GitHub Updates Policy to Remove Exploit Code When Used in Active Attacks

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.


Code-hosting platform GitHub Friday officially announced a series of updates to the site’s policies that delve into how the company deals with malware and exploit code uploaded to its service.

“We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits,” the Microsoft-owned company said. “We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.”

password auditor

Stating that it will not allow the use of GitHub in direct support of unlawful attacks or malware campaigns that cause technical harm, the company said it may take steps to disrupt ongoing attacks that leverage the platform as an exploit or a malware content delivery network (CDN).

To that end, users are refrained from uploading, posting, hosting, or transmitting any content that could be used to deliver malicious executables or abuse GitHub as an attack infrastructure, say, by organizing denial-of-service (DoS) attacks or managing command-and-control (C2) servers.

“Technical harms means overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring,” GitHub said.

GitHub hacking policy

In scenarios where there is an active, widespread abuse of dual-use content, the company said it might restrict access to such content by putting it behind authentication barriers, and as a “last resort,” disable access or remove it altogether when other restriction measures are not feasible. GitHub also noted that it would contact relevant project owners about the controls put in place where possible.

The changes come into effect after the company, in late April, began soliciting feedback on its policy around security research, malware, and exploits on the platform under a clearer set of terms that would remove the ambiguity surrounding “actively harmful content” and “at-rest code” in support of security research.

By not taking down exploits unless the repository or code in question is incorporated directly into an active campaign,…


Google Finds New Exploit That Alters Chip Memory

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

Endpoint Security
Fraud Management & Cybercrime

Latest Rowhammer Technique Targets Design Flaws in Modern DRAM Chips

Google Finds New Exploit That Alters Chip Memory
Source: Google Security Blog

Researchers at Google have identified a new Rowhammer technique, dubbed Half-Double, which exploits design flaws in modern DRAM chips to alter their memory content.

See Also: Live Webinar | The Role of Passwords in the Hybrid Workforce

First discovered in 2014, Rowhammer is a DRAM vulnerability in which repeated access to one address can tamper with data stored in other addresses.

“Much like speculative execution vulnerabilities in CPUs, Rowhammer is a breach of security guarantees made by the underlying hardware. As an electrical coupling phenomenon within the silicon itself, Rowhammer allows the potential bypass of hardware and software memory protection policies. This can allow untrusted code to break out of its sandbox and take full control of the system,” the researchers at Google note.

The 2014 paper, however, discusses the DDR3, the mainstream DRAM generation at the time. In 2015, the Mountain View, California-based company’s Project Zero, which was tasked with finding zero-day vulnerabilities, released an exploit that escalates working privilege.

In response to the exploit, chip manufacturers implemented proprietary logic in their products that attempted to track frequently accessed addresses and reactively mitigate when necessary.

2014 saw the release of DDR4, which included built-in defense mechanisms, seemingly marking the end of Rowhammer.

In 2020, however, a paper on TRRespass…


Cisco fixes 6-month-old AnyConnect VPN zero-day with exploit code

Cisco fixes 6-month-old AnyConnect VPN zero-day with exploit code

Cisco has fixed a six-month-old zero-day vulnerability found in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code.

The company’s AnyConnect Secure Mobility Client allows working on corporate devices connected to a secure Virtual Private Network (VPN) through Secure Sockets Layer (SSL) and IPsec IKEv2 using VPN clients available for all major desktop and mobile platforms.

Cisco disclosed the zero-day bug tracked as CVE-2020-3556 in November 2020 without releasing security updates but provided mitigation measures to decrease the attack surface.

While the Cisco Product Security Incident Response Team (PSIRT) said that CVE-2020-355 proof-of-concept exploit code is available, it also added that there is no evidence of attackers exploiting it in the wild.

The vulnerability is now addressed n Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.

These new versions also introduce new settings to help individually allow/disallow scripts, help, resources, or localization updates in the local policy, settings that are strongly recommended for increased protection.

Default configurations not vulnerable to attacks

This high severity vulnerability was found in Cisco AnyConnect Client’s interprocess communication (IPC) channel, and it may allow authenticated and local attackers to execute malicious scripts via a targeted user.

CVE-2020-3556 affects all Windows, Linux, and macOS client versions with vulnerable configurations; however, mobile iOS and Android clients are not impacted.

“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled,” Cisco explains in the security advisory. “Auto Update is enabled by default, and Enable Scripting is disabled by default.”

As further disclosed by the company, successful exploitation also requires active AnyConnect sessions and valid credentials on the targeted device.

Cisco added that the vulnerability:

  • Is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
  • Is not remotely exploitable, as it requires local credentials on the end-user…