Tencent Security Xuanwu Lab Daily News
• NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories:
https://www.wiz.io/blog/azure-app-service-source-code-leak
・ Microsoft Azure App Service had a vulnerability in Local Git deployments that leaked users' source code repositories
– Jett
• [PDF] https://www.bitdefender.com/files/News/CaseStudies/study/410/Bitdefender-PR-Whitepaper-Abode-creat4625-en-EN.pdf:
https://www.bitdefender.com/files/News/CaseStudies/study/410/Bitdefender-PR-Whitepaper-Abode-creat4625-en-EN.pdf
・ Abode IOTA has multiple high-severity vulnerabilities, including command injection in the Management Console
– Jett
• Cloud Security Breaches and Vulnerabilities: 2021 in Review:
https://blog.christophetd.fr/cloud-security-breaches-and-vulnerabilities-2021-in-review/
・ A review of cloud security incidents in 2021
– Jett
• [Network] Responder and IPv6 attacks:
https://g-laurent.blogspot.com/2021/12/responder-and-ipv6-attacks.html
・ Responder and IPv6 attacks
– Jett
• [Vulnerability] MS Teams: 1 feature, 4 vulnerabilities | Positive Security:
https://positive.security/blog/ms-teams-1-feature-4-vulns
・ Analysis of Microsoft Teams vulnerabilities, including link preview spoofing and IP address leakage
– Jett
• BLISTER malware campaign discovered | Elastic Blog:
https://www.elastic.co/cn/blog/elastic-security-uncovers-blister-malware-campaign
・ Elastic's security team discovered the BLISTER malware spreading with a valid, legitimate code signature
– Jett
• Background:
https://objective-see.com/blog/blog_0x6A.html
・ Analysis of a macOS Gatekeeper bypass vulnerability (CVE-2021-30853)
– Jett
• All in One SEO Plugin Bug Threatens 3M Websites with Takeovers:
https://threatpost.com/all-in-one-seo-plugin-bug-threatens-3m-websites-with-takeovers/177240/
・ A vulnerability in the WordPress plugin All in One SEO can lead to site takeover, affecting 3 million sites
– Jett
• Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!:
https://nakedsecurity.sophos.com/2021/12/21/apaches-other-product-critical-bugs-in-httpd-web-server-patch-now/
・ Two high-severity vulnerabilities found in Apache HTTP Server (httpd)
– Jett
• [PDF] https://messlab.moyix.net/papers/irqdebloat_oakland22.pdf:
https://messlab.moyix.net/papers/irqdebloat_oakland22.pdf
・ IRQDebloat: using automated firmware rewriting to partially disable functionality of embedded devices and thereby reduce the exposed attack surface (Paper)
– Jett
* To view or search past digests, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security Digest (12-23)