[HN Gopher] Zimbra 0-day used to steal email data from governmen...
___________________________________________________________________
Zimbra 0-day used to steal email data from government organizations
Author : hasheddan
Score : 88 points
Date : 2023-11-16 16:04 UTC (6 hours ago)
(HTM) web link (blog.google)
(TXT) w3m dump (blog.google)
| kstrauser wrote:
| Oh, XSS. It's the gift that keeps giving.
| j45 wrote:
| At some point I'm hoping AI can help with hardening by coming
| up with potentially novel security holes.
| kstrauser wrote:
| Right? Let's see some Hex Color Injection or Retina Inversion
| or Bytecode Reversal attacks. I want to see a flatline riding
| a black chrome shark into my browser. Enough of this "XSS"
| this and "Server-Side Request Forgery" that stuff.
| Obscurity4340 wrote:
| Is there very much a usecase for using AI to Xray a site and
| find all this bullshit in an automated fashion? The opposite
| seems so unreliable and unfashionable...
| dang wrote:
| [stub for offtopicness]
| mmoya wrote:
| Post deleted, archive.org has it
| https://web.archive.org/web/20231116160518/https://blog.goog...
| aa_is_op wrote:
| Nah. It's live. Their CDN had a hiccup.
| kyrra wrote:
| Odd, looks like it was deleted? It's on archive.org though.
|
| https://web.archive.org/web/20231116160518/https://blog.goog...
|
| EDIT: updated URL here: https://blog.google/threat-analysis-group/zimbra-0-day-used-...
| blakesterz wrote:
| I think the URL just changed to
|
| https://blog.google/threat-analysis-group/zimbra-0-day-used-...
| dang wrote:
| Fixed now. Submitted URL was https://blog.google/threat-analysis-group/zimbra-0-day-used-.... Thanks!
| dspillett wrote:
| This is a timely reminder to anyone still using Zimbra 8.x.x that
| it reaches EOL at the end of next month. There is no official
| open release of later versions despite much being covered by open
| source licenses. If you have not already moved off Zimbra you
| need to, ASAP, do one of the following:
|
| 1. Pay for Zimbra and upgrade that way.
|
| 2. Try to compile up a later version yourself...
|
| 3. Migrate to one of the forks that sprang up (most of them are
| dead though, Zextras/Carbonio is still going but last time I
| looked the system requirements were a bit daft for what little
| functionality I actually need)
|
| 4. Migrate to something else entirely.
| jsilence wrote:
| Not sure what you are talking about. To me it looks like you
| can just DL and install 9.0 or 10.0 community release. Am I
| missing something?
|
| https://www.zimbra.com/product/download/zimbra-collaboration...
| slipheen wrote:
| Looking at the links on that page, the only links for 9.0 or
| 10.0 look to be for the network edition (non-OSS).
|
| I'm not familiar with the situation, but reading through
| https://blog.zimbra.com/2020/05/is-zimbra-open-source-yes-fa...
| suggests that they do still provide source for at least
| some portions of 9.x, but they no longer provide binaries or
| packages.
|
| It looks like some components may be missing ("Modern UI"),
| but I don't know if it's usable without them.
| doublerabbit wrote:
| I'm one of those who needs to upgrade and the pre-sales part is
| hell.
|
| Either you're not big enough to get any priority (they never
| reply), or the costs are just too stupid for a personal account
| with 5-10 mailboxes.
|
| I host on-prem too, via colocation, which then increases the
| cost ten-fold. It's as if these companies don't want customers.
|
| Liked the look of the IceWarp suite, and yet they've been
| non-existent in sales, which I end up expecting throughout.
| willk wrote:
| It feels like they waited a long time to post an advisory for an
| exploit that was being actively used by threat actors, more than
| a week after they pushed a fix to their repositories. Why not
| give customers a heads up prior? At least give your users a
| fighting chance.
___________________________________________________________________
(page generated 2023-11-16 23:00 UTC)