VayFul Security Issue - August 16 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
From Object Transition to One-Click RCE in the Chrome Renderer - GitHub Security Lab details a critical vulnerability in the Chrome browser's rendering engine. This vulnerability, dubbed "From Object Transition to RCE," allows attackers to remotely execute arbitrary code on a victim's machine simply by visiting a malicious website. #chrome #rce
Zoom Patches Multiple Security Vulnerabilities - Zoom addresses multiple vulnerabilities affecting Zoom Workplace Desktop App which include privilege escalation. Zoom urges users to update to the latest version which was released recently. #zoom #vulnerabilities
Critical Windows TCP/IP Remote Code Execution Vulnerability - A critical vulnerability (CVE-2024-38063) has been discovered in the Windows TCP/IP stack. This "zero-click" exploit allows attackers to remotely execute malicious code on vulnerable machines simply by sending specially crafted IPv6 packets. #windows #0-click #rce
PostgreSQL Database Exposes Users to SQL Injection (CVE-2024-7348) - CVE-2024-7348 in PostgreSQL, a popular open-source database management system, exposes users to potential SQL injection attacks. This vulnerability exploits a Time-of-Check Time-of-Use (TOCTOU) race condition within the pg_dump utility. #postgresql #sql #injection
DoS Vulnerability in Fortra CLFS.sys Driver Causes Windows BSOD Attack - A Denial-of-Service (DoS) vulnerability in the CLFS.sys driver, a component of some Fortra software products. The vulnerability could allow an attacker to crash the system, potentially causing significant disruption. #windows #driver #BSOD
🔥 INTERESTING WRITEUPS
Argo CD CSRF leads to Kubernetes cluster compromise - [$4660 Bounty]
Apache Tomcat HTTP Request Smuggling (Client-Side Desync) - [$4660 Bounty]
CSP bypass on PortSwigger.net using Google script resources - [$1500 Bounty]
📝 BLOGS & ARTICLES
10 Essential Strategies for Securing Your Data in the Public Cloud - A new guide from DuoKey offers ten crucial strategies for safeguarding your data in the public cloud environment. This comprehensive resource outlines best practices for access control, encryption, data sovereignty, and more. #cloud #security #best #practices
MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles - Through a black box analysis of Shimano's proprietary wireless protocol, we uncovered the following critical vulnerabilities: replay attacks, targeted jamming attacks that disable gear shifting, and information leakage resulting from the use of ANT+ communication. #bicycle #wireless #protocols #attacks
AI Systems Security: Top Tools for Preventing Prompt Injection - The post delves into various types of AI security tools, explaining their functionalities and offering insights on how these tools can protect AI systems from attacks and manipulations. #AI #prompt #injection #security
Safety and Security of Llama Across Generations (2 to 3.1) - The blog highlights how deepfakes can be used for various malicious purposes, including business email compromise (BEC) scams, manipulating financial transactions, and damaging reputations. Hydrox emphasizes the importance of cybersecurity awareness training for employees to identify and report potential deepfake attacks. #llama #security #deepfake
🛠️ TOOLS
ScoutSuite - Multi-Cloud Security Auditing Tool. #cloud #security #audit
Odd-box - A simple, cross-platform reverse proxy server tailored for local development and tinkering. #reverse #proxy
Playwright_xss_scanner - Simple single-file python program that can find basic XSS (cross-site scripting) vulnerabilities in a target url. #xss #scanner #websec
PayloadsAllTheThings - A list of useful payloads and bypasses for Web Application Security and Pentest/CTF. #payload #list #appsec
🧠 TUTORIALS & SKILL-BUILDING
Blockchain Security Series 11 - In the 11th episode of the Blockchain Security Series we sit down with Peter Kacherginsky. We discuss his journey into the cryptocurrency world and his role in blockchain security. #blockchain #crypto #security
15 Ways to Break Your Copilot - BH-US '24 presentation, titled "15 Ways to Break Your Copilot," explores various methods to exploit Copilot's functionalities for malicious purposes. These methods could potentially lead to the generation of insecure code or the introduction of vulnerabilities through Copilot's suggestions.
We R in a right pickle with all these insecure serialization formats - BH-US '24 presentation by security researcher Stefan Schulz sheds light on the security vulnerabilities associated with insecure serialization formats and highlights the potential dangers lurking in these data encoding methods. #insecure #serialization #vulnerabilities
🎁 MISCELLANEOUS
Pyvideotrans - Video Translation and Voiceover Tool. This is a video translation and voiceover tool that can translate videos from one language into a specified language, automatically generating and adding subtitles and voiceovers in that language. #voice #recognition #text-to-speech #speech-to-text
Albumentations - Fast and flexible image augmentation library. Albumentations is a Python library for image augmentation. Image augmentation is used in deep learning and computer vision tasks to increase the quality of trained models. #image #augmentation #ml
Why AI is no substitute for human teachers: The Future of Education or Hype? - This Axios article explores the growing debate surrounding AI-powered tutors. While institutions like Khan Academy and Wharton are integrating AI into learning platforms, questions remain about their effectiveness and potential impact on the traditional teacher role. #AI #powered #tutors
🎯 QUOTE OF THE DAY
“Success is not final, failure is not fatal: It is the courage to continue that counts.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team