Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/dangoodin/statuses/111143883186094889">Dan Goodin (dangoodin@infosec.exchange)'s status on Friday, 29-Sep-2023 02:39:52 JST</a><a href="https://infosec.exchange/@dangoodin" title="dangoodin@infosec.exchange"><img src="https://gnusocial.jp/avatar/92418-48-20240105201020.webp" width="48" height="48" alt="Dan Goodin" style="position: absolute; left: 0; top: 0;">Dan Goodin</a></section><article><p>Ugh. Google has patched yet another 0day in yet another media-encoding library that's nearly ubiquitous. Libvpx is in a ton of Linux projects (citation: <a href="https://pastebin.com/TdkC4pDv" rel="nofollow noreferrer">https://pastebin.com/TdkC4pDv</a>). Wikipedia says it's used by YouTube, Netflix, Amazon, JW Player, Brightcove, and Telestream. It also appears to be used in iOS.</p><p>If anyone has reasons to think this vulnerability is limited to Chrome, please let me know. Preliminarily, though, I'm inclined to think this is yet another vuln under active exploit that's going to make a ton of software vulnerable to RCE exploits.</p><p>The 0day is tracked as CVE-2023-5217.</p><p><a href="https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html" rel="nofollow noreferrer">https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2114228#notice-4151731">In conversation</a><time datetime="2023-09-29T02:39:52+09:00" title="Friday, 29-Sep-2023 02:39:52 JST">about a year ago</time> <span>from <span><a href="https://infosec.exchange/@dangoodin/111143883186094889" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@dangoodin/111143883186094889">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: pastebin.com</div><h5><a href="https://pastebin.com/TdkC4pDv">Ubuntu packages that depend on libvpx7 - Pastebin.com</a></h5><div></div></header><div>Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Dan Goodin (dangoodin@infosec.exchange)'s status on Friday, 29-Sep-2023 02:39:52 JST Dan Goodin
Ugh. Google has patched yet another 0day in yet another media-encoding library that's nearly ubiquitous. Libvpx is in a ton of Linux projects (citation: https://pastebin.com/TdkC4pDv). Wikipedia says it's used by YouTube, Netflix, Amazon, JW Player, Brightcove, and Telestream. It also appears to be used in iOS.
If anyone has reasons to think this vulnerability is limited to Chrome, please let me know. Preliminarily, though, I'm inclined to think this is yet another vuln under active exploit that's going to make a ton of software vulnerable to RCE exploits.
The 0day is tracked as CVE-2023-5217.
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
In conversationabout a year ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: pastebin.com
  Ubuntu packages that depend on libvpx7 - Pastebin.com
  Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

Public

Embed Notice

HTML Code

Corresponding Notice