USN-5638-4: Expat vulnerabilities

USN-5638-1 fixed several vulnerabilities in Expat. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Rhodri James discovered that Expat incorrectly handled memory when
processing certain malformed XML files. An attacker could possibly
use this issue to cause a crash or execute arbitrary code.

USN-5902-1: PHP vulnerabilities

It was discovered that PHP incorrectly handled certain invalid Blowfish
password hashes. An invalid password hash could possibly allow applications
to accept any password as valid, contrary to expectations. (CVE-2023-0567)

It was discovered that PHP incorrectly handled resolving long paths. A
remote attacker could possibly use this issue to obtain or modify sensitive
information. (CVE-2023-0568)

It was discovered that PHP incorrectly handled a large number of parts in
HTTP form uploads. A remote attacker could possibly use this issue to cause
PHP to consume resources, leading to a denial of service. (CVE-2023-0662)

USN-5821-3: pip regression

USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately,
it was missing a commit to fix it properly in pip.

We apologize for the inconvenience.

Original advisory details:

Sebastian Chnelik discovered that wheel incorrectly handled
certain file names when validated against a regular expression.
An attacker could possibly use this issue to cause a
denial of service.

Well-funded security systems fail to prevent cyberattacks in US and Europe: Report

Multi-layered, well-funded cybersecurity systems are unable to protect enterprises in the US and Europe from cyberattacks, according to a report by automated security validation firm Pentera.

The report, which was based on a survey of 300 CIOs, CISOs and security executives to get insights on their current IT and security budgets and cybersecurity validation practices, noted that the financial slowdown has had a minimal impact on cybersecurity budgets.

“We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” Aviv Cohen, chief marketing officer of Pentera, said in a press note. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”

The Reviews are In—McAfee+ Earns Top Marks from Review Sites

We created McAfee+ so people can be safe and feel safe online, particularly in a time where there’s so much concern about identity theft and invasions of online privacy—and reviewers have given it top marks as a result. 

With data breaches, spam texts and calls, companies collecting and selling personal info, and suspicious charges cropping up on billing statements becoming so commonplace nowadays, it can seem like there’s little you can do to prevent it. Yet that’s far from the case. McAfee+ offers protection that puts you in control of your identity and privacy, all while protecting your devices from viruses and threats. 

Reviewers of McAfee+ recognize the need for this kind of protection today, and here’s what three leading consumer PC publications had to say about McAfee+ and how strongly its protection stacks up. 

McAfee+ Gets 4.5 Stars and the Editor’s Choice Award from Tech Advisor 

Tech Advisor’s review opened with the big picture, that staying safe online calls for new tools that put you in charge of your privacy and identity. Of McAfee+, Tech Advisor said, “This feels like the beginning of a new era of cybersecurity where the customer is no longer helpless to unwanted intrusion, and McAfee+ makes sure they have the tools to use that new-found power.”

With that, they went on to say that McAfee+ is, “a complete cybersecurity package that goes beyond simply blocking nasties to offer a complete holistic ring of steel for everything you do online.” 

Top features they called out include Lost Wallet support, which will help you cancel your cards and order replacements from a single screen. Moreover, they applauded our Identity Theft and Restoration Coverage which is “the sort of identity protection that you’d normally see from an insurance company.” 

Our industry-first Protection Score also racked up points with Tech Advisor, which really latched onto the idea of improving their score. “We actually found chasing points quite compulsive – and most importantly, it means that you don’t need to worry about how any of the features we’re about to look at work, what they do, or even what they’re called – McAfee+ does all that for you, making it great, not just for tech-heads, but seniors, kids, and the less-tech-savvy alike.” 

In their summary of McAfee+, Tech Advisor expressed our approach to online protection well by saying, “the future of safety online is holistic, and McAfee has come up with a package that reflects the realities of modern-day living.” 

PC Mag Gives McAfee+ 4 Stars with an “Excellent” Rating 

The PC Mag review gave McAfee+ a thorough walkthrough with a particular focus on its privacy and identity features, saying, “McAfee+ is now the most complete product in the McAfee line, and its combination of unlimited device protection with identity theft remediation is quite appealing.” 

It highlighted our Personal Data Cleanup feature that scans some of the riskiest data broker sites and shows you which ones are selling your personal info and provides guidance for removing it—and further touched on our Identity Theft and Restoration Coverage that, “offers full identity monitoring and identity theft remediation rivaling that of many competing products, and you can now extend protection to your family.”  

The review also put McAfee’s Credit Monitoring, Credit Lock, and Security Freeze features through their paces. These features help you keep an eye on changes to your credit score, report, and accounts with timely notifications and guidance so you can take action to tackle identity theft.

PC Mag also called out the unlimited device coverage that protects all devices in your household, McAfee’s excellent third-party test scores for antivirus protection, and unlimited VPN—all adding up to a four-star review and an “Excellent” rating. 

Trusted Reviews – A Trusted Score of 4.5 Stars and a Recommended Award 

Like Tech Advisor, Trusted Reviews focused on the broader nature of online protection today, that it calls for much more than an antivirus. It calls for identity and privacy protection as well, and “McAfee+ Advanced is very much a do-it-all service.” 

Notably, along the same lines, the review mentioned that the “new McAfee Plus tiers are among very few mainstream internet security suites to offer data broker removal services in the UK and Europe.” As mentioned above, our Personal Data Cleanup can help you spot and remove personal information from data broker sites, which bad actors of all stripes use to commit scams and identity theft. A couple of examples—scammers use data brokers to create lists of people that they can send spammy texts and calls, and thieves can also use data broker sites to harvest info that can help them commit identity theft. 

Trusted Reviews also highlighted the unlimited number of devices and how it’s helpful for households with a lot of hardware to protect. The core antivirus was highlighted as well, in that “[t]he performance for McAfee Plus Advanced in recent lab tests has been excellent. It detected all malware with no false positives in AV-TEST’s latest Windows consumer antivirus test.” 

The company’s push into identity protection and recovery in the UK is almost beyond the scope of my anti-malware focus on these reviews, but it’s a useful toolkit to have on hand, and its data broker listing removal service is very welcome indeed.

See what McAfee+ can do for you 

Drop by our product page for more about McAfee+, including our new Family plans that include personalized protection for each member of the family. With several tiers and degrees of protection available across all our plans, you can get the level of privacy, identity, and device protection that’s right for you and everyone in your household. 

The post The Reviews are In—McAfee+ Earns Top Marks from Review Sites appeared first on McAfee Blog.

Side-Channel Attack against CRYSTALS-Kyber

CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process.

Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack.

The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. What makes this work really interesting is that the researchers used a machine-learning model to train the system to exploit the side channel.
