• Don’t Let Your Domain Name Become a “Sitting Duck”:
https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/
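・ Exposes authentication weaknesses at large web hosting providers and domain registrars that leave more than a million domains vulnerable to attack by cybercriminals.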
– SecTodayBot
• Heap exploitation, glibc internals and nifty tricks.:
http://blog.quarkslab.com/heap-exploitation-glibc-internals-and-nifty-tricks.html
・ Analysis of a heap pwn challenge from the 2024 HitconCTF Qualifiers, discussing glibc malloc internals and heap exploitation techniques.
– SecTodayBot
• Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services:
https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/
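・ Google recently fixed an authentication flaw that allowed attackers to bypass the email verification step when creating Google Workspace accounts and to use that flaw to impersonate domain holders at third-party services.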
– SecTodayBot
• Unmasking the SMS Stealer: Targeting Several Countries with Deceptive Apps:
https://www.zimperium.com/blog/unmasking-the-sms-stealer-targeting-several-countries-with-deceptive-apps/
・ A large-scale SMS-stealing malware campaign targeting Android phones, discovered by researchers.
– SecTodayBot
• [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread:
https://seclists.org/oss-sec/2024/q3/126
・ Describes a security vulnerability in the libcurl library (CVE-2024-7264) and its impact.
– SecTodayBot
• Re: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076):
https://seclists.org/oss-sec/2024/q3/127
・ Discusses four vulnerabilities in the BIND 9 software.
– SecTodayBot
• Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 2:
https://www.thezdi.com/blog/2024/7/30/breaking-barriers-and-assumptions-techniques-for-privilege-escalation-on-windows-part-2
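・ Introduces a new technique for privilege escalation using NTFS streams, and discloses a detailed analysis and exploitation method for CVE-2024-0353, a vulnerability affecting ESET Security products.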
– SecTodayBot
• Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues:
https://blog.talosintelligence.com/vulnerability-roundup-july-31-nvidia/
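・ Describes six new vulnerabilities that the Cisco Talos vulnerability research team disclosed and patched over the past three weeks, including one in the NVIDIA graphics driver and several in the Ankitects Anki flashcard software.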
– SecTodayBot
• An In-Depth Look at the Cisco CCDE-AI Infrastructure Certification:
https://feedpress.me/link/23532/16758320/an-in-depth-look-at-cisco-ccde-ai-infrastructure-certification
・ Covers the integration of AI into networking, and how to protect AI models and guard against malicious use.
– SecTodayBot
* To view or search past pushes, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab