Black Hat 2019

Google’s Project Zero drops a handful of zero-day vulnerabilities for the iPhone at Black Hat 2019. Apparently one of them isn’t patched yet. “Interaction-less attack surface” in this context means it’s wormable: code executes with no human interaction.

Source: Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone

notepad.exe

Until recently, notepad.exe was considered safe in terms of security vulnerabilities, mostly for its lack of features and therefore lack of attack surface. That changed when Tavis Ormandy, a vulnerability researcher at Google, took a closer look and popped a shell from notepad.exe.

Awesome.

'Venom' bigger than Heartbleed

Security researchers say the zero-day flaw affects “millions” of machines in datacenters around the world.

Security researchers found a flaw in QEMU, dating back to 2004. Lots of virtualization platforms inherited the bug. Since virtualization powers the cloud, this has some potential.

Source: Bigger than Heartbleed, ‘Venom’ security vulnerability threatens most datacenters | ZDNet

Risk assessment process

  • Threat identification is the review of technical and non-technical events that may damage a system.
  • System characterization is the review of system and data criticality and sensitivity.
  • Control analysis is the review of current and planned countermeasures against security requirements checklists.
  • Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.