Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-10-31 to 2022-11-07.
The OpenSSL update was published and the CVE was downgraded from Critical to High. The OpenSSL blog provides some additional information, and Datadog provided a great initial analysis.
This vulnerability is not likely to be exploited in the wild: for exploitation, a client or server must be configured to verify a certificate that contains a malicious email address.
Filippo has a great post-mortem of this issue. The main question about this vulnerability was definitely why it happened in the first place.
Also, hanno asked how the code made it into production. The vulnerability is in a parser function, which makes it an ideal candidate for fuzzing. In summary, OpenSSL added new C parser code without doing any basic security testing.
Cyber Geeks published an analysis of the Pegasus spyware, which was originally attributed to NSO by Lookout.
The full proceedings of the USENIX symposium are available online: endless hours of recorded talks and hundreds of pages of papers and slides to read.