Prototype pollution bug in Chromium bypassed Sanitizer API

A prototype pollution bug in the Chromium project allowed attackers to bypass the Sanitizer API, a browser-native API for stripping potentially dangerous markup from untrusted HTML before it is inserted into the page. Prototype pollution is a class of JavaScript vulnerability in which an attacker injects properties into a shared prototype such as Object.prototype, so that every object inheriting from it silently picks up attacker-controlled values and the application's behavior changes in ways its authors never intended. Reported by security researcher Michał Bentkowski, the bug highlights the difficulty of preventing client-side prototype pollution attacks.

Prototype pollution can occur on the client side (in the browser) and on the server side (in Node.js). Bentkowski, who has done extensive research on the topic, discovered the new bug while exploring client-side prototype pollution vulnerabilities in Chromium. The Sanitizer API was added to Chromium brow

Bentkowski notes that for the vulnerability to work, the browser's #enable-experimental-web-platform-features flag (under chrome://flags) must be enabled; that is, the affected Sanitizer API was not switched on by default.


Bug or feature?

The discussion thread on the Chromium bug tracker shows how hard it is to draw the boundaries of a prototype pollution bug. Manipulating prototypes is one of the features that make JavaScript flexible and versatile, which means that hardening applications against prototype pollution attacks will always require meticulous work by web developers. As one security researcher noted in the discussion thread, the prototype pollution vector is not something that should be addressed in the Sanitizer API itself.

"Environments that have their Object prototypes polluted are already compromised, and I don't think selectively hardening chosen web APIs against that would offer much practical benefit, and it may only offer a false sense of security, at the expense of API cognitive complexity," the researcher wrote.

"Before reporting the bug I was unaware that there exists a WebIDL spec that specifically defines that the prototype chain must be traversed by Web APIs," Bentkowski said. "This means that in fact, it is a feature, and this cannot be changed right now because that would be backward-incompatible; that is, many applications would be broken."

Developers, therefore, cannot rely on the browser to ignore inherited properties. They need to find and remove the gadgets in their own code, such as recursive merges, path-based setters and unchecked JSON keys like __proto__ or constructor.prototype, that let user-controlled input write to prototypes in the first place.
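To make the mechanism behind both the bug and the "it is a feature" verdict concrete, here is an added, self-contained example written for this page. It is not Bentkowski's proof of concept and not Chromium code: the helper names unsafeMerge, toSanitizerConfig, toSanitizerConfigOwnOnly and sanitizeTags are hypothetical, the tag filter is a toy stand-in for the real Sanitizer API, and the attacker JSON is constructed. The point it demonstrates is general: a dictionary-style options object read with ordinary property access (which is what the WebIDL dictionary conversion quoted above does) inherits whatever an earlier gadget wrote to Object.prototype.

```javascript
// Added example (not from the article): how a prototype pollution gadget
// reaches a dictionary-style config that is read through the prototype chain.
// All helper names are hypothetical; the attacker input is constructed.

// 1. A classic gadget: recursive merge of untrusted JSON into a target object.
//    JSON.parse creates an OWN property literally named "__proto__", and
//    target["__proto__"] resolves to Object.prototype, so the recursion
//    descends into the shared prototype and writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && typeof target[key] === 'object') {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// 2. A WebIDL-style dictionary conversion: members are fetched with [[Get]],
//    so an inherited allowElements counts exactly like an own one. This models
//    the spec behaviour the bug tracker thread calls a feature; it is not the
//    real conversion code.
function toSanitizerConfig(init) {
  return {
    allowElements: init.allowElements !== undefined
      ? [...init.allowElements]
      : ['b', 'i', 'p'],                       // safe default allow-list
  };
}

// 3. What application code can do instead: only honour own properties.
function toSanitizerConfigOwnOnly(init) {
  const own = Object.prototype.hasOwnProperty.call(init, 'allowElements');
  return { allowElements: own ? [...init.allowElements] : ['b', 'i', 'p'] };
}

// 4. A toy tag filter driven by the config (stand-in for the Sanitizer API).
function sanitizeTags(html, config) {
  const allowed = new Set(config.allowElements.map((t) => t.toLowerCase()));
  return html.replace(/<\/?([a-zA-Z0-9]+)[^>]*>/g, (tag, name) =>
    allowed.has(name.toLowerCase()) ? tag : '');
}

// 5. End-to-end: pollute, then sanitize with an EMPTY config object.
function demo() {
  // Constructed attacker-controlled JSON, e.g. from a query string or postMessage.
  const untrusted = JSON.parse('{"__proto__": {"allowElements": ["script"]}}');
  unsafeMerge({}, untrusted);                       // pollutes Object.prototype

  const leaked = ({}).allowElements;                // a fresh {} now "has" allowElements
  const sample = '<script>x</script><b>ok</b>';
  const polluted = sanitizeTags(sample, toSanitizerConfig({}));        // attacker's list wins
  const hardened = sanitizeTags(sample, toSanitizerConfigOwnOnly({})); // default list wins

  delete Object.prototype.allowElements;            // undo pollution for the rest of the process
  return { leaked, polluted, hardened };
}

module.exports = { unsafeMerge, toSanitizerConfig, toSanitizerConfigOwnOnly, sanitizeTags, demo };
```

With the prototype polluted, toSanitizerConfig({}) returns an allow-list of ['script'], so the script tag survives and the harmless bold tag is stripped; the own-property variant keeps the safe default. The own-property check helps in your own code, but as the thread notes it is not a fix you can apply to the platform: the reliable defence is to remove the gadget (reject __proto__, constructor and prototype keys in merges, or merge into Object.create(null) objects) and, where feasible, Object.freeze(Object.prototype) early in page load.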

WatchGuard firewall exploit threatens appliance takeover

WatchGuard has patched several vulnerabilities, rated from medium to critical severity, in its two main firewall product lines. Chained together, two of the flaws allowed Ambionics security engineer Charles Fol to obtain pre-authentication remote root on every WatchGuard Firebox or XTM appliance. Both the Firebox and XTM ranges were implicated earlier this year in a number of hacking attacks, with the Russian state-sponsored threat actor Sandworm abusing a privilege escalation flaw to build a botnet called Cyclops Blink, which was taken down in April. Over a four-month period, WatchGuard released three firmware updates patching a number of critical vulnerabilities. By coincidence, said Fol, this is when he started looking for exploitable bugs in firewalls for a red team engagement. He found five in the WatchGuard products, two of which were patched during his research, which is documented in a write-up published earlier this week. The three remaining flaws were a blind XPath injection, which allowed him to retrieve a device's configuration, including master credentials; an integer overflow, which allowed an attacker to execute malicious code on remote appliances; and a third vulnerability that made it possible to escalate privileges from a low-privilege user to root.
