Design Errors in Entra ID, Design Defenses in iOS, Design Difficulties in DeepSeek – ASW #349
In the news, Microsoft encounters a new cascade of avoidable errors with Entra ID, Apple improves iOS with hardware-backed memory safety, DeepSeek demonstrates the difficulty in reviewing models, curl reduces risk by eliminating code, preserving the context of code reviews, and more!
Mike Shema
- One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens – dirkjanm.io
The design weaknesses called out on the Actor token hearken back to that lovely CSRB report that described a "cascade of avoidable failures".
- Memory Integrity Enforcement: A complete vision for memory safety in Apple devices – Apple Security Research
- Security-Focused Guide for AI Code Assistant Instructions | OpenSSF Best Practices Working Group
- API Security in the AI Era: Best Practices for AI-Driven APIs | CSA
- Wasm 3.0 Completed
More wishful thinking from me that wasm would be the default sandbox environment choice for MCPs.
- A new experimental Go API for JSON – The Go Programming Language
Get rid of ambiguity, error on invalid characters instead of silently skipping them, don't let case insensitive parsing surprise users, and more tweaks that would make a more secure parser.
- Bye bye Kerberos FTP | daniel.haxx.se
Two flaws enter, one feature leaves. The first flaw was a security vuln based on a legit stack overflow -- something that's rare in curl! The second flaw was an implementation error in the protocol that meant the feature never worked properly in the first place, which meant it wasn't exploitable in practice.
The fact that no one noticed the bugged feature lends more weight to removing it altogether. Why not reduce the attack surface by removing code rather than writing a few tests for something no one needs?
Semi-related, the curl project also had to review yet another LLM-generated bug bounty report. This purported "Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE" turned out to be proof-of-concept code that legitimately had a buffer overflow -- it just never used curl, never represented any risk, and was literally just a self-contained example of how to write a buffer overflow.
- NPM: aNother Pummeling, Man
In contrast, I like "How Go Mitigates Supply Chain Attacks". The comparisons don't map one-to-one -- Go's static compilation is not something we'll see in the NPM world. But it would be cool to see NPM and JavaScript evolve some capability to reduce its attack surface and shed unused code in a manner similar to static compilation.
p.s. I always appreciate a good reinterpretation of acronyms. I would have tried Noisy Package Madness.
John Kinsella
- Code review can be better
Interesting retrospective on a tool to do code reviews and have them be part of git history. I like the idea of this, but agree with the article that there's work to be done.
- Profiles favored over Safe C++ proposal
Looks like the "Safe C++" proposal has been stopped, with folks instead working on Stroustrup's C++ Profiles. "A profile is a set of guarantees, such as type safety, absence of resource leaks, and range errors," according to the intro paper.
Kalyani Pawar
- AI firm DeepSeek writes less secure code for groups China disfavors
- Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet
- Modern memory is still vulnerable to Rowhammer vulnerabilities — Phoenix root privilege escalation attack proves that Rowhammer still smashes DDR5 security to bits







