
Wednesday, 8 March 2017

Google employees help thousands of open source projects patch a critical flaw

In the name of God, the Most Gracious, the Most Merciful


Peace, mercy and blessings of God be upon you


Last year, Google employees took the initiative to help thousands of open source projects patch a critical remote code execution vulnerability in the widely used Apache Commons Collections (ACC) library.

The initiative, called Operation Rosehub, involved some 50 Google employees who volunteered their 20 percent time to patch more than 2,600 open source projects on GitHub that were exposed to the "Mad Gadget" vulnerability.

Mad Gadget (CVE-2015-6420) is a Java deserialization flaw in the Apache Commons Collections (ACC) library: when an application deserializes untrusted data with a vulnerable ACC version on its classpath, a remote, unauthenticated attacker can execute arbitrary code on the system.

The ACC library is used by a great many Java applications, including to decode serialized data tokens passed between machines. To exploit the flaw, all an unauthenticated attacker needs to do is supply maliciously crafted serialized input to an application on the target system that uses the ACC library.

As soon as the vulnerable ACC library deserializes that content, the attacker's code runs on the compromised system, which can then be used as a foothold for further attacks.
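The pattern behind Mad Gadget, as an added example in Java (this is not code from the original post, from Google's Operation Rosehub patches, or from the ACC project): a plain `ObjectInputStream.readObject()` instantiates whatever class the attacker-controlled stream names, so with a vulnerable ACC (before 3.2.2 / 4.1) on the classpath a crafted stream referencing a class such as `org.apache.commons.collections.functors.InvokerTransformer` runs code during deserialization. The hardened reader overrides `resolveClass()` to reject any class that is not on an allow-list before it is loaded. The `Token` class, the allow-list, and the sample inputs in `main` are constructed for the example; the rejected stream uses a `HashMap` as a stand-in so the program runs without ACC installed.

```java
import java.io.*;
import java.util.*;

public class SafeDeserialization {

    /** The only object type this (hypothetical) service expects on the wire. */
    public static final class Token implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String user;
        public final long issuedAt;
        public Token(String user, long issuedAt) {
            this.user = user;
            this.issuedAt = issuedAt;
        }
    }

    /**
     * VULNERABLE PATTERN: the stream, not the application, decides which
     * classes get instantiated. With a vulnerable Apache Commons Collections
     * on the classpath, a crafted stream naming its functor classes
     * (e.g. InvokerTransformer) executes attacker-chosen code inside readObject().
     */
    public static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /**
     * HARDENED READER: resolveClass() runs before a named class is loaded,
     * so a stream that references anything outside the allow-list is rejected
     * before any gadget constructor or readObject() hook can run.
     */
    public static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                // Reject by name; the class is never loaded or instantiated.
                throw new InvalidClassException(desc.getName(), "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Deserialize untrusted bytes, accepting only our own Token class. */
    public static Token safeReadToken(byte[] untrusted) throws IOException, ClassNotFoundException {
        Set<String> allowed = new HashSet<>(Collections.singletonList(Token.class.getName()));
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(untrusted), allowed)) {
            return (Token) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input 1: a legitimate token is accepted.
        byte[] good = serialize(new Token("alice", 1488931200L));
        System.out.println("accepted token for user: " + safeReadToken(good).user);

        // Constructed sample input 2: a stream naming a class we did not expect.
        // A HashMap stands in for an ACC gadget class so this runs without ACC;
        // the allow-list check fires identically for a real gadget stream.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            safeReadToken(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected stream naming class: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing, via `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("SafeDeserialization$Token;!*"))`. Either way the allow-list is the real fix for the application; upgrading ACC to 3.2.2 or 4.1 (which disable deserialization of the unsafe functors by default) removes one gadget chain but does not make deserialization of untrusted input safe.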

Remember the ransomware attack on the San Francisco Muni transit system? Late last year, an anonymous attacker was able to infect and take over more than 2,000 computers by exploiting this same Mad Gadget flaw in software used to run the city's public transport system.

Following public disclosure of the Mad Gadget flaw, almost every major commercial vendor, including Oracle, Cisco, Red Hat, VMware, IBM, Intel, Adobe, HP, Jenkins, and SolarWinds, officially acknowledged that their products might be affected and shipped patches for their own software.


However, months after all the big companies had patched, a Google employee noticed that many prominent open source libraries still depended on vulnerable versions of the ACC library.

"We recognized that the industry best practices had failed. An action was needed to keep the open source community safe. So rather than simply posting a security advisory asking everyone to address the vulnerability, we formed a task force to update their code for them. That initiative was called Operation Rosehub," wrote Justine Tunney, a software engineer on TensorFlow, on the Google Open Source Blog.

Under Operation Rosehub, patches were sent to a large number of open source projects, although the Google employees could only fix open source projects on GitHub whose build files directly referenced vulnerable versions of the ACC library; projects that pulled in ACC only transitively, or that live outside GitHub, were out of reach.

According to the Google Open Source Blog post, had the San Francisco Municipal Transportation Agency's software systems been open source, Google engineers could have delivered Mad Gadget patches to them as well, and the systems might never have been breached.
