Project Zero looked at a zero click exploit against Zoom, exacerbated with the lack of ASLR. 1
Chrome will rollout private network access (PNA) from version 98. PNA could stop CSRF attacks against router web interfaces. 2
NCC Group discussed the most common ways that CI/CD pipeline get compromised. 3
RM Cybernetics found a malware preinstalled in a machine ordered from AliExpress. 4
Qualys discover a privilege escalation bug in pkexec, a SUID-root program that is found in most Linux distribution. 5
Footnotes
1. Project Zero: Zooming in on Zero-click Exploits (googleprojectzero.blogspot.com)
See also:
2. Private Network Access: introducing preflights - Chrome Developers (developer.chrome.com)
See also:
3. 10 real-world stories of how we’ve compromised CI/CD pipelines – NCC Group Research (research.nccgroup.com)
4. Zheng Bang ZB3245TSS Pick & Place Machine - Custom Electronics, PWM Circuits, Induction Heating, and DIY Science Projects (www.rmcybernetics.com)
5. PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) | Qualys Security Blog (blog.qualys.com)
See also: