腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

2017/11/01

[ Browser ] 为了保护用户的隐私，Firefox 将在下个版本中移除 "Canvas Fingerprinting"，"Canvas Fingerprinting" 可以被用于跨网站建立指纹追踪用户： https://threatpost.com/firefox-bolsters-privacy-pulls-plug-on-browser-canvas-fingerprinting/128697/
[ Browser ] EdgeHTML 16 新引入的几个特性介绍：WebAssembly、SharedArrayBuffer、Atomics： https://blogs.windows.com/msedgedev/2017/10/31/optimizations-webassembly-sharedarraybuffer-atomics-edgehtml-16/#4OWbChIifql6k32H.97
[ Industry News ] Apple 在最新 iOS 11.1 中修复了 KRACK 漏洞： https://threatpost.com/apple-patches-krack-vulnerability-in-ios-11-1/128707/
[ iOS ] 苹果发布多个产品的更新补丁，包括 iOS 11.1、macOS High Sierra 10.13.1、Safari 11.1、watchOS 4.1 等，本次更新修复多个漏洞： https://support.apple.com/zh-cn/HT208222 https://support.apple.com/zh-cn/HT208221 https://support.apple.com/zh-cn/HT208223 https://support.apple.com/zh-cn/HT208220
[ Linux ] Linux device driver labs 的网站，网站上有 Linux 内核驱动的大量文档： https://linux-kernel-labs.github.io/
[ Others ] 优化 ASP.NET Docker 镜像的大小： https://www.hanselman.com/blog/OptimizingASPNETCoreDockerImageSizes.aspx
[ Others ] API 是如何工作的？： https://t.co/3n9fNykJ84
[ Others ] 利用 Splunk 的自定义搜索命令找样本 IOC： https://blog.rootshell.be/2017/10/31/splunk-custom-search-command-searching-misp-iocs/
[ Vulnerability ] Oracle 发布紧急更新（CVE-2017-10151）： http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html
[ Vulnerability ] Circle with Disney 家长控制系统在最近披露了 23 个漏洞： https://threatpost.com/popular-circle-with-disney-parental-control-system-riddled-with-23-vulnerabilities/128711/ Cisco Talos 团队披露了细节： http://blog.talosintelligence.com/2017/10/vulnerability-spotlight-circle.html

[ Crypto ] 区块链的故事： https://securelist.com/tales-from-the-blockchain/82971/
[ Industry News ] CA DigiCert 准备收购赛门铁克的 CA 证书签发业务，Mozilla 对此相关信任问题的声明： https://blog.mozilla.org/security/2017/10/31/statement-digicerts-proposed-purchase-symantec/
[ MalwareAnalysis ] 请警惕新的黑产趋势：入侵网站并植入挖矿恶意代码： http://www.freebuf.com/articles/web/152021.html
[ Others ] 如何区分随机 256 位排列的数据和 SHA256 Hash: https://sensepost.com/blog/2017/a-distinguisher-for-sha256-using-bitcoin-mining-faster-along-the-way/
[ Others ] 使用 Apostille 克隆 x509 证书链： https://sensepost.com/blog/2017/recreating-certificates-using-apostille/
[ Others ] How to crack private APN keys with hashcat： https://www.pentestpartners.com/security-blog/how-to-crack-private-apn-keys-with-hashcat/
[ Others ] 揭秘：两张A4纸破解虹膜、人脸识别，百度安全技术小哥怎么做到的？： https://mp.weixin.qq.com/s/zq7D8YzjljJ8rsteib1ljA
[ Popular Software ] Office DDEAUTO技术分析报告： http://www.freebuf.com/articles/terminal/152064.html
[ Protocol ] 使用SGX构建健壮的同步P2P基础协议： https://mp.weixin.qq.com/s/KCdRJkqJ94AHQOioc2Y4nQ
[ SecurityProduct ] Cisco ASA series part seven: Checkheaps： https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/october/cisco-asa-series-part-seven-checkheaps/
[ Vulnerability ] GraphicsMagick 中发现多个漏洞： https://blogs.securiteam.com/index.php/archives/3494
[ Vulnerability ] Talos 揭露 Cesanta Mongoose 中存在多处漏洞： http://blog.talosintelligence.com/2017/10/vulnerability-spotlight-multiple_31.html
[ Vulnerability ] TP-LINK 远程代码执行漏洞 CVE-2017-13772 趣谈： https://paper.seebug.org/434/
[ WirelessSecurity ] Android蓝牙远程命令执行漏洞利用实践:从PoC到Exploit： https://paper.seebug.org/430/

2017/11/01