All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
BashSpray is a password spray tool (a script that tests many accounts with common weak passwords to find security gaps) that red teams (security professionals hired to test defenses) can use to identify weak passwords in their organization. The tool works on both Mac and Windows systems, and ideally should be integrated into security response workflows so that affected users and security teams are notified to change passwords and investigate if needed.
This article discusses how to interact with Active Directory (a system that manages users and computers on networks) on macOS computers. It describes three approaches: using macOS's built-in Directory Utility, using Apache Directory Studio (a third-party tool), or writing custom scripts with LDAP (lightweight directory access protocol, the standard way to query directory systems) commands.
Google's login system leaks alternate email addresses to anyone who calls an unauthenticated endpoint (a service that doesn't require you to prove who you are) with just an email address. An attacker could use this to find backup accounts linked to a target email, then use those accounts for phishing (tricking people into giving up passwords) or to take over the main account if the alternate email is set up for password recovery.
Lyrebird is a security tool that takes a screenshot of your desktop and then monitors your computer by using the webcam to photograph anyone who tries to use it while you're away. The tool is designed to catch people who access an unattended workstation, helping you identify if someone has tampered with your computer.
CVE-2019-6689 is a command injection vulnerability (a type of attack where an attacker inserts malicious commands into program input) in Dillon Kane Tidal Workload Automation Agent 3.2.0.5 that allows local users on AIX systems to gain elevated privileges by crafting malicious Tidal Job Buffer parameters. This vulnerability exists because a previous fix for CVE-2014-3272 did not fully address AIX operating systems.
Google TensorFlow version 1.7.x and earlier contains a buffer overflow vulnerability (a bug where a program writes data outside its intended memory boundaries), which can be exploited in ways that depend on the specific context in which TensorFlow is used. The vulnerability is related to integer overflow or wraparound issues (errors in how very large numbers are handled in calculations).
A NULL pointer dereference (a type of bug where software tries to access memory that doesn't exist) in Google TensorFlow versions before 1.12.2 could allow an attacker to cause a denial of service (making the software crash or become unresponsive) by providing an invalid GIF image file. This vulnerability affects TensorFlow's image processing capabilities.
A bug in Google's Snappy library version 1.1.4, used in TensorFlow before version 1.7.1, allows a memcpy operation (a function that copies data in memory) to overlap with itself, potentially causing the program to crash or expose data from other parts of the computer's memory. This vulnerability stems from improper input validation (checking whether user input is safe before processing it).
CVE-2018-10055 is a vulnerability in TensorFlow (a machine learning framework) versions before 1.7.1 where the XLA compiler (a tool that optimizes machine learning code) has a memory access bug that could crash the program or allow reading data from other parts of the computer's memory when processing a specially crafted configuration file.
Google TensorFlow version 1.7 and below contains a buffer overflow (a bug where a program writes data beyond the memory space it's supposed to use), which allows an attacker to execute arbitrary code locally on the affected system. This vulnerability is tracked as CVE-2018-8825 and was identified as a weakness in how the software restricts operations within memory boundaries.
Google TensorFlow version 1.6.x and earlier contains a null pointer dereference vulnerability (a type of bug where software tries to access memory that doesn't exist, causing it to crash or behave unexpectedly). The vulnerability's impact depends on the specific context in which TensorFlow is being used.
CVE-2019-10844 is a vulnerability in Sony Neural Network Libraries (nnabla) through version v1.0.14 where the logger component relies on the HOME environment variable (a system setting that tells programs where a user's personal files are stored), which may be untrusted and could potentially be exploited. The vulnerability affects the libnnabla.a library file used in the software.
KoiPhish is a relay proxy (a tool that intercepts and forwards network traffic between a user and a target server) designed for phishing attacks. It forwards requests from victims to a real website while modifying links in responses to keep users engaged with the fake site instead of noticing they've been redirected.
This post describes techniques for accessing user accounts and data on macOS systems after gaining root access, including methods to bypass keychain (macOS's password storage system) protections through process injection and debugger attachment. The author notes that macOS has security features like SIP (System Integrity Protection, which prevents debugging of protected system processes) and keychain encryption that make direct access difficult, requiring either the target user's password or creative workarounds like injecting code into running processes.
Elasticsearch Security versions 6.5.0 and 6.5.1 have an XXE flaw (XML external entity injection, where an attacker exploits how the software processes XML data) in the Machine Learning find_file_structure API. If Elasticsearch's Java Security Manager allows external network access, an attacker could send a crafted request to leak local files from the server, potentially exposing sensitive information.
Square's Retrofit library (a tool for making web requests in Java) contained an XXE vulnerability (XML External Entity attack, where an attacker tricks the system into reading files by embedding malicious instructions in XML data) in its JAXB component. An attacker could exploit this to read files from the system or perform SSRF (server-side request forgery, where an attacker makes the server send requests to unintended targets).
CVE-2018-20301 is a mass assignment vulnerability (a flaw where an attacker can modify data fields they shouldn't be able to change) in Steve Pallen Coherence before version 0.5.2. The vulnerability allows users registering for accounts to update any field in the system, including automatically confirming their own accounts by adding a confirmed_at parameter to their registration request.
Attackers can steal authentication cookies (small files that prove you're logged in) from a compromised computer to break into web applications and cloud services, even bypassing multi-factor authentication (extra security checks beyond passwords). This works because cookies remain valid long after authentication is complete and are stored where attackers can find them, either on disk or in the computer's active memory. This technique, called "pass the cookie," is a post-exploitation method (a way attackers move through a system after gaining initial access) that also works with similar tokens like JWTs (JSON web tokens, another way to prove identity).
CVE-2018-20059 is a vulnerability in Pippo version 1.11.0 where the JaxbEngine.java file allows XXE attacks (XML external entity attacks, a type of injection where an attacker manipulates XML input to access unauthorized data or execute malicious code). The vulnerability relates to improper handling of XML external entity references in the application's code.
Fix: The source mentions two mitigations: (1) 'Remove all alternate account associations' and (2) 'Make sure that any alternate account is not your password recovery or 2FA to minimize attack surface.' However, these are user-level workarounds. Google declined to fix the issue itself after review.
ATutor (an educational software platform) versions through 2.2.4 have a vulnerability in their backup upload component that allows attackers to upload malicious files without proper restrictions. An attacker with instructor account access can upload a crafted ZIP file containing PHP code (a server-side programming language), which gets written to the web server and executed, giving them complete control over the system through RCE (remote code execution, where an attacker can run commands on a system they don't own).
Fix: Upgrade to TensorFlow version 1.12.2 or later. According to the source, the vulnerability existed in versions before 1.12.2, indicating this version includes the fix.
Fix: The vulnerability was fixed in commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437. Users should update to a version of Retrofit that includes this commit.