1月25日安全热点 - Chrome 64发布/框架漏洞影响多个应用

 

资讯类

Chrome 64发布并推出了更强大的弹出窗口拦截器

https://www.bleepingcomputer.com/news/software/chrome-64-released-with-stronger-popup-blocker-spectre-mitigations/

 

软件框架漏洞影响Skype, Signal, Slack, Twitch等应用程序

https://www.bleepingcomputer.com/news/security/software-framework-flaw-affects-apps-from-skype-signal-slack-twitch-others/

 

新的HNS物联网僵尸网络已经积累感染了超过14000台机器

https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/

 

MoneroPay勒索软件 ——伪造的SpriteCoin电子货币钱包

https://www.bleepingcomputer.com/news/security/moneropay-ransomware-disguised-as-wallet-for-fake-spritecoin-cryptocurrency/

 

惠普在Buggy Intel Meltdown和Spectre更新后重新发布BIOS更新

https://www.bleepingcomputer.com/news/hardware/hp-reissuing-bios-updates-after-buggy-intel-meltdown-and-spectre-updates/

 

技术类

360CERT——某游戏平台客户端DNS Rebinding攻击预警
https://www.anquanke.com/post/id/95895

 

https://www.anquanke.com/post/id/95950

 

MyKings: 一个大规模多重僵尸网络

http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

 

WPA2 “KRACK”漏洞简介与重现

https://paper.seebug.org/512/

 

2017年反序列化漏洞年度报告

http://blog.nsfocus.net/2017-loophole-report/

 

云安全风险（第1部分）：Azure CSV注入漏洞

https://rhinosecuritylabs.com/azure/cloud-security-risks-part-1-azure-csv-injection-vulnerability/

 

Oracle VirtualBox 多个逃逸漏洞

https://blogs.securiteam.com/index.php/archives/3649

 

Stack Canaries

https://0x00sec.org/t/exploit-mitigation-techniques-stack-canaries/5085

 

服务器端请求伪造（SSRF）漏洞

https://medium.com/in-the-weeds/all-about-paperclips-cve-2017-0889-server-side-request-forgery-ssrf-vulnerability-8cb2b1c96fe8