|
and if that wasn't enough have some http/2 DoS: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
|
# ? Aug 13, 2019 19:16 |
|
some kids are probably going to jail https://twitter.com/Techmeme/status/1161348231911104513
|
# ? Aug 13, 2019 19:52 |
|
Cocoa Crispies posted:like, I bet every other desktop os has similar poo poo going on under the hood
"xorg is horribly buggy" is to security conference talks as "the drinking age in america is bs" is to intro college communication courses
an easy, low effort topic that can be thrown together at the last minute
|
# ? Aug 13, 2019 20:38 |
|
Cocoa Crispies posted:loving raw
|
# ? Aug 13, 2019 21:03 |
|
so good news these are patched:
Wiggly Wayne DDS posted:rdp pre-auth rces: https://twitter.com/metr0/status/1161381376060358656
|
# ? Aug 13, 2019 22:01 |
|
sounds like so long as you have NLA on those RDP vulnerabilities aren't wormable and thus you don't need to rush to patch them
if you somehow have NLA off in 2019 then wtf are you doing?
|
# ? Aug 13, 2019 22:58 |
|
Number19 posted:sounds like so long as you have NLA on those RDP vulnerabilities aren't wormable and thus you don't need to rush to patch them
there are unfortunately some problems with nla where it is impossible to connect from an azuread system to an AD system because "Microsoft. gently caress you." Just straight up bounces the connection, doesn't bother saying it's untrusted do you want to connect or whatever
|
# ? Aug 14, 2019 00:12 |
|
BangersInMyKnickers posted:there are unfortunately some problems with nla where it is impossible to connect from an azuread system to an AD system because "Microsoft. gently caress you." Just straight up bounces the connection, doesn't bother saying it's untrusted do you want to connect or whatever
Under what circumstances do you see this happen?
|
# ? Aug 14, 2019 00:27 |
|
Wiggly Wayne DDS posted:going through some patch tuesday cves:
Good lord I picked a good time to implement client firewalls w/ipsec. Windows firewall authenticated/encrypted connections make these attacks way harder.
Phone posted:lmao deleted comment #21
What was it? Someone bitching about disclosing automatically at day 90 again?
|
# ? Aug 14, 2019 00:31 |
|
Potato Salad posted:Under what circumstances do you see this happen?
Hybrid environments syncing their on-prem ad to azuread with adsync
|
# ? Aug 14, 2019 00:46 |
|
ewiley posted:What was it? Someone bitching about disclosing automatically at day 90 again?
https://forums.somethingawful.com/showthread.php?threadid=3887592&userid=0&perpage=40&pagenumber=74#post497475385
quote:Comment 21 by taviso@google.com on Tue, Aug 13, 2019, 12:56 PM EDT (9 minutes ago)
|
# ? Aug 14, 2019 00:52 |
|
Phone posted:https://forums.somethingawful.com/showthread.php?threadid=3887592&userid=0&perpage=40&pagenumber=74#post497475385
mystes fucked around with this message at 01:08 on Aug 14, 2019 |
# ? Aug 14, 2019 01:04 |
|
mystes posted:They don't release after 90 days have elapsed? They release on the 90th day?
Ah, Biblical timekeeping, like how sunset on Good Friday to Easter Sunday morning is somehow "three days".
|
# ? Aug 14, 2019 01:14 |
|
my job is 90% figuring out the length between two dates
|
# ? Aug 14, 2019 01:19 |
|
mystes posted:They don't release after 90 days have elapsed? They release on the 90th day?
Day 89 is the 90th day.
|
# ? Aug 14, 2019 01:19 |
|
maybe his calendar is bricked
|
# ? Aug 14, 2019 01:25 |
|
7of7 posted:Sure, posting Taviso is easy mode but this thing he just posted is mind blowing.
if this capability always existed then why can you not use your media keys or drag-drop in elevated apps
|
# ? Aug 14, 2019 02:28 |
|
~Coxy posted:if this capability always existed then why can you not use your media keys or drag-drop in elevated apps
Those were vectors they considered while the more generic one taviso found was not?
|
# ? Aug 14, 2019 03:20 |
|
~Coxy posted:if this capability always existed then why can you not use your media keys or drag-drop in elevated apps
|
# ? Aug 14, 2019 03:22 |
|
BangersInMyKnickers posted:Hybrid environments syncing their on-prem ad to azuread with adsync
Also, no way to RDP into an AzureAD connected PC from a PC not connected to the same AzureAD with NLA enabled.
|
# ? Aug 14, 2019 06:52 |
|
JawnV6 posted:maybe his calendar is bricked
lmao
|
# ? Aug 14, 2019 12:04 |
|
Phone posted:https://forums.somethingawful.com/showthread.php?threadid=3887592&userid=0&perpage=40&pagenumber=74#post497475385
oh duh, thanks
Taviso is very abrasive and yelled at me on twitter about antivirus once, so I'm not surprised.
|
# ? Aug 14, 2019 12:08 |
|
BangersInMyKnickers posted:Hybrid environments syncing their on-prem ad to azuread with adsync
swear on me mum this is working with a client; maybe it's not doing what I thought it was doing
|
# ? Aug 14, 2019 12:23 |
|
i presume taviso's point is that they reported before business open day 1 and disclosed after business close on day 90 or some such, but since afaik we don't know that, the public snark was pretty uncalled for.
|
# ? Aug 14, 2019 12:25 |
|
the whole "barely respond for the first two months of disclosure" probably soured him a bit, which is understandable as this isn't exactly a simple issue to fix
e: also i guess this is why everyone was talking about updating pulse secure, etc yesterday: https://twitter.com/wdormann/status/1161595148251336704
|
# ? Aug 14, 2019 12:35 |
|
Cybernetic Vermin posted:i presume taviso's point is that they reported before business open day 1 and disclosed after business close on day 90 or some such, but since afaik we don't know that, the public snark was pretty uncalled for.
Wiggly Wayne DDS posted:the whole "barely respond for the first two months of disclosure" probably soured him a bit, which is understandable as this isn't exactly a simple issue to fix
yeah, like, I know if I got an email from taviso I’d probably reply within seconds but I’m not in a role where I would
|
# ? Aug 14, 2019 14:24 |
|
Potato Salad posted:swear on me mum this is working with a client; maybe it's not doing what I thought it was doing
I dug in to way too much documentation on this and the answer was "lol wontfix" and it's known on MS's end. They do not support hybrid environments well.
|
# ? Aug 14, 2019 15:38 |
|
BangersInMyKnickers posted:I dug in to way too much documentation on this and the answer was "lol wontfix" and it's known on MS's end. They do not support hybrid environments well.
we wanted to do passwordless for a client in a hybrid environment and once you get through all the hype the answer is "you can't".
|
# ? Aug 14, 2019 15:46 |
|
if i won the lottery i would fund taviso to just disclose every 0-day he discovered immediately and see what sort of chaos could come about. responsible disclosure is boring.
|
# ? Aug 14, 2019 15:51 |
|
I’ve worked somewhere on the receiving end of taviso
|
# ? Aug 14, 2019 16:17 |
|
lol some dumb poo poo symantec is doing blocks win7/2008r2 systems from seeing updates that are only sha2 signed for some reason and they aren't saying why but it affects every version of their client
|
# ? Aug 14, 2019 16:47 |
|
it would be hilarious if that's why they backdated certs, like the av department has a bug and calls the cert department to backdate certs for a big client because it's easier than fixing the bug
|
# ? Aug 14, 2019 17:13 |
|
Lain Iwakura posted:I’ve worked somewhere on the receiving end of taviso
I would like to know more but I suspect nda
|
# ? Aug 14, 2019 17:30 |
|
BangersInMyKnickers posted:lol some dumb poo poo symantec is doing blocks win7/2008r2 systems from seeing updates that are only sha2 signed for some reason and they aren't saying why but it affects every version of their client
https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486
quote:Symptom: Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.
https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms
quote:The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
quote:Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.
Wiggly Wayne DDS fucked around with this message at 17:42 on Aug 14, 2019 |
# ? Aug 14, 2019 17:36 |
|
Wiggly Wayne DDS posted:microsoft's holding the updates back. these are the first sha2-only signed updates which was meant to go ahead in june but guess who's too incompetent to support it?
lol I assumed it was some kind of signed code validation problem since I know their engine does that but just nuking anything that doesn't present a sha1 hash is pretty lol
|
# ? Aug 14, 2019 18:04 |
|
i didn't mention it earlier as i was hoping it was a minor joke amongst yesterday's pile of issues and wouldn't affect anyone here, alas
|
# ? Aug 14, 2019 18:18 |
|
Captain Foo posted:I would like to know more
it has been years and it wasn't so bad minus him giving a talk on the whole matter and work getting uppity about me being at said conference, fearing that the media would somehow figure out that i worked for them
i don't really care anymore but taviso does strike fear into some companies and i know this first-hand
|
# ? Aug 14, 2019 18:40 |
|
Wiggly Wayne DDS posted:microsoft's holding the updates back. these are the first sha2-only signed updates which was meant to go ahead in june but guess who's too incompetent to support it?
reminder to everyone affected to change their fingerprints
|
# ? Aug 15, 2019 01:31 |
|
Is SentinelOne security snake oil? An exec friend was asking me and while it looks like nothing I would want in one of my companies, I was curious. It’s a low IP company so the threat model is likely stopping cryptolocker and spear phishing poo poo. For that I usually would recommend AppLocker and PS1 signing since it’s an all-Windows environment sans the marketing Dept.
|
# ? Aug 15, 2019 02:07 |
|
BangersInMyKnickers posted:I dug in to way too much documentation on this and the answer was "lol wontfix" and it's known on MS's end. They do not support hybrid environments well.
I'm more surprised you actually managed to get that kind of answer out of MS documentation
|
# ? Aug 15, 2019 02:56 |