Daily Security News Push (8-12)
2024-8-12 11:50:23 Author: mp.weixin.qq.com

Tencent Security Xuanwu Lab Daily News

• New Flaws in Sonos Smart Speakers Allow Hackers to Eavesdrop on Users:
https://thehackernews.com/2024/08/new-flaws-in-sonos-smart-speakers-allow.html

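   ・ Sonos smart speakers contain serious vulnerabilities that could allow remote eavesdropping. Details of the flaws were disclosed at Black Hat, including two vulnerabilities with CVE identifiers and information on successfully exploiting them for remote audio capture. – SecTodayBot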

• Filesystems timing attacks:
https://www.slideshare.net/slideshow/filesystems-timing-attacks/28134153

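   ・ Introduces new methods based on timing attacks: by analyzing filesystem timing techniques, it examines hardware and software timing techniques and the related overall theory. – SecTodayBot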

• Quark Engine: automating analysis of suspicious Android application:
https://meterpreter.org/quark-engine-automating-analysis-of-suspicious-android-application/

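   ・ Quark Engine provides a way to automate the analysis of suspicious Android applications, including a malware scoring system and a Dalvik bytecode loader that it developed, which can help analyze the security of Android applications. – SecTodayBot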

• Downgrade Attacks Using Windows Updates:
https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/?utm_campaign=2023Q3_SM_Twitter&utm_content=303230899&utm_medium=social&utm_source=twitter&hss_channel=tw-3090576763

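   ・ The article reveals a new type of attack called a downgrade attack, along with Windows Downdate, a tool developed against Windows system vulnerabilities. The tool can downgrade updates and bypass verification steps, re-exposing vulnerabilities that had been fixed and seriously affecting the security of Windows systems. – SecTodayBot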

• English Version:
https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/

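   ・ This article reveals architectural problems in Apache HTTP Server, including new vulnerabilities and exploitation techniques, as well as talks at well-known security conferences such as Black Hat USA and DEFCON. – SecTodayBot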

• Researchers Uncover 10 Flaws in Google's File Transfer Tool Quick Share:
https://thehackernews.com/2024/08/researchers-uncover-10-flaws-in-googles.html

   ・ Ten security vulnerabilities found in Google's Quick Share data transfer utility that could lead to a remote code execution (RCE) chain – SecTodayBot

• Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE:
https://thehackernews.com/2024/08/microsoft-reveals-four-openvpn-flaws.html

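   ・ Microsoft disclosed four medium-severity security vulnerabilities in the open-source OpenVPN software that could be chained to achieve remote code execution and local privilege escalation – SecTodayBot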

• Researchers Demonstrate How Hackers Can Exploit Microsoft Copilot:
https://cybersecuritynews.com/hackers-can-exploit-microsoft-copilot/

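   ・ Security researchers disclosed vulnerabilities in Microsoft Copilot at Black Hat USA, along with the potential for attackers to exploit them. LOLCopilot is a new tool for simulating attacks, intended to help ethical hackers understand the potential threats to Copilot. – SecTodayBot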

• Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources:
https://www.aquasec.com/blog/bucket-monopoly-breaching-aws-accounts-through-shadow-resources/

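   ・ Describes critical vulnerabilities found in AWS services and new attack vectors, focusing on the "Shadow Resource" attack vector and the "Bucket Monopoly" technique; an important reference for AWS users. – SecTodayBot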

* To view or search past pushes, visit:
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab


Article source: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959757&idx=1&sn=9d50563cd1c7258fee45871af81b78b4&chksm=8baed152bcd95844d9ac98d010385325c7ad2ff08ca66f13a6c651fa22fc1fb8bb5572333476&scene=58&subscene=0#rd