
Duo Labs

The Weekly Ink #8

THE WEEKLY INK

The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.

If you have links of your own that you think would be interesting to the company, be sure to send them to labs@duosecurity.com.

100 Bajillion-Trillion Passwords Leaked by Superhuman Genius Gods

Wait, it was only 4 billion passwords leaked by Russian hackers. Oh sorry, it's actually 1.2 billion. Just kidding, it's actually 500 million. Well, some amount of passwords were leaked by some group at some time after said group hacked some websites and obtained some data, and somehow Alex Holden, founder of Hold Security, knows all the details. But apparently he can't share any info because "there is an ongoing investigation". Well, unless you pay him. Of course, no law enforcement agencies have stated they are investigating this "breach". This whole debacle is suspicious at best.

Internet Explorer Begins Blocking Out-of-Date ActiveX Controls

It's confirmed that Internet Explorer is now 100% secure. No vulnerabilities are possible because Internet Explorer will begin blocking out-of-date ActiveX. Snark aside, this is a surprisingly good move. Old ActiveX controls have many known vulnerabilities. Most of these vulnerabilities have been patched in recent updates, but users may or may not have updated. However, it's very likely that users who don't update ActiveX don't actively update Internet Explorer, so I'm not sure how effective this update will be.

Remote Code Execution on Android

In 2012, a Remote Code Execution vulnerability was found in Android's addJavascriptInterface API (CVE-2012-6636). This bug allowed JavaScript code to have greater code execution permissions than intended. Android 4.2 contained a fix for this vulnerability, but the fix was disabled in some situations for backwards compatibility. Bromium Labs looked at 100,000 APKs from the Google Play Store and found that around 12% were potentially vulnerable to this exploit. In addition, more than 50% of devices run versions of Android prior to 4.2. In short, this RCE vulnerability from 2012 is still out in the wild and dangerous.
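As an added illustration (not code from the newsletter or from Bromium Labs), here is how an app can wire up a WebView JavaScript bridge so that the Android 4.2 fix described above is actually in effect; the `AppBridge` class and `configure` method are hypothetical names, and the app's manifest is assumed to set targetSdkVersion to 17 or higher.

```java
// Added example, not part of the original newsletter. Assumes an Activity that owns a WebView.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class SafeBridgeSetup {

    // The object handed to page JavaScript. On Android 4.2+ with targetSdkVersion >= 17,
    // only methods annotated with @JavascriptInterface are reachable from JavaScript,
    // which closes the reflective path that CVE-2012-6636 abused. With an older
    // targetSdkVersion the annotation is ignored for backwards compatibility and every
    // public method of the object stays exposed, which is the "disabled fix" case.
    public static class AppBridge {
        @JavascriptInterface
        public String version() {
            return "1.0";
        }

        // Not annotated: invisible to JavaScript when the fix is in effect.
        public void internalOnly() {
        }
    }

    public static void configure(WebView webView) {
        // A bridge is pointless without JavaScript; enable nothing beyond that.
        webView.getSettings().setJavaScriptEnabled(true);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17 (Android 4.2) or newer: the annotation-based restriction applies,
            // provided the manifest's targetSdkVersion is also >= 17.
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        } else {
            // Pre-4.2 platforms never received the fix, so any injected object exposes
            // all of its public methods, reflection included. The only safe choice on
            // these devices is to expose no bridge at all and degrade functionality.
        }
    }
}
```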

Also DEF CON and Black Hat Happened or Something

We went, we saw, we conquered. People did things. Other people broke things. It was cool. Black Hat talks are now online. So are B-Sides talks. Only a few DEF CON talks are available online at the moment.