The event lasted 2 hours. Repeating everything that has been said is difficult and makes little sense. Those who want can watch the full video or read the article about the event (both in Russian). Here I would like to share my impressions, compare this event with last year’s and express my position.
Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.
A fairly common problem: we have a CVE without an available CVSS vector and score. For example, this was the case with CVE-2022-1364 Type Confusion in V8 (Chromium). This vulnerability does not exist in NVD.
Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about malicious open source and the cost of using someone else’s code.
To be honest, at the beginning of the year I did not plan to talk about these things. But life changes rapidly and unpredictably, so it becomes impossible not to talk about this.
Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my Vulristics project. I decided to add more comment sources. Because it’s not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers.
You can see them in my automated security news telegram channel avleonovnews after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.
Hello everyone! After a two-year break, I took part in Moscow CISO Forum 2022 with a small talk “Malicious open source: the cost of using someone else’s code”.
CISO Forum is the first major Russian conference since the beginning of The New Reality of Information Security (TNRoIS). My presentation was just on this topic. How malicious commits in open source projects change development and operations processes. I will make a separate video about this (upd. added Malicious Open Source: the cost of using someone else’s code). In this episode, I would like to tell you a little about the conference itself.
Hello everyone! In this episode, let’s take a look at the latest vulnerabilities in Gitlab. On March 31, the Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE) was released. GitLab recommends that all installations running a version affected by the issues described in the bulletin are upgraded to the latest version as soon as possible.
Unfortunately, Gitlab, as well as some other Western companies, is currently hostile to the country where I live and work. So their calls to immediately install updates now have additional connotations. If Gitlab is so clearly politically motivated that even the logo on their site has been recolored in a certain way, then what else can be expected from their updates? Backdoors? Malicious functionality that wipes data? Quite possible. IMHO, when companies are so willing to mix geopolitical messages and business, it exposes them as unreliable vendors that should be avoided.
But let’s get back to vulnerabilities. There are 17 CVEs in the bulletin. We will start with the most critical one.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.
