InfoSec Week 4, 2019

Posted Jan 24, 2019

Microsoft’s mobile Edge browser begins issuing fake news warnings. It is powered by news rating company NewsGuard. It gives you fake news warning for Wikileaks, so decide for yourself.
https://www.engadget.com/2019/01/23/microsoft-edge-mobile-fake-news

A vulnerability in the apt package allows a network man-in-the-middle or malicious mirror to execute arbitrary code as root on a machine installing any packages.
https://justi.cz/security/2019/01/22/apt-rce.html

Encryption mode in the well-known compression software 7-Zip uses poor randomness when generating AES initialization vectors.
https://sourceforge.net/p/sevenzip/bugs/2176/

Turns out that the MySQL server has access to all client local files. Patched server can upload clients’ files like SSH keys.
https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/

Daniel Miessler published a short blog about the reasons why software remains insecure.
TLDR: “Basically, software remains vulnerable because the benefits created by insecure products far outweigh the downsides. Once that changes, software security will improve—but not a moment before.”
https://danielmiessler.com/blog/the-reason-software-remains-insecure/

Trend Micro engineers found applications in the Google Play store that drop Anubis banking malware after the device motion sensors are activated to evade initial detection.
https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/

Interesting Twitter bug was filled via HackerOne platform - changing email address on Twitter for Android unsets “Protect your Tweets” flag and make protected tweets public.
https://hackerone.com/reports/472013

Great in-depth blog about the finding and exploiting bugs in Marvell Avastar Wi-Fi.
https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/

WPintel - Chrome extension designed For WordPress vulnerability scanning and information gathering.
https://github.com/Tuhinshubhra/WPintel