Comment by xmodem
5 years ago
This is truly the stuff of nightmares, and I'm definitely going to review our CI/CD infrastructure with this in mind. I'm eagerly awaiting learning what the initial attack vector was.
9 times out of 10, through the front door. Some shit in a .doc, .html or .pdf. The Google-China hack started with targeted PDFs.
If people didn't allow macros in Excel, stayed in read-only mode in Word and only opened sandboxed PDFs (convert to images in sandbox, OCR result, stitch back together), we would see a sharp decline in successful breaches. But that would be boring.
I think opening all PDFs in a browser would be good enough™ as browser sandboxes are about as secure as sandboxing gets.
How is such an attack even possible? A bug in LibreOffice, the browser, or Evince?
PDF is a nightmare format, including such gems as JavaScript IIRC; it's not surprising that it can be used to make exploits in reader software.
Remember how Adobe removed Flash support from Acrobat a couple of years back? Attacks like this are why. Well, and Flash had other issues, too.
I'm not sure when you started using PDFs (I remember mid-90s when my Dad told me about this cool new document format that would standardize formats across platforms, screen and paper!), but hardly anything is static any more.
The nexus of unsafe programming languages and exploit markets, where for the right price you can purchase undisclosed bugs basically ready to use. Modern offensive security is essentially a bit like shopping in Ikea.