Tencent Security Xuanwu Lab Daily News
• Attackers test “CAB-less 40444” exploit in a dry run – Sophos News:
https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/
・ Sophos's analysis of how malicious attackers exploit the CVE-2021-40444 MSHTML RCE vulnerability to attack Word
– Jett
• Code Security Guide:
https://github.com/Tencent/secguide
・ A code security guide for developers, compiled by the Tencent security team
– Jett
• The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console:
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console
・ The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console
– Jett
• Exploiting Redash instances with CVE-2021-41192:
https://ian.sh/redash
・ Exploiting Redash instances with CVE-2021-41192
– Jett
• Notes on the pitfalls of reproducing the GoAhead environment variable injection:
https://tttang.com/archive/1399/
・ Notes on the pitfalls of reproducing the GoAhead environment variable injection.
– lanying37
• mm0r1/exploits:
https://github.com/mm0r1/exploits
・ Multiple PHP disable_functions bypass exploits
– Jett
• Fuzz introspector:
https://github.com/ossf/fuzz-introspector
・ Fuzz introspector – a tool that helps fuzzer developers monitor the working state of their fuzzers
– Jett
• The Top 5 Bugs Submitted in 2021:
https://www.zerodayinitiative.com/blog/2022/1/5/the-top-5-bugs-submitted-in-2021
・ ZDI's selection of “The Top 5 Bugs Submitted in 2021”
– Jett
• AI-for-Security-Learning:
https://github.com/404notf0und/AI-for-Security-Learning
・ AI-for-Security-Learning – study notes on security scenarios, AI-based security algorithms and security data analysis
– Jett
* To view or search previously pushed content, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Push (01-07)