Tencent Security Xuanwu Lab Daily News
• Teaching Burp a new HTTP Transport Encoding:
https://www.pentagrid.ch/en/blog/teaching_burp_a_new_http_transport_encoding/
・ Adds support in Burp for parsing a custom HTTP Transport Encoding
– Jett
• 2274 – project-zero – Project Zero – Monorail:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2274
・ Issue 2274: Linux: watch_queue filter OOB write (and other bugs)
– Jett
• [PDF] https://www.ndss-symposium.org/wp-content/uploads/2022-78-paper.pdf:
https://www.ndss-symposium.org/wp-content/uploads/2022-78-paper.pdf
・ Cross-Language Attacks – applications built from multiple languages may introduce new problems for exploit mitigations
– Jett
• [Vulnerability] When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops:
https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/
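・ According to the ESET blog, firmware-level vulnerabilities were found in Lenovo laptops; an attacker with administrator privileges can implant firmware-level malicious code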
– Jett
• 2256 – project-zero – Project Zero – Monorail:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2256
・ Issue 2256: bluez: malicious USB devices can steal Bluetooth link keys over HCI using fake BD_ADDR, plus bluetoothd double-free
– Jett
• The More You Know, The More You Know You Don’t Know:
https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html
・ Project Zero's summary and analysis of in-the-wild exploitation in 2021
– Jett
• A Deep Dive into iOS Code Signing:
https://blog.umangis.me/a-deep-dive-into-ios-code-signing/
・ An in-depth look at iOS code signing.
– lanying37
• Inside the Black Box | How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities – SentinelOne:
https://www.sentinelone.com/labs/inside-the-black-box-how-we-fuzzed-microsoft-defender-for-iot-and-found-multiple-vulnerabilities/
・ How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities
– Jett
• Using Emulation Against Anti-Reverse Engineering Techniques:
https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques
・ Fortinet shares how to use emulated execution to counter Anti-RE implementations in malware
– Jett
• Persisting XSS With IFrame Traps – TrustedSec:
https://www.trustedsec.com/blog/persisting-xss-with-iframe-traps/
・ Persisting XSS With IFrame Traps
– Jett
* To view or search previously pushed content, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab (腾讯玄武实验室)
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Push (04-20)