Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox – ASW #281
A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more!
Announcements
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss out on keynote speakers including Denee Defiore, CISO of United Airlines; Tucker Bryant, Entrepreneur and Former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
- 1. Multiple programming languages fail to escape args in Windows
It turns out that the way Microsoft's C runtime splits a command line into arguments is not what everybody assumes. Windows hands a new process a single command-line string, and every program splits that string by its own rules: the C runtime has one set of rules, cmd.exe has another, so a library that quotes arguments correctly for the first can hand a different argument list to a batch file, which runs through the second. When a program receives arguments it did not expect, there is potential for security vulnerabilities.
There's a good post about what's going on in a Microsoft blog - from over 10 years ago. https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
A question arises: should each software author fix this in their application, or should the OS vendor address it in the library they publish?
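As an added example (not code from the episode, the Rust advisory, or Microsoft's runtime), here is the quoting algorithm from the Microsoft post above beside a parser that applies the matching C-runtime rules, plus a third function that models the one cmd.exe rule that matters for batch files: every `"` toggles quoted state, and backslashes escape nothing. The hostile argument in `main` is constructed; the point it makes is that an argument which round-trips perfectly through the C-runtime rules still leaves an `&` outside quotes as far as cmd.exe is concerned.

```c
/* Added example: Windows command-line quoting under two different rule sets.
 * Not from the episode or any vendor; sample arguments are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote one argument so the C runtime parser recovers it verbatim (the
 * algorithm in the Microsoft post). Caller frees the result. */
char *msvcrt_quote(const char *arg) {
    size_t len = strlen(arg);
    int needs_quotes = (len == 0) || (strpbrk(arg, " \t\n\v\"") != NULL);
    char *out = malloc(2 * len + 3);   /* worst case: every byte doubled + 2 quotes + NUL */
    size_t o = 0, backslashes = 0;
    if (!needs_quotes) { memcpy(out, arg, len + 1); return out; }
    out[o++] = '"';
    for (size_t i = 0; i < len; i++) {
        char c = arg[i];
        if (c == '\\') { backslashes++; continue; }
        if (c == '"') {
            /* backslashes before a quote are doubled, plus one to escape the quote */
            for (size_t k = 0; k < backslashes * 2 + 1; k++) out[o++] = '\\';
        } else {
            /* backslashes not followed by a quote are literal */
            for (size_t k = 0; k < backslashes; k++) out[o++] = '\\';
        }
        out[o++] = c;
        backslashes = 0;
    }
    /* trailing backslashes sit before the closing quote, so double them */
    for (size_t k = 0; k < backslashes * 2; k++) out[o++] = '\\';
    out[o++] = '"';
    out[o] = '\0';
    return out;
}

/* Split a command line with the C runtime's rules: 2n backslashes + quote
 * give n backslashes and toggle quoting; 2n+1 give n backslashes and a
 * literal quote; other backslashes are literal; whitespace separates only
 * outside quotes. The "" corner case, which changed between CRT versions,
 * is not modelled. Fills argv with malloc'd strings, returns the count. */
int msvcrt_split(const char *cmdline, char *argv[], int max_args) {
    size_t len = strlen(cmdline), c = 0;
    char *cur = malloc(len + 1);       /* an argument is never longer than its input */
    int argc = 0, in_arg = 0, in_quotes = 0;
    for (size_t i = 0; i < len; ) {
        if (cmdline[i] == '\\') {
            size_t n = 0;
            while (cmdline[i] == '\\') { n++; i++; }
            if (cmdline[i] == '"') {
                for (size_t k = 0; k < n / 2; k++) cur[c++] = '\\';
                if (n % 2) cur[c++] = '"'; else in_quotes = !in_quotes;
                i++;
            } else {
                for (size_t k = 0; k < n; k++) cur[c++] = '\\';
            }
            in_arg = 1;
        } else if (cmdline[i] == '"') {
            in_quotes = !in_quotes; in_arg = 1; i++;
        } else if (!in_quotes && (cmdline[i] == ' ' || cmdline[i] == '\t')) {
            if (in_arg && argc < max_args) {
                cur[c] = '\0';
                argv[argc] = malloc(c + 1); memcpy(argv[argc++], cur, c + 1);
                c = 0; in_arg = 0;
            }
            i++;
        } else {
            cur[c++] = cmdline[i++]; in_arg = 1;
        }
    }
    if (in_arg && argc < max_args) {
        cur[c] = '\0';
        argv[argc] = malloc(c + 1); memcpy(argv[argc++], cur, c + 1);
    }
    free(cur);
    return argc;
}

/* cmd.exe's quote tracking: every '"' flips quoted state and nothing escapes
 * it. Returns how many operator characters (& | < >) cmd.exe would see
 * outside quotes, i.e. as command separators or redirections. */
int cmd_metachars_outside_quotes(const char *cmdline) {
    int in_quotes = 0, found = 0;
    for (const char *p = cmdline; *p; p++) {
        if (*p == '"') in_quotes = !in_quotes;
        else if (!in_quotes && strchr("&|<>", *p)) found++;
    }
    return found;
}

int main(void) {
    const char *arg = "foo\\\" & calc";        /* constructed hostile argument: foo\" & calc */
    char *quoted = msvcrt_quote(arg);
    char *argv[4];
    int argc = msvcrt_split(quoted, argv, 4);
    printf("quoted for the C runtime : %s\n", quoted);
    printf("C runtime parses back    : %d arg(s), first = [%s]\n", argc, argv[0]);
    printf("operators cmd.exe sees outside quotes: %d\n", cmd_metachars_outside_quotes(quoted));
    for (int i = 0; i < argc; i++) free(argv[i]);
    free(quoted);
    return 0;
}
```

The C runtime gets back exactly one argument, `foo" & calc`, but cmd.exe closes the quote at the escaped `"` and treats the `&` that follows as a command separator. That mismatch is why quoting for one parser does not make the string safe for the other, and why the fix has to know which interpreter will actually read the string.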
- 2. Buffer overflow visualizations in gcc analyzer, and more
Red Hat has been working on a static analyzer in gcc for the last several releases. At this point it's able to catch "some" infinite loops, perform taint analysis, and more. The one that caught my eye, though, is the ability to detect buffer overflow issues and then visualize them as ASCII-art diagrams of the buffer and the out-of-bounds access.
I know I'm always talking about being visual, personally - but this is a case where I think seeing really helps a developer (and their management!) understand what's going on and why a bug needs to be fixed.
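As an added example (not code from the episode or from Red Hat's post), here is the shape of bug the gcc analyzer reports as an out-of-bounds write, beside a bounded version that reports truncation instead of overflowing. `BUF_LEN` and the sample strings are constructed for this example.

```c
/* Added example: an unchecked fixed-buffer copy next to a bounded one.
 * Not from the episode or Red Hat; inputs and BUF_LEN are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* 'Before': copies whatever it is given into a fixed stack buffer with no
 * length check. With a source of BUF_LEN bytes or more it writes past the
 * end of buf; this is the pattern `gcc -fanalyzer` diagnoses as an
 * out-of-bounds write when it can see the source length. Kept for contrast
 * only; nothing below calls it with a long input. */
int copy_unchecked(const char *src) {
    char buf[BUF_LEN];
    strcpy(buf, src);            /* overflows when strlen(src) >= BUF_LEN */
    return (int)strlen(buf);
}

/* 'After': copies at most dst_len-1 bytes, always NUL-terminates, and returns
 * the number of bytes copied or -1 when the source does not fit, so the
 * caller decides what to do about truncation instead of getting it silently. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) return -1;
    if (n >= dst_len) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);     /* n bytes plus the terminator, all inside dst */
    return (int)n;
}

/* Same call shape as copy_unchecked(), but using the bounded copy. */
int copy_checked(const char *src) {
    char buf[BUF_LEN];
    return copy_bounded(buf, sizeof buf, src);
}

int main(void) {
    const char *ok  = "fits in here";                 /* 12 bytes, constructed */
    const char *bad = "this string is far too long";  /* 27 bytes, constructed */
    printf("copy_checked(ok)  = %d\n", copy_checked(ok));
    printf("copy_checked(bad) = %d\n", copy_checked(bad));
    /* copy_unchecked(bad) would overflow buf; only feed it to the analyzer. */
    return 0;
}
```

To see the analyzer at work, add a call such as `copy_unchecked("this string is far too long")` to `main` so the source length is visible, and compile with `gcc -fanalyzer -c example.c`. The diagram output is a GCC 14 feature (assumed here), selectable with `-fdiagnostics-text-art-charset=` (`ascii`, `unicode`, `emoji` or `none`); older analyzers report the overflow as a plain diagnostic.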
- 3. Remote command injection vulnerability in Palo Alto Networks firewalls
There's a critical command injection vulnerability in the zero-trust network access feature from Palo Alto Networks that runs on some of their firewalls, and it is reachable remotely.
- 4. Fortran and WebAssembly are like peanut butter and….
As a callback to the first half, Fortran is still out there, and new tech can "help" keep older tech alive...