Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label code execution. Show all posts

Linux Foundation Expert Advices, Open Source Deployment, Fighting Against Vulnerabilities

 

The Census II study's preliminary findings strongly suggest that open source initiatives require supporting toolsets, infrastructure, people, and good governance in order to function as a stable and healthy upstream project for your company. It's not nearly as horrible as it sounds, because not all flaws can be exploited.

Wheeler cited a report from Synopsys, a software security and IoT (Internet of Things) company – each application has an average of 528 open source components, 84% of codebases have at least one vulnerability, and that the average number of vulnerabilities per codebase is 158. An audit of 1,546 codebases was conducted, with a codebase being defined as "the code and accompanying libraries that make up an application or service." "If you're concerned about security, you'll inspect the software." Nonetheless, open-source is possibly safer, because of the long-standing secure software design principle that "the protective method must not rely on attacker ignorance," as outlined in a 1974 work by Jerome Saltzer and Michael Schroeder.

This is a benefit of open-source software. "The many eyes theory works," Wheeler added. Vulnerable software does not get updated, which is a big part of the problem. Many apps and systems do not update all of the components that they use. This is also true for closed source, although "open source software is used a lot more." 

Developers should "learn how to design and acquire secure software," according to the report, which lists a number of free courses, best practices, and tools. A flaw in test-driven development, according to Wheeler, is that the model of writing a test and then writing the code to make the test pass does not include negative tests, implying that there is a need to test to ensure that things that should not happen do not happen. A failure to include negative tests is one of the major issues in many test suites today. It's how the Apple goto fail vulnerability came to be, according to Wheeler, who was referring to this problem. Use caution while dealing with software that hasn't been utilized in a long time. "There will very certainly be no reviewers if there are no users. It's not a problem if you don't utilize it " If it is still required, the remedy is to "look at it yourself." 

In summation, although the problem is difficult to solve, there are several initiatives that may help. The SPDX project, which specifies the "bill of materials" utilized by a software library or application, and the Open Source Security Metrics (OpenSSF) dashboard, which, though still in its early stages, assists developers and users in assessing the security of specific packages. 

‘mitmproxy2’ Removed by PyPI due to Code Execution Issues

 

A Python package called 'mitmproxy2' was pulled off from the PyPI repository because it was a replica of the official "mitmproxy" library, though with an "artificially introduced" code execution flaw. 

The official Python library 'mitmproxy' is a free and open-source engaging HTTPS proxy that gets over 40,000 weekly downloads. 

Mitmproxy is an open-source proxy program that uses a man-in-the-middle technique to monitor HTTP and HTTPS connections between any HTTP(S) client (such as a mobile or desktop browser) and a web server (MITM).

Maximilian Hils, one of the developers of the 'mitmproxy' Python library, brought everyone else's attention to a fake'mitmproxy2' package submitted to PyPI, on the 11th of October. "mitmproxy2" is near "the same as regular mitmproxy, but with an artificial RCE vulnerability included." 

As Hils told Bleeping Computer, his biggest worry is that certain software developers would misunderstand 'mitmproxy2' for a newer version of 'mitmproxy,' resulting in vulnerable code being accidentally included in their products. Whilst investigating an unconnected PyPI warehouse problem, Hils came across this imitation package via "happy little accident". 

"When you run mitmproxy's web interface, we expose an HTTP API for that. If you remove all safeguards from that API, everyone on the same network can execute code on your machine with a single HTTP request," Hils told Bleeping Computer in an email interview. 

It's also unclear if the person who released the copycat 'mitmproxy2' software did the same with malevolent purposes or just because of poor coding techniques. It would have been much easier to just put some harmful code that is immediately executed upon installation. 

However, the issue is that if one uploads it to PyPI as 'mitmproxy2' with a version number that says it's newer/superseded, users will undoubtedly download it without realizing the changes. 

While investigating 'mitmproxy2,' BleepingComputer noticed that a new package called 'mitmproxy-iframe' had also arrived on the PyPI repository less than a day after 'mitmproxy2' was deleted. 

Since anyone can upload packages to open-source ecosystems, cybersecurity threats and attacks such as virus injection, typosquatting, brandjacking, and dependency misunderstanding have increased significantly in recent years. 

Such "whack-a-mole" problems will always repeat themselves unless actual validations are implemented by open-source registries.

Microsoft Alerts of Critical PowerShell 7 Code Execution Vulnerability

 

Microsoft is alerting customers to upgrade their installations of PowerShell 7 as soon as possible to protect themselves against a.NET remote code execution (RCE) vulnerability. 

PowerShell is a configuration management system that features a command-line shell as well as a task automation scripting language. It runs on.NET, which makes use of a text encoding package that was recently fixed against an RCE flaw. It works with structured data such as JSON, CSV, and XML, and REST APIs and object models, and it operates on all major platforms, including Windows, Linux, and macOS. 

The.NET vulnerability was recognized as a major vulnerability with a score of 9.8 and was patched in April. 

According to the firm, there are no mitigation steps available to prevent the exploitation of the security issue identified as CVE-2021-26701. Customers are encouraged to update to PowerShell 7.0.6 and 7.1.3 as soon as possible in order to safeguard their systems from potential threats. 

In addition, Microsoft's initial advisory instructs developers on how to update their programs to eliminate the risk. 

Microsoft explained in April when the security flaw was patched, "The vulnerable package is System.Text.Encodings.Web. Upgrading your package and redeploying your app should be sufficient to address this vulnerability." 

Any.NET 5,.NET Core, or.NET Framework based application that uses a System. Text.Encodings. The version of the web package indicated below is vulnerable to attacks:
1.System.Text.Encodings.Web: Vulnerable Versions 4.0.0 - 4.5.0 ; Secure Version 4.5.1

2.System.Text.Encodings.Web: Vulnerable Versions 4.6.0-4.7.1; Secure Version 4.7.2

3.System.Text.Encodings.Web: Vulnerable Versions 5.0.0; Secure Version 5.0.1 

According to Microsoft's security alert, Visual Studio consists of the binaries for .NET but it is not vulnerable to this flaw. The update includes the.NET files, ensuring that apps built with Visual Studio that use.NET capabilities are safe from this security flaw. 

"If you have questions, ask them in GitHub, where the Microsoft development team and the community of experts are closely monitoring for new issues and will provide answers as soon as possible," Microsoft added. 

Microsoft has recently mentioned that future PowerShell upgrades will be released through the Microsoft Update service, making it easier to keep PowerShell up to date on Windows 10 and Windows Server.