Security news
- Not just SSDs vanishing: Windows 11 KB5063878 has many more problems, and AutoCAD and OBS are affected too:
  - SSDs suddenly disappear from the system; in milder cases a reboot brings them back, but in severe cases the whole SSD can die with all data lost (SanDisk, ADATA, Kioxia and Corsair)
  - AutoCAD is forced to require launching as Admin, which forces a UAC (User Account Control) prompt
- Google will enforce third-party developer verification next year: Google Play Store developers must provide their real name, address, email and phone number (developer organizations must provide a D-U-N-S number and website verification; apps from anonymous developers will no longer be installable)
  - October 2025: developers can apply for the early access program
  - March 2026: verification opens to all developers
  - September 2026: the verification requirement takes effect first in four countries: Brazil, Indonesia, Singapore and Thailand
  - From 2027: the policy will be rolled out worldwide in phases
- 神盾 (Egis) partners with Sweden's Fingerprints on patent and technology licensing for the PC market
- No face, no fingerprint: a Rome research team developed WhoFi, a technique that identifies individuals from Wi-Fi signals alone:
  - It uses changes in Wi-Fi Channel State Information (CSI): as the electromagnetic waves interact with physical obstacles such as the human body, the amplitude and phase variations of the signal yield an "invisible signature" unique to each person
  - A deep neural network model learns to recognize the specific changes each person causes in the signal; even across different environments the system can still precisely identify the same person by analyzing the Wi-Fi interference pattern
  - WhoFi's accuracy is 95.5%
- Major password managers can leak logins in clickjacking attacks: six password managers have clickjacking weaknesses: 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce; all of their browser-based variants were found to leak sensitive info under certain scenarios
- How I Hacked McDonald's (Their Security Contact Was Harder to Find Than Their Secret Sauce Recipe)
- UK announces police vans will run facial recognition systems ("Facial recognition vans to be rolled out across police forces in England", Sky News): the vans scan passers-by while driving and check them against a criminal database for suspects
Standards / specifications
- NIST Finalizes ‘Lightweight Cryptography’ Standard to Protect Small Devices (8/13), aimed at IoT
  - Ascon-based (NIST Special Publication 800-232):
    - ASCON-128 AEAD
    - ASCON-Hash 256
    - ASCON-XOF 128
    - ASCON-CXOF 128
- NIST Releases Second Public Draft of Digital Identity Guidelines for Final Review (second public draft of the Digital Identity Guidelines)
  - Comprises four main documents: NIST SP 800-63 Revision 4 (the main guideline document), SP 800-63A (identity proofing and enrollment), SP 800-63B (authentication and authenticator management), SP 800-63C (federated identity)
  - Passkeys: SP 800-63B
  - Digital wallets and credentials: SP 800-63C
Tools
- PostgreSQL 13 EOL Notice: PostgreSQL 13 will stop receiving fixes on November 13, 2025.
- NGINX Introduces Native Support for ACME Protocol: NGINX now supports the ACME protocol natively, so TLS certificate issuance and automatic renewal can be done directly in the configuration file without installing Certbot
  - Only the HTTP-01 challenge type is supported
- jQuery 4.0.0 Release Candidate 1: includes removing support for IE before version 11
- google osv-scanner v2.2.2: adds support for Java reachability analysis to identify uncalled vulnerabilities in JAR files
Security incidents
- Intel website security flaw: 270,000 employee records and confidential reports exposed
  - Large amounts of sensitive data could be obtained, including employee names, job titles, phone numbers, email addresses, and documents such as confidential product reports and non-disclosure agreements (NDAs)
  - with hardcoded secrets providing access to a platform marked "Intel Confidential" and "For Internal Use Only," designed to add newly announced products to the company's ARK database. Worse, Zveare found a GitHub personal access token that could be used
Vulnerabilities
- PostgreSQL
  - EUVD-2025-24810, CVE-2025-8714: 8.8 High, pg_dump lets superuser of origin server execute arbitrary code in psql client
  - EUVD-2025-24809, CVE-2025-8715: 8.8 High, PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server
    (allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name)
  - Fixed: 17.6, 16.10, 15.14, 14.19, and 13.22
- Docker Desktop for Windows/Mac: SSRF vulnerability could let an attacker take control of the entire host
  - EUVD-2025-25308, CVE-2025-9074, CVSS v4 9.3 Critical: allows locally running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled
  - Fixed: 4.44.3, released 2025-08-22
- Apache Tomcat: Improper Resource Shutdown or Release vulnerability
  - CVE-2025-48989, 7.5 High: DoS in HTTP/2 (the "Made You Reset" attack)
  - Fixed: v11.0.10+, v10.1.44+, v9.0.108+
- GitLab
  - EUVD-2025-24600, CVE-2025-6186, 8.7 High: allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names
  - CVE-2025-7734, 8.7 High: cross-site scripting issue in blob viewer
  - CVE-2025-7739, 8.7 High: cross-site scripting issue in labels
  - Fixed: 18.2.2, 18.1.4, 18.0.6
- jsPDF, a library to generate PDFs in JavaScript: Parsing of Corrupt PNGs Leads to Potential Denial of Service (DoS)
  - EUVD-2025-25806, CVE-2025-57810, 8.7 High: user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.
  - Fixed: v3.0.2
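The jsPDF entry above turns on unsanitized image data reaching addImage. The following Python validator is an added example, not jsPDF code: it is the kind of cheap pre-filter a practitioner would place at the boundary where untrusted images arrive (for instance a backend that receives an upload before the bytes are ever handed to a PDF generator). It checks the PNG signature, walks the chunk list, verifies every chunk CRC, validates the IHDR fields and caps the dimensions, all without decoding pixel data. The size limits and the sample files are constructed assumptions; the filter complements upgrading to jsPDF 3.0.2 and does not replace it.

```python
"""
Added example: reject malformed or oversized PNGs before they reach an image
parser such as jsPDF's addImage. Not part of jsPDF; the limits are assumptions.
"""
import struct
import zlib
from typing import Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed policy limits; tune them for your application.
MAX_DIMENSION = 8192
MAX_PIXELS = 20_000_000


class InvalidPng(ValueError):
    """Raised when the bytes are not a well-formed PNG within policy limits."""


def iter_chunks(data: bytes):
    """Yield (chunk_type, payload) after checking the signature, each chunk's
    declared length against the buffer, and each chunk's CRC. Stops at IEND
    and rejects trailing bytes."""
    if not data.startswith(PNG_SIGNATURE):
        raise InvalidPng("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise InvalidPng("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:
            raise InvalidPng("chunk length exceeds PNG limit")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise InvalidPng(f"truncated {ctype.decode('latin-1')} chunk")
        payload = data[start:end]
        (stored_crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
            raise InvalidPng(f"CRC mismatch in {ctype.decode('latin-1')} chunk")
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            if pos != len(data):
                raise InvalidPng("trailing data after IEND")
            return
    raise InvalidPng("missing IEND chunk")


def validate_png(data: bytes) -> dict:
    """Return basic IHDR facts if the PNG is well-formed and within limits,
    otherwise raise InvalidPng. Pixel data is deliberately not decoded."""
    chunks = iter_chunks(data)
    first = next(chunks, None)
    if first is None or first[0] != b"IHDR" or len(first[1]) != 13:
        raise InvalidPng("first chunk must be a 13-byte IHDR")
    width, height, bit_depth, color_type, compression, filt, interlace = struct.unpack(">IIBBBBB", first[1])
    if width == 0 or height == 0 or width > MAX_DIMENSION or height > MAX_DIMENSION:
        raise InvalidPng(f"dimensions {width}x{height} outside policy")
    if width * height > MAX_PIXELS:
        raise InvalidPng("pixel count outside policy")
    if (bit_depth not in (1, 2, 4, 8, 16) or color_type not in (0, 2, 3, 4, 6)
            or compression != 0 or filt != 0 or interlace not in (0, 1)):
        raise InvalidPng("invalid IHDR fields")
    saw_idat = False
    for ctype, _ in chunks:  # continues CRC-checking every remaining chunk
        if ctype == b"IDAT":
            saw_idat = True
    if not saw_idat:
        raise InvalidPng("missing IDAT chunk")
    return {"width": width, "height": height, "bit_depth": bit_depth, "color_type": color_type}


def classify(data: bytes) -> str:
    """'ok' or 'rejected: <reason>'; convenient for logging at an upload boundary."""
    try:
        validate_png(data)
        return "ok"
    except InvalidPng as exc:
        return f"rejected: {exc}"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def make_png(width: int, height: int, claimed: Optional[Tuple[int, int]] = None) -> bytes:
    """Constructed 8-bit grayscale PNG of all-zero pixels. `claimed` writes a
    different width/height into IHDR than the pixel data really has."""
    w, h = claimed or (width, height)
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter byte 0 per row
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


SAMPLES = {  # constructed inputs, not real files
    "good": make_png(2, 2),
    "truncated": make_png(2, 2)[:-1],
    "bad_crc": make_png(2, 2)[:-4] + b"\x00\x00\x00\x00",
    "oversized_header": make_png(1, 1, claimed=(100_000, 100_000)),
    "not_png": b"GIF89a" + bytes(20),
}


def check_samples() -> dict:
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:18} {verdict}")
```

The validator rejects the three cheap-to-detect failure classes (bad structure, bad CRC, absurd dimensions) before any decoder touches the bytes; a file that passes can still be expensive to decode, so the parser behind it should itself be a patched version.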
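The CVE-2025-8715 entry in the PostgreSQL item above describes psql meta-commands smuggled into a dump through an object name that contains a newline. The following scanner is an added example, not PostgreSQL project code: it lints a plain-format dump before the file is piped to psql and reports every meta-command line that is not on an allowlist of commands pg_dump itself is expected to write. The sample dump text is constructed, the allowlist (including the `\restrict` / `\unrestrict` guard commands assumed to be emitted by the fixed releases) is an assumption to adjust for the pg_dump version in use, and upgrading the client to a fixed version remains the actual fix.

```python
"""
Added example: lint a plain-format pg_dump file before piping it to psql.
Not PostgreSQL project code; the allowlist below is an assumption.
"""
import re
import sys
from typing import List, Tuple

# psql treats any line that starts with a backslash (outside a quoted string or
# comment) as a meta-command. These are the only ones a dump is expected to
# carry. ASSUMPTION: \restrict/\unrestrict are the guard commands emitted by
# fixed pg_dump versions; trim or extend this set for the version you run.
ALLOWED_META = {"\\connect", "\\restrict", "\\unrestrict"}

META_LINE = re.compile(r"^\s*(\\[A-Za-z!?]+)")


def find_suspicious_meta_commands(dump_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each meta-command line not in ALLOWED_META.

    Lines inside multi-line string literals can be false positives; they are
    still reported so a human can look at them before the restore runs."""
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        m = META_LINE.match(line)
        if m and m.group(1) not in ALLOWED_META:
            findings.append((lineno, line.rstrip()))
    return findings


def is_safe_to_restore(dump_text: str) -> bool:
    """True when no unexpected meta-command line was found."""
    return not find_suspicious_meta_commands(dump_text)


# Constructed dump fragment: the "-- Name:" header comment for one object is
# cut short by a newline inside the object name, so the following line starts
# at column one and psql would read it as a meta-command, not as comment text.
SAMPLE_DUMP = r"""--
-- PostgreSQL database dump
--
\restrict abc123
SET client_encoding = 'UTF8';
--
-- Name: orders; Type: TABLE; Schema: public; Owner: app
--
CREATE TABLE public.orders (id integer NOT NULL);
--
-- Name: x
\! echo injected-meta-command
-- ; Type: TABLE; Schema: public; Owner: app
--
\unrestrict abc123
"""


def main(argv: List[str]) -> int:
    """Lint the file named on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    findings = find_suspicious_meta_commands(text)
    for lineno, line in findings:
        print(f"line {lineno}: unexpected psql meta-command: {line}")
    print("dump looks clean" if not findings else f"{len(findings)} line(s) need review")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python lint_dump.py backup.sql` in the restore pipeline and stop on a non-zero exit; the check is a review gate for dumps taken from servers you do not fully trust, not a substitute for a patched psql.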
AI
- MIT study warns ChatGPT makes the brain lazy: when writing with ChatGPT assistance, EEG activity dropped by nearly half compared with unaided writing, 83% of participants could not remember what they had just written, and over-reliance on AI may affect memory and creativity and even raise the risk of dementia
  - Paper: "Your Brain on ChatGPT: Accumulation of Cognitive Debt when Using an AI Assistant for Essay Writing Task"
- Google releases its latest text-to-image model, Imagen 4: "Announcing Imagen 4 Fast and the general availability of the Imagen 4 family in the Gemini API" (Google Developers Blog)
- Perplexity announces a new revenue-sharing program for news publishers: when the AI assistant uses a news article to answer a user's question, it pays the publisher (but is this enough to rescue the old click-driven SEO business model for content?)
- GPT-5 for Coding: OpenAI publishes a programming guide with prompting tips to help developers vibe-code more effectively (guide)
  - a) Use XML <tags> to structure rules and examples (XML-like syntax)
  - #5. Give room for planning and self-reflection
  - #6. Control the eagerness of your coding agent