Episode #2022-03

Posted on
malware private-network-access pwnkit supply-chain zoom

Project Zero looked at a zero click exploit against Zoom, exacerbated with the lack of ASLR. 1

Chrome will rollout private network access (PNA) from version 98. PNA could stop CSRF attacks against router web interfaces. 2

NCC Group discussed the most common ways that CI/CD pipeline get compromised. 3

RM Cybernetics found a malware preinstalled in a machine ordered from AliExpress. 4

Qualys discover a privilege escalation bug in pkexec, a SUID-root program that is found in most Linux distribution. 5

1. Project Zero: Zooming in on Zero-click Exploits (googleprojectzero.blogspot.com)

See also:

2. Private Network Access: introducing preflights - Chrome Developers (developer.chrome.com)

See also:

3. 10 real-world stories of how we’ve compromised CI/CD pipelines – NCC Group Research (research.nccgroup.com)
4. Zheng Bang ZB3245TSS Pick & Place Machine - Custom Electronics, PWM Circuits, Induction Heating, and DIY Science Projects (www.rmcybernetics.com)
5. PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) | Qualys Security Blog (blog.qualys.com)

See also: