This Week in Security: No More CVEs, 4chan, and Recall Returns
The sky is falling. Or more specifically, it was about to fall, according to the security community this week. The MITRE Corporation came within a hair’s breadth of letting its contract to maintain the CVE database lapse. And admittedly, it would be a bad thing if we suddenly lost updates to the central CVE database.
What’s particularly interesting is how we knew about this possibility at all. An April 15 letter sent to the CVE board warned that the specific contract that funds MITRE’s CVE and CWE work was due to expire on the 16th. This was not an official release, and it’s not clear exactly how this document was leaked.
Many people made political hay out of the apparent imminent carnage. And while there’s always an element of political maneuvering when it comes to contract renewal, it’s worth noting that it’s not unheard of for MITRE’s CVE funding to go down to the wire like this. We don’t know how many times we’ve been in this position in years past.
Regardless, MITRE has spun out another non-profit, The CVE Foundation, specifically to see to the continuation of the CVE database. And at the last possible moment, CISA has announced that it has invoked an option in the existing contract, funding MITRE’s CVE work for another 11 months.
Mobile Devices: A Secure State
Mobile devices are in their most secure state right after boot, before the user password is entered to unlock the device for the first time. Forensic tools like Cellebrite will often work against a device that has been unlocked at least once since boot, but simply can’t exploit a device that is still in that freshly booted state.
This is why Google is rolling out a feature where Android devices that haven’t been unlocked for three days will automatically reboot. Once a phone is unlocked, the encryption keys are stored in memory, and it only takes a lock screen bypass to have full access to the device.
But before the initial unlock, the device is still encrypted, and the keys live in a secure partition known as the "keystore". This feature aims to prevent attackers from using brute force attacks to guess the unlock code.
4chan: A Haven for Security Vulnerabilities
Unfortunately, 4chan was hit by another wave of security vulnerabilities this week. The site, known for its anonymous user accounts and lax moderation policies, has become a haven for hackers looking to exploit its users.
The site's administrators have promised to take action against the malicious actors, but it’s unclear what concrete steps they will take to address the issue.
Recall: The AI-Powered Security Tool
A new security tool called Recall has been making waves in the cybersecurity community. This AI-powered tool aims to detect and prevent attacks by monitoring system logs for potentially malicious activity.
The tool, developed by Claudio Contin, uses a technique called "EDV" (Entity Discovery and Verification) to analyze system events and identify potential threats.
Fortinet: The Exploited Backdoor
Fortinet has revealed that its SSL VPN system was exploited by hackers, who installed a backdoor on the devices. The backdoor allows attackers to access the device remotely and steal sensitive data.
The company believes that the exploited devices have harbored this backdoor since the 2023-2024 hacking spree, which suggests that the vulnerability has been present for quite some time.
LLMs: The Hallucinating Package Managers
Artificial intelligence-powered package managers are becoming increasingly popular in the developer community. However, their use also comes with a number of risks, including typosquatting attacks.
According to Tyler August, who recently covered this topic, LLMs (Large Language Models) are likely to hallucinate package names, making it easy for attackers to register fake packages and steal sensitive data.
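The defensive counterpart to hallucinated package names is to never install a name that nobody has reviewed. The script below is an added example, not code from the article or from Tyler August’s coverage: it reads a requirements file, normalizes each name the way PyPI does (lowercase, runs of `-`, `_` and `.` collapsed to `-`), and classifies it against an allowlist standing in for a reviewed lockfile or internal index. Names one edit away from an allowed name (two edits for names of eight or more characters) are flagged as near-misses, since a typo or a model slip produces exactly that shape; anything else not on the list is flagged as unknown. The allowlist, the requirements text and the near-miss thresholds are all constructed for the example.

```python
import re
from typing import Iterable

# Constructed allowlist standing in for a reviewed lockfile / internal index.
ALLOWLIST = {"requests", "numpy", "cryptography", "pyyaml"}

# Constructed requirements file used as sample input: two typos, one invented name.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
numpy>=1.26
reqeusts==2.32.3
PyYAML==6.0.2
cryptograpy
totally-made-up-pkg>=1.0
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_' and '.' into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest(name: str, allowlist: Iterable[str]) -> tuple[str, int]:
    """Return the allowlisted name closest to `name` and its edit distance."""
    return min(((cand, levenshtein(name, cand)) for cand in allowlist), key=lambda t: t[1])


def check_requirements(text: str, allowlist: set[str]) -> list[tuple[str, str, str]]:
    """Classify each requirement line as ok / near-miss / unknown / unparseable.

    near-miss: 1 edit from an allowed name, or 2 edits for names of 8+ characters
    (constructed thresholds; tune them against your own allowlist).
    """
    allowed = {normalize(n) for n in allowlist}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _NAME_RE.match(line)
        if not m:
            findings.append((line, "unparseable", ""))
            continue
        name = normalize(m.group(1))
        if name in allowed:
            findings.append((name, "ok", ""))
            continue
        best, dist = nearest(name, allowed)
        limit = 2 if len(name) >= 8 else 1
        if dist <= limit:
            findings.append((name, "near-miss", f"{dist} edit(s) from allowlisted '{best}'"))
        else:
            findings.append((name, "unknown", "not in allowlist; verify before installing"))
    return findings


if __name__ == "__main__":
    for name, status, detail in check_requirements(SAMPLE_REQUIREMENTS, ALLOWLIST):
        print(f"{status:11} {name:22} {detail}")
```

Run as a pre-install gate in CI, a non-empty set of near-miss or unknown findings should fail the build; the near-miss detail tells the reviewer which real package the name was probably meant to be.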
Vibe Detections: The New Threat
A new tool called Vibe Detections has been demonstrated by Claudio Contin. This tool uses the LLM-powered Copilot AI to detect potentially malicious activity on Windows systems.
The tool, which is not intended for production use, was able to detect about 40% of the malicious tests that Windows Defender missed.
Apple: The 0-Day Vulnerabilities
Apple has pushed out updates to its entire lineup of devices, fixing a pair of 0-day vulnerabilities. The first vulnerability is in CoreAudio, and lets an attacker execute arbitrary code when the device plays audio from a malicious file.
The second vulnerability is in the Pointer Authentication scheme, which Apple uses to prevent memory-related vulnerabilities.
Gnome: The Yelp Help Browser
The Gnome desktop has an interesting problem where the yelp help browser can be tricked into reading the contents of arbitrary filesystem files.
This vulnerability is made worse by the possibility of browser links automatically opening in yelp, which could lead to a number of security issues.
Google Project Zero: The Windows Registry
Google Project Zero has released part six of its deep dive into the Windows Registry. This installment dives into actual memory structures and lets us in on the history behind why the Windows registry is called the hive and uses the 0xBEE0BEE0 signature.
The story behind this nickname is quite amusing, involving a developer who hated bees and another who thought it would be hilarious to give the registry a bee-themed name.
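The 0xBEE0BEE0 value is the signature the kernel keeps on its in-memory hive structure; what sits on disk is a 4096-byte base block that starts with the ASCII magic "regf" instead. The parser below is an added example, not code from Project Zero or from Microsoft, written for the triage a forensics script does on a hive file: check the magic, compare the primary and secondary sequence numbers (they differ when a write was in flight and the transaction logs must be replayed), decode the last-written FILETIME, and recompute the base block checksum, which the publicly documented format defines as the XOR of the 127 DWORDs covering bytes 0 to 507 (with 0 stored as 1 and 0xFFFFFFFF as 0xFFFFFFFE). The hive is constructed in the script itself, so the file name, timestamp and sequence numbers are sample values rather than data from any real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# In-memory hive signature discussed in the Project Zero post (HHIVE.Signature).
# On disk, the base block instead starts with the ASCII magic "regf".
HIVE_SIGNATURE = 0xBEE0BEE0
REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096
_HEADER_FMT = "<4sIIQIIIIIII"  # fields at offsets 0..47 of the base block
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample timestamp for the hive built below.
SAMPLE_WRITTEN = datetime(2025, 4, 18, 12, 0, tzinfo=timezone.utc)


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in bytes 0..507 of the base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    # Windows maps the two degenerate results to neighbouring values.
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum if csum != 0 else 1


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def build_base_block(primary_seq: int, secondary_seq: int, written: datetime,
                     file_name: str = r"\??\C:\CONSTRUCTED\SAMPLE") -> bytes:
    """Construct a minimal, internally consistent 'regf' base block (sample data only)."""
    blk = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into(_HEADER_FMT, blk, 0, REGF_MAGIC, primary_seq, secondary_seq,
                     datetime_to_filetime(written),
                     1, 5,    # major / minor format version
                     0, 1,    # file type (0 = primary), file format (1 = direct memory load)
                     0x20,    # root cell offset, relative to the first hbin
                     0x1000,  # hive bins data size
                     1)       # clustering factor
    blk[48:48 + 64] = file_name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", blk, 508, regf_checksum(blk))
    return bytes(blk)


def parse_base_block(block: bytes) -> dict:
    """Decode the base block and run the consistency checks a triage script needs."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("base block must be 4096 bytes")
    (magic, primary, secondary, ft, major, minor, ftype, fformat,
     root, bins_size, cluster) = struct.unpack_from(_HEADER_FMT, block, 0)
    name = block[48:48 + 64].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored = struct.unpack_from("<I", block, 508)[0]
    return {
        "magic_ok": magic == REGF_MAGIC,
        "primary_seq": primary,
        "secondary_seq": secondary,
        # Unequal sequence numbers mean a write was in flight: replay the .LOG files first.
        "dirty": primary != secondary,
        "last_written": filetime_to_datetime(ft),
        "version": (major, minor),
        "file_type": ftype,
        "file_format": fformat,
        "root_cell_offset": root,
        "bins_size": bins_size,
        "clustering_factor": cluster,
        "file_name": name,
        "checksum_ok": stored == regf_checksum(block),
    }


if __name__ == "__main__":
    hive = build_base_block(7, 7, SAMPLE_WRITTEN)
    for key, value in parse_base_block(hive).items():
        print(f"{key:18} {value}")
    # A single flipped byte in the header region invalidates the stored checksum.
    damaged = bytearray(hive)
    damaged[60] ^= 0xFF
    print("tampered checksum_ok:", parse_base_block(bytes(damaged))["checksum_ok"])
```

The sequence-number and checksum checks are the two that matter when a hive is lifted from a live or crashed system: a dirty hive parsed without its transaction logs yields stale or inconsistent keys, and a checksum mismatch means the 512-byte header itself was altered, whether by disk corruption or by hand.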