
It has been a while since I’ve written about Avast, so today I give you “How insecure is Avast Secure Browser?”

https://palant.info/2024/07/15/how-insecure-is-avast-secure-browser/

Note: This isn’t a vulnerability disclosure, merely an overview of problematic design decisions.

TL;DR from the article: I wouldn’t run Avast Secure Browser on any real operating system, only inside a virtual machine containing no data whatsoever.

Some highlights:

  • Eleven pre-installed browser extensions but only two visible to users.
  • Two extensions unnecessarily relax Content-Security-Policy protection.
  • One of these two extensions also requests all privileges possible, despite not actually using them.
  • Two extensions accept messages from any other extension and any Avast website, the latter without enforcing HTTPS connections.
  • One of these extensions, Privacy Guard (sic!), will expose information about your browser’s tabs via that messaging interface and provide updates as you browse the web.
  • The “onboarding” experience is designed as an extremely flexible way to nag you into using products that benefit Avast financially.
  • To make this “onboarding” work, the browser exposes internal APIs to a number of Avast domains that a huge number of third parties can put content on. Not only can each of these third parties abuse this access, a single XSS vulnerability will extend the access to any website on the internet (no effective CSP protection).

Enjoy!


We love Open Source contributors.

If you are a significant contributor to an Open Source project, DM us, and we will give you a full briefings pass to BlackHat USA (absolutely free).

__
* Tickets handed out totally at our discretion;
** We only have a few tickets left;


fq 0.12.0 released 🥳 nothing fancy, REPL and jpeg fixes otherwise mostly update of dependencies.

https://github.com/wader/fq/releases/tag/v0.12.0


Spent the last four days coordinating incident response for the Squarespace domain hijackings with @tay and @AndrewMohawk. Now that it seems to be resolved, we wrote a little postmortem/retrospective

https://securityalliance.notion.site/A-Squarespace-Retrospective-or-How-to-Coordinate-an-Industry-Wide-Incident-Response-fead693b66c14543a48283d85aec19ad


Starting from v0.10 (the next version), HyperDbg uses @keystone_engine as its assembler. ❤️

Thanks to our new team member @AbbasMasoumiG for adding it.

The following commands are added to assemble virtual and physical memory:

- https://docs.hyperdbg.org/commands/debugging-commands/a

- https://docs.hyperdbg.org/commands/extension-commands/a


Clever & fun technique to dump LSA secrets bypassing by @sensepost

Dumping LSA secrets: a story about task decorrelation

https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/


Introduction to the Wild West of Proof of Concept Code () aka SSHing the Masses

https://santandersecurityresearch.github.io/blog/sshing_the_masses.html


Everyone complains about meetings, but rarely anybody puts time before the meeting to do the work needed for the meeting to be useful.


CCC researchers had live access to 2nd factor SMS of more than 200 affected companies - served conveniently by IdentifyMobile who logged this sensitive data online without access control.
You had one job.

https://www.ccc.de/en/updates/2024/2fa-sms


Does anyone have a technical reference (assuming it is public) for the hardware additions to ARMv8 which Apple made in Apple Silicon to support Rosetta 2?


“Admiral Grace Hopper’s landmark lecture is found, but the NSA won’t release it”: https://www.muckrock.com/news/archives/2024/jul/10/grace-hopper-lost-lecture-found-nsa/
(I heard her speak at Chapel Hill when I was in grad school. Sadly, she did not hand out nanoseconds at that talk.)


"adhd is a new thing" is very funny to me, you used to be able to buy amphetamines over the counter, anyone with it could self medicate

much like erdős did, heh

a close friend bet him $500 he couldn't last a month without them. he did

"you have set mathematics back by a month"


gambling is the only non-substance addiction disorder recognized in the American Psychiatric Association’s DSM-5 🤔 good thing modern smartphone use is totally unlike gambling in any way whatsoever


My blog post about several findings in Dynamics 365 Business Central. I tried writing in a .NET primer style for code audit beginners.

https://frycos.github.io/vulns4free/2024/07/10/dynamics-ups-and-downs.html


VMware security advisory: VMSA-2024-0017
CVE-2024-22280 (8.5 high) SQL-injection vulnerability in VMware Aria Automation: An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database. No mention of exploitation.


Only something this useless could be this educational https://robertheaton.com/pyskywifi/


Pwn2Own: WAN-to-LAN Exploit Showcase TP-Link ER605 routers and Synology BC500 IP camera - Part 1: WAN https://claroty.com/team82/research/pwn2own-wan-to-lan-exploit-showcase


Stacey Marshall, the current sendmail maintainer for , has blogged about disabling the CR+LF requirements for SMTP newly enforced in Solaris 11.4.68 and later due to the fix for CVE-2023-51765, for sites stuck with non-compliant SMTP senders:
https://staceymarshall.wordpress.com/2024/07/09/configuring-sendmail-srv_feature/

(Though that should be a short-term solution until you can get the software senders updated to follow the SMTP RFCs.)
