Anyway, enjoy https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43498, which was rated 9.8 / 10.0 even though I have very high confidence no production service is actually susceptible to this attack, because: (a) the impacted API is so new that no production service is consuming it yet; and (b) I can't imagine any real, non-theoretical production service ever meeting the criteria necessary for successful exploit.
Speaking as the person who found CVE-2024-43498, I have to vent a bit about the CVSS values assigned to library code. We typically ask ourselves "if absolutely everything goes wrong all at once, what's the worst-case scenario?" - and it creates unrealistically high scores. Bonkers high scores. Because we assume you're using some API in a critical web service with no authentication in front of it, no health monitoring, a narrow and predictable address space, etc.
A PSA to my fellow Washingtonians --
New to the state or changed your address within the past few months? Today (Oct. 28) is the last day to update your voter registration online at https://votewa.gov/ before the Nov. 5 general election.
If you miss this deadline, you can still go to an election site in person to register or update your registration all the way through the end of Nov. 5. But I think we'd all agree that's much less convenient. :)
Did you know that the University of Florida has a really detailed early vote tracking web site?
https://election.lab.ufl.edu/early-vote/2024-early-voting/
As of this writing (Sunday afternoon), over 40 million of my fellow Americans have voted. 🥳 And come tomorrow evening, once they ingest the updated Washington state weekend tallies, my little +1 will be in there as well.
Publishing these documents helps our consumers better use our components in a reliable and secure manner. It gives people confidence in the safety of our code base and our review process. And it gives a minor glimpse into .NET security team operations, including the pitfalls we try to be mindful of during API design processes.
Enjoy!
3/FIN
But I am happy to say we're making some significant progress here! Just a few minutes ago I submitted a PR with threat models / security designs for some commonly-used building blocks within the .NET ecosystem:
2/
Over the past few months, I've been trying to lead an effort within the .NET team to make threat models and other security design documents publicly available to our consumers. This is a non-trivial amount of work since it involves getting the data into a format appropriate for external consumption, re-reviewing the docs in the context of other .NET ecosystem efforts, and getting publication signoff from multiple teams. 1/