content deserved a closer look.

As one of the world’s biggest tech companies, the decisions Apple make matter. This is a clear signal to every government around the world that Apple - and inevitably their entire industry - have the technology and the will to carry out mass surveillance. By opening the floodgates, even for something as important as protecting children, Apple and the rest of the industry will inevitably be unable to resist doing the same for other reasons and for other governments.

“Apple has decided to undermine end-to-end encryption and make all its users vulnerable to censorship and surveillance. By allowing scanning of photos in private communications and iCloud, Apple products will become a threat to their users. The company should take a step back, abandon these changes and defend people from corporate and government surveillance,” says Diego Naranjo, Head of Policy at EDRi.

Apple has just announced significant changes to their privacy settings for messaging and cloud services: first, it will scan all images sent by child accounts; second, it will scan all photos as they are being uploaded to iCloud. With these changes, Apple is threatening everyone’s privacy, security and confidentiality. Although these changes seem to be first applied to users in the US, we concur with Edward Snowden that this change will have repercussions globally.

The Linux kernel already supports making use of Arm's True Random Number Generator (TRNG) SMCCC interface within the random seed code, while for the upcoming Linux 5.15 cycle an "arm_smccc_trng" driver is being added that will allow exposing the entropy to user-space.

