Google’s Project Zero drops a hand full of Zero Day vulnerabilities for the iPhone at Black Hat 2019. Apparently one of them isn’t patched yet. Interaction-less Attack Surface in this context means, it’s wormable, executing code with no human interaction.
Until recently, notepad.exe was considered safe in terms of security vulnerability, mostly for its lack of features and therefore lack of attack surface. Until Vulnerability researcher at Google, Tavis Ormandy, took a closer look and popped a shell from notepad.exe.
Use Containers they said.
It’d be more secure, they said.
Until CVE-2019-5736 was disclosed.
Security researchers say the zero-day flaw affects “millions” of machines in datacenters around the world.
Security researchers found a flaw in QEMU, dating back to 2004. Lots of virtualization platforms inherited the bug. Since virtualization powers the cloud, this has some potential.
- Threat identification is the review of technical and technical events that may damage a system
- System characterization is the review of system and data criticality and sensitivity
- Control analysis is the review of current and planned countermeasures against security requirements checklists.
- Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.