Veracode Security

MARCH 13, 2024

The release of the February 2024 White House Technical Report, Back to the Building Blocks: A Path Towards Secure Measurable Software, brings about a timely shift in prioritizing software security. The report advocates for the adoption of…

Software 98

Software Risk 98

Schneier on Security

FEBRUARY 16, 2022

Google’s Project Zero is reporting that software vendors are patching their code faster. In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago.

Software 242

Software 242

Schneier on Security

NOVEMBER 17, 2022

But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter laid off about half of its workers , roughly 3,700 people. This is not a good sign.

Authentication 337

Authentication Passwords Accountability Media 337

Penetration Testing

MARCH 14, 2024

In a newly released Threat Analysis report, Cybereason Security Services has sounded the alarm about a dangerous wave of attacks targeting a critical vulnerability (CVE-2023-46604) in the Apache ActiveMQ messaging service.

Penetration Testing 89

Penetration Testing Ransomware Malware 89

Security Affairs

MARCH 14, 2024

Researchers analyzed ChatGPT plugins and discovered several types of vulnerabilities that could lead to data exposure and account takeover. Researchers from Salt Security discovered three types of vulnerabilities in ChatGPT plugins that can be could have led to data exposure and account takeovers. ” continues the report.

Accountability 129

Accountability Authentication Passwords Hacking 129

CyberSecurity Insiders

MARCH 22, 2023

Data breaches are a serious threat to organizations, but vulnerability management automation can help reduce the number of incidents businesses face each year. Managing vulnerabilities is difficult in an increasingly connected cyber environment. What is vulnerability management?

Data breaches 139

Data breaches Cyber threats Cybersecurity Government 139

Security Affairs

APRIL 17, 2024

The vulnerability is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker. The experts pointed out that there is very little knowledge about the Linux variant of the ransomware family. ” continues the report. ” states Cado Security.

Ransomware 137

Ransomware Encryption Malware Accountability 137

Security Affairs

MARCH 21, 2024

Ivanti urges customers to address a critical remote code execution vulnerability impacting the Standalone Sentry solution. Ivanti addressed a critical remote code execution vulnerability, tracked as CVE-2023-41724 (CVSS score of 9.6), impacting Standalone Sentry solution. This vulnerability affects all supported versions 9.17.0,

Authentication 117

Authentication Internet Internet Hacking 117

Malwarebytes

MARCH 26, 2024

The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn’t affect mobile versions of Firefox. The About Mozilla Firefox window will open. The vulnerabilities The vulnerabilities were found during the Pwn2Own Vancouver 2024 hacking competition.

Mobile 121

Mobile Risk Hacking Cybersecurity 121

Malwarebytes

APRIL 3, 2024

In April’s update for the Android operating system (OS) , Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Qualcomm CVE is listed as CVE-2023-28582.

Firmware 111

Firmware Software Mobile Risk 111

Security Affairs

OCTOBER 16, 2023

The popular encrypted messaging app Signal denied claims of an alleged zero-day vulnerability in its platform. The company launched an investigation into the claims after they have seen the vague viral reports alleging a zero-day vulnerability. PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability.

Spyware 110

Spyware Surveillance Encryption Mobile 110

Security Affairs

FEBRUARY 11, 2024

Raspberry Robin continues to evolve, it was spotted using two new one-day exploits for vulnerabilities either Discord to host samples. Since our last report, it is clear that Raspberry Robin hasn’t stopped implementing new features and tricks that make it even harder to analyze.” ” reads the report published by Checkpoint.

Malware 124

Malware Backups Manufacturing Hacking 124

Malwarebytes

MARCH 28, 2024

And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome. There is one critical vulnerability that looks like it might be of interest to cybercriminals.

Risk 112

Risk Cybersecurity 112

NetSpi Executives

MARCH 19, 2024

Vulnerability scanners help scan known assets, but what about the assets you don’t know exist? Why vulnerability scanners aren’t enough The issue lies in the fact that vulnerability scanners can only scan entities you tell them to. That’s where NetSPI ASM comes in.

Penetration Testing 97

Penetration Testing DNS Technology Internet 97

Malwarebytes

NOVEMBER 29, 2023

Google has released an update to Chrome which includes seven security fixes including one for a vulnerability which is known to have already been exploited. You can also end up on an older, vulnerable version if something goes wrong—such as an extension stopping you from updating the browser. So, it doesn’t hurt to check now and then.

Software 134

Software Risk Engineering Cybersecurity 134

Malwarebytes

FEBRUARY 9, 2024

In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”. This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure (version 9.1R14.4, and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and 22.5R1.2)

Authentication 105

Authentication Risk Cybersecurity 105

Malwarebytes

FEBRUARY 29, 2024

A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all. In his search for an account takeover vulnerability, the four times Meta Whitehat award receiver started by looking at the uninstall and reinstall process on Android.

Accountability 123

Accountability Passwords Authentication Risk 123

Malwarebytes

JANUARY 25, 2024

On January 22, 2024, software company Fortra warned customers about a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) that allows an attacker to create a new admin user. Fortra told BleepingComputer earlier that there have been no reports of attacks exploiting this vulnerability.

Authentication 94

Authentication Healthcare Manufacturing Software 94

Security Affairs

NOVEMBER 23, 2023

“AutoZone became aware that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain data from an AutoZone system that supports the MOVEit application.” The researchers reported that the attacks impacted tens of millions of individuals. reads the report published by Emsisoft.

Data breaches 119

Data breaches Hacking Retail Identity Theft 119

Security Affairs

OCTOBER 30, 2023

Thirty white hat hackers have earned more than one million dollars submitting vulnerabilities through the platform, with one hacker surpassing four million dollars in total earnings. Most HackerOne customers (57%) believe that exploited vulnerabilities are the greatest threat to their organizations.

Cyber Insurance 123

Cyber Insurance Hacking Insurance CISO 123

Security Affairs

DECEMBER 20, 2023

Google has released emergency updates to address a new actively exploited zero-day vulnerability in the Chrome browser. Google has released emergency updates to address a new zero-day vulnerability, tracked as CVE-2023-7024, in its web browser Chrome. The vulnerability is a Heap buffer overflow issue in WebRTC.

Surveillance 124

Surveillance Hacking Information Security 124

Malwarebytes

JANUARY 18, 2024

Google has released an update for Chrome which includes four security fixes, including one for a vulnerability that has reportedly already been exploited. And now would be a good time, given the severity of the vulnerability in this patch. Three vulnerabilities found by external researchers all lie in Chrome’s V8 JavaScript engine.

Engineering 126

Engineering Software Risk Cybersecurity 126

Malwarebytes

APRIL 11, 2024

Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices. Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

Spyware 112

Spyware Government Mobile Password Management 112

Malwarebytes

DECEMBER 21, 2023

This update includes one security fix for a vulnerability that was subject to an existing exploit. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

Software 125

Software Media Technology Risk 125

Malwarebytes

FEBRUARY 2, 2024

Besides the Ivanti vulnerabilities actively exploited in massive numbers we wrote about on January 11, 2024, alerts sounded about two new high severity flaws on January 31, 2024. These vulnerabilities were listed as CVE-2023-46805 and CVE-2024-21887. Active exploitation dates back as far as December 3, 2023.

Accountability 100

Accountability Ransomware Risk Cybersecurity 100

Security Affairs

FEBRUARY 20, 2024

Researchers from Shadowserver Foundation identified roughly 28,000 internet-facing Microsoft Exchange servers vulnerable to CVE-2024-21410. An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. Out of 97,000 servers, 28,500 have been verified to be vulnerable to CVE-2024-21410.

Authentication 129

Authentication Internet Internet Ransomware 129

Malwarebytes

NOVEMBER 2, 2023

Atlassian has released an advisory about a critical severity authentication vulnerability in the Confluence Server and Data Center. All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Authentication 100

Authentication CISO Internet Internet 100

Malwarebytes

APRIL 8, 2024

Want to learn more about how we can help protect your business? Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Get a free trial below.

Small Business 77

Small Business VPN Data breaches Education 77

The Hacker News

JANUARY 12, 2023

A recently published Security Navigator report data shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than 6 months to patch. Good vulnerability management is not about being fast enough in patching all potential breaches.

Risk 85

Risk 85

Security Affairs

MARCH 10, 2024

A report published by Lithuanian security services warned that China has escalated its espionage operations against Lithuania. A report released by Lithuanian security services has cautioned that China has intensified espionage activities targeting Lithuania. ” reads the report published by Lithuanian security services.

Government 121

Government Hacking Information Security 121

Malwarebytes

DECEMBER 7, 2023

Android phones are vulnerable to attacks that could allow someone to takeover a device remotely without the device owner needing to do anything. Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. User interaction is not needed for exploitation.

Risk 141

Risk Cybersecurity 141

Malwarebytes

JANUARY 24, 2024

Apple has released new security updates for several products, including a patch for a zero-day vulnerability that could impact iPhones, iPad, Macs, and Apple TVs. Apple says it’s aware of a report that the bug may have been exploited already. Updates are available for: Safari 17.3 macOS Monterey and macOS Ventura iOS 17.3

Engineering 125

Engineering Cybersecurity Risk 125

Security Affairs

SEPTEMBER 11, 2023

CISA adds vulnerabilities in Apple devices exploited to install NSO Group’s Pegasus spyware on iPhones to Known Exploited Vulnerabilities Catalog US Cybersecurity and Infrastructure Security Agency (CISA) added the security vulnerabilities chained in the zero-click iMessage exploit BLASTPASS to its Known Exploited Vulnerabilities Catalog.

Spyware 120

Spyware Accountability Hacking Risk 120

Security Affairs

FEBRUARY 22, 2024

Joomla maintainers have addressed multiple vulnerabilities in the popular content management system (CMS) that can lead to execute arbitrary code. 20240203 ] – CVE-2024-21724 Core – XSS in media selection fields: Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.

Media 120

Media Risk Hacking Cybersecurity 120

Malwarebytes

SEPTEMBER 29, 2023

According to Google there is an active exploit for one of the patched vulnerabilities, which means cybercriminals are aware of the vulnerability and are using it. And now would be a good time, given the severity of the vulnerabilities in this batch. This update includes ten security fixes.

Software 126

Software Risk Cybersecurity 126

Security Affairs

SEPTEMBER 20, 2023

GitLab rolled out security patches to address a critical vulnerability, tracked as CVE-2023-5009, that can be exploited to run pipelines as another user. GitLab has released security patches to address a critical vulnerability, tracked as CVE-2023-5009 (CVSS score: 9.6), that allows an attacker to run pipelines as another user.

Hacking 117

Hacking Risk Information Security 117

Security Affairs

APRIL 4, 2024

The list of vulnerabilities addressed by the company is reported below: CVE Description CVSS Vector CVE-2024-21894 A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-22053 A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x,

Authentication 110

Authentication Hacking Cybersecurity Information Security 110