Wednesday 2025-03-12 Assorted Links
Published: 2025-03-12

Assorted links for Wednesday, March 12:

  1. Zen and the Art of Microcode Hacking

    The root cause of the EntrySign vulnerability is that the AMD Zen microcode signature verification algorithm uses the CMAC function as a hash function; however, CMAC is a message authentication code and does not necessarily provide the same security guarantees as a cryptographic hash function.

    The weakness of using CMAC as a hash function is that anyone who has the encryption key is able to observe the intermediate values of the encryption and calculate a way to “correct” the difference so that the final output remains the same, even if the inputs are completely different.

  2. Thousands of websites hit by four backdoors in 3rd party JavaScript attack

    While analyzing threats targeting WordPress frameworks, we found an attack where a single 3rd party JavaScript file was used to inject four separate backdoors into 1,000 compromised websites using cdn.csyndication[.]com/.

    Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed. A unique case we haven’t seen before. Which introduces another type of attack made possible by abusing websites that don’t monitor 3rd party dependencies in the browser of their users.

  3. How to debug code with GitHub Copilot

    GitHub Copilot can streamline your debugging process by troubleshooting in your IDE, analyzing pull requests, and more, helping you tackle issues faster and more robustly.

  4. Finding leaked passwords with AI: How we built Copilot secret scanning

    Passwords are notoriously difficult to detect with conventional programming approaches. AI can help us find passwords better because it understands context. This blog post will explore the technical challenges we faced with building the feature and the novel and creative ways we solved them.

  5. Monads

    If you understand what a functor is, it should be easy to grasp the idea of a monad. It’s a functor you can flatten.