User Rank: Apprentice
3/15/2013 | 4:46:32 AM
Lately, I've been asking myself whether the lack of 'success' achieved by DiD is due entirely to the factors already mentioned by many of those who responded to this article or if in fact it's our 'thinking' about such strategies that is really the issue. Reading the quotes in this article, I was reminded of that line from Samuel Beckett's play, 'Waiting for Godot': "There's man all over for you, blaming on his boots the faults of his feet".
It's my view that while there is ample evidence that the DiD strategy, when executed incorrectly, does not yield the expected results, it can also be argued that successful, ongoing execution of the strategy relies too heavily on factors and resources not readily available to most users (knowledge, skills, etc.).
It also is apparent that our 'adversaries' have the advantage of fighting a guerrilla-style war against security professionals in which the very tools we use to blunt their attacks are being turned against us. I've noticed an inherently asymmetrical aspect to each battle security professionals fight: the advantage is our adversaries learn more about our defenses, adapt faster, and with greater agility of deployment than we obtain from our analysis of their attacks. The evidence cited by the article about the continuing increase in security breaches despite greater security spend suggests that we defenders are missing something fundamental in our attempts to build better security systems and controls.
So in what new direction should we be looking to find a way to turn the tide of this war in our favor? I've taken a closer look at the fundamental underpinnings of my own approach to thinking about security strategy and I found a few insightful and thought-provoking ideas in the work done by James A. Dewar of the RAND Corporation on Assumption-Based Planning (ABP) and that of Prof. Richard Heeks of the University of Manchester's "design reality gap" model. I hope to have a paper submitted to ISACA by the end of the summer which discusses how one might apply these ideas to develop a new approach in building security infrastructure.