VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products. That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, Read more about VMware patches critical admin authentication bypass bug[…]

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security. The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.” One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a Read more about Atlassian reveals critical flaws in most of their products[…]

[…] “The vulnerabilities,” explained the ESET Research team, “can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” “It’s a typical UEFI ‘double GetVariable’ vulnerability,” the team added, before giving a hat tip Read more about Lenovo fixes trio of UEFI vulnerabilities – fortunately not for Thinkpads though[…]

[…] CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server’s Xkb keyboard extension not properly validating input that could lead to out-of-bounds memory writes. Hopefully though in 2022 you aren’t relying on your xorg-server running as root. Fixes for these XKB vulnerabilities have been patched in X.Org Server Git Read more about X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities[…]

The directors of the UK Military Intelligence, Section 5 (MI5) and the US Federal Bureau of Investigation on Wednesday shared a public platform for the first time and warned of China’s increased espionage activity on UK and US intellectual property. Speaking to an audience of business and academic leaders, MI5 director general Ken McCallum and Read more about FBI and MI5 bosses speak out together: China hacks and steals at massive scale[…]

[…] Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights. But as Read more about Security flaws in internet-connected hot tubs exposed owners’ personal data[…]

The US FBI issued a warning on Tuesday that it was has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information. The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the “applicant” for Read more about FBI warns crooks are using deepfake videos in job interviews[…]

[…]Cisco has just released fixes for seven flaws, two of which are not great. First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it’s not going to fix. In other words, junk your Read more about Time to throw out those older, vulnerable Cisco SMB routers – they’re not gonna fix critical bugs for you[…]

GitHub has revealed it stored a “number of plaintext user credentials for the npm registry” in internal logs following the integration of the JavaScript package registry into GitHub’s logging systems. The information came to light when the company today published the results of its investigation into April’s unrelated OAuth token theft attack, where it described Read more about GitHub saved plaintext passwords of npm users in log files[…]

EU countries and lawmakers agreed on Friday to tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers amid concerns about cyber attacks by state actors and other malicious players. The European Commission two years ago proposed rules on the cybersecurity of network and information systems called NIS 2 Read more about EU governments, lawmakers agree on tougher cybersecurity rules for key sectors[…]

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only. Security Advisory Status F5 Product Development has assigned Read more about BIG-IP iControl REST vulnerability offers root commands[…]

Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature. “UEFI threats can be extremely stealthy and dangerous,” said ESET researcher Martin Read more about ESET uncovers 3 vulnerabilities in Lenovo laptops[…]

The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one “critical” security vulnerability (CVE-2022-1162), as well as two rated “high,” nine rated “medium,” and four rated “low.” “A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in Read more about GitLab issues security fix for hardcoded password flaw in OmniAuth[…]

This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain. Introduction For security professionals, the URL is usually the most trusted aspect of a domain. Yes there’s attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs but not to an extent Read more about Browser In The Browser (BITB) Attack[…]

The flaw, tracked as CVE-2022-0778, was reported to the OpenSSL Project by Google vulnerability researcher Tavis Ormandy. The security hole affects OpenSSL versions 1.0.2, 1.1.1 and 3.0, and it has been fixed with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2. Version 1.1.0 is also impacted, but it’s no longer supported Read more about High-Severity DoS Vulnerability Patched in OpenSSL[…]

A vulnerability in the container runtime engine CRI-O can be exploited by a rogue user to gain root-level access on a host. In a Kubernetes environment powered by CRI-O, the security hole can be used by a miscreant to move through a cluster as an administrator, install malware, and cause other chaos. CrowdStrike’s threat research Read more about Kubernetes container runtime CRI-O has make-me-root flaw[…]

The 2022 update to our famous Hive Systems Password Table that’s been shared across the internet, social media, the news, and organizations worldwide. So what’s new, and what’s our methodology behind it? Keep reading! Looking for a high resolution version to download? Download the table now It’s been two years since we first shared our Read more about How safe are your passwords in 2022?[…]

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance‘ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal Read more about NSA report: This is how you should be securing your network[…]

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21. Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove Read more about Samsung Screwed Up Encryption on 100M Phones[…]

Ireland’s Health Services Executive has published a fresh summary of the devastating ransomware attack that hit the country’s healthcare sector in the summer of 2021 — on the back of a detailed public post-incident report by consultancy PwC. The HSE is Ireland’s largest public sector employer, with 130,000+ staff manning 70,000+ IT devices across 4,000 Read more about PwC’s HSE hack post-incident report should be a textbook for leaders[…]

[…]Polkit, previously known as PolicyKit, is a tool for setting up policies governing how unprivileged processes interact with privileged ones. The vulnerability resides within polkit’s pkexec, a SUID-root program that’s installed by default on all major Linux distributions. Designated CVE-2021-4034, the vulnerability has been given a CVSS score of 7.8. Bharat Jogi, director of vulnerability Read more about polkit has been allowing root for 12+ years[…]

A new type of malware takes a decidedly more stealthy and hard-to-remove path into your OS — it hides in your BIOS chip and thus remains even after you reinstall your OS or format your hard drive. Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most Read more about MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats[…]

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers. The vulnerability was discovered by fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository. As of 28 November last year, the issue Read more about Safari 15 could leak Google account info to malicious sites[…]

An app that visitors to the 2022 Olympics Games in Beijing are obligated to download is also a cybersecurity nightmare that threatens to expose much of the data that it collects, according to a new report. MY2022, the mandatory app for visitors at this year’s Winter Games, offers a variety of services—including tourism recommendations, Covid-related Read more about Security Holes Found in My2022 App for Beijing Winter Olympics[…]

Have you immortalized your beloved dog, Charlie, in all of your online passwords? While he may be tasked to protect your home (or at least his food bowl), your heartfelt dedication might actually be compromising your digital safety. Many passwords believed to be deeply personal to you are, in fact, quite common – making them Read more about The Worst Passwords in the Last Decade (And New Ones You Shouldn’t Use)[…]