Remote Attestation, 0-Days, SEC - July 24th - 30th, 2023 - F5 SIRT - This Week in Security

 

 

Google has published its review of 0-days being exploited in the wild for 2022.    Unsurprisingly one of the notable trends they saw is that 40% of 0-days discovered were variants of  previous 0-day vulnerabilities.    If you have been paying attention to trends in vulnerabilities this would be expected, as researchers learn new techniques from previous vulnerabilities and often when one mistake was made in writing the software, similar mistakes were probably made elsewhere.   As they say, history rhymes.

 

Another notable conclusion from the report is that long patch times on Android have been leading to exploits getting out in the wild before patches from many manufacturers.    The interaction between the operating system being maintained by the Android team and various levels of manufactures often requires vulnerabilities in device drivers to be bounced between large and notoriously slow engineering firms before they land on the average users phone.   While this is really bad, it reminds me of the embedded IoT vulnerability iceberg lurking somewhere out there, seeing as those manufacturers rarely issue updates.

 

A third notable conclusion and one we have seen at F5 is that more and more researchers are finding the same vulnerability at the same time.   We have been noticing this trend as the rhyming of vulnerabilities leads researchers to concentrate on the same areas of software they are investigating.    The dark side of this conclusion is that where researchers are finding these, the attackers are probably finding the same.

 

 

Google and Apple are rolling out remote attestation of browser integrity in an attempt to stem the tide of automated access to websites.  This news has been met with mixed reactions because while it can help stem the tide of bots attacking websites using modified browsers that are hard to detect, it also serves to verify that browsers are not running any software to block advertisements or other data collection.   Time will tell where this rollout goes.

 

 

The United States Securities and Exchange Commission has adopted new rules requiring security breaches and other cybersecurity events to be disclosed on a short timeline of 4 days.  These new rules will push companies to disclose any cybersecurity incident that has material impact to public company's investors on Form 8-K.  This will help drive cybersecurity through investor pressure, as incidents will have to be disclosed and the SEC will prosecute companies that knowingly fail to disclose such incidents.   This is not expected to drive disclosure of details before they are analyzed because the disclosure requirements do not require a substantial amount of detail about the incident, and the volume of 8-K forms being filed by companies means individual investors may not always be up to date on these disclosures.