Widespread ‘Zip Slip’ vulnerability affects AWS, HP tools, researchers say

A new widespread vulnerability that lets an attacker execute remote commands affects web development tools offered by Amazon Web Services, HP, and other companies, according to secure-coding startup Snyk. The so-called “Zip Slip” vulnerability, which is particularly prevalent in JavaScript, “affects thousands of projects” supported by those internet giants plus other companies, Snyk co-founder Danny Grander said in an advisory. “[T]his type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries,” Grander wrote. The vulnerability allows an attacker to “gain access to parts of the file system outside of the target folder in which they should reside,” according to Snyk, potentially letting the adversary overwrite configuration files. To do that, an attacker needs both “a malicious archive and extraction code that does not perform validation checking,” the firm said. Snyk said that it began privately disclosing the vulnerability to […]
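The validation check the advisory says vulnerable extractors lack, shown as an added example (not Snyk's, Cyberscoop's or any affected project's code): every archive member's path is resolved against the target directory before anything is written, and an archive with a single escaping entry is rejected whole. The target directory /srv/extract and the archive contents are constructed for the demonstration.

```python
import io
import os
import zipfile


def is_within_directory(target_dir, entry_name):
    """True only if entry_name, joined to target_dir and normalised, stays inside target_dir.

    os.path.realpath collapses '..' and '.' segments and resolves symlinks, and the
    trailing separator stops '/srv/extract2' from passing as a child of '/srv/extract'.
    An absolute entry name makes os.path.join discard target_dir, so it is rejected too.
    """
    target = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(target, entry_name))
    return candidate == target or candidate.startswith(target + os.sep)


def find_traversal_entries(zip_bytes, target_dir):
    """Return the member names that would land outside target_dir (empty list: safe)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if not is_within_directory(target_dir, name)]


def safe_extract(zip_bytes, target_dir):
    """Check every member before writing anything, so one bad entry aborts the whole archive."""
    bad = find_traversal_entries(zip_bytes, target_dir)
    if bad:
        raise ValueError("archive contains entries escaping %s: %r" % (target_dir, bad))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(target_dir)
        return zf.namelist()


def build_archive(entries):
    """Build an in-memory zip from a {name: content} dict; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data (hypothetical, not from the article): a target directory,
# a benign archive, and one carrying a '../' entry of the kind the advisory describes.
TARGET_DIR = "/srv/extract"
BENIGN_ZIP = build_archive({"app/config.json": "{}", "app/README": "ok"})
TRAVERSAL_ZIP = build_archive({"app/config.json": "{}", "../outside.conf": "x"})

if __name__ == "__main__":
    print("benign escapes:", find_traversal_entries(BENIGN_ZIP, TARGET_DIR))
    print("traversal escapes:", find_traversal_entries(TRAVERSAL_ZIP, TARGET_DIR))
```

The same check applies to tar and other archive formats that carry attacker-controlled member names; the point is to validate the resolved path, not to look for the literal string "..".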

The post Widespread ‘Zip Slip’ vulnerability affects AWS, HP tools, researchers say appeared first on Cyberscoop.



The bug bounty market has some flaws of its own

In the wake of Microsoft’s announcement of a $250,000 reward for new hardware vulnerabilities, there’s growing concern that inflated bounties might be creating perverse incentives for young cybersecurity researchers and distorting the market for white-hat bug hunters. “If you can make considerably more money hunting bugs, there will be nobody left to fix them,” tweeted Katie Moussouris, a security researcher who created the first Microsoft program that rewarded those who reported vulnerabilities. “Those who do the hard work of code maintenance in corporations, dealing w [office] politics for a salary that’s ~1 bounty are 1 bad meeting away from rage quitting to hunt bugs full time,” the tweet concluded. “Motivations vary among hackers … but most are driven by some combination of three factors,” she told CyberScoop: Financial compensation, peer recognition and “the pursuit of intellectual happiness — loving what you do.” Moussouris would know. In addition to her practical […]

The post The bug bounty market has some flaws of its own appeared first on Cyberscoop.
