Cybersecurity Newsletter, October 26 - November 8
Qrator Newsletter

Hello and welcome back to our weekly news recap! This time we are interested in the most exciting articles and papers published in two weeks - between October 26 and November 8, 2020.

Google’s Project Zero discloses Windows 0-day that’s been under active exploit

"CVE-2020-117087, as the vulnerability is tracked, allows attackers to escalate system privileges. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.
CVE-2020-117087 stems from a buffer overflow in a part of Windows used for cryptographic functions. Its input/output controllers can be used to pipe data into a part of Windows that allows code execution. Friday's post indicated the flaw is in Windows 7 and Windows 10 but made no reference to other versions."

Find bugs in your DNS zone files before deployment

"To help DNS engineers prevent DNS-related outages, we developed GRᴏᴏᴛ, which can validate properties of interest for all possible DNS queries or provide a counterexample. DNS engineers can use GRᴏᴏᴛ before deploying zone files to catch any bugs in them.

GRᴏᴏᴛ is an open-sourced static verification tool for DNS zone files presented through our paper at SIGCOMM 2020, which won a Best Student Paper award this year."

bddisasm: The Bitdefender x86 Disassembler

"Unlike a RISC architecture, x86 has a large number of instructions that may access memory in a complicated, read-modify-write (RMW) manner, and using complicated addressing schemes. In order to simplify instruction decoding and analysis, a dedicated x86 instruction decoder has been created, capable of providing full instruction information, and thus alleviating the HVMI module from needing to know x86 instructions format. This blog post will detail some bddisasm internals, how to work with it, while highlighting why it is a critical part of HVMI. In addition, we will go through some particularities of x86 instruction encoding."

Chrome Root Program

"Historically, Chrome has integrated with the Root Store provided by the platform on which it is running. Chrome is in the process of transitioning certificate verification to use a common implementation on all platforms where it's under application control, namely Android, Chrome OS, Linux, Windows, and macOS. Apple policies prevent the Chrome Root Store and verifier from being used on Chrome for iOS. This will ensure users have a consistent experience across platforms, that developers have a consistent understanding of Chrome's behavior, and that Chrome will be better able to protect the security and privacy of users' connections to websites."

Standing on Our Own Two Feet

"Now, those software platforms have trusted our root certificate for years. And the DST Root X3 root certificate that we relied on to get us off the ground is going to expire - on September 1, 2021. Fortunately, we’re ready to stand on our own, and rely solely on our own root certificate.
However, this does introduce some compatibility woes. Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt."

How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day

"Recently, I discovered a small but potentially devastating vulnerability in the new Tor feature of the Brave browser."

NAT Slipstreaming

"NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse. As it's the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions."

Process Herpaderping
"Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This results in curious behavior by security products and the OS itself."

Thanks for being a keen reader!

For feedback or any suggestions, please write to us at