Security Affairs

MARCH 28, 2024

Google’s Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively exploited zero-day vulnerabilities in 2023. In 2023, Google (TAG) and Mandiant discovered 29 out of 97 vulnerabilities exploited in the wild. ” reads the report published by Google TAG.

Government 120

Government Surveillance Cybercrime Ransomware 120

Security Affairs

NOVEMBER 30, 2022

Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston. While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework likely linked Variston IT, a Spanish firm. ” TAG concludes.

Spyware 103

Spyware Surveillance Risk Internet 103

The Hacker News

JUNE 6, 2023

Tracked as CVE-2023-3079, the vulnerability has been described as a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on June 1, 2023.

Engineering 99

Engineering 99

Dark Reading

JULY 14, 2023

A bug in Zimbra email servers is already being exploited in the wild, Google TAG researchers warn.

87

87

The Hacker News

APRIL 14, 2023

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Clement Lecigne of Google's Threat Analysis Group (TAG) has been

Engineering 99

Engineering 99

The Hacker News

NOVEMBER 25, 2022

Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component.

Software 109

Software 109

Security Affairs

JULY 27, 2023

It was developed by Zimbra, Inc The vulnerability is reflected Cross-Site Scripting (XSS) that was discovered by Clément Lecigne of Google Threat Analysis Group (TAG). Google TAG researchers focus on identifying and countering advanced and persistent threats. Zimbra this week released version ZCS 10.0.2

Hacking 94

Hacking Cyber threats Risk Information Security 94

The Hacker News

DECEMBER 2, 2022

The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion

Engineering 94

Engineering 94

Krebs on Security

APRIL 15, 2024

. “Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out out of a possible 10). Neither August nor Chirp Systems responded to requests for comment.

Software 270

Software Mobile Marketing Engineering 270

Google Security

NOVEMBER 7, 2023

to develop Memory Tagging Extension (MTE) technology. These include but are not limited to: Shifting to memory safe languages such as Rust as a proactive solution to prevent the new memory safety bugs from being introduced in the first place. We are now happy to share the growing adoption in the ecosystem.

Software 78

Software Technology Architecture Mobile 78

Security Affairs

MARCH 29, 2023

Google’s Threat Analysis Group (TAG) discovered several exploit chains targeting Android, iOS, and Chrome to install commercial spyware. Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. links sent over SMS to users.

Spyware 95

Spyware Surveillance Firmware Internet 95

Threatpost

AUGUST 5, 2019

Buffer overflows, race conditions, use-after-free and more account for more than half of all vulnerabilities in the Android platform.

Accountability 57

Accountability Mobile 57

The Hacker News

MAY 20, 2022

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.

Spyware 98

Spyware 98

Krebs on Security

JUNE 8, 2021

Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks. Among the zero-days are: – CVE-2021-33742 , a remote code execution bug in a Windows HTML component.

Backups 288

Backups Cyber threats Ransomware Phishing 288

Security Affairs

JULY 30, 2023

The popular Threat Analysis Group (TAG) Maddie Stone wrote Google’s fourth annual year-in-review of zero-day flaws exploited in-the-wild [ 2021 , 2020 , 2019 ], it is built off of the mid-year 2022 review. ” reads the report published by Google TAG. Google's 2022 Year in Review of in-the-wild 0-days is out!

Firewall 94

Firewall Software Hacking Internet 94

Krebs on Security

AUGUST 9, 2022

This latest MSDT bug — CVE-2022-34713 — is a remote code execution flaw that requires convincing a target to open a booby-trapped file, such as an Office document. Microsoft this month also issued a different patch for another MSDT flaw, tagged as CVE-2022-35743.

Authentication 230

Authentication Internet Internet Cyber threats 230

Krebs on Security

DECEMBER 14, 2022

The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell , and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.

Social Engineering 185

Social Engineering Ransomware Software Engineering 185

Security Affairs

DECEMBER 20, 2023

.” The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. ” continues the advisory.

Surveillance 122

Surveillance Hacking Information Security 122

Security Affairs

APRIL 13, 2022

The remote code execution flaw, tracked as CVE-2020-17530, resides in forced OGNL evaluation when evaluated on raw user input in tag attributes. Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution – similar to S2-059.” ” reads the advisory published by Apache.

Software 137

Software Hacking Cybersecurity Information Security 137

Security Affairs

APRIL 2, 2024

The Unauthenticated Stored Cross-Site Scripting vulnerability was reported to Wordfence by the WordPress developer Webbernaut as part of the company Bug Bounty Extravaganza. Then the attacker can modify the raw request to contain an X-Forwarded-For header set to a malicious payload enclosed in script tags.

Accountability 126

Accountability Hacking Information Security 126

Security Affairs

APRIL 1, 2023

CISA has added nine flaws to its Known Exploited Vulnerabilities catalog, including bugs exploited by commercial spyware on mobile devices. Google TAG shared indicators of compromise (IoCs) for both campaigns. The experts pointed out that both campaigns were limited and highly targeted.

Spyware 90

Spyware Surveillance Mobile Education 90

Google Security

JUNE 30, 2020

Uninitialized memory bugs occur in C/C++ when memory is used without having first been initialized to a known safe value. These types of bugs can be confusing, and even the term “uninitialized” is misleading. Eliminating an entire class of such bugs is a lot more effective than hunting them down individually.

Software 76

Software DNS Media 76

Google Security

MAY 26, 2022

Chrome’s use of C++ is sadly no different here and the majority of high-severity security bugs are UAF issues. Hardware Memory Tagging to the Rescue MTE (Memory Tagging Extension) is a new extension on the ARM v8.5A Every 16 bytes of memory are assigned a 4-bit tag. Pointers are also assigned a 4-bit tag.

Technology 138

Technology Architecture Authentication Software 138

Security Affairs

SEPTEMBER 15, 2019

The Tor Project has raised $86,000 for a Bug Smash fund that it will use to pay developers that will address critical flaws in the popular anonymizing network. The Tor Project has raised $86,000 for a Bug Smash fund that was created to pay developers that will address critical security and privacy issues in the popular anonymizing network.

Advertising 86

Advertising Cryptocurrency Information Security 86

Security Affairs

JUNE 6, 2019

Bug 30565 : Sync nocertdb with privatebrowsing.autostart at startup Bug 30464 : Add WebGL to safer descriptions Translations update Update NoScript to 10.6.2 Bug 29969 : Remove workaround for Mozilla’s bug 1532530 Update HTTPS Everywhere to 2019.5.13 Bwloe the full changelog since Tor Browser 8.5:

Advertising 91

Advertising Mobile Information Security 91

SiteLock

AUGUST 27, 2021

which includes patches addressing three security vulnerabilities and several bug fixes. In addition to the security issues that were addressed, several bug fixes and improvements were included with this release including: A fix for mod_articles_latest and mod_articles_news that shows “Featured Articles”. recently released version 3.8.12

Malware 52

Malware 52

Security Affairs

JUNE 7, 2023

June 2023 security update for Android released by Google fixes about fifty flaws, including an Arm Mali GPU bug exploited by surveillance firms in their spyware. In March, Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome.

Spyware 94

Spyware Surveillance Firmware Hacking 94

Security Affairs

FEBRUARY 25, 2024

Iran Crisis Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign U.S.

Spyware 104

Spyware Cyber Insurance Hacking Advertising 104

Malwarebytes

SEPTEMBER 29, 2023

Bug tracking, software feature requests, task management, and wikis for each and every project are available to users. Dependabot has a square profile image and a “bot” tag. Regular accounts have a circular avatar and are also unable to properly replicate the bot tag signifier.

Accountability 108

Accountability Scams Social Engineering Passwords 108

Security Affairs

JANUARY 11, 2023

US CISA added Microsoft Exchange elevation of privileges bug CVE-2022-41080 to its Known Exploited Vulnerabilities Catalog. The post US CISA adds MS Exchange bug CVE-2022-41080 to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs. Follow me on Twitter: @securityaffairs and Facebook and Mastodon.

Ransomware 97

Ransomware Hacking Government Risk 97

Malwarebytes

SEPTEMBER 22, 2022

CVE-2022-40962 : (High )Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3. These bugs were found by Mozilla developers and the Mozilla Fuzzing Team. Some of these bugs showed evidence of memory corruption and it is likely that with enough effort some of these could have been exploited to run arbitrary code.

Risk 77

Risk Architecture 77

Security Affairs

APRIL 3, 2022

Sophos Firewall affected by a critical authentication bypass flaw Mar 20- Mar 26 Ukraine – Russia the silent cyber conflict Security Affairs newsletter Round 358 by Pierluigi Paganini Western Digital addressed a critical bug in My Cloud OS 5 CISA adds 66 new flaws to the Known Exploited Vulnerabilities Catalog. And how to prevent it?

Firewall 89

Firewall Hacking DDOS VPN 89

Security Affairs

APRIL 9, 2024

“V8 vulnerabilities are rarely “classic” memory corruption bugs (use-after-frees, out-of-bounds accesses, etc.) Almost every Chrome exploits observed in the wild between 2021 and 2023 triggered a memory corruption issue in a Chrome renderer process that was exploited for remote code execution (RCE).

Engineering 120

Engineering Software Hacking Information Security 120

SecureWorld News

JANUARY 26, 2021

Google's Threat Analysis Group (TAG) has been working for several months to try to identify who is behind an ongoing campaign targeting security researchers, specifically those who work on vulnerability research and development at a variety of organizations. Google's TAG team discovery: cyberattack motive.

Social Engineering 86

Social Engineering Engineering Accountability Malware 86

Malwarebytes

MARCH 8, 2021

Source: Wired) A bug in a shared SDK can let attackers join calls undetected across multiple apps. Source: Horti Daily) A federal judge has approved a $650m settlement of a privacy lawsuit against Facebook for allegedly using photo face-tagging and other biometric data without the permission of its users. Other cybersecurity news.

Social Engineering 87

Social Engineering VPN Engineering Passwords 87

Security Affairs

JANUARY 18, 2021

While conducting reconnaissance and fingerprinting the experts found three Apple hosts running a content management system (CMS) backed by Lucee , which is a dynamic, Java-based, tag and scripting language used for rapid web application development. ” reads the post published by the bug bounty hackers. Pierluigi Paganini.

Hacking 103

Hacking Authentication Firewall Information Security 103

SiteLock

AUGUST 27, 2021

addressed three major security vulnerabilities and 25 other bugs. Escaping the version string for use in generator tags: This prevents attackers from inserting malicious code into version strings to gain unauthorized access to WordPress sites. The 25 bug fixes include: Improved compatibility with PHP 7.2. WordPress 4.9.5

Malware 52

Malware 52