They all use a company called 7.ai, a chatbot provider, which had a malware infection in October last year.
The WebAuthn API will allow websites to easily provide password-less authentication. Google, Microsoft and Mozilla are working on an implementation.
A non-exhaustive list of updates I came across:
- Microsoft released an out-of-band update to fix a very serious vulnerability in Defender, where visiting a malicious site could trigger remote code execution: link
- Microsoft also had its Patch Tuesday, fixing 65 other security issues, 23 of which are rated critical: link
- the Spring framework has an update fixing another remote code execution issue: link
This researcher found a fascinating exploit where he could submit a sitemap for a domain that was not his own. He could rank his site into the top 10 in a matter of days.
He received a bounty of $1337. As this discussion on Hacker News makes clear, he probably should have gotten much more.
WannaCry infections are apparently still going strong. The company that runs the killswitch domain that stops WannaCry from spreading now offers a free service that tells you if an IP in your company tried to phone home to it, meaning you have an infection somewhere.
When a subdomain of yours points at CloudFront but isn't explicitly listed as an alternate domain name on one of your distributions, someone else can create a CloudFront distribution claiming that hostname, and your traffic will be routed there. Worth a read.
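A defender's audit for the CloudFront issue above, added here as an example (not code from the linked post): given your zone's CNAME records and the alternate domain names configured on the distributions you own, it lists hostnames that resolve to cloudfront.net without being claimed by one of your distributions. All records, distribution ids and aliases below are constructed sample data, and wildcard aliases are assumed to match exactly one label so the check errs toward flagging.

```python
# Constructed sample data for illustration only (not real zones or distributions).
# DNS records for our zone: hostname -> CNAME target.
DNS_CNAMES = {
    "www.example.com": "d111111abcdef8.cloudfront.net",
    "assets.example.com": "d222222abcdef8.cloudfront.net",
    "old-blog.example.com": "cdn.example.com",       # chain: reaches CloudFront via another CNAME
    "cdn.example.com": "d333333abcdef8.cloudfront.net",
    "mail.example.com": "ghs.googlehosted.com",        # not CloudFront, ignored by the audit
}
# Alternate domain names configured on the distributions WE own (hypothetical values).
OUR_DISTRIBUTION_ALIASES = {
    "d111111abcdef8.cloudfront.net": ["www.example.com"],
    "d222222abcdef8.cloudfront.net": ["*.static.example.com"],
}

def resolve_cname_chain(name, records, max_hops=8):
    """Follow CNAMEs until a name with no CNAME is reached; stop on loops or too many hops."""
    seen = set()
    cur = name.lower().rstrip(".")
    while cur in records and cur not in seen and len(seen) < max_hops:
        seen.add(cur)
        cur = records[cur].lower().rstrip(".")
    return cur

def alias_matches(host, alias):
    """Exact match, or wildcard alias covering exactly one leftmost label (assumption, see lead-in)."""
    host, alias = host.lower(), alias.lower()
    if alias.startswith("*."):
        suffix = alias[1:]                       # "*.static.example.com" -> ".static.example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == alias

def find_unclaimed_cloudfront_hosts(records, our_aliases):
    """Hostnames that point at cloudfront.net but match no alternate domain name on a distribution we own."""
    all_aliases = [a for aliases in our_aliases.values() for a in aliases]
    findings = []
    for host in sorted(records):
        target = resolve_cname_chain(host, records)
        if not target.endswith(".cloudfront.net"):
            continue                             # only CloudFront-backed names are in scope
        if not any(alias_matches(host, a) for a in all_aliases):
            findings.append((host, target))      # unclaimed: another account could register this name
    return findings

if __name__ == "__main__":
    for host, target in find_unclaimed_cloudfront_hosts(DNS_CNAMES, OUR_DISTRIBUTION_ALIASES):
        print(f"UNCLAIMED {host} -> {target}")
```

In practice the two inputs would come from your DNS provider's zone export and the CloudFront API's list of distributions, and each finding should either be added as an alternate domain name on a distribution you own or have its CNAME record removed.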
Interesting post on how the author was logged into someone else's Netflix account because Google makes email@example.com and firstname.lastname@example.org go to the same inbox.
For those using Kubernetes, here's a sensible list of security measures to take.
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.
Automatically identify cross-site scripting, SQL injection and other vulnerabilities in your web applications before malicious attackers find and exploit them. Use the dead accurate Netsparker web application security scanner to generate accurate reports so you do not have to manually check if the reported issues are real or false positives, and you can concentrate on your job.