Citrix Bleed, Atlassian Authz Vuln, OpenJS & jQuery, Secure Future Initiative – ASW #262
Details of the Citrix Bleed vuln, exploitation of the Atlassian improper authorization vuln, so many jQuery installations to upgrade, the price of bounties and the cost of fixes, Microsoft's Secure Future Initiative, and more!
- 1. Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
This is a very Heartbleed-like vuln with a very informative write-up from Assetnote. It's also a good reminder that rewriting code to use more secure functions (like sprintf to snprintf) doesn't always make code more secure.
- 2. CVE-2023-22518 – Improper Authorization Vulnerability In Confluence Data Center and Server | Atlassian Support
I grabbed this more as an example of vendor-driven emphasis on risk and its degree of transparency. Maybe it's even a chance to experiment with how CVSS 4.0 would represent this vuln.
- 3. OpenJS Foundation Warns Consumer Privacy and Security at Risk in Three-Quarters of a Billion Websites
To quote from the article, they “...estimated that of the 1.9 billion websites worldwide, almost 90% use the open source software jQuery, and one-third of those, over three-quarters of a billion sites, require an upgrade.”
I don't know that those upgrades have a direct security consequence, but the prospect of upgrading a few billion sites seems daunting.
- 4. Hackers Surpass $300 Million in All-Time Earnings on the HackerOne Platform
This is a lot of money to find flaws. I'm still curious how the cost to fix those flaws compares.
- 5. A new world of security: Microsoft’s Secure Future Initiative – Microsoft On the Issues
Microsoft is moving to embrace more secure design choices and memory safe languages in an initiative reminiscent of the Trustworthy Computing push from 20 years ago.
Check out more of the engineering ideas at https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-engineering/.
- 6. FUN: Caricatures of Security People
Hopefully you won't recognize yourself in this list, but you probably recognize someone you've worked with. (And maybe ask a friend if they think you're on the list.)
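The sprintf-to-snprintf point from the Citrix Bleed item above, as an added C illustration (constructed for these notes, not code from Assetnote's write-up or from Citrix): snprintf stops writing at the buffer size, but its return value is the length the full string would have had, so a program that uses that return value as the number of bytes to transmit sends memory past the end of the buffer. The buffer, the adjacent `secret` field, the host strings and the function names are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16
/* Constructed: a 40-character host value, long enough to be truncated. */
#define LONG_HOST "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"

/* Constructed layout: a small response buffer with other data right after it,
 * standing in for whatever happens to sit next to the buffer in memory. */
struct frame {
    char buf[BUF_SIZE];
    char secret[32];   /* adjacent data that must never be transmitted */
};
static struct frame g;

/* Vulnerable pattern: snprintf bounds the WRITE, but the value it returns is
 * the untruncated length. Handing that to the send routine as the byte count
 * reads past buf. Returns the length that would be sent. */
size_t vulnerable_send_len(const char *host) {
    int n = snprintf(g.buf, sizeof g.buf, "Host: %s\r\n", host);
    if (n < 0) return 0;
    return (size_t)n;            /* BUG: may exceed sizeof g.buf */
}

/* Hardened pattern: treat a return value >= the buffer size as truncation and
 * never send more than was actually stored (snprintf keeps at most size-1
 * characters plus the terminating NUL). Rejecting the request is also fine. */
size_t fixed_send_len(const char *host) {
    int n = snprintf(g.buf, sizeof g.buf, "Host: %s\r\n", host);
    if (n < 0) return 0;
    if ((size_t)n >= sizeof g.buf) return sizeof g.buf - 1;
    return (size_t)n;
}

/* How many bytes beyond buf a send of `len` bytes would expose. */
size_t leaked_bytes(size_t len) {
    return len > BUF_SIZE ? len - BUF_SIZE : 0;
}

int main(void) {
    printf("short host: vulnerable=%zu fixed=%zu\n",
           vulnerable_send_len("x"), fixed_send_len("x"));
    printf("long host:  vulnerable=%zu (leaks %zu bytes) fixed=%zu\n",
           vulnerable_send_len(LONG_HOST), leaked_bytes(vulnerable_send_len(LONG_HOST)),
           fixed_send_len(LONG_HOST));
    return 0;
}
```

The same return-value contract applies to any bounded formatter that reports the untruncated length, so the check belongs wherever the result feeds a length, not only around the one call site.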