Security Leftovers (2022-07-07)
-
Anatomy of a basic extension | Almost Secure
I am starting an article series explaining the basics of browser extension security. It’s meant to provide you with some understanding of the field and serve as a reference for my more specific articles. You can browse the extension-security-basics category to see other published articles in this series.
Before we go for a deeper dive, let’s get a better understanding of what a browser extension actually is. We’ll take a look at a simple example extension and the different contexts in which its code runs.
[...]
So our example extension is going to be a Chrome-compatible one. I’ll discuss the files one by one but you can download the entire source code to play around with here. Unpack this ZIP file to some directory.
All browsers support trying out extensions by loading them from a directory. In Chromium-based browsers you go to chrome://extensions/, enable developer mode and use the “Load unpacked” button. In Firefox you go to about:debugging#/runtime/this-firefox and click the “Load Temporary Add-on” button.
This extension uses questionable approaches on purpose. It has several potential security issues; none of these are currently exploitable, however. Small changes to the extension functionality will change that, and I’ll introduce these in future articles.
-
CISA warns of UnRAR security flaw affecting Linux systems [Ed: Grotesque bias from Microsoft's propagandist Sofia Wyciślik-Wilson; CISA has in fact just warned about Microsoft Windows, so Sofia tries to write some nonsense about Linux; GNU/Linux users barely even use RAR. This is low-grade Microsoft propaganda. Check the banner/feature image saying "Linux" when in fact what CISA announced is actively-exploited holes in Microsoft Windows. RAR is just some ancient proprietary codec/compression algorithm; GNU/Linux users overwhelmingly adopt Gzip.]
The US Cybersecurity and Infrastructure Security Agency has issued a warning about a security issue with the UnRAR tool for Linux-based systems.
The vulnerability is being tracked as CVE-2022-30333, and if successfully exploited, the flaw could allow an attacker to use the process of unpacking an archive to write data to an area of storage.
-
Security updates for Wednesday [LWN.net]
Security updates have been issued by Debian (gst-plugins-good1.0), Fedora (firefox and ghostscript), Gentoo (consul, firefox, libass, libraw, lxml, mdbtools, pam_u2f, spice, and thunderbird), Oracle (kernel, kernel-container, and vim), Red Hat (galera, mariadb, and mysql-selinux, kernel, and kernel-rt), Scientific Linux (kernel), SUSE (bind, java-11-openjdk, kernel, mokutil, ncurses, and u-boot), and Ubuntu (epiphany-browser, libcdio, linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle).
-
Dissecting Google's Titan M chip: Vulnerability research challenges - Help Net Security
The enterprise-grade Titan M security chip was custom built to help protect data. Derived from the same chip Google uses to protect its cloud data centers, it handles processes and information, such as passcode protection, encryption, and secure transactions in apps.
In this Help Net Security video, Damiano Melotti, Security Researcher, Quarkslab, talks about the vulnerability research challenges encountered while exploring Google’s Titan M chip.
-
Palo Alto Networks Releases Security Update for PAN-OS | CISA
Palo Alto Networks has released a security update to address a vulnerability in PAN-OS firewall configurations. A remote attacker could exploit this vulnerability to conduct a reflected denial-of-service.
-
CISA Releases Cybersecurity Toolkit to Protect U.S. Elections [Ed: Delete Windows with back doors, for starters...]
CISA—through the Joint Cyber Defense Collaborative (JCDC)—has released a toolkit of free cybersecurity resources for the election community. The toolkit aims to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure. The toolkit resources, which come from CISA, JCDC members, and others across the cybersecurity community, focus on assessing risk and protecting election infrastructure assets commonly targeted by phishing, ransomware, and distributed denial-of-service (DDoS) attacks.
-
Adopting Sigstore Incrementally [Ed: Pentagon-funded companies pushing in the direction of denying you running a program of your choice on your own system]
adopt Sigstore may already sign published artifacts. Signers may have existing procedures to securely store and use signing keys. Sigstore can be used to sign artifacts with existing self-managed, long-lived signing keys. Sigstore provides a simple user experience for signing, verification, and generating structured signature metadata for artifacts and container signatures. Sigstore also offers a community-operated, free-to-use transparency log for auditing signature generation.
Sigstore additionally has the ability to use code signing certificates with short-lived signing keys bound to OpenID Connect identities. This signing approach offers simplicity due to the lack of key management; however, this may be too drastic of a change for enterprises that have existing infrastructure for signing. This blog post outlines strategies to ease adoption of Sigstore while still using existing signing approaches.
-
Sysdig Employs AI to Thwart Container Cryptojacking Attacks [Ed: Calling everything "Hey Hi" (AI) for hype's sake]
At the Black Hat USA 2022 conference, Sysdig today revealed it is adding machine learning algorithms capable of detecting cryptojacking attacks to its cloud service for securing container applications. The algorithms are offered at no additional charge, Sysdig says.
-
Deepfence Expands Scope of Open Source Container Security Platform - Container Journal
Deepfence CEO Sandeep Lahane says as the economy continues to stagnate, the rate at which organizations are embracing open source cybersecurity tools is only going to accelerate.
-